
NSD1237 How to Setup the Cisco Networks ASA 5500 SSL-VPN Edition to Use Different OTPServer Methods

Fact

Nordic Edge One Time Password Server version 3

Cisco ASA 5500 series

Situation

Nordic Edge One Time Password Server and the Cisco ASA 5500 series both have comprehensive RADIUS support, so different two-factor authentication methods can be used to protect access to the resources that OTPServer is protecting.

Users may be given a choice when connecting to an SSL-VPN solution to receive a One Time Password via SMS or e-mail, or to use the Nordic Edge Pledge client for mobile devices.

This guide describes how to set up a Cisco ASA 5500 series appliance and a Nordic Edge One Time Password Server to offer users two different OTP methods, SMS and Pledge. The ASA tells OTPServer which method the user picked by sending the RADIUS request to a different UDP port per method, so no extra RADIUS attributes are needed.

Solution

ASA Configuration

1. Create two RADIUS server groups, one for SMS and one for PLEDGE, in ASDM under Configuration/Remote Access VPN/AAA/Local Users/AAA Server Groups and click Add. For example:

- NORDIC-EDGE-SMS

- NORDIC-PLEDGE

2. For each RADIUS server group, add a RADIUS server entry with the same OTPServer IP address but a different authentication port. The port is what distinguishes the two methods on the OTPServer side, so use the same shared secret that is configured for the corresponding Radius client in OTPServer.

- Click Add under "Servers in Selected Group"

- In NORDIC-EDGE-SMS, configure the OTPServer host with authentication port 1645

- In NORDIC-PLEDGE, configure the OTPServer host with authentication port 1812

3. Create a connection profile (also called a tunnel-group) for each method, one for SMS and one for PLEDGE, and associate each profile with its RADIUS server group from step 1.

- Create the OTP-NORDIC-EDGE connection profile, use the alias "OTP SMS" and choose the corresponding AAA Server Group (NORDIC-EDGE-SMS) created in step 1.

- Create the NORDIC-PLEDGE connection profile, use the alias "PLEDGE" and choose the corresponding AAA Server Group (NORDIC-PLEDGE) created in step 1.

4. Verify that the option "Allow user to select connection profile, identified by its alias, on the login page." is checked. It is found under the global connection profile settings at Configuration/Remote Access VPN/Clientless SSL VPN Access/Connection Profiles.

5. Users should now be able to choose a group from the drop-down list on the login page corresponding to the login method they would like to use.
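The ASA CLI equivalent of steps 1 to 5 above, as an added example that is not part of the original guide. The OTPServer address 192.0.2.10, the interface name inside, the shared secrets and the accounting ports are assumptions and must be replaced with your own values; the alias OTP-SMS is used in place of the guide's "OTP SMS" so that the alias is a single token on the command line.

```text
! --- Step 1 and 2: one RADIUS server group per OTP method, same host, different port.
! Both groups point at the same OTPServer; only the authentication port differs.
! The shared secret must match the secret of the corresponding OTPServer Radius client
! (assumed values below). Keep the two secrets distinct so a leaked SMS secret cannot
! be used to talk to the Pledge listener.
aaa-server NORDIC-EDGE-SMS protocol radius
aaa-server NORDIC-EDGE-SMS (inside) host 192.0.2.10
 key ChangeMe-SMS-Secret
 authentication-port 1645
 accounting-port 1646
aaa-server NORDIC-PLEDGE protocol radius
aaa-server NORDIC-PLEDGE (inside) host 192.0.2.10
 key ChangeMe-Pledge-Secret
 authentication-port 1812
 accounting-port 1813

! --- Step 3: one connection profile (tunnel-group) per method, each bound to its group.
tunnel-group OTP-NORDIC-EDGE type remote-access
tunnel-group OTP-NORDIC-EDGE general-attributes
 authentication-server-group NORDIC-EDGE-SMS
tunnel-group OTP-NORDIC-EDGE webvpn-attributes
 group-alias OTP-SMS enable

tunnel-group NORDIC-PLEDGE type remote-access
tunnel-group NORDIC-PLEDGE general-attributes
 authentication-server-group NORDIC-PLEDGE
tunnel-group NORDIC-PLEDGE webvpn-attributes
 group-alias PLEDGE enable

! --- Step 4: show the alias drop-down on the clientless SSL VPN login page.
! "tunnel-group-list enable" is the CLI form of "Allow user to select connection
! profile, identified by its alias, on the login page."
webvpn
 enable outside
 tunnel-group-list enable

! --- Step 5 check, run from enable mode before handing the portal to users.
! Each command must reach OTPServer on its own port; a timeout means the port,
! the shared secret or the OTPServer client definition does not match.
!   test aaa-server authentication NORDIC-EDGE-SMS host 192.0.2.10 username testuser password <otp>
!   test aaa-server authentication NORDIC-PLEDGE host 192.0.2.10 username testuser password <otp>
!   show aaa-server NORDIC-EDGE-SMS
!   show aaa-server NORDIC-PLEDGE
```

Because method selection rides entirely on the destination port, a client that is allowed to reach the RADIUS ports directly could try either method regardless of what the portal offers; restrict UDP 1645/1812 on OTPServer to the ASA's inside address so the ASA remains the only RADIUS client.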

OTPServer Configuration

To match the above ASA setup:

1. Add 1812 as an additional port in the Radius section.

2. Configure two Radius clients corresponding to the ASA RADIUS server groups. For example:

- Cisco-SMS: click the Advanced button, un-check the option "Listen on All Available Port Numbers", then select Radius Port 1645 and click OK.

- Cisco-Pledge: click the Advanced button, un-check the option "Listen on All Available Port Numbers", then select Radius Port 1812 and click OK.

3. Verify the configuration in the OTPServer Radius section by entering 1645 as an Additional Port. OTPServer now listens for each ASA group on its own port. Note: port 1645 will NOT be saved as an Additional Port, because OTPServer already listens on it by default; only 1812 appears in the list.
