NSD1237 How to Setup the Cisco Networks ASA 5500 SSL-VPN Edition to Use Different OTPServer Methods
Fact
Nordic Edge One Time Password Server version 3
Cisco ASA 5500 series
Situation
Nordic Edge One Time Password Server and the Cisco ASA 5500 series both have comprehensive RADIUS
support, so different two-factor authentication methods can be used to protect access to the resources
that OTPServer is protecting.
Users may be given a choice when connecting to an SSL-VPN solution to receive a One Time Password
via SMS, eMail or use the Nordic Edge Pledge client for mobile devices.
This guide describes how to set up a Cisco ASA 5500 series appliance and a Nordic Edge One Time Password
Server to offer users two different OTP methods, SMS and Pledge.
Solution
ASA Configuration
1. Create two RADIUS server groups, one for PLEDGE and one for SMS, from ASA Device Manager: Configuration/
Remote Access VPN/AAA/Local Users/AAA Server Groups, then Add.
For example:
- SMS
- PLEDGE
2. For each RADIUS group, configure a RADIUS server with the same IP address but a different port number.
- Click on Add from "Servers in Selected Group"
- Configure NORDIC-EDGE-SMS with port 1645
- Configure NORDIC-PLEDGE with port 1812
3. Create a CONNECTION-PROFILE (also called a tunnel-group) for each method, one for SMS and one for PLEDGE.
Associate each profile with its respective RADIUS server group from step 1.
- Create OTP-NORDIC-EDGE connection profile, use alias "OTP SMS" and choose corresponding AAA Server Group
(NORDIC-EDGE-SMS) created in step 1.
- Create NORDIC-PLEDGE connection profile, use alias "PLEDGE" and choose corresponding AAA Server Group
(NORDIC-PLEDGE) created in step 1.
4. Verify that the option "Allow user to select connection profile, identified by its alias, on the login page." is checked. It is found under the global connection profile settings, Configuration/Remote Access VPN/Clientless SSL VPN Access.
5. Users should now be able to choose a Group from the drop-down list corresponding to the login method they would like to use.
OTPServer Configuration
To match the ASA setup above:
1. Add additional port 1812 in the RADIUS section.
2. Configure two RADIUS clients corresponding to the ASA RADIUS server groups. For example:
- Cisco-SMS: click the Advanced button, un-check the option "Listen on All Available Port Numbers", then select RADIUS port 1645 and click OK.
- Cisco-Pledge: click the Advanced button, un-check the option "Listen on All Available Port Numbers", then select RADIUS port 1812 and click OK.
3. Verify the configuration in the OTPServer RADIUS section by entering 1645 as an Additional Port. OTPServer will now listen to the ASA group. Note: Port 1645 will NOT be saved as an Additional Port.