
Cisco VPN Concentrator Implementation Guide

Copyright
Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Cisco VPN Concentrator Application Overview


This document presents the necessary steps to configure a Cisco VPN 3000 Concentrator (models 3005 through 3080) for use with CRYPTOCard tokens. The Cisco VPN 3000 Concentrator is used to create encrypted tunnels between hosts. The product is able to control access to LAN resources and assign local IP addresses based on authentication information, such as a username and password. CRYPTO-Server works in conjunction with the Cisco VPN 3000 Concentrator to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources:

1. Using the Cisco VPN Client, the user establishes a connection to the internal network using his/her logon name and PIN + one-time password.
2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via the RADIUS protocol).
3. CRYPTO-MAS Server sends back Access-Accept/Deny to the VPN concentrator.
4. Once successfully authenticated, the user gains access to the network.

The CRYPTO-Server distribution includes a plug-in for the Cisco VPN Client software which, when used in conjunction with a CRYPTOCard ST-1 Software, SC-1 Smart Card, or UB-1 USB token, automates the authentication and logon process for users. The CRYPTOCard Cisco VPN plug-in is supported in version 4.9 of the Cisco VPN client on PPC and Intel Macs and 4.8 on Windows.


Prerequisites
The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication:

- Ensure that the end user can authenticate through the concentrator with a static password before configuring the concentrator to use CRYPTOCard authentication.
- An initialized CRYPTOCard token assigned to a valid CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

- Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
- Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
- CRYPTO-MAS RADIUS Authentication port number:
- CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
- CRYPTO-MAS RADIUS Shared Secret:


Cisco VPN 3000 Concentrator Configuration


In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS authentication must be configured on the concentrator and an IPSec group must be created for CRYPTOCard token users. Configuring the Cisco VPN 3000 Concentrator consists of 4 steps:

Step 1: Add a RADIUS server
Step 2: Test the authentication server
Step 3: Create a CRYPTOCard group
Step 4: Cisco VPN Client Configuration

Step 1: Add a RADIUS Server


1. In the VPN configuration manager, select Configuration|Servers|Authentication.
2. Click Add to add a new authentication server.

Fill in the information for the CRYPTO-MAS RADIUS server obtained from the Prerequisites section. Once all the information is entered, click Add.

Ensure that the RADIUS server is the first entry in the Authentication Servers list.


Step 2: Test the Authentication Server


1. Once the RADIUS server has been added to the VPN concentrator setup, use the internal test mechanism to ensure the VPN concentrator can authenticate to it using a CRYPTOCard token. From the Authentication Servers menu, select the RADIUS server and click Test.

2. Enter the User Name of a CRYPTOCard account, and the next Password generated by the token assigned to that user. Click OK.
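What the concentrator puts on the wire in steps 2 and 3 of the overview, and what the Test button above exercises, worked through as an added example that is not part of this guide nor code from CRYPTOCard or Cisco: the PAP User-Password hiding and the Response Authenticator check defined in RFC 2865. The shared secret is a constructed stand-in, and the fixed Request Authenticator replaces the random one a real client generates per request.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(enc, secret, authenticator):
    """Server-side inverse; NUL padding stripped (PIN+OTP is printable)."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, req_auth, user, pin_plus_otp, secret):
    """Access-Request with User-Name and hidden PIN+OTP (overview step 2)."""
    attrs = attr(ATTR_USER_NAME, user.encode()) + attr(
        ATTR_USER_PASSWORD, pap_encrypt(pin_plus_otp.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(resp, req_auth, secret):
    """Reply counts only if its authenticator matches our request and the secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    code, ident = resp[0], resp[1]
    expected = response_authenticator(code, ident, resp[20:], req_auth, secret)
    return hmac.compare_digest(resp[4:20], expected)
```

A mismatched shared secret produces no readable error on the wire: the server decrypts a garbled PIN+OTP and the client's authenticator check fails, so the secret entered on the concentrator is the first thing to re-check when the Test step fails.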

Step 3: Creating a CRYPTOCard group


In order for CRYPTOCard token users to make VPN connections, a VPN Group must be properly configured.

1. In the VPN configuration manager, select Configuration|User Management|Groups.
2. Click Add Group to add a new group.
3. Enter a Group Name and a static Password. Select Internal group as the Type.

This internal group name and password must be used by all CRYPTOCard end-users when they want to connect using the VPN client.

4. Under the IPSec tab, select RADIUS in the Authentication pull-down menu.

5. Click Add to add this group to the VPN concentrator.
6. Ensure this newly created group has an Address Pool of IP addresses that can be assigned to the VPN client connections. Select the Group and click Address Pools. Then click Add and enter the Range Start, Range End, and Subnet Mask. Apply the change.


Step 4: Cisco VPN Client Configuration


You must configure the VPN client software to enable the end user to connect to the IPSec group.

Create a New VPN Connection Entry


From the Cisco VPN Client software, click New to create a new connection entry. Fill in the information for the connection entry, using the group name and password specified in Step 3.

Connect using the Cisco VPN client


Choose the connection entry created and click Connect.

A dialog box will open requesting a Username and Password. Enter the CRYPTOCard Username. Generate a one-time password from the CRYPTOCard token and enter your PIN followed by the one-time password in the Password field. Click OK.

Once the concentrator has verified the username and password with the CRYPTO-Server database, the connection will be established.

Solution Overview

Summary

Product Name                | Vendor Site          | Supported VPN Client Software            | Authentication Method
Cisco VPN Concentrator 3000 | http://www.cisco.com | Windows 2000/XP 4.8, Mac OS X Tiger 4.9  | RADIUS authentication

Supported RADIUS Functionality

RADIUS Authentication Encryption:
- PAP
- MSCHAPv2

Authentication Mode:
- One-time password
- Challenge-response
- Static password

New PIN Mode:
- User-changeable Alphanumeric 4-8 digit PIN
- User-changeable Numeric 4-8 digit PIN
- Server-changeable Alphanumeric 4-8 digit PIN
- Server-changeable Numeric 4-8 digit PIN

Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, and CRYPTO-VPN are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date              | Changes
October 25, 2006  | First Draft Creation
November 5, 2006  | Global Edit
November 29, 2006 | Minor revision
