Securing Cisco ASA and ISE with SMS PASSCODE

The Cisco ASA and ISE series enables businesses to deploy strong security throughout the Secure Borderless Network. The appliances integrate network firewall, application security and attack protection in a convenient appliance form factor that delivers proven performance and reliability. Cisco ASA appliances can be extended with numerous advanced security features for remote access, intrusion prevention, content security, unified communications and botnet protection.

Seamless integration

SMS PASSCODE secures access through the Cisco ASA seamlessly, using the Cisco ASA's native RADIUS Challenge/Response support. The multi-factor authentication process is convenient and easy for users. Because the Cisco ASA sends the RADIUS “Calling-Station-ID” attribute, SMS PASSCODE can apply a flexible security profile and select the appropriate security level based on the location of the originating IP address of the user accessing the Cisco ASA.

Easy installation

SMS PASSCODE acts as a plug-in to the Microsoft Windows Server based Network Policy Server (NPS), which makes it very easy to install. The SMS PASSCODE installation software detects whether the Network Policy Server (NPS) role is enabled on the selected Windows Server and offers the option to secure RADIUS authentication (“RADIUS Protection”) by installing the SMS PASSCODE NPS extension. The installer makes the necessary changes to the NPS server so that the SMS PASSCODE plug-in works after installation.

SMS PASSCODE supports Connection Request Policies (CRPs), so that other systems can be integrated into the same RADIUS server, and gives you the flexibility to choose how NPS handles connection requests (for example, by filtering authentication requests based on CRPs).

Adaptive user authentication

Because SMS PASSCODE can see the IP address its users are logging in from, the solution delivers a higher level of security for Cisco ASA. With this information the IT team can configure location-based authentication policies to allow users to log in with or without an OTP depending on whether they are logging in from a trusted network like the company headquarters, branch or home offices. In addition, SMS PASSCODE can identify fraudulent login attempts from non-trusted sites and completely block access from these networks.

Cisco ASA configuration for SMS PASSCODE

SMS PASSCODE is widely used by Cisco customers extending the Cisco ASA VPN concentrators with both IPsec and SSL VPN extensions.

Cisco: set up the VPN group and RADIUS client

1. Start ASDM and login to the Web interface.

2. Go to the Wizards menu and select IPsec VPN Wizard or SSL VPN Wizard (the steps below are from the IPsec VPN Wizard, but the SSL VPN Wizard configuration is quite similar).

3. Select Remote Access and click next:

4. Select the Cisco VPN Client option and click next:

5. Click next once you have set the Pre-Shared Key parameter:

6. Set the Server Group Name to SMS PASSCODE, set the IP address and the Server Secret Key, and click OK:

7. Select the AAA server option and select the SMS PASSCODE server group created in step 6:

8. Select the SMS Pool Name from the pull-down menu and click next. If you do not have a pool defined, click New… and create the IP pool, select it and click next:

9. Set Encryption to 3DES, Authentication to SHA and Diffie-Hellman Group to 2 and click next (these are the values this guide shows; 3DES and DH group 2 are no longer considered strong, so choose stronger options such as AES and a larger DH group where your ASA release and VPN clients support them):

10. Verify that “Enable Perfect Forwarding Secrecy (PFS)” is checked and click next:

11. You have now set up the Cisco ASA for SMS PASSCODE two-factor authentication.

Configuring SMS PASSCODE authentication for RADIUS

To set up SMS PASSCODE for RADIUS, consult the SMS PASSCODE Administrators Guide under the section “Configuring RADIUS Protection”.

Using the MSCHAPv2 protocol

To use the MSCHAPv2 protocol instead of PAP, the ASA must include the fix for Cisco bug CSCtr85499, which should be present in the following releases (check cisco.com for CSCtr85499 for updated information): 8.4(4.2), 8.4(5), 8.6(1.4), 9.0(1), 9.1(1), 9.0(0.99), 100.8(0.133)M, 100.8(33.4)M, 100.7(13.75)M, 100.8(11.21)M, 100.7(6.79)M, 100.9(2.1)M, 100.8(27.7)M, 100.9(0.1)M, 8.4(4.99), 100.8(34.1)M.

When creating the AAA RADIUS server, make sure to enable “Microsoft CHAPv2 capable”:

In the Connection Profile, enable “Enable password management”:

In the SMS PASSCODE configuration tool, make sure that Side-by-side is set to Always:

Also ensure that there is a Network Policy in NPS that allows the user to log in and change password via the MSCHAPv2 protocol.
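For administrators who prefer the ASA command line, the following is the equivalent configuration for the wizard steps above and for the MSCHAPv2 settings in this section, written as an added example and not taken from the SMS PASSCODE guide or from Cisco documentation. The group, pool and map names, the 192.0.2.10 server address, the pool range and the values in angle brackets are assumptions to replace with your own; the 3DES/SHA/group 2 values are the ones the wizard steps specify.

```text
! RADIUS server group pointing at the NPS server running SMS PASSCODE (step 6)
! 192.0.2.10 is an assumed address; replace it with your NPS server's IP.
! mschapv2-capable is the CLI form of "Microsoft CHAPv2 capable" and is only
! required for the MSCHAPv2 setup described above.
aaa-server SMSPASSCODE protocol radius
aaa-server SMSPASSCODE (inside) host 192.0.2.10
 key <RADIUS-shared-secret>
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable
!
! Address pool handed out to VPN clients (step 8); the range is an assumption
ip local pool SMSPOOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! IKEv1 phase 1 with the values the wizard steps specify (step 9)
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
! IPsec phase 2 with Perfect Forward Secrecy enabled (step 10)
crypto ipsec ikev1 transform-set SMSPASSCODE-TS esp-3des esp-sha-hmac
crypto dynamic-map SMSPASSCODE-DYN 10 set ikev1 transform-set SMSPASSCODE-TS
crypto dynamic-map SMSPASSCODE-DYN 10 set pfs group2
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic SMSPASSCODE-DYN
crypto map OUTSIDE-MAP interface outside
!
! Remote-access connection profile that authenticates against the SMS PASSCODE
! group (steps 4 to 7); password-management is the CLI form of
! "Enable password management" needed for MSCHAPv2 password changes.
group-policy SMSPASSCODE-GP internal
group-policy SMSPASSCODE-GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group SMSPASSCODE type remote-access
tunnel-group SMSPASSCODE general-attributes
 address-pool SMSPOOL
 authentication-server-group SMSPASSCODE
 default-group-policy SMSPASSCODE-GP
 password-management
tunnel-group SMSPASSCODE ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
```

After applying the configuration, a test login from an untrusted network should produce a RADIUS Access-Challenge from the NPS server (the passcode prompt) before access is granted, which confirms that the ASA is forwarding the Calling-Station-ID and handling the challenge/response exchange.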

Get up and running with SMS PASSCODE