Strong Authentication

for
Cisco ASA 5500 Series
with

Powerful Authentication Management for Service Providers and Enterprises

Authentication Service Delivery Made EASY

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Copyright
Copyright 2011. CRYPTOCard Inc. All rights reserved. The information contained herein is subject
to change without notice. Proprietary Information of CRYPTOCard Inc.
Disclaimer
The information contained in this document may change without notice, and may have been altered
or changed if you have received it from a source other than CRYPTOCard Inc. While every effort is
made to ensure the accuracy of content offered on these pages, CRYPTOCard Inc. shall have no
liability for errors, omissions or inadequacies in the content contained herein or for interpretations
thereof.
Use of this information constitutes acceptance for use in an AS IS condition, without warranties of
any kind, and any use of this information is at the users own risk.
No part of this documentation may be reproduced without the prior written permission of the
copyright owner. CRYPTOCard Inc. disclaims all warranties, either expressed or implied, including
the warranties of merchantability and fitness for a particular purpose. In no event shall CRYPTOCard
Inc. be liable for any damages whatsoever, including direct, indirect, incidental, consequential or
special damages, arising from the use or dissemination hereof, even if CRYPTOCard Inc. has been
advised of the possibility of such damages. Some provinces, states or countries do not allow the
exclusion or limitation of liability for consequential or incidental damages, so the foregoing
limitation may not apply.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the everchanging nature of the Internet prevents CRYPTOCard Inc. from guaranteeing the content or
existence of the resource. When possible, the reference contains alternate sites or keywords that
could be used to acquire the information by other methods. If you find a broken or inappropriate
link, please send an email with the topic name, link, and its behaviour to support@cryptocard.com.
The software described in this document is furnished under a license and may be used or copied
only in accordance with the terms of the license.
Trademarks
BlackShield ID, CRYPTOCard and the CRYPTOCard logo are trademarks and/or registered trademarks
of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned
are trademarks of their respective holders.

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Contact Information
CRYPTOCards technical support specialists can provide assistance when planning and implementing
CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication
products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition
from existing access control systems and a satisfying experience for network users. We can also help
you leverage your existing network equipment and systems to maximize your return on investment.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If
you purchased this product through a CRYPTOCard channel partner, please contact your partner
directly for support needs.
To contact CRYPTOCard directly:
United Kingdom

North America

2430 The Quadrant, Aztec West, Almondsbury,

Bristol, BS32 4AQ, U.K.

600-340 March Road, Kanata, Ontario,

Canada K2K 2E4

Phone: +44 870 7077 700

Phone: +1 613 599 2441

Fax:

Fax:

+44 870 70770711

support@cryptocard.com

+1 613 599 2442

support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at
http://www.cryptocard.com

Overview

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Overview
By default Cisco ASA user authentication requires that a user provide a correct user name and
password to successfully logon. This document describes the steps necessary to augment this logon
mechanism with strong authentication by adding a requirement to provide a one-time password
generated by a CRYPTOCard token by using the instructions below.

Applicability
This integration guide is applicable to:
Security Partner Information
Security Partner
Cisco
Product Name
Cisco ASA 5500 series
ASA Version
8.3
ADSM Version
6.3(1)

Authentication Service Delivery Platform Compatibility

Publication History
Date
January 26,
2009
July 9, 2009
Sept 15, 2010

Changes
Document created

Version
1.0

Copyright year updated

Updated for GrIDsure, MP and different auth methods

1.1
1.2

Preparation and Prerequisites

Ensure end users can authenticate through the Cisco ASA with a static password before
configuring the Cisco Secure ASA to use RADIUS authentication.

A RADIUS Client has been configured in BlackShield with a shared secret and port number
identical to that being programmed in the Cisco ASA.

Test user account with an active token.

Overview

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Configuration
Configure Cisco ASA for Two Factor Authentication
Configuring the Cisco ASA consists of 4 steps:

Step 1: Define a RADIUS enabled AAA Server group.

Step 2: Assign a RADIUS AAA Server to the AAA Server group.

Step 3: Assign RADIUS Authentication to a Clientless SSL VPN Connection Profile

Step 4: Assign RADIUS Authentication to a IPSec VPN Connection Profile

Step 5: Assign RADIUS Authentication to an AnyConnect VPN Connection Profile

Define a RADIUS enabled AAA Server group

1.

In the Cisco ASDM client select

Configuration.

2.

Select Remote Access VPN.

3.

Under Remote Access VPN expand

AAA/Local Users then select AAA Server
Group.

4.

Select Add in the AAA Server Group

section. Enter the Server Group name
(ex. CRYPTOCard) and RADIUS as the
Protocol.

Configuration

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Assigning a RADIUS AAA Server to the AAA Server group

1.

Under Remote Access VPN expand

AAA/Local Users, AAA Server Group
then on the right highlight the
CRYPTOCard Group.

2.

In the Servers in the Selected

Group section select Add.

3.

Enter the following information

Choose the interface

IP address of the supported RADIUS server.

RADIUS authentication port (1812)

RADIUS accounting port (1813)

Server Secret Key (Shared Secret)

4.

After adding the AAA Server to the AAA Server group, you will see it
appear in the AAA Servers in the selected group section.

Configuration

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection

Profile
The Clientless SSL VPN Connection Profiles include the type of authentication method used during
the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS enabled profile
must be created.
1.

In the Cisco ASDM client select

Configuration, Remote Access VPN.

2.

Expand Clientless SSL VPN Access

and highlight Connection Profiles.

3.

In Connection Profiles select Add.

4.

Enter a name for the profile.

5.

Under Authentication select AAA.

6.

In the AAA Server Group dropdown

select CRYPTOCard.

7.

Complete the additional entries

with the settings required by your
organization.

8.

Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.

Configuration

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Assigning CRYPTOCard Authentication to a IPSec VPN Connection

Profile
The IPSec VPN Connection Profiles include the type of authentication method used during the
negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS enabled profile
must be created.
1.

In the Cisco ASDM client select Configuration, Remote Access VPN.

2.

Expand Network (Client) Access and highlight IPsec Connection Profiles.

3.

In Connection Profiles select Add.

4.

Enter a name for the profile.

5.

Under Authentication select AAA.

6.

In the AAA Server Group dropdown select CRYPTOCard.

7.

Complete the additional entries with the settings required by your

organization.

Configuration

Strong Authentication for Cisco ASA 5500 Series with BlackShield

8.

Verify the CRYPTOCard profile is enabled. If required, disable the other

Connection Profiles.

Assigning CRYPTOCard Authentication to a AnyConnect Connection

Profile
The IPSec VPN Connection Profiles include the type of authentication method used during the
negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS enabled profile
must be created.
1.

In the Cisco ASDM client select Configuration, Remote Access VPN.

2.

Expand Network (Client) Access and highlight AnyConnect Connection

Profiles.

3.

In Connection Profiles select Add.

Configuration

Strong Authentication for Cisco ASA 5500 Series with BlackShield

4.

Enter a name for the profile.

5.

Under Authentication select AAA.

6.

In the AAA Server Group dropdown select CRYPTOCard.

7.

Complete the additional entries with the settings required by your

organization.

8.

Verify the CRYPTOCard profile is enabled. If required, disable the other

Connection Profiles.

Configuration

10

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Clientless SSL VPN and GrIDsure authentication

The Cisco SSL VPN login page can be configured to authenticate hardware and GrIDsure token users.
1.

The user enters the Cisco SSL VPN URL into their web browser.

2.

The Cisco SSL VPN login page displays a Username and OTP field as well as a Login and Get GrID
button.

3.

The user enters their username into the Username field then selects Get Grid. The request is
submitted from the users web browser to the BlackShield.

4.

The BlackShield displays the users GrIDsure Grid within the Cisco SSL VPN login page.

5.

The user enters their GrIDsure password into the OTP field then submits the request.

6.

The Cisco ASA device performs a RADIUS authentication request against the BlackShield. If the
CRYPTOCard credentials entered are valid, the user is presented with their Cisco ASA portal
otherwise, the attempt is rejected.

The following steps will enable a hardware and GrIDsure aware logon page.
1.

In the BlackShield distribution package browse to the html, agents,

Cisco, GrIDsure directory.

2.

Copy the ciscogridsure.js file to a temporary folder then open the file
with a text editor.

3.

Modify the gridMakerURL value to reflect the location of the

BlackShield Self Service site.
Example:
var gridMakerURL =
"https://mycompany.com/blackshieldss/index.aspx?getChallengeImage
=true&userName=";
Note: If gridMakerURL references https, you must have a certificate
installed on the BlackShield Self Service IIS server.

Configuration

11

Strong Authentication for Cisco ASA 5500 Series with BlackShield

4.

In the Cisco ASDM client select Configuration, Remote Access VPN.

5.

Expand Clientless SSL VPN Access, Portal and highlight Customization.

6.

In Customization objects select Add

7.

In General, Customization Object Name enter CCGrid as the title.

Select the Connection Profile and Group Policy for which the
customization will be applied.

8.

Expand Logon page and select Logon Form. In the Password Prompt
section replace Password with OTP.

9.

Expand Logon page and select Informational Panel. Place a checkmark

in Display informational panel. In the Panel Position select Right. Copy
the contents of the ciscogridsure.js into the Text box. Leave the Logo
Image blank. Set the Image Position to Below Text.

Configuration

12

Strong Authentication for Cisco ASA 5500 Series with BlackShield

10. In Clientless SSL VPN Access, Connection Profiles highlight the GrIDsure

enabled profile and select Edit.

11. Expand Advanced then select Clientless SSL VPN. Verify Portal Page

Customization references the newly created GrIDsure enabled portal.

12. In Clientless SSL VPN Access, Group Profiles highlight the GrIDsure

enabled profile and select Edit.

13. Expand More Options then select Customization. Verify Portal

Customization references the newly created GrIDsure enabled portal.

Configuration

13

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Clientless SSL VPN and MP Token detection

The default Cisco ASA login page is unable to detect the presence of BlackShield software tokens.
The following section allows a Cisco Administrator to enable software token detection for a Cisco
Clientless SSL VPN site.
The Cisco ASA Login page can be configured to display primary authentication credential fields (i.e.
one username and password field) or primary and secondary authentication credential fields (i.e.
multiple username and password fields).

If the Clientless SSL VPN site is configured to use primary authentication credentials (i.e.
CRYPTOCard only), the CCMPPri.inc and CRYPTOCardScript.js file must be added to Web
Contents then referenced in the custom configuration.

If the Clientless SSL VPN site is configured to use primary and secondary authentication
credentials (i.e. Microsoft and CRYPTOCard credentials), the CCMPPriSec.inc and
CRYPTOCardScript.js file must be added to Web Contents then referenced in the custom
configuration.

Note: All three files (CCMPPri.inc, CCMPPriSec.inc and CRYPTOCardScript.js) may be added to Web
Contents but only one .inc file can be assigned to a WebVPN site.
Perform the following steps to enabled software token detection.

Configuration

14

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Uploading custom CRYPTOCard login pages

All files referenced in this section can be found in the BlackShield distribution package under the
html, agents, Cisco, MP Clientless SSL VPN.
1.

In ASDM, select Configuration, Remote Access VPN.

2.

Expand Clientless SSL VPN Access then Portal.

3.

Highlight Web Contents then select Import.

4.

In Destination select No. For example, use this option to make the content available only to
the portal page.

5.

In the Source - Local Computer select Browse Local Files.

6.

Select CRYPTOCardScript.js then click Import Now.

7.

In Web Contents select Import.

8.

In Destination select No. For example, use this option to make the content available only to
the portal page.

9.

In the Source - Local Computer select Browse Local Files.

10. Select CCMPPri.inc or CCMPPriSec.inc then click Import Now.

Creating an SSL VPN Portal Page Customization Object

1.

In ASDM, select Configuration, Remote Access VPN.

2.

Expand Clientless SSL VPN Access then Portal.

3.

Highlight Customization then select Add.

4.

In Customization Object Name enter CRYPTOCard MP Detection select OK then apply the
settings.

5.

Select the Connection Profile and Group Policy for which the customization will be applied.

6.

Highlight Logon Page then select Replace pre-defined logon page with a custom page (full
customization). In the Custom Page dropdown select /+CSCOU+/CCMPPri.inc or
/+CSCOU+/CCMPPriSec.inc.

Configuration

15

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Verifying the Connection and Group profile

1.

In Clientless SSL VPN Access, Connection Profiles highlight the MP detection enabled profile and
select Edit.

2.

Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references
the newly created MP detection enabled portal.

3.

In Clientless SSL VPN Access, Group Profiles highlight the MP detection enabled profile and
select Edit.

4.

Expand More Options then select Customization. Verify Portal Customization references the
newly created MP detection enabled portal.

Open your web browser and proceed to the Clientless SSL VPN site. If this is the first time accessing
the page you will be prompted to install a CRYPTOCard ActiveX Web API.
If a software token exists, the page will detect and display all software tokens otherwise a hardware
login mode will appear.
When primary authentication credential mode is enabled with software tokens the login fields
appear in the following order: Token name, PIN.
When primary and secondary authentication credential mode is enabled with software tokens, the
login fields appear in the following order: token name, PIN, password (Microsoft).

Cisco ASA AnyConnect Client

The Cisco AnyConnect SSL VPN client is very different from the IPSec VPN client. The Cisco ASA
device can dynamically display login field names and login field based on the settings defined in each
Group Profile.
The Cisco ASA device may also restrict users from selecting the Group Profile and it can place
additional customizable options within the Preferences button.
Here are a couple of examples on how the Cisco AnyConnect will show depending on the group
selected.

Cisco ASA AnyConnect Client

16

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Figure 1:Username and Password (MS Password)

Field

Figure 2: Username, Password (MS Password),

and Second Password (OTP) Field

CRYPTOCard Cisco AnyConnect Client

Organizations may wish to integrate software based two factor authentication tokens with the Cisco
AnyConnect client to simplify the login process for users, thus eliminating the need to copy and
paste a One Time Password from one application to another.
With the BlackShield ID Cisco AnyConnect agent, the ability to integrate software based two factor
authentication tokens with the Cisco AnyConnect becomes a reality.
The two versions of the Cisco AnyConnect client that CRYPTOCard works with are Cisco AnyConnect
client 2.4.1012 or 2.5.0217.
Here are a couple of examples on how the BlackShield ID Cisco AnyConnect agent will look like
depending on which group is selected and which field the agent has been configured to display the
software token detection.

Cisco ASA AnyConnect Client

17

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Figure 3: MP Token detection on Primary

Password field

Figure 4: MP Token detection on Secondary

Password field

Figure 5: MP Token detection in both Primary

and Secondary Password fields

Cisco ASA AnyConnect Client

18

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Cisco AnyConnect Client and MP Token Detection

!!IMPORTANT!!: The Cisco AnyConnect client must be already installed prior to the
installation of the CRYPTOCard Cisco AnyConnect package.
CRYPTOCard provides a Cisco AnyConnect client capable of detecting the presence of BlackShield
software tokens. The following steps must be performed:
1. Install the BlackShield ID Software Tools.

NOTE: If you are on a 64bit Operating System, install the BlackShield ID Software Tools for
AnyConnect. The installer can be found in html, agents, x64 directory within the
BlackShield download package.

2. Install the MP Token into the BlackShield ID Software Tools

3. Install the BlackShield ID Cisco AnyConnect package.
4. After installing the BlackShield ID Cisco AnyConnect, Click on:

Start

All Programs

CRYPTOCard

BlackShield ID Cisco AnyConnect

Version 2.x (2.4 or 2.5)

Cisco AnyConnect VPN Client 2.x (2.4 or

2.5)

Once connected to the Cisco ASA the following will be

displayed. This is the default configuration for the
BlackShield ID Cisco AnyConnect agent.

If the default configuration is incorrect, and the MP

Token detection are being detected in the incorrect
fields then please go to the section below to change the
MP Token detection.

Cisco ASA AnyConnect Client

19

Strong Authentication for Cisco ASA 5500 Series with BlackShield

BlackShield Cisco AnyConnect Agent registry key

The registry entry allows specifying where the MP token dropdown will appear and what password
field(s) will be used when the one-time password is submitted to the server.
On a Windows XP/Vista/7 (32 bit) , the registry key is located in:
\HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CiscoAnyClientPlugin

On a Windows XP/Vista/7 (64 bit) , the registry key is located in:

\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CRYPTOCard\CiscoAnyClientPlugin

The registry key is called SoftTokenInclusion, and the default value for the key is:

ALL+ALL+1;

The Definition is as follows:

Connect To+Group Profile+Field Position to display MP and submit one-time password;

So an example would be:

ASA.cryptocard.com+CRYPTOCard Henry+1;

Here is the explanation of the example above:

This will work when connecting to ASA.cryptocard.com

MP token detection will only show up using the CRYPTOCard

Henry Group profile.
Cisco ASA AnyConnect Client

20

Strong Authentication for Cisco ASA 5500 Series with BlackShield

It will display the MP Token detection in the first field

Here are examples of changing the MP Token detection to a different field:

ALL+ALL+1
Display MPs in first username field and submit
one-time password to first password field.
This is the default setting after installing the
BlackShield ID Cisco AnyConnect, and the
BlackShield ID Software Tools
This option is used if the authentication is going
against the BlackShield ID Professional server.

ALL+ALL+2
Display MPs in second username field and
submit one-time password to second password
field.
This option is used if dual authentication is
required.
(e.g. Microsoft Password [Top], then
CRYPTOCard [Bottom].)

Cisco ASA AnyConnect Client

21

Strong Authentication for Cisco ASA 5500 Series with BlackShield

ALL+ALL+3
Display MPs in first and second username field
and submit one-time password to first and
second password field.
This setting is used if there needs to be
authentication against 2 BlackShield ID Pro
Server
This would be an odd case as this setting would
rarely be used.

Multiple options can be appended to the SoftTokenInclusion registry key.

Here is an example:

SoftTokenInclusion registry key:

ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;

Cisco ASA AnyConnect Client

22

Strong Authentication for Cisco ASA 5500 Series with BlackShield

Troubleshooting
RADIUS Authentication issues
When troubleshooting RADIUS authentication issues refer to the logs on the Cisco ASA device.
All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can
be found in the Event Viewer.
All logging information for the BlackShield IAS\NPS agent can be found in the \Program
Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory.
The following is an explanation of the logging messages that may appear in the event viewer for the
Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server.
Error Message:

Packet DROPPED: A RADIUS message was received from an invalid RADIUS client.

Solution:

Error Message:

Authentication Rejected: Unspecified

Solution:

This will occur when one or more of the following conditions occur:

Verify a RADIUS client entry exists on the RADIUS server.

The username does not correspond to a user on the BlackShield Server.

The CRYPTOCard password does not match any tokens for that user.

The shared secret entered in Cisco Secure ACS does not match the shared secret
on the RADIUS server
Error Message:

Authentication Rejected: The request was rejected by a third-party extension DLL

file.

Solution:

This will occur when one or more of the following conditions occur:

The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server.

The Pre-Authentication Rules on the BlackShield server do not allow incoming

requests from the BlackShield Agent for IAS\NPS.

The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on
the BlackShield Server.

The username does not correspond to a user on the BlackShield Server

The CRYPTOCard password does not match any tokens for that user.

Troubleshooting

23

Strong Authentication for Cisco ASA 5500 Series with BlackShield

GrIDsure Authentication issues

Issue:
Solution:

Issue:
Solution:

The GrIDsure enabled Clientless SSL VPN logon page does not appear.

Verify the Clientless SSL VPN Connection and Group profile reference the
customized GrIDsure enabled portal page.

Verify the Information Panel settings are configured exactly as described in Step
9 of the Clientless SSL VPN and GrIDsure authentication section.

The Get GrID button does not display the GrIDsure grid.

A username must be supplied before a GrIDsure grid can be generated.

The user must have been assigned a GrIDsure token and have completed selfenrolment.

In a web browser enter the gridMakerURL and appended the username after the
equal sign.

Example
https://company.com/blackshieldss/index.aspx?getChallengeImage=true&userName
=bob
A webpage should appear with a GrIDsure grid for the user (ex. Bob).

Verify the client browser can access the URL of the BlackShield self service web
site.

Verify the GrIDsure token is not in a suspended or locked state.

Further Information
For further information, please visit http://www.cryptocard.com

Troubleshooting

24