
Copyright

Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.
Cisco VPN Concentrator Implementation Guide
Cisco VPN Concentrator Application Overview

This document presents the necessary steps to configure a Cisco VPN 3000 Concentrator (models 3005 through 3080) for use with CRYPTOCard tokens.

The Cisco VPN 3000 Concentrator is used to create encrypted tunnels between hosts. The product is able to control access to LAN resources and assign local IP addresses based on authentication information, such as a username and password. CRYPTO-Server works in conjunction with the Cisco VPN 3000 Concentrator to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources:

1. Using the Cisco VPN Client, the user establishes a connection to the internal network using his/her logon name and PIN + one-time password.
2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via the RADIUS protocol).
3. The CRYPTO-MAS Server sends back an Access-Accept or Access-Reject to the VPN concentrator.
4. Once successfully authenticated, the user gains access to the network.
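The four steps above are a standard RADIUS Access-Request/Access-Accept exchange in which the concentrator acts as the RADIUS client and the CRYPTO-MAS server validates the PIN + one-time password. The following Python script is an added illustration of that exchange, not code from the guide or from CRYPTOCard or Cisco: it builds an Access-Request with the User-Password attribute hidden as RFC 2865 describes for PAP, answers it from a minimal stand-in for the CRYPTO-MAS server, and shows the check a RADIUS client must perform on the Response Authenticator before trusting an Access-Accept. The shared secret, user name, PIN, OTP and NAS address are constructed values for the example; the stub server does not model real CRYPTO-MAS behaviour beyond accept/reject.

```python
import hashlib
import os
import struct

# Constructed values for this example only: the real shared secret, user name
# and token OTP come from the CRYPTO-MAS server and the user's token.
SHARED_SECRET = b"example-shared-secret"
KNOWN_USER = b"alice"
KNOWN_PIN_PLUS_OTP = b"1234" + b"58391042"   # PIN followed by the token's one-time password

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    strong encryption, which is why the secret must be kept confidential."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the server side of the same construction."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(user: bytes, password: bytes, secret: bytes,
                         identifier: int, authenticator: bytes) -> bytes:
    """What the concentrator (the RADIUS client) sends in step 2."""
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
             + attr(ATTR_NAS_IP, bytes([192, 0, 2, 1])))   # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def crypto_mas_stub(request: bytes) -> bytes:
    """Stand-in for the CRYPTO-MAS RADIUS server (step 3): reveals the PIN+OTP,
    checks it against the value expected for the user, and signs the reply with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    revealed = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    ok = attrs.get(ATTR_USER_NAME) == KNOWN_USER and revealed == KNOWN_PIN_PLUS_OTP
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()


def response_is_authentic(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """The RADIUS client must recompute the Response Authenticator before acting
    on a reply; otherwise a reply that was never signed with the shared secret
    would be accepted as genuine."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return response[4:20] == expected


def authenticate(user: bytes, pin_plus_otp: bytes, nas_secret: bytes) -> str:
    """One full exchange from the concentrator's point of view."""
    req_auth = os.urandom(16)                      # fresh Request Authenticator per request
    request = build_access_request(user, pin_plus_otp, nas_secret, identifier=7,
                                   authenticator=req_auth)
    response = crypto_mas_stub(request)            # in reality: UDP to the RADIUS auth port
    if not response_is_authentic(response, req_auth, nas_secret):
        return "untrusted-response"                # typical symptom of a shared-secret mismatch
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(KNOWN_USER, KNOWN_PIN_PLUS_OTP, SHARED_SECRET))       # accept
    print(authenticate(KNOWN_USER, b"1234" + b"00000000", SHARED_SECRET))   # reject
    print(authenticate(KNOWN_USER, KNOWN_PIN_PLUS_OTP, b"wrong-secret"))    # untrusted-response
```

The third call illustrates what a wrong shared secret on either side looks like: the server cannot recover the PIN + OTP and rejects, and the concentrator cannot validate the Response Authenticator, so the reply must not be trusted at all. That is the failure mode the Test function in Step 2 is there to surface before any user depends on the configuration.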
The CRYPTO-Server distribution includes a plug-in for the Cisco VPN Client software which, when used in conjunction with a CRYPTOCard ST-1 Software, SC-1 Smart Card, or UB-1 USB token, automates the authentication and logon process for users. The CRYPTOCard Cisco VPN plug-in is supported in version 4.9 of the Cisco VPN client on PPC and Intel Macs and 4.8 on Windows.
Prerequisites

The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication:

• Ensure that the end user can authenticate through the concentrator with a static password before configuring the concentrator to use CRYPTOCard authentication.
• An initialized CRYPTOCard token assigned to a valid CRYPTOCard user.

The following CRYPTO-MAS server information is also required:

Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Authentication port number:
CRYPTO-MAS RADIUS Accounting port number (OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:
Cisco VPN 3000 Concentrator Configuration

In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS authentication must be configured on the concentrator and an IPSec group must be created for CRYPTOCard token users. Configuring the Cisco VPN 3000 Concentrator consists of 4 steps:

• Step 1: Add a RADIUS server
• Step 2: Test the authentication server
• Step 3: Create a CRYPTOCard group
• Step 4: Cisco VPN Client Configuration

Step 1: Add a RADIUS Server

1. In the VPN configuration manager, select Configuration|Servers|Authentication.
2. Click Add to add a new authentication server.

Fill in the information for the CRYPTO-MAS RADIUS server obtained from the prerequisites section. Once all the information is entered click Add.

Ensure that the RADIUS server is the first entry in the Authentication Servers list.
Step 2: Test the Authentication Server

1. Once the RADIUS server has been added to the VPN concentrator setup, use the internal test mechanism to ensure the VPN concentrator can authenticate to it using a CRYPTOCard token. From the Authentication Servers menu, select the RADIUS server, and click Test.
2. Enter the User Name of a CRYPTOCard account, and the next Password generated by the token assigned to that user. Click OK.

Step 3: Create a CRYPTOCard Group

In order for CRYPTOCard token users to make VPN connections, a VPN Group must be properly configured.

1. In the VPN configuration manager, select Configuration|User Management|Groups.
2. Click Add Group to add a new group.
3. Enter a Group Name and a static Password. Select Internal group as the Type. This internal group name and password must be used by all CRYPTOCard end-users when they want to connect using the VPN client.
4. Under the IPSec tab, select RADIUS in the Authentication pull-down menu.
5. Click Add to add this group to the VPN concentrator.
6. Ensure this newly created group has an Address Pool of IP addresses that can be assigned to the VPN client connections. Select the Group and click Address Pools. Then click Add and enter the Range Start, Range End, and Subnet Mask. Apply the change.
Step 4: Cisco VPN Client Configuration

You must configure the VPN client software to enable the end user to connect to the IPSec group.

Create a New VPN Connection Entry

From the Cisco VPN Client software, click New to create a new connection entry. Fill in the information for the connection entry, using the group name and password specified in Step 3.

Connect using the Cisco VPN client

Choose the connection entry created and click Connect.

A dialog box will open requesting a Username and Password. Enter the CRYPTOCard Username. Generate a one-time password from the CRYPTOCard token and enter your PIN followed by the one-time password in the Password field. Click OK.

Once the concentrator has verified the username and password with the CRYPTO-Server database, the connection will be established.
Solution Overview

Summary

Product Name                     Cisco VPN Concentrator 3000
Vendor Site                      http://www.cisco.com
Supported VPN Client Software    Windows 2000/XP 4.8, Mac OS X Tiger 4.9
Authentication Method            RADIUS authentication

Supported RADIUS Functionality

RADIUS Authentication Encryption    PAP
                                    MSCHAPv2
Authentication Mode                 One-time password
                                    Challenge-response
                                    Static password
New PIN Mode                        User-changeable Alphanumeric 4-8 digit PIN
                                    User-changeable Numeric 4-8 digit PIN
                                    Server-changeable Alphanumeric 4-8 digit PIN
                                    Server-changeable Numeric 4-8 digit PIN
Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, are either registered trademarks or trademarks of CRYPTOCard Corp.

Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.
Publication History

Date                 Changes
October 25, 2006     First Draft Creation
November 5, 2006     Global Edit
November 29, 2006    Minor revision
