This document describes how to configure a Cisco VPN 3000 Concentrator to support two-factor authentication from WiKID Systems. We will configure the two boxes to communicate using RADIUS.
First, we will configure the Cisco:
- From the Concentrator Manager, select Configuration -> System -> Servers -> Authentication, click Add, and enter: Server Type: RADIUS
- Authentication Server: Hostname or IP address of the WiKID Strong Authentication Server
- For Server Port, enter 1812
- For the Server Secret, enter a shared secret that you will later set on the WiKID server. Use a long, random value: this secret is what authenticates the RADIUS exchange between the two boxes and hides the passcodes in transit.
- Under Configuration -> User, create a group and set its Authentication Type to RADIUS. Give the group a name and a password. Since you are configuring this group on the VPN 3000 itself, set its Type to Internal.
- Web VPN Configuration
- The WebVPN uses the first authentication server listed in the Authentication Server list to authenticate all users. Go to Configuration -> System -> Servers -> Authentication and move the new RADIUS authentication server to the top of the list.
- Change the Login Message displayed to the user by going to Configuration -> Tunnel and Security -> WebVPN -> Home Page. Then enter the Login Message, such as “Please enter your username and WiKID Passcode.”
Now, we'll configure the WiKID server to process the one-time passwords from the Cisco box:
- Log into the WiKID server and click on the Domains Tab
- Click on Create a New Domain
- Enter the information requested. The Domain Server Code is the IP address of the WiKID server with each octet zero-padded to three digits, so the external IP address 188.8.131.52 becomes the 12-digit code 188008131052. Click "Create". (If you already have a domain set up, you can skip this step.)
- Click the Network Clients tab and then "Create a new Network Client".
- Enter the information requested. For the IP Address, use the IP address of your Cisco VPN box. Select RADIUS as the protocol and select the domain you just created. Click "Add" when you're finished.
- On the next page, enter the shared secret you entered on the Cisco server. You do not have to enter any information under "Return Attributes".
- Important: from the WiKID terminal or via SSH, run "stop" and then "start" so that the WiKID RADIUS server loads the new network client and shared secret.
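The Domain Server Code is the step most likely to be mistyped, both when creating the domain and again when users enter it in the token client. The following is an added example, not from the original article or from WiKID, that derives the 12-digit code from an IPv4 address, recovers the address from a code, and checks that a code really points at a given server. The function names are this example's own.

```python
import ipaddress


def wikid_domain_code(ip: str) -> str:
    """12-digit WiKID domain identifier: each octet zero-padded to three digits.

    188.8.131.52 -> 188008131052. Raises ValueError for anything that is not
    a valid dotted-quad IPv4 address (e.g. an octet above 255 or a hostname).
    """
    addr = ipaddress.IPv4Address(ip)
    return "".join(f"{octet:03d}" for octet in addr.packed)


def domain_code_to_ip(code: str) -> str:
    """Inverse: the dotted-quad the token client will contact for this code."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("a WiKID domain code is exactly 12 digits")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    if max(octets) > 255:
        raise ValueError("each 3-digit group must be in the range 000-255")
    return ".".join(map(str, octets))


def domain_code_matches(code: str, ip: str) -> bool:
    """True when the code a user typed resolves to the WiKID server's address."""
    try:
        return domain_code_to_ip(code) == str(ipaddress.IPv4Address(ip))
    except ValueError:
        return False


if __name__ == "__main__":
    # 188.8.131.52 is the address used as the example in the text above.
    print(wikid_domain_code("188.8.131.52"))
    print(domain_code_matches("188008131052", "188.8.131.52"))
```

Note that the code encodes the address the token clients reach, normally the server's external address, not an internal one behind NAT.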
That should be it for setting up the Cisco for two-factor authentication. Now let's test the system by setting up a user manually:
- Start the WiKID token client
- Select "New Domain" and enter the 12-digit domain identifier you set up on the WiKID server
- Enter your desired PIN. You will get a registration code back from the WiKID server.
- Login to the WiKID Admin server again and click on the Users tab, then "Manually Validate a User"
- Click on your registration code (it should be the only one) and enter your desired username; it must be a username the Cisco will accept.
- Your user is now valid. Now start up the browser and try to log in to the WebVPN with a WiKID one-time passcode.
Troubleshooting: if it doesn't work, check the WiKID server logs. When a one-time passcode is requested, you will see "Passcode Request Successful" in the logs. After that you should see "Successful Online Passcode Validation". If you see nothing after "Passcode Request Successful", the one-time passcode validation is not reaching the WiKID server from the Cisco: check that the Network Client IP address matches the address the Cisco sends from, that the shared secrets match on both sides, and be sure you have run "stop"/"start" on the WiKID server. Once you have tested the system, take a look at how to roll out two-factor authentication to all your users based on Active Directory credentials.
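When the log never shows the validation arriving, it helps to take the Cisco out of the picture and send a RADIUS Access-Request to the WiKID server yourself. The following added example is not part of the original article or of WiKID's software: it builds an RFC 2865 Access-Request with the User-Password hiding scheme, sends it to UDP port 1812, and checks the Response Authenticator of the reply, which fails exactly when the two shared secrets differ. The server address, secret, username, passcode and NAS IP in the `__main__` block are placeholders. RADIUS servers identify the client by the packet's source address, so run this from the host you registered as the Network Client, or register the test host as a second client first. A successful test consumes that one-time passcode.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: zero-pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does to recover the passcode; strips the zero padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, passcode, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh per request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_user_password(passcode.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request_authenticator, secret):
    """Return the reply Code if its Response Authenticator checks out, else None.
    None here means the shared secrets differ (or the reply was forged)."""
    if len(response) < 20:
        return None
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return None
    packet = response[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if expected == packet[4:20] else None


def check_wikid_login(server, secret, username, passcode, nas_ip, port=1812, timeout=5.0):
    """Send one Access-Request to the WiKID RADIUS port and describe the outcome."""
    packet, req_auth = build_access_request(os.urandom(1)[0], username, passcode, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (Network Client IP wrong, or RADIUS not restarted?)"
    code = verify_response(reply, req_auth, secret)
    if code is None:
        return "reply failed the authenticator check (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholders: substitute your WiKID server, the secret entered on the Cisco,
    # a validated user, a fresh passcode from the token client, and the Cisco's IP.
    print(check_wikid_login("192.0.2.10", b"changeme", "alice", "123456", "192.0.2.1"))
```

An Access-Reject with a good authenticator means the packet reached WiKID and the secret is right, so the problem is the user or passcode; a timeout means the request is not being accepted from this source address at all.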