:orphan:

***********************************
Cisco IPSEC Client Integration
***********************************

"""""""""""""
Introduction
"""""""""""""

The Cisco IPSEC client allows authentication using the following methods from Swivel:

* SMS Text
* `Mobile Phone Client `_
* `Token `_
* `Taskbar Utility `_

This document outlines how to integrate the PINsafe Turing image, using the PINsafe `Taskbar `_ for Microsoft Windows, with the Cisco IPSEC VPN Client. If only SMS is required, the Taskbar steps below are not needed.

For the Cisco ASA PINsafe integration see `Cisco ASA Integration `_

"""""""""""""""""""
Baseline
"""""""""""""""""""

* PINsafe 3.5
* Cisco IPSEC VPN Client 5.0.02
* PINsafe Taskbar 1.3.01

""""""""""""""
Prerequisites
""""""""""""""

* PINsafe 3.x, 3.5 for RADIUS groups
* Turing image available to user from across internet
* Cisco IPSEC VPN Client
* A Cisco Authentication device using PINsafe as a RADIUS server
* PINsafe Taskbar for Microsoft Windows
* Cisco IPSEC Client
* Cisco documentation

""""""""""""
Architecture
""""""""""""

The user connects to the Checkpoint VPN by using the SecureClient software. The Checkpoint is configured to use a Swivel server for RADIUS authentication. Users are stored and maintained in Swivel.

"""""""""""""""""""""
Swivel Configuration
"""""""""""""""""""""

======================================
Configuring the RADIUS server
======================================

On the Swivel Administration console, configure the RADIUS Server and NAS; see `RADIUS Configuration `_

=======================================
Enabling Session creation with username
=======================================

To allow the TURing image, PINpad and other single channel images, under Server/Single Channel set `Allow session request by username `_ to Yes.

=========================================
Setting up Swivel Dual Channel Transports
=========================================

See `Transport Configuration `_

""""""""""""""""""""""""""""""""""""""""""""
PINsafe Client Configuration
""""""""""""""""""""""""""""""""""""""""""""

**PINsafe Dual Channel Configuration**

No specific client requirements for Dual Channel integration.

**PINsafe Single Channel Configuration**

Follow the installation notes to install the PINsafe Taskbar utility. Ensure that a Single Channel image can be generated. See Taskbar How to Guide.

Note: the integration has only been tested with the Turing Single Channel Image.

""""""""""""""""""""""""""""""""""""""""""""
Cisco VPN Server Configuration
""""""""""""""""""""""""""""""""""""""""""""

Configure the VPN server according to the Cisco Documentation, configuring the Cisco VPN server to use PINsafe as a RADIUS authentication server.

""""""""""""""""""""""""""""""""""""""""""""
Cisco IPSEC Client Configuration
""""""""""""""""""""""""""""""""""""""""""""

**Cisco IPSEC Client with Dual Channel Authentication**

No further configuration is required for the Cisco IPSEC client.

**Cisco IPSEC Client with Single Channel Authentication**

Follow the Cisco installation notes. Then open the VPN Client Options menu and choose Application Launcher. The VPN Client displays a dialog; click on Enable and then enter the PINsafe Taskbar utility path and the required syntax.

Example::

    C:\Program Files\Swivel Secure Ltd\PINsafe Taskbar\PINsafeTaskbar.exe show

Click Apply to activate the application.

Note: The Cisco IPSEC VPN Client may need to be restarted.

**Cisco IPSEC client with OTC and AD password**

The Swivel server can be configured to use AD password and OTC. On the Swivel Administration console under RADIUS/NAS for the Cisco ASA, set Check password with repository to Yes and apply the settings. The password is entered first, followed by the OTC, as passwordOTC. See also `Password How to Guide `_.

""""""""""""""""" Troubleshooting """"""""""""""""" Start the Cisco IPSEC VPN client, and click on connect. A Turing window should appear. A One Time Code can be obtained for authentication. Check the PINsafe logs for Turing images and RADIUS requests. **No RADIUS connections seen** Check ports, Cisco uses 1645/1646 by default, Swivel uses 1812/1813 by default. **Cisco continues to use AD/other password instead of Swivel OTC** Remove the Swivel RADIUS servers, apply the configuration then reenter them. Apply the configuration and then test to ensure RADIUS requests are seen in the Swivel logs. """"""""""""""""""""""" Additional Information """"""""""""""""""""""" For assistance in the PINsafe installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com