
Configure AnyConnect Secure Mobility Client with a one-time password (OTP) for two-factor authentication on ASA


Introduction

This document describes a configuration example for Cisco AnyConnect Secure Mobility Client access to an Adaptive Security Appliance (ASA) that uses two-factor authentication with the help of a One Time Password (OTP). The AnyConnect user must provide the correct credentials and the correct token to connect successfully.

Contributed by Dinesh Modgil, Cisco HTTS Engineer.

Prerequisites

Requirements

This document assumes that the ASA is fully functional and configured to allow the Cisco Adaptive Security Device Manager (ASDM) or the Command Line Interface (CLI) to make configuration changes.

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of ASA’s CLI and ASDM
  • Configuring SSLVPN on Cisco ASA Head End
  • Basic knowledge of two-factor authentication

Components Used

The information in this document is based on the following software and hardware versions:

  • Cisco ASA5506 Adaptive Security Appliance
  • Cisco Adaptive Security Appliance Software Release 9.6(1)
  • Adaptive Security Device Manager version 7.8(2)
  • AnyConnect version 4.5.02033

Note: Download the AnyConnect VPN Client package (anyconnect-win*.pkg) from Cisco Software Download (registered customers only). Copy the AnyConnect VPN client package to the ASA flash memory; the ASA serves it to the remote users' computers so that they can establish an SSL VPN connection with the ASA. See the Install AnyConnect Client section of the ASA Configuration Guide for more information.

The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.

Background Information

Two-factor authentication uses two different authentication methods, which can be any two of the following: "something you know," "something you have," and "something you are."

In general, it consists of something that the user knows (the username and password) and something that the user has (for example, something that only that individual possesses, such as a token or a certificate). This is more secure than traditional authentication designs, in which the user authenticates with credentials stored either in the local ASA database or on an Active Directory (AD) server integrated with the ASA. A one-time password is one of the simplest and most common forms of two-factor authentication used to secure network access. In large organizations, for example, VPN access often requires the use of one-time password tokens for remote user authentication.

In this scenario, the OpenOTP authentication server is used as the AAA server, and the RADIUS protocol is used for communication between the ASA and the AAA server. User credentials are configured on the OpenOTP server, and the Google Authenticator application service is associated with them as the two-factor authentication token.

OpenOTP configuration is not covered here because it is outside the scope of this document. You can check the following links for further reading:

OpenOTP Setup
https://www.rcdevs.com/docs/howtos/onotp_quick_start/onotp_quick_start/

Configure ASA for OpenOTP Authentication
https://www.rcdevs.com/docs/howtos/asa_ssl_vpn/asa/

Packet Flow

This packet capture was taken on the ASA outside interface, which connects to the AAA server at 10.106.50.20.

  1. The AnyConnect user initiates a client connection to the ASA. Depending on the group URL and group alias configured, the connection lands on a specific tunnel group (connection profile). At this point, the user is asked to enter the credentials.
  2. Once the user enters the credentials, the ASA forwards the authentication request (a RADIUS Access-Request packet) to the AAA server.
  3. After the authentication request reaches the AAA server, the server validates the credentials. If they are valid, the AAA server responds with an Access-Challenge, in which the user is asked to enter a one-time password. If the credentials are incorrect, an Access-Reject packet is sent to the ASA instead.
  4. When the user enters the one-time password, the ASA sends the authentication request to the AAA server in the form of a second Access-Request packet.
  5. Once the one-time password has been successfully validated on the AAA server, an Access-Accept packet is sent from the server to the ASA. The user is successfully authenticated, and this completes the two-factor authentication process.
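The decision logic behind steps 2 to 5, as an added illustration that is not part of the original document and is not OpenOTP code: a minimal model of the AAA server side in Python, with a constructed user store and an RFC 6238 TOTP check (the algorithm Google Authenticator implements). RADIUS wire encoding is omitted; what the model shows is how the State attribute carried from the Access-Challenge into the second Access-Request binds the OTP to the password that was already verified, and why that State must be single-use and short-lived.

```python
import base64, hashlib, hmac, secrets, struct, time

# Constructed sample user store: password plus base32 TOTP seed (the format
# Google Authenticator enrolls). A real OpenOTP deployment keeps this in LDAP.
USERS = {"cisco": {"password": "cisco123", "totp_secret": "JBSWY3DPEHPK3PXP"}}
STEP, WINDOW, CHALLENGE_TTL = 30, 1, 60  # TOTP period, +/- steps of skew, seconds


def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code Google Authenticator displays."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpAaaServer:
    """AAA server decision logic for steps 2 to 5 of the packet flow.

    First Access-Request: username + password. Valid -> Access-Challenge with a
    State attribute. Second Access-Request: OTP in User-Password plus the same
    State. Valid -> Access-Accept. Anything else -> Access-Reject."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # State value -> (username, time the challenge was issued)

    def access_request(self, username, password, state=None):
        if state is None:  # step 2: first factor
            user = USERS.get(username)
            if user is None or not hmac.compare_digest(user["password"].encode(),
                                                       password.encode()):
                return "Access-Reject", {}
            token = secrets.token_hex(8)
            self.pending[token] = (username, self.now())
            return "Access-Challenge", {"State": token,
                                        "Reply-Message": "Enter your one-time password"}
        # step 4: second factor. pop() makes each State single-use so a challenge
        # cannot be replayed; the State must belong to this user and not be stale.
        issued = self.pending.pop(state, None)
        if issued is None or issued[0] != username or self.now() - issued[1] > CHALLENGE_TTL:
            return "Access-Reject", {}
        now = self.now()
        valid = {totp(USERS[username]["totp_secret"], now + d * STEP)
                 for d in range(-WINDOW, WINDOW + 1)}
        if password in valid:
            return "Access-Accept", {}  # step 5
        return "Access-Reject", {}
```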

AnyConnect License Information

Here are some links to useful information about Cisco AnyConnect Secure Mobility Client licenses:

Configure

This section describes how to configure the Cisco AnyConnect Secure Mobility Client on an ASA.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information about the commands used in this section.

Network Diagram


ASDM AnyConnect Configuration Wizard

The AnyConnect Configuration Wizard can be used to configure the AnyConnect Secure Mobility Client. Make sure you download the AnyConnect client package to your ASA firewall flash/disk before proceeding.

Complete these steps to configure AnyConnect Secure Mobility Client via the configuration wizard:

To configure split tunneling via ASDM, and to download and install the AnyConnect software, refer to the following document:

Configure ASA CLI

This section provides a CLI configuration for the Cisco AnyConnect Secure Mobility Client for reference purposes.

!-------------------- Client pool configuration --------------------

ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

!

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute

!

!-------------------- Split ACL configuration --------------------

access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

pager lines 24
logging enable
logging timestamp
mtu tftp 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 10.106.56.1 1

!-------------------- AAA server configuration --------------------

aaa-server RADIUS_OTP protocol radius
aaa-server RADIUS_OTP (outside) host 10.106.50.20
 key *****

!------- Trustpoint configuration that holds the ASA identity certificate -------

crypto ca trustpoint ASDM_Trustpoint0
 enrollment self
 subject-name CN=bglanyconnect.cisco.com
 keypair self

!------- Apply the trustpoint on the outside interface -------

ssl trust-point ASDM_Trustpoint0 outside

!------- Enable AnyConnect and configure the AnyConnect image -------

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

!-------------------- Group policy configuration --------------------

group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 dns-server value 10.10.10.99
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value cisco.com

!---------- Tunnel-group (connection profile) configuration ----------

tunnel-group ANYCONNECT_PROFILE type remote-access
tunnel-group ANYCONNECT_PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group RADIUS_OTP
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT_PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

: end

Note: To configure and install a third-party certificate on the ASA for AnyConnect client connections, refer to the following document:

Verify

Use this section to ensure that your configuration is working correctly.

Note: The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool to view an analysis of show command output.

The following show commands can be run to confirm the status and statistics of the AnyConnect client session.

asa(config)# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : cisco                  Index        : 1
Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 15122                  Bytes Rx     : 5897
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT_PROFILE
Login Time   : 14:47:09 UTC Wed Nov 1 2017
Duration     : 1h:04m:52s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000000100059f9de6d
Security Grp : none

asa(config)# show vpn-sessiondb detail anyconnect filter name cisco

Session Type: AnyConnect Detailed

Username     : cisco                  Index        : 1
Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 15122                  Bytes Rx     : 5897
Pkts Tx      : 10                     Pkts Rx      : 90
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT_PROFILE
Login Time   : 14:47:09 UTC Wed Nov 1 2017
Duration     : 1h:04m:55s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000000100059f9de6d
Security Grp : none

AnyConnect-Parent Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 1.1
  Public IP    : 10.106.49.111
  Encryption   : none                   Hashing      : none
  TCP Src Port : 53113                  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 1 Minutes
  Client OS    : win
  Client OS Ver: 6.1.7601 Service Pack 1
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033
  Bytes Tx     : 7561                   Bytes Rx     : 0
  Pkts Tx      : 5                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 1.3
  Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
  Encryption   : AES256                 Hashing      : SHA1
  Ciphersuite  : AES256-SHA
  Encapsulation: DTLSv1.0               UDP Src Port : 63257
  UDP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033
  Bytes Tx     : 0                      Bytes Rx     : 5801
  Pkts Tx      : 0                      Pkts Rx      : 88
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

User Experience

Troubleshoot

This section provides information that you can use to troubleshoot configuration errors.

Note: Refer to Important Information on Debug Commands before you use debug commands.

Caution: On the ASA you can set different debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the debug output can increase. Do this with caution, especially in production environments.

To troubleshoot the complete authentication process of an incoming AnyConnect client connection, you can use these debug commands:

  • debug radius all
  • debug aaa authentication
  • debug webvpn …
