Configure AnyConnect Secure Mobility Client with a one-time password (OTP) for two-factor authentication on ASA
Introduction
This document describes a configuration example for Cisco AnyConnect Secure Mobility Client access to an Adaptive Security Appliance (ASA) that uses two-factor authentication with the help of a One-Time Password (OTP). The AnyConnect user must provide both the correct credentials and the current token value in order to connect successfully.
Contributed by Dinesh Modgil, Cisco HTTS Engineer.
Prerequisites
Requirements
This document assumes that ASA is fully functional and configured to allow Cisco Adaptive Security Device Manager (ASDM) or Command Line Interface (CLI) to make configuration changes.
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of ASA’s CLI and ASDM
- Configuring SSLVPN on Cisco ASA Head End
- Basic knowledge of two-factor authentication
Components Used
The information in this document is based on these software and hardware versions:
Cisco ASA5506 Adaptive Security Appliance
Cisco Adaptive Security Appliance Software Release 9.6(1)
Adaptive Security Device Manager Version 7.8(2)
AnyConnect Version 4.5.02033
The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.
Background Information
Two-factor authentication uses two different authentication methods, which can be any two of these: "something you know", "something you have" and "something you are".
In general, it consists of something the user knows (the username and password) and something the user owns (an item that only that individual possesses, for example a token or a certificate). This is more secure than traditional authentication designs, where the user authenticates with credentials stored either in the local ASA database or on an Active Directory (AD) server integrated with the ASA. A one-time password is one of the simplest and most common forms of two-factor authentication used to secure network access. In large organizations, for example, VPN access often requires the use of one-time password tokens for remote user authentication.
In this scenario, the OpenOTP authentication server is used as the AAA server, and the RADIUS protocol is used for communication between the ASA and the AAA server. User credentials are configured on the OpenOTP server, which is associated with the Google Authenticator application that serves as the two-factor authentication token.
OpenOTP configuration is not covered here because it is outside the scope of this document. You can check these links for further reading:
OpenOTP Setup
https://www.rcdevs.com/docs/howtos/onotp_quick_start/onotp_quick_start/
Configure ASA for OpenOTP Authentication
https://www.rcdevs.com/docs/howtos/asa_ssl_vpn/asa/
Packet Flow
These packet captures were taken on the outside interface of the ASA, which is connected to the AAA server at 10.106.50.20.
- The AnyConnect user initiates a client connection to the ASA and, depending on the group URL and group alias configured, the connection lands on a specific tunnel group (connection profile). At this point the user is asked to enter credentials.
- Once the user enters the credentials, the authentication request (Access-Request packet) is forwarded from the ASA to the AAA server.
- After the authentication request reaches the AAA server, it validates the credentials. If they are correct, the AAA server responds with an Access-Challenge, in which the user is asked to enter a one-time password. If the credentials are incorrect, an Access-Reject packet is sent to the ASA.
- When the user enters the one-time password, the authentication request is sent from the ASA to the AAA server in the form of an Access-Request packet.
- Once the one-time password is successfully validated on the AAA server, an Access-Accept packet is sent from the server to the ASA, the user is successfully authenticated, and this completes the two-factor authentication process.
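The challenge/response exchange described above, as an added Python simulation that is not part of the Cisco document or of OpenOTP: the server checks the static password on the first Access-Request, returns an Access-Challenge with a State attribute, and accepts only when the second Access-Request carries a valid TOTP (the RFC 6238 algorithm used by Google Authenticator). RADIUS encoding and UDP transport are omitted; the user store, TOTP seed and clock are constructed test data.

```python
import base64, hashlib, hmac, secrets, struct, time

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def totp(seed_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as Google Authenticator computes it."""
    key = base64.b32decode(seed_b32)
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class OtpAaaServer:
    """Stand-in for the OTP RADIUS server: password first, then the OTP."""
    def __init__(self, users, clock=time.time):
        self.users = users      # username -> (static password, base32 TOTP seed)
        self.pending = {}       # State attribute -> username awaiting an OTP
        self.clock = clock      # injectable so the exchange is testable offline

    def handle(self, req):
        user, pw, state = req["User-Name"], req["User-Password"], req.get("State")
        if state is None:
            # First round: User-Password carries the static credential
            if user not in self.users or not hmac.compare_digest(pw, self.users[user][0]):
                return {"Code": ACCESS_REJECT}
            state = secrets.token_hex(8)
            self.pending[state] = user
            return {"Code": ACCESS_CHALLENGE, "State": state,
                    "Reply-Message": "Enter your one-time password"}
        # Second round: State ties this request to the first; each State is single-use
        if self.pending.pop(state, None) != user:
            return {"Code": ACCESS_REJECT}
        if hmac.compare_digest(pw, totp(self.users[user][1], self.clock())):
            return {"Code": ACCESS_ACCEPT}
        return {"Code": ACCESS_REJECT}

def asa_login(server, user, password, otp_prompt):
    """ASA side: forward credentials, relay the challenge to the user, forward the OTP."""
    reply = server.handle({"User-Name": user, "User-Password": password})
    if reply["Code"] == ACCESS_CHALLENGE:
        otp = otp_prompt(reply["Reply-Message"])
        reply = server.handle({"User-Name": user, "User-Password": otp, "State": reply["State"]})
    return reply["Code"]
```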
AnyConnect Licensing Information
Here are some links to useful information about Cisco AnyConnect Secure Mobility Client licenses:
Configure
This section describes how to configure the Cisco AnyConnect Secure Mobility Client on an ASA.
Network Diagram
ASDM AnyConnect Configuration Wizard
The AnyConnect Configuration Wizard can be used to configure the AnyConnect Secure Mobility Client. Make sure you download the AnyConnect client package to your ASA firewall flash/disk before proceeding.
Complete these steps to configure AnyConnect Secure Mobility Client via the configuration wizard:
To configure split tunneling via ASDM, and to download and install the AnyConnect software, refer to this document:
Configure ASA CLI
This section provides a CLI configuration for the Cisco AnyConnect Secure Mobility Client for reference purposes.
!-------------------- Client pool configuration --------------------
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
!-------------------- Split ACL configuration --------------------
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
mtu tftp 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 10.106.56.1 1
!-------------------- AAA server configuration --------------------
aaa-server RADIUS_OTP protocol radius
aaa-server RADIUS_OTP (outside) host 10.106.50.20
key *****
!------ Trustpoint configuration containing the ASA identity certificate ------
crypto ca trustpoint ASDM_Trustpoint0
enrollment self
subject-name CN=bglanyconnect.cisco.com
keypair self
!------- Apply the trustpoint on the outside interface -------
ssl trust-point ASDM_Trustpoint0 outside
!------- Enable AnyConnect and configure the AnyConnect image -------
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
!-------------------- Group policy configuration --------------------
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
dns-server value 10.10.10.99
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value cisco.com
!---------- Tunnel-group (connection profile) configuration ----------
tunnel-group ANYCONNECT_PROFILE type remote-access
tunnel-group ANYCONNECT_PROFILE general-attributes
address-pool ANYCONNECT-POOL
authentication-server-group RADIUS_OTP
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT_PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
: end
Note:
To configure and install a third-party certificate on the ASA for AnyConnect client connections, refer to this document:
Verify
Use this section to ensure that your configuration is working correctly.
These show commands can be executed to confirm the status and statistics of the AnyConnect client.
asa(config)# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : cisco                  Index        : 1
Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 15122                  Bytes Rx     : 5897
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT_PROFILE
Login Time   : 14:47:09 UTC Wed Nov 1 2017
Duration     : 1h:04m:52s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000000100059f9de6d
Security Grp : none

asa(config)# show vpn-sessiondb detail anyconnect filter name cisco

Session Type: AnyConnect Detailed

Username     : cisco                  Index        : 1
Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 15122                  Bytes Rx     : 5897
Pkts Tx      : 10                     Pkts Rx      : 90
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT_PROFILE
Login Time   : 14:47:09 UTC Wed Nov 1 2017
Duration     : 1h:04m:55s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 000000000000100059f9de6d
Security Grp : none

AnyConnect-Parent Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 1.1
  Public IP    : 10.106.49.111
  Encryption   : none                   Hashing      : none
  TCP Src Port : 53113                  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 1 Minutes
  Client OS    : win
  Client OS Ver: 6.1.7601 Service Pack 1
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033
  Bytes Tx     : 7561                   Bytes Rx     : 0
  Pkts Tx      : 5                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 1.3
  Assigned IP  : 192.168.100.1          Public IP    : 10.106.49.111
  Encryption   : AES256                 Hashing      : SHA1
  Ciphersuite  : AES256-SHA
  Encapsulation: DTLSv1.0               UDP Src Port : 63257
  UDP Dst Port : 443                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033
  Bytes Tx     : 0                      Bytes Rx     : 5801
  Pkts Tx      : 0                      Pkts Rx      : 88
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
User Experience
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
To troubleshoot the entire authentication process for an incoming AnyConnect client connection, you can use these debugs:
debug radius all
debug aaa authentication
debug webvpn anyconnect 255