Cisco ASA with AnyConnect VPN and Azure MFA Configuration for RADIUS
Published October, 2015
Version 1.0
Azure Multi-Factor Authentication seamlessly integrates with your Cisco® ASA VPN appliance to provide additional security for Cisco AnyConnect® VPN logins and portal access. Multi-factor authentication (MFA) is combined with standard user credentials to increase security for user identity verification.
Azure supports several multi-factor authentication methods for the RADIUS protocol. Each method is a challenge-response mechanism that occurs after primary authentication with standard user credentials.
• Phone call – users receive a phone call with instructions on how to complete login.
• Text message – users receive an SMS message that contains a verification code. Azure supports two options for RADIUS:
  § One-way messaging requires users to enter a sent verification code in a prompt on the login page.
  § Two-way messaging requires users to send the verification code by text message reply.
• Mobile app – users receive a push notification from client software installed on a smart device, like a phone or tablet. The Azure Authenticator app is available for Windows Phone, iOS, and Android.
• OATH token – users have a token that generates a verification code which is then entered in a prompt on the portal login page. Azure supports two options:
  § Third-party OATH tokens can be imported to the system and synced with user accounts. A common example is a hardware token like a key fob.
  § The Azure Authenticator app for smart devices can serve as an OATH token to generate verification codes for Windows Phone, iOS, and Android devices.
This guide will help you to configure Azure Multi-Factor Authentication (MFA) server and Cisco ASA to use the RADIUS protocol for AnyConnect VPN authentication.
Overview
The Azure Multi-Factor Authentication server acts as a RADIUS server. The Cisco ASA appliance acts as a RADIUS client. The RADIUS server works as a proxy to forward requests that use multiple authentication factors to a target directory service. The proxy receives a response from the directory, which it sends to the RADIUS client. Access is granted only when both the user credentials (primary authentication) and the MFA challenge succeed. See the diagram in Figure 1 for reference.
Figure 1: Logical MFA process flow between the SSL VPN server, the MFA server (RADIUS), and Active Directory or LDAP (primary factor). Labels recovered from the diagram: 1 Authentication request; 2 Request; 3 Request (primary factor, to the directory); 4 Response; 5 challenge; 6 MFA challenge; 7 response; 8 response; 9 Response; 10 Authentication response. MFA challenge/response methods shown: phone call, 1-way text message, 2-way text message, push notification, OATH token.
The diagram above represents the logical process flow for MFA. The user experience for MFA is fairly similar to traditional login. See Figure 2 for a description of the workflow.
Figure 2: Login workflow. Primary authentication (user credentials) + secondary authentication (a verification code, shown as 123456 in the figure) = successful authentication. Some MFA options require the code to be entered through the login prompt.
Guide Usage
The information in this guide explains the configuration common to most deployments. It is important to note two things:
• Every organization is different and may require additional or different configuration.
• Some configuration may have other methods to accomplish the same task than those described.
Information is based on the conditions described in the Prerequisites and Components sections. The Conventions section provides usage information and details about the environment used for this guide.
Prerequisites
The following conditions are required to set up Azure MFA:
• An MFA server installed on a system with either:
  § Windows Server 2003 or higher.
  § Windows Vista or higher, that has Users Portal and Web Service SDK services installed.
• A Cisco ASA appliance with Adaptive Security Device Manager (ASDM) access and default AnyConnect client configuration to use for MFA. NOTE: Default configuration can be configured by running the AnyConnect VPN wizard from the ASDM console.
• Cisco AnyConnect client software installed on all clients that connect remotely to the network.
• Familiarity with the following technologies:
  § RADIUS configuration
  § VPN appliance administration
Deployments offering the mobile app authentication option will also require:
• MFA deployed on systems with Windows Vista or higher requires the Mobile App Web service to be installed.
• A user device with the Azure authentication application installed.
Components
The following conditions reflect the assumptions and scope for information described in this guide.
• The Azure MFA server is installed on a domain-joined Windows 2012 R2 server.
• One Azure MFA server will be configured for RADIUS.
• One Cisco ASA appliance is configured.
Conventions
Information is based on the following conditions.
• The guide was written using a Cisco ASA 5506 appliance.
• Documentation will refer to the Cisco ASA appliance as the VPN appliance, or just appliance.
• The Azure Multi-Factor Authentication Server is referred to as the MFA server.
• Active Directory (AD) is the directory service used for authentication.
• Users will be imported from AD.
• A default token method will be configured.
• The OATH token method uses verification codes generated by the Azure Authentication app.
NOTE: While Azure MFA includes the option to use Personal Identification Numbers (PINs) as an additional factor to the supported authentication methods, that configuration is outside the scope of this guide.
Step 1: Configure Multi-Factor Authentication Server
This topic explains how to configure the MFA server and the on-premises resources it requires. First you will log in to the server where MFA is installed. Next you will configure RADIUS Authentication. Then you will connect MFA to the directory service, after which you will configure a default authentication method. Finally you will import accounts to the MFA Users group.
Multi-Factor Authentication Server Console
1. Log in to the server where MFA is installed.
2. Open the Apps screen.
3. Click the Multi-Factor Authentication Server icon.
4. The Multi-Factor Authentication Server window opens.
Now you will configure the necessary services.
RADIUS Authentication
First you will enable RADIUS authentication, and then add the VPN appliance as a client.
1. Click the RADIUS Authentication icon.
2. When the RADIUS Authentication tool opens, select Enable RADIUS authentication.
3. Select the Clients tab if necessary.
NOTE: Keep track of the port numbers noted for authentication, as you will need them for the VPN appliance configuration. Authentication defaults are 1645 or 1812.
4. Click Add to open the Add RADIUS Client dialog box.
5. Complete the following:
a. IP address – enter the VPN appliance address.
b. Application name – enter a descriptive name for the VPN appliance.
c. Shared secret – create a passphrase to secure the RADIUS communication.
NOTE: The shared secret will be configured on both the MFA server and VPN appliance, so keep track of it.
d. Require Multi-Factor Authentication user match – select; only users who are included in the MFA Users list will be granted access. NOTE: This feature provides better control over remote access. If not enabled (unchecked), then only users who are included in the MFA Users list will need to authenticate with MFA. Other domain users will be able to authenticate without MFA.
e. Enable fallback OATH token – select to provide an alternate method of authentication in the event the default method times out.
NOTE: This feature only applies when OATH token is not the method assigned to a user account. When invoked, the user will be prompted to authenticate with a hardware token if one is registered for the user account.
6. Select the Target tab.
7. Select Windows Domain; this will configure the MFA server to use AD for primary authentication.
You have completed configuring RADIUS authentication and adding the VPN server as a RADIUS client. Leave the Multi-Factor Authentication Server window open for the next task.
Directory Integration
Now you will connect to the directory service.
1. In the navigation area, click the Directory Integration icon.
2. When the Directory Integration tool opens, select the Settings tab if necessary.
3. Select Use Active Directory.
You have completed the MFA server directory service setup. Leave the Multi-Factor Authentication Server window open for the next task.
Default Authentication Method
The instructions below explain how to set a default option for the authentication method that will be automatically assigned to MFA user accounts. A default method is required when users are not allowed to change methods. The feature is optional when users are allowed to change their token methods, and may be more convenient if a majority of users need one method.
Configure Company Settings
1. In the navigation area, click the Company Settings icon.
2. When the Company Settings tool opens, select the General tab if necessary.
3. Leave default settings except for the following:
• User defaults – select one of the options below:
  § Phone call – select Standard from the drop menu.
  § Text message – configure one of the following:
    o One-Way and OTP from the drop menus.
    o Two-Way and OTP from the drop menus.
  § Mobile app – select Standard from the drop menu.
  Note: This option will require users to register their devices through the Azure authentication app.
  § OATH token. NOTE: This guide provides information about using the OATH token method through the Azure Authenticator app. While third-party tokens can be imported through the Multi-Factor Authentication OATH Tokens feature, that function is outside the scope of this guide.
This completes the company information setup to designate the default authentication method for RADIUS Authentication. Leave the Multi-Factor Authentication Server window open for the next task.
MFA Users
When the VPN appliance was configured as a RADIUS client, access was restricted to members of the MFA Users group. This provides more control over remote access, and is a security best practice. Now accounts need to be imported from the directory service.
Import User Accounts
These instructions are for on-demand user import.
1. In the navigation area, click the Users icon.
2. When the Users tool opens, click Import from Active Directory.
3. On the import screen, select a user group.
4. Select the user accounts you want to import.
5. Leave the default settings except for the following:
a. Select the Settings tab if necessary.
b. In the Import Phone drop menu, select Mobile.
NOTE: For purposes of this guide we are designating the Mobile attribute for the phone import setting. It is the most common option used for MFA.
6. Click the Import button.
7. Click OK in the import success dialog box.
8. Click the Close button on the import screen to return to the Users pane.
You have completed MFA server configuration.
Step 2: Configure the VPN Appliance
Now that the authentication process has been configured to use multiple factors, you need to configure the VPN appliance to connect to the RADIUS server.
ASDM Console
Configure an authentication server on the VPN appliance that will send RADIUS authentication requests to the Azure MFA server.
First you will configure a server group for the MFA RADIUS server. Next you need a connection profile for AnyConnect to access the RADIUS server. Then you will create a profile to set a custom timeout value to ensure that AnyConnect VPN clients have enough time to log in using MFA.
Create AAA Server Group
1. Log in to the Cisco ASDM console for the VPN appliance.
2. Navigate to Configuration | Remote Access VPN | AAA/Local users | AAA server groups.
3. Click Add to create a new group.
4. The Add a new AAA Server Group dialog opens.
5. Leave the default settings except for the following:
a. AAA Server Group – specify a name to identify the group for the MFA server.
b. Protocol – select RADIUS if necessary.
c. Click OK.
6. In the AAA Server Groups list, select the server group you just created.
7. In the Servers in the Selected Group pane, click Add.
8. The Add AAA Server dialog opens.
9. Leave the default settings except for the following:
a. Interface Name – select the interface that will handle communication with the MFA Server.
b. Server Name or IP Address – specify the name or the IP address of the MFA server.
c. Timeout (seconds) – it is important to set a sufficient length of time for users to authenticate. 60 seconds is a common duration, but may need to be adjusted. For example, large organizations may need more time to accommodate a higher volume of requests.
d. Server Authentication Port – enter the port number used for authentication communication on the MFA Server. Defaults are 1812 or 1645.
e. Server Accounting Port – enter the port number used for RADIUS Accounting. Defaults are 1646 or 1813.
f. Retry Interval – leave default at 10 seconds.
g. Server Secret Key – enter the security passphrase created to encrypt communication between MFA and the Cisco ASA.
h. Common Password – re-enter the passphrase.
i. Click OK.
10. Click APPLY to save the configuration.
Test Configuration
You can test the connection to the MFA server to confirm that the connection is correctly configured.
1. Make sure the RADIUS server you created is still selected.
2. Click the Test button to open the test tool.
3. Select a test option.
4. Enter credentials for an account that is configured for Azure MFA.
5. Click OK and wait for test results to post.
Enable Connection Profile
1. Navigate to Remote Access VPN | Network (Client) Access | AnyConnect Connection Profiles.
2. Leave default settings, except for the following:
a. Enable Cisco AnyConnect VPN Client access on the interfaces selected in table below – confirm checkbox is selected.
b. Select the appropriate SSL interface access option.
c. Connection Profiles – select the AnyConnect VPN profile.
d. Click Edit.
e. The Edit AnyConnect Connection Profile window opens.
f. Navigate to Authentication | Method.
g. Confirm the following:
i. Method – make sure AAA is selected.
ii. AAA Server Group – make sure the group created for the MFA server is selected.
h. Click OK.
i. Click Apply to save the configuration.
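The ASA CLI equivalent of the Create AAA Server Group, Test Configuration and Enable Connection Profile tasks above, as an added example that is not part of this guide. The group name AZURE-MFA, the tunnel-group name ANYCONNECT-PROFILE, the interface name inside, the MFA server address 10.0.0.5, the secret and the test user are assumed placeholders.

```cisco
! Added example (not from the guide): ASA CLI equivalent of the ASDM steps above.
! Placeholders: AZURE-MFA, ANYCONNECT-PROFILE, inside, 10.0.0.5, the secret, mfa-testuser.

! Create AAA Server Group, steps 3-5: a RADIUS server group for the MFA server
aaa-server AZURE-MFA protocol radius

! Steps 7-9: the MFA server as a host in that group, on the interface that reaches it.
! The ports and the secret must match what was entered on the MFA server (Step 1).
aaa-server AZURE-MFA (inside) host 10.0.0.5
 key <shared-secret-created-on-the-MFA-server>
 authentication-port 1812
 accounting-port 1813
 timeout 60
 retry-interval 10
 radius-common-pw <shared-secret-created-on-the-MFA-server>

! Enable Connection Profile, step g: bind the AnyConnect connection profile to the group
tunnel-group ANYCONNECT-PROFILE general-attributes
 authentication-server-group AZURE-MFA

! Test Configuration: this sends a real Access-Request, so the MFA-enrolled test
! account receives its phone call, text message or push notification during the test
test aaa-server authentication AZURE-MFA host 10.0.0.5 username mfa-testuser password <password>
```

The tunnel-group name is whatever the AnyConnect VPN wizard created; `show running-config tunnel-group` lists it. The 60 second timeout on the host entry is the ASA-side counterpart of step 9c: if it is shorter than the time a user needs to answer the challenge, the ASA marks the server failed before the MFA response arrives.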
Configure Timeout
1. Navigate to Remote Access VPN | Network (Client) Access | AnyConnect Client Profile.
2. Click Add.
3. The Add AnyConnect Client Profile dialog opens.
4. Leave the default settings, except for the following:
a. Profile Name – enter a descriptive name for the new VPN profile.
b. Click OK.
5. Select the VPN Profile that was created and click Edit.
6. The AnyConnect Client Profile Editor opens.
7. Leave default settings except for the following:
a. Click Preferences (Part 2).
b. Navigate to Authentication Timeout (seconds).
c. Change the value to 60 seconds. Large organizations may require a longer duration.
d. Click Server List.
e. Click Add.
f. Add the Cisco ASA Host Display Name and the FQDN/IP Address to the profile.
g. Click OK.
h. Click OK to save configuration changes to the VPN profile.
8. Click Apply to save the configuration.
IMPORTANT: The AnyConnect Client Profile you just created must be installed on every device that will use MFA authentication to avoid timeout issues during the login process. One way to accomplish this would be to require clients to connect to the AnyConnect portal and then push the profile automatically.
You have completed VPN appliance setup.
Step 3: Test Authentication
The topics below are provided to help test authentication with the setup you just completed. Login instructions are provided for each of the authentication methods. Device registration instructions are included for deployments that use the mobile app method for the push notification or OATH token options. If you aren't going to use mobile app, then skip straight to the Login section.
Device Registration for Azure Authenticator Users
This step only applies when the mobile app authentication method is used.
The following instructions explain how to activate a user device through the MFA server Users Portal. Please note the following requirements prior to getting started.
Requirements
• A device with the Azure Authenticator mobile application installed. The application can be downloaded from the platform store for the following devices:
  § Windows Phone
  § Android
  § iOS
• The Azure Users Portal address.
• A computer to access the Users Portal.
• User credentials
Activate Device
NOTE: Information provided below is current as of the publication date, but is subject to change without notice.
1. Log in to the Azure user portal from a computer.
2. The setup screen displays.
3. Click Generate Activation Code.
4. Activation code options will display.
5. Open the mobile authentication app on the user device.
6. There are two options:
• Enter the Activation Code and URL displayed on the Users Portal screen on the device activation screen.
• Use the device to scan the barcode displayed on the Users Portal screen.
You have completed device activation.
Login
Now you are ready to test MFA authentication. Please note the requirements listed below before you start.
General Requirements
• The Cisco AnyConnect VPN Client Profile installed on the device that will access the network
• The IP address or hostname for AnyConnect VPN access
• User credentials
Phone Call
Required: A phone with the number listed in the AD user account Mobile phone attribute.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the phone for a call.
NOTE: The call originates in the cloud from the Azure MFA application.
4. The phone call will provide instructions to complete authentication.
Text Message
Required: An SMS-capable phone with the number listed in the AD user account Mobile phone attribute.
One-Way Text Message
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Retrieve the verification code from the text message.
4. Enter the verification code on the response prompt.
Two-Way Text Message
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the phone for a text message with the verification code.
4. Reply to the text message with the same verification code.
Mobile App
Required: A device with the Azure Authenticator app activated.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the device with Azure Authenticator for a prompt.
4. Click Verify.
5. The authentication application will communicate with the MFA server to complete authentication.
OATH Token
Required: A device with the Azure Authenticator app activated.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. On the mobile device, open the Azure Authenticator app.
4. Retrieve a verification code from the app.
5. Enter the verification code on the response prompt.
Successful authentication for the VPN connection is indicated by the client.
This completes the setup and testing for Azure Multi-Factor Authentication using the RADIUS protocol in a Cisco ASA/AnyConnect VPN appliance deployment.