Cisco ASA with AnyConnect VPN and Azure MFA Configuration for RADIUS
Published October, 2015
Version 1.0
Azure Multi-Factor Authentication seamlessly integrates with your Cisco® ASA VPN appliance to provide additional security for Cisco AnyConnect® VPN logins and portal access. Multi-factor authentication (MFA) is combined with standard user credentials to increase security for user identity verification.
Azure supports several multi-factor authentication methods for the RADIUS protocol. Each method is a challenge-response mechanism that occurs after primary authentication with standard user credentials.
• Phone call – users receive a phone call with instructions on how to complete login.
• Text message – users receive an SMS message that contains a verification code. Azure supports two options for RADIUS:
  § One-way messaging requires users to enter a sent verification code in a prompt on the login page.
  § Two-way messaging requires users to send the verification code by text message reply.
• Mobile app – users receive a push notification from client software installed on a smart device, like a phone or tablet. The Azure Authenticator app is available for Windows Phone, iOS, and Android.
• OATH token – users have a token that generates a verification code which is then entered in a prompt on the portal login page. Azure supports two options:
  § Third-party OATH tokens can be imported to the system and synced with user accounts. A common example is a hardware token like a key fob.
  § The Azure Authenticator app for smart devices can serve as an OATH token to generate verification codes for Windows Phone, iOS, and Android devices.
This guide will help you to configure Azure Multi-Factor Authentication (MFA) server and Cisco ASA to use the RADIUS protocol for AnyConnect VPN authentication.
Overview
The Azure Multi-Factor Authentication server acts as a RADIUS server. The Cisco ASA appliance acts as a RADIUS client. The RADIUS server works as a proxy to forward requests that use multiple authentication factors to a target directory service. The proxy receives a response from the directory, which it sends to the RADIUS client. Access is granted only when both the user credentials (primary authentication) and the MFA challenge succeed. See the diagram in Figure 1 for reference.
[Figure 1: logical process flow for MFA. The MFA server sits between the SSL VPN server (RADIUS) and Active Directory or LDAP (primary factor). Numbered arrows: 1 authentication request, 2 request, 3 request (primary factor), 4 response, 5 challenge, 6 MFA challenge, 7 response, 8 response, 9 response, 10 authentication response. MFA challenge/response methods shown: phone call, 1-way text message, 2-way text message, push notification, OATH token.]
Figure 1
The diagram above represents the logical process flow for MFA. The user experience for MFA is fairly similar to traditional login. See Figure 2 for a description of the workflow.
[Figure 2: login workflow. Primary authentication + secondary authentication leads to successful authentication. Some MFA options require the code to be entered through the login prompt.]
Figure 2
Guide Usage
The information in this guide explains the configuration common to most deployments. It is important to note two things:
• Every organization is different and may require additional or different configuration.
• Some configuration may have other methods to accomplish the same task than those described.
Information is based on the conditions described in the Prerequisites and Components sections. The Conventions section provides usage information and details about the environment used for this guide.
Prerequisites
The following conditions are required to set up Azure MFA:
• An MFA server installed on a system with either:
  § Windows Server 2003 or higher.
  § Windows Vista or higher, that has Users Portal and Web Service SDK services installed.
• A Cisco ASA appliance with Adaptive Security Device Manager (ASDM) access and default AnyConnect client configuration to use for MFA. NOTE: Default configuration can be configured by running the AnyConnect VPN wizard from the ASDM console.
• Cisco AnyConnect client software installed on all clients that connect remotely to the network.
• Familiarity with the following technologies:
  § RADIUS configuration
  § VPN appliance administration
Deployments offering the mobile app authentication option will also require:
• MFA deployed on systems with Windows Vista or higher requires the Mobile App Web service to be installed.
• A user device with the Azure authentication application installed.
Components
The following conditions reflect the assumptions and scope for information described in this guide.
• The Azure MFA server is installed on a domain-joined Windows 2012 R2 server.
• One Azure MFA server will be configured for RADIUS.
• One Cisco ASA appliance is configured.
Conventions
Information is based on the following conditions.
• The guide was written using a Cisco ASA 5506 appliance.
• Documentation will refer to the Cisco ASA appliance as the VPN appliance, or just appliance.
• The Azure Multi-Factor Authentication Server is referred to as the MFA server.
• Active Directory (AD) is the directory service used for authentication.
• Users will be imported from AD.
• A default token method will be configured.
• The OATH token method uses verification codes generated by the Azure Authentication app.
NOTE: While Azure MFA includes the option to use Personal Identification Numbers (PINs) as an additional factor to the supported authentication methods, that configuration is outside the scope of this guide.
Step 1: Configure Multi-Factor Authentication Server
This topic explains how to configure the MFA server and the on-premises resources it requires. First you will log in to the server where MFA is installed. Next you will configure RADIUS Authentication. Then you will connect MFA to the directory service, after which you will configure a default authentication method. Finally you will import accounts to the MFA Users group.
Multi-Factor Authentication Server Console
1. Log in to the server where MFA is installed.
2. Open the Apps screen.
3. Click the Multi-Factor Authentication Server icon.
4. The Multi-Factor Authentication Server window opens.
Now you will configure the necessary services.
RADIUS Authentication
First you will enable RADIUS authentication, and then add the VPN appliance as a client.
1. Click the RADIUS Authentication icon.
2. When the RADIUS Authentication tool opens, select Enable RADIUS authentication.
3. Select the Clients tab if necessary.
NOTE: Keep track of the port numbers noted for authentication, as you will need them for the VPN appliance configuration. Authentication defaults are 1645 or 1812.
4. Click Add to open the Add RADIUS Client dialog box.
5. Complete the following:
a. IP address – enter the VPN appliance address.
b. Application name – enter a descriptive name for the VPN appliance.
c. Shared secret – create a passphrase to secure the RADIUS communication.
NOTE: The shared secret will be configured on both the MFA server and VPN appliance, so keep track of it.
d. Require Multi-Factor Authentication user match – select; only users who are included in the MFA Users list will be granted access. NOTE: This feature provides better control over remote access. If not enabled (unchecked), then only users who are included in the MFA Users list will need to authenticate with MFA. Other domain users will be able to authenticate without MFA.
e. Enable fallback OATH token – select to provide an alternate method of authentication in the event the default method times out.
NOTE: This feature only applies when OATH token is not the method assigned to a user account. When invoked, the user will be prompted to authenticate with a hardware token if one is registered for the user account.
6. Select the Target tab.
7. Select Windows Domain; this will configure the MFA server to use AD for primary authentication.
You have completed configuring RADIUS authentication and adding the VPN server as a RADIUS client. Leave the Multi-Factor Authentication Server window open for the next task.
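The exchange the Overview describes, together with the effect of the "Require Multi-Factor Authentication user match" option from step 5d, as an added example that is not part of this guide and not code from Microsoft or Cisco: a Python model of the RADIUS round trips between the ASA (RADIUS client) and the MFA server (RADIUS proxy). The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865, so the role of the shared secret configured on both sides is visible; the MFA server behaviour (MfaRadiusProxy), the directory contents, the MFA Users list and the fixed verification code are constructed for the demo and make no claim about the product's internals.

```python
import hashlib, os, struct
# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden, secret, request_auth):
    # Inverse of hide_password; a wrong shared secret yields garbage rather than an error
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def response_is_authentic(pkt, request_auth, secret):
    # The check the RADIUS client performs before trusting an Accept, Reject or Challenge
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() == pkt[4:20]

class MfaRadiusProxy:
    """Constructed model of the MFA server: primary factor against the directory, then an MFA challenge."""
    def __init__(self, secret, directory, mfa_users, require_user_match, code_source):
        self.secret, self.directory, self.mfa_users = secret, directory, mfa_users
        self.require_user_match, self.code_source = require_user_match, code_source
        self.pending = {}  # State value -> (user, verification code the user must enter)

    def handle(self, pkt):
        _, ident, length = struct.unpack("!BBH", pkt[:4])
        req_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:length]))
        user = attrs[USER_NAME].decode()
        typed = reveal_password(attrs[USER_PASSWORD], self.secret, req_auth)
        def reply(code, reply_attrs=()):
            return build_response(code, ident, req_auth, list(reply_attrs), self.secret)
        if STATE in attrs:  # second round: the password field carries the verification code
            return reply(ACCESS_ACCEPT if self.pending.pop(attrs[STATE], None) == (user, typed) else ACCESS_REJECT)
        if self.directory.get(user) != typed:  # primary authentication failed
            return reply(ACCESS_REJECT)
        if user not in self.mfa_users:  # not in the MFA Users list
            return reply(ACCESS_REJECT if self.require_user_match else ACCESS_ACCEPT)
        state, otp = os.urandom(16), self.code_source()
        self.pending[state] = (user, otp)
        return reply(ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter your verification code")])

def _send(proxy, secret, ident, user, value, extra=()):
    # One Access-Request from the ASA side; returns the reply and the Request Authenticator used
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(value.encode(), secret, req_auth))]
    return proxy.handle(build_request(ident, req_auth, attrs + list(extra))), req_auth

def vpn_login(proxy, secret, user, password, code_entered):
    """Plays the ASA: Access-Request, then answers a Challenge with the code the user typed."""
    resp, req_auth = _send(proxy, secret, 1, user, password)
    if not response_is_authentic(resp, req_auth, secret):
        return "unauthentic"
    if resp[0] == ACCESS_CHALLENGE:  # MFA server asks for the second factor
        state = dict(decode_attrs(resp[20:]))[STATE]
        resp, req_auth = _send(proxy, secret, 2, user, code_entered, [(STATE, state)])
        if not response_is_authentic(resp, req_auth, secret):
            return "unauthentic"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[resp[0]]

def demo():
    secret = b"constructed-shared-secret"                   # entered on both MFA server and ASA
    directory = {"alice": b"Passw0rd!", "bob": b"Hunter2"}  # constructed AD accounts
    strict = MfaRadiusProxy(secret, directory, {"alice"}, True, lambda: b"123456")
    lax = MfaRadiusProxy(secret, directory, {"alice"}, False, lambda: b"123456")
    return {
        "alice_correct_code": vpn_login(strict, secret, "alice", "Passw0rd!", "123456"),
        "alice_wrong_code": vpn_login(strict, secret, "alice", "Passw0rd!", "000000"),
        "bob_not_in_mfa_users": vpn_login(strict, secret, "bob", "Hunter2", "123456"),
        "bob_without_user_match": vpn_login(lax, secret, "bob", "Hunter2", "123456"),
        "wrong_secret_on_asa": vpn_login(strict, b"typo-secret", "alice", "Passw0rd!", "123456"),
    }
```

Calling demo() runs five logins: the enrolled user with the right code is accepted, the same user with a wrong code is rejected, a directory user who is not in the MFA Users list is rejected when user match is required and accepted without any MFA challenge when it is not, and a mismatched shared secret on the ASA side makes every reply fail the Response Authenticator check, which is the symptom to look for when the Test button in Step 2 reports a failure against an otherwise reachable MFA server.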
Directory Integration
Now you will connect to the directory service.
1. In the navigation area, click the Directory Integration icon.
2. When the Directory Integration tool opens, select the Settings tab if necessary.
3. Select Use Active Directory.
You have completed the MFA server directory service setup. Leave the Multi-Factor Authentication Server window open for the next task.
Default Authentication Method
The instructions below explain how to set a default option for the authentication method that will be automatically assigned to MFA user accounts. A default method is required when users are not allowed to change methods. The feature is optional when users are allowed to change their token methods, and may be more convenient if a majority of users need one method.
Configure Company Settings
1. In the navigation area, click the Company Settings icon.
2. When the Company Settings tool opens, select the General tab if necessary.
3. Leave default settings except for the following:
• User defaults – select one of the options below:
  § Phone call – select Standard from the drop menu.
  § Text message – configure one of the following:
    o One-Way and OTP from the drop menus.
    o Two-Way and OTP from the drop menus.
  § Mobile app – select Standard from the drop menu.
  Note: This option will require users to register their devices through the Azure authentication app.
  § OATH token. NOTE: This guide provides information about using the OATH token method through the Azure Authenticator app. While third-party tokens can be imported through the Multi-Factor Authentication OATH Tokens feature, that function is outside the scope of this guide.
This completes the company information setup to designate the default authentication method for RADIUS Authentication. Leave the Multi-Factor Authentication Server window open for the next task.
MFA Users
When the VPN appliance was configured as a RADIUS client, access was restricted to members of the MFA Users group. This provides more control over remote access, and is a security best practice. Now accounts need to be imported from the directory service.
Import User Accounts
These instructions are for on-demand user import.
1. In the navigation area, click the Users icon.
2. When the Users tool opens, click Import from Active Directory.
3. On the import screen, select a user group.
4. Select the user accounts you want to import.
5. Leave the default settings except for the following:
a. Select the Settings tab if necessary.
b. In the Import Phone drop menu, select Mobile.
NOTE: For purposes of this guide we are designating the Mobile attribute for the phone import setting. It is the most common option used for MFA.
6. Click the Import button.
7. Click OK in the import success dialog box.
8. Click the Close button on the import screen to return to the Users pane.
You have completed MFA server configuration.
Step 2: Configure the VPN Appliance
Now that the authentication process has been configured to use multiple factors, you need to configure the VPN appliance to connect to the RADIUS server.
ASDM Console
Configure an authentication server on the VPN appliance that will send RADIUS authentication requests to the Azure MFA server.
First you will configure a server group for the MFA RADIUS server. Next you need a connection profile for AnyConnect to access the RADIUS server. Then you will create a profile to set a custom timeout value to ensure that AnyConnect VPN clients have enough time to log in using MFA.
Create AAA Server Group
1. Log in to the Cisco ASDM console for the VPN appliance.
2. Navigate to Configuration | Remote Access VPN | AAA/Local users | AAA server groups.
3. Click Add to create a new group.
4. The Add a new AAA Server Group dialog opens.
5. Leave the default settings except for the following:
a. AAA Server Group – specify a name to identify the group for the MFA server.
b. Protocol – select RADIUS if necessary.
c. Click OK.
6. In the AAA Server Groups list, select the server group you just created.
7. In the Servers in the Selected Group pane, click Add.
8. The Add AAA Server dialog opens.
9. Leave the default settings except for the following:
a. Interface Name – select the interface that will handle communication with the MFA Server.
b. Server Name or IP Address – specify the name or the IP address of the MFA server.
c. Timeout (seconds) – it is important to set a sufficient length of time for users to authenticate. 60 seconds is a common duration, but may need to be adjusted. For example, large organizations may need more time to accommodate a higher volume of requests.
d. Server Authentication Port – enter the port number used for authentication communication on the MFA Server. Defaults are 1812 or 1645.
e. Server Accounting Port – enter the port number used for RADIUS Accounting. Defaults are 1646 or 1813.
f. Retry Interval – leave default at 10 seconds.
g. Server Secret Key – enter the security passphrase created to encrypt communication between MFA and the Cisco ASA.
h. Common Password – re-enter the passphrase.
i. Click OK.
10. Click APPLY to save the configuration.
Test Configuration
You can test the connection to the MFA server to confirm that the connection is correctly configured.
1. Make sure the RADIUS server you created is still selected.
2. Click the Test button to open the test tool.
3. Select a test option.
4. Enter credentials for an account that is configured for Azure MFA.
5. Click OK and wait for test results to post.
Enable Connection Profile
1. Navigate to Remote Access VPN | Network (Client) Access | AnyConnect Connection Profiles.
2. Leave default settings, except for the following:
a. Enable Cisco AnyConnect VPN Client access on the interfaces selected in table below – confirm the checkbox is selected.
b. Select the appropriate SSL interface access option.
c. Connection Profiles – select the AnyConnect VPN profile.
d. Click Edit.
e. The Edit AnyConnect Connection Profile window opens.
f. Navigate to Authentication | Method.
g. Confirm the following:
i. Method – make sure AAA is selected.
ii. AAA Server Group – make sure the group created for the MFA server is selected.
h. Click OK.
i. Click Apply to save the configuration.
Configure Timeout
1. Navigate to Remote Access VPN | Network (Client) Access | AnyConnect Client Profile.
2. Click Add.
3. The Add AnyConnect Client Profile dialog opens.
4. Leave the default settings, except for the following:
a. Profile Name – enter a descriptive name for the new VPN profile.
b. Click OK.
5. Select the VPN Profile that was created and click Edit.
6. The AnyConnect Client Profile Editor opens.
7. Leave default settings except for the following:
a. Click Preferences (Part 2).
b. Navigate to Authentication Timeout (seconds).
c. Change the value to 60 seconds. Large organizations may require a longer duration.
d. Click Server List.
e. Click Add.
f. Add the Cisco ASA Host Display Name and the FQDN/IP Address to the profile.
g. Click OK.
h. Click OK to save configuration changes to the VPN profile.
8. Click Apply to save the configuration.
IMPORTANT: The AnyConnect Client Profile you just created must be installed on every device that will use MFA authentication to avoid timeout issues during the login process. One way to accomplish this would be to require clients to connect to the AnyConnect portal and then push the profile automatically.
You have completed VPN appliance setup.
Step 3: Test Authentication
The topics below are provided to help test authentication with the setup you just completed. Login instructions are provided for each of the authentication methods. Device registration instructions are included for deployments that use the mobile app method for the push notification or OATH token options. If you aren't going to use mobile app, then skip straight to the Login section.
Device Registration for Azure Authenticator Users
This step only applies when the mobile app authentication method is used.
The following instructions explain how to activate a user device through the MFA server Users Portal. Please note the following requirements prior to getting started.
Requirements
• A device with the Azure Authenticator mobile application installed. The application can be downloaded from the platform store for the following devices:
  § Windows Phone
  § Android
  § iOS
• The Azure Users Portal address.
• A computer to access the Users Portal.
• User credentials
Activate Device
NOTE: Information provided below is current as of the publication date, but is subject to change without notice.
1. Log in to the Azure user portal from a computer.
2. The setup screen displays.
3. Click Generate Activation Code.
4. Activation code options will display.
5. Open the mobile authentication app on the user device.
6. There are two options:
• Enter the Activation Code and URL displayed on the Users Portal screen on the device activation screen.
• Use the device to scan the barcode displayed on the Users Portal screen.
You have completed device activation.
Login
Now you are ready to test MFA authentication. Please note the requirements listed below before you start.
General Requirements
• The Cisco AnyConnect VPN Client Profile installed on the device that will access the network
• The IP address or hostname for AnyConnect VPN access
• User credentials
Phone Call
Required: A phone with the number listed in the AD user account Mobile phone attribute.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the phone for a call.
NOTE: The call originates in the cloud from the Azure MFA application.
4. The phone call will provide instructions to complete authentication.
Text Message
Required: An SMS-capable phone with the number listed in the AD user account Mobile phone attribute.
One-Way Text Message
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Retrieve the verification code from the text message.
4. Enter the verification code on the response prompt.
Two-Way Text Message
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the phone for a text message with the verification code.
4. Reply to the text message with the same verification code.
Mobile App
Required: A device with the Azure Authenticator app activated.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. Check the device with Azure Authenticator for a prompt.
4. Click Verify.
5. The authentication application will communicate with the MFA server to complete authentication.
OATH Token
Required: A device with the Azure Authenticator app activated.
1. On a computer, launch the AnyConnect client and connect to the network.
2. Enter user credentials.
3. On the mobile device, open the Azure Authenticator app.
4. Retrieve a verification code from the app.
5. Enter the verification code on the response prompt.
Successful authentication for the VPN connection is indicated by the client.
This completes the setup and testing for Azure Multi-Factor Authentication using the RADIUS protocol in a Cisco ASA/AnyConnect VPN appliance deployment.