Cisco ASA and AnyConnect: Something you have and something you know

If you love multi-factor authentication like I do–ok, I don’t love it, we don’t know each other well enough for me to call it love just yet…it’s still a new relationship, ok? Don’t pressure me!

Multi-factor authentication is not a Security silver bullet. It’s just a way to add another layer to the “security onion”, making an authentication breach a little more difficult for attackers and making that vector a little less desirable. If you read about the RSA SecurID breach not so long ago, you know that even the most respected vendors can take a tumble.

So, this article is not about who has the best product or how to make your network impenetrable–it’s about providing another layer to your remote access security, using Cisco ASA and AnyConnect, along with a Microsoft CA server you may already have running in your environment. And as usual, I’ll focus on the Cisco configuration, rather than the Microsoft server config, since I don’t manage that device.

If you followed the Wikipedia link above about multi-factor authentication, you saw that there are basically three factors available for authentication: something you know (like a password), something you have (like a certificate or token), and something you are (like a biometric scan to determine that you’re you). With standard VPN authentication, we tend to only choose one of those items–passwords. Unfortunately, people-being-who-we-are tend to choose weak passwords that are easy for us to remember and that are, therefore, easy to guess or find. Taking the ease out of password cracking/guessing is what RSA or other authentication tokens were made for: forcing some authentication complexity on the end user who’s not necessarily concerned about security, in a way that’s easy for them to repeat. The problem with these sorts of tokens is that they can be very expensive to deploy.

Cisco has made it pretty easy to deploy two-factor authentication in two different modes: on-box and off-box. In the on-box mode, the ASA is a certificate authority and manages the certificates used for two-factor authentication itself. There’s no additional cost to this method, but it just doesn’t scale well. The off-box method is what I’ll describe here, but as I alluded to earlier, we won’t be using RSA tokens, we’ll use PKI, implemented with a Microsoft CA server infrastructure.

Please keep in mind there are definitely best practices for creating a PKI infrastructure of your own and it’s something you should be very diligent about. A compromised CA will affect a lot more than your remote access.

Assumptions:

  • You have a working Microsoft CA/PKI infrastructure set up and secured.
  • You have a working Cisco ASA, ready to be configured for remote access using AnyConnect clients.

Steps:

  1. Import Microsoft CA root certificate into ASA and get ASA and CA communicating directly

    ! create new trustpoint for the Microsoft CA root certificate
    !
    crypto ca trustpoint tp_windows_pki_mod_2048_ca_root
     enrollment terminal
    crypto ca authenticate tp_windows_pki_mod_2048_ca_root
    ! < paste tp_windows_pki_mod_2048_ca_root.pem >

    ! generate a new RSA keypair with mod 2048 for exchange with the Microsoft CA
    crypto key generate rsa label kp_windows_pki_mod_2048 2048

    ! create the trustpoint for automatic enrollment and revocation
    crypto ca trustpoint tp_windows_pki_mod_2048_ca_subordinate
     enrollment url http://<server-name>/certsrv/mscep/mscep.dll
     subject-name CN=<fqdn.of.asa>,OU=<your ou here>,O=<your org here>,C=<your country here>,St=<your state here>,L=<your city here>
     keypair kp_windows_pki_mod_2048
     ! note: 'crl configure' only opens the CRL settings; revocation checking
     ! itself is turned on with 'revocation-check crl' under the trustpoint
     crl configure
    crypto ca authenticate tp_windows_pki_mod_2048_ca_subordinate
    !
    ! trustpoint is authenticated automatically

    ! retrieve enrollment challenge password from CA:
    ! http://<server-name>/certsrv/mscep_admin

    crypto ca enroll tp_windows_pki_mod_2048_ca_subordinate
    !
    ! enter challenge password

  2. Configure ASA for web VPN and specify AnyConnect client images

    ! copy the anyconnect client(s) to the ASA
    ! REPEAT for STANDBY ASA
    copy tftp://<your tftp server>/anyconnect-win-3.1.01065-k9.pkg flash
    copy tftp://<your tftp server>/anyconnect-macosx-i386-3.1.01065-k9.pkg flash
    copy tftp://<your tftp server>/anyconnect-linux-64-3.1.01065-k9.pkg flash

    ! enable webvpn
    webvpn
     ! specify valid AnyConnect packages and assign priority based on likelihood of use
     svc image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 2
     svc image disk0:/anyconnect-linux-64-3.1.01065-k9.pkg 3
     ! assign to an interface
     enable outside
     ! enable AnyConnect client connections
     svc enable

    ! permit interface ACL bypass for IPSec and SSL clients globally
    sysopt connection permit-vpn

  3. Configure LDAP authentication server

    ! create an LDAP attribute map to reference later
    ldap attribute-map lam_attribute_map

    ! create aaa-server group for password authentication
    aaa-server user_auth_ldap protocol ldap
    aaa-server user_auth_ldap (inside) host <your ldap server>
     server-port 389
     ldap-base-dn dc=<your ldap base>, dc=com
     ldap-scope subtree
     ldap-login-password <asa ldap user password>
     ldap-login-dn cn=<asa ldap user name>, ou=<asa ldap user ou>, dc=<asa ldap user base>, dc=com
     server-type microsoft
     ldap-attribute-map lam_attribute_map

  4. Configure ASA tunnel-group and group-policy

    ! create an ACL for split-tunnel-policy
    access-list acl_tunneled_networks extended permit ip 10.0.0.0 255.0.0.0 any

    ! create a local IP pool for clients
    ip local pool ip_pool_anyconnect 10.1.1.1-10.1.1.255

    ! create a tunnel group and URL alias
    tunnel-group tg_anyconnect_client type remote-access
    tunnel-group tg_anyconnect_client general-attributes
     authentication-server-group user_auth_ldap
     ! change default group-policy to "no access"
     ! gp_no_access is not defined in this article; it must already exist on the
     ! ASA (for example, a group-policy with vpn-simultaneous-logins 0)
     default-group-policy gp_no_access

    tunnel-group tg_anyconnect_client webvpn-attributes
     ! test authentication using ldap servers only
     authentication aaa
     group-url https://<external fqdn of your asa>/anyconnect-client enable

    ! create a certificate map that matches the client certificate's subject
    ! so it can be mapped to a specific tunnel-group:
    ! 'tg_anyconnect_client' --> 10
    crypto ca certificate map cm_certificate_map 10
     subject-name co <portion of the subject name from your Microsoft CA client certs>

    ! create a tunnel-group-map to map the certificate map to a specific tunnel-group
    tunnel-group-map enable rules
    tunnel-group-map cm_certificate_map 10 tg_anyconnect_client

    ! create group policy for anyconnect clients
    group-policy gp_anyconnect_client internal
    group-policy gp_anyconnect_client attributes
     dns-server value <your dns server 1> <your dns server 2>
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol svc webvpn
     split-tunnel-policy tunnelspecified
     ! acl_tunneled_networks is an ACL for the networks you WANT to tunnel
     split-tunnel-network-list value acl_tunneled_networks
     default-domain value <your domain>
     address-pools value ip_pool_anyconnect

    ! ldap attribute map to bind users/groups to specific group-policies
    ! existing attribute map
    ldap attribute-map lam_attribute_map
     ! 'memberOf' ldap property will be handled like a radius class
     map-name memberOf IETF-Radius-Class
     ! assign the users or groups to existing group-policies
     ! need AD group created, 'anyconnect_vpn_users'
     map-value memberOf "CN=anyconnect_vpn_users,OU=<your ou here>,DC=<your dc here>,DC=<your dc here>" gp_anyconnect_client

  5. Install AnyConnect client, then intermediate and client certificates on AnyConnect client device–usually, just double-click them to import
  6. Test LDAP-only authentication with AnyConnect client
  7. Test certificate-only authentication with AnyConnect client

    ! change tunnel-group to use certificate only
    !
    tunnel-group tg_anyconnect_client webvpn-attributes
     authentication certificate

  8. Test certificate-and-LDAP authentication with AnyConnect client

    ! change tunnel-group to use both
    !
    tunnel-group tg_anyconnect_client webvpn-attributes
     authentication certificate aaa
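
An added example, not part of the original post: a small Python audit for the end state of the steps above. It parses ASA configuration text and flags remote-access tunnel-groups whose `authentication` line is still in one of the single-factor test states, plus LDAP `aaa-server` hosts without `ldap-over-ssl enable`. The sample config, the `tg_leftover_test` group and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample: shaped like the configuration above, plus a hypothetical
# second tunnel-group (tg_leftover_test) left in the LDAP-only test state.
SAMPLE_CONFIG = """\
aaa-server user_auth_ldap protocol ldap
aaa-server user_auth_ldap (inside) host 192.0.2.10
 server-port 389
 server-type microsoft
tunnel-group tg_anyconnect_client type remote-access
tunnel-group tg_anyconnect_client webvpn-attributes
 authentication certificate aaa
tunnel-group tg_leftover_test type remote-access
tunnel-group tg_leftover_test webvpn-attributes
 authentication aaa
"""

def parse_blocks(config):
    """Return [(header, [sub-commands])]; ASA indents sub-commands by one space."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comments
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Flag tunnel-groups not requiring both factors and cleartext LDAP hosts."""
    findings, methods, groups, ldap_groups = [], {}, [], set()
    for header, subs in parse_blocks(config):
        if m := re.fullmatch(r"tunnel-group (\S+) type remote-access", header):
            groups.append(m.group(1))
        elif m := re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", header):
            for s in subs:
                if s.startswith("authentication "):
                    methods[m.group(1)] = set(s.split()[1:])
        elif m := re.fullmatch(r"aaa-server (\S+) protocol ldap", header):
            ldap_groups.add(m.group(1))
        elif m := re.fullmatch(r"aaa-server (\S+) \(\S+\) host \S+", header):
            if m.group(1) in ldap_groups and "ldap-over-ssl enable" not in subs:
                findings.append(f"{m.group(1)}: LDAP to {header.split()[-1]} is not over SSL")
    for name in groups:
        got = methods.get(name, {"aaa"})  # no 'authentication' line: ASA default is aaa
        if got != {"certificate", "aaa"}:
            findings.append(f"{name}: single factor ({' '.join(sorted(got))})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Feed it the text of `show running-config` saved to a file; an empty result means every remote-access tunnel-group requires both the certificate and the LDAP password.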

On my Mac, I now get prompted to approve the use of the client certificate stored in my keychain whenever I try to connect to our ASA. Of course, I can choose to make the selection permanently, but I’d rather continue to see that two-factor authentication is required for this group-policy.