If you love multi-factor authentication like I do–ok, I don’t love it, we don’t know each other well enough for me to call it love just yet…it’s still a new relationship, ok? Don’t pressure me!
Multi-factor authentication is not a security silver bullet. It’s just a way to add another layer to the “security onion”, making an authentication breach a little more difficult for attackers and making that vector a little less desirable. If you read about the RSA SecurID breach not so long ago, you know that even the most respected vendors can take a tumble.
So, this article is not about who has the best product or how to make your network impenetrable–it’s about providing another layer to your remote access security, using Cisco ASA and AnyConnect, along with a Microsoft CA server you may already have running in your environment. And as usual, I’ll focus on the Cisco configuration, rather than the Microsoft server config, since I don’t manage that device.
If you followed the Wikipedia link above about multi-factor authentication, you saw that there are basically three factors available for authentication: something you know (like a password), something you have (like a certificate or token), and something you are (like a biometric scan to determine that you’re you). With standard VPN authentication, we tend to choose only one of those items–passwords. Unfortunately, people being who we are, we tend to choose weak passwords that are easy for us to remember and that are, therefore, easy to guess or find. Taking the ease out of password cracking and guessing is what RSA and other authentication tokens were made for: forcing some authentication complexity on the end user who’s not necessarily concerned about security, in a way that’s easy for them to repeat. The problem with these sorts of tokens is that they can be very expensive to deploy.
Cisco has made it pretty easy to deploy two-factor authentication in two different modes: on-box and off-box. In the on-box mode, the ASA is a certificate authority and manages the certificates used for two-factor authentication itself. There’s no additional cost to this method, but it just doesn’t scale well. The off-box method is what I’ll describe here, but as I alluded to earlier, we won’t be using RSA tokens; we’ll use PKI, implemented with a Microsoft CA server infrastructure.
Please keep in mind that there are definitely best practices for building a PKI of your own, and it’s something you should be very diligent about. A compromised CA will affect a lot more than your remote access.
- You have a working Microsoft CA/PKI infrastructure set up and secured.
- You have a working Cisco ASA, ready to be configured for remote access using AnyConnect clients.
- Import Microsoft CA root certificate into ASA and get ASA and CA communicating directly
- Configure ASA for web VPN and specify AnyConnect client images
- Configure LDAP authentication server
- Configure ASA tunnel-group and group-policy
- Install AnyConnect client, then intermediate and client certificates on AnyConnect client device–usually, just double-click them to import
- Test LDAP-only authentication with AnyConnect client
- Test certificate-only authentication with AnyConnect client
- Test certificate-and-LDAP authentication with AnyConnect client
```
! create new trustpoint for the Microsoft CA root certificate
!
crypto ca trustpoint tp_windows_pki_mod_2048_ca_root
 enrollment terminal
crypto ca authenticate tp_windows_pki_mod_2048_ca_root
! < paste tp_windows_pki_mod_2048_ca_root.pem >
!
! generate a new RSA keypair with mod 2048 for exchange with the Microsoft CA
crypto key generate rsa label kp_windows_pki_mod_2048 modulus 2048
!
! create the trustpoint for automatic enrollment and revocation
crypto ca trustpoint tp_windows_pki_mod_2048_ca_subordinate
 enrollment url http://<server-name>/certsrv/mscep/mscep.dll
 subject-name CN=<fqdn.of.asa>,OU=<your ou here>,O=<your org here>,C=<your country here>,St=<your state here>,L=<your city here>
 keypair kp_windows_pki_mod_2048
 crl configure
 ! 'crl configure' only sets CRL retrieval options; the ASA defaults to
 ! 'revocation-check none', so this line is what makes it reject revoked client certs
 revocation-check crl
crypto ca authenticate tp_windows_pki_mod_2048_ca_subordinate
!
! trustpoint is authenticated automatically
! retrieve enrollment challenge password from CA:
! http://<server-name>/certsrv/mscep_admin
crypto ca enroll tp_windows_pki_mod_2048_ca_subordinate
!
! enter challenge password
```
```
! copy the anyconnect client(s) to the ASA
! REPEAT for STANDBY ASA
copy tftp://<your tftp server>/anyconnect-win-3.1.01065-k9.pkg flash
copy tftp://<your tftp server>/anyconnect-macosx-i386-3.1.01065-k9.pkg flash
copy tftp://<your tftp server>/anyconnect-linux-64-3.1.01065-k9.pkg flash
!
! enable webvpn
webvpn
 ! specify valid AnyConnect packages and assign priority based on likelihood of use
 svc image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 2
 svc image disk0:/anyconnect-linux-64-3.1.01065-k9.pkg 3
 ! assign to an interface
 enable outside
 ! enable AnyConnect client connections
 svc enable
!
! permit interface ACL bypass for IPSec and SSL clients globally
sysopt connection permit-vpn
```
```
! create an LDAP attribute map to reference later
ldap attribute-map lam_attribute_map
!
! create aaa-server group for password authentication
aaa-server user_auth_ldap protocol ldap
aaa-server user_auth_ldap (inside) host <your ldap server>
 ! port 389 is plain LDAP: the ASA bind password and every user's password
 ! cross the inside network in cleartext. 'ldap-over-ssl enable' with
 ! 'server-port 636' protects them if the domain controller offers LDAPS.
 server-port 389
 ldap-base-dn dc=<your ldap base>,dc=com
 ldap-scope subtree
 ldap-login-password <asa ldap user password>
 ldap-login-dn cn=<asa ldap user name>,ou=<asa ldap user ou>,dc=<asa ldap user base>,dc=com
 server-type microsoft
 ldap-attribute-map lam_attribute_map
```
```
! create an ACL for split-tunnel-policy
access-list acl_tunneled_networks extended permit ip 10.0.0.0 255.0.0.0 any
!
! create a local IP pool for clients
ip local pool ip_pool_anyconnect 10.1.1.1-10.1.1.255
!
! "no access" group-policy used as the tunnel-group default below; the ASA
! rejects 'default-group-policy' for a policy that does not exist yet, so it
! is defined here (this definition was not in the original post)
group-policy gp_no_access internal
group-policy gp_no_access attributes
 vpn-simultaneous-logins 0
!
! create a tunnel group and URL alias
tunnel-group tg_anyconnect_client type remote-access
tunnel-group tg_anyconnect_client general-attributes
 authentication-server-group user_auth_ldap
 ! change default group-policy to "no access"
 default-group-policy gp_no_access
tunnel-group tg_anyconnect_client webvpn-attributes
 ! test authentication using ldap servers only
 authentication aaa
 group-url https://<external fqdn of your asa>/anyconnect-client enable
!
! create a certificate map to map the client's certificate to a specific
! tunnel-group: 'tg_anyconnect_client' --> rule 10 ('co' = subject contains)
crypto ca certificate map cm_certificate_map 10
 subject-name co <portion of the subject name from your Microsoft CA client certs>
!
! create a tunnel-group-map to map the certificate map to a specific tunnel-group
tunnel-group-map enable rules
tunnel-group-map cm_certificate_map 10 tg_anyconnect_client
!
! create group policy for anyconnect clients
group-policy gp_anyconnect_client internal
group-policy gp_anyconnect_client attributes
 dns-server value <your dns server 1> <your dns server 2>
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 ! acl_tunneled_networks is an ACL for the networks you WANT to tunnel
 split-tunnel-network-list value acl_tunneled_networks
 default-domain value <your domain>
 address-pools value ip_pool_anyconnect
!
! ldap attribute map to bind users/groups to specific group-policies
! existing attribute map
ldap attribute-map lam_attribute_map
 ! 'memberOf' ldap property will be handled like a radius class
 map-name memberOf IETF-Radius-Class
 ! assign the users or groups to existing group-policies
 ! need AD group created, 'anyconnect_vpn_users'
 map-value memberOf "CN=anyconnect_vpn_users,OU=<your ou here>,DC=<your dc here>,DC=<your dc here>" gp_anyconnect_client
```
```
! change tunnel-group to use certificate only
!
tunnel-group tg_anyconnect_client webvpn-attributes
 authentication certificate
```
```
! change tunnel-group to use both
!
tunnel-group tg_anyconnect_client webvpn-attributes
 authentication certificate aaa
```
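Before cutting over to the final step, it is worth checking a running config for the settings this whole procedure depends on. The following Python audit script is an added example, not from the original post: it parses ASA-style indented config and flags a trustpoint without `revocation-check crl`, an LDAP server without `ldap-over-ssl enable`, a tunnel-group without a `default-group-policy`, and a `webvpn-attributes` block still on single-factor `authentication aaa`. The `SAMPLE_CONFIG` string is constructed for the example using the article's object names with made-up hosts.

```python
"""Audit a Cisco ASA AnyConnect/LDAP snippet for the hardening points this write-up relies on.
Added example, not part of the original post; SAMPLE_CONFIG below is constructed."""

# Constructed sample: the article's object names, still at the LDAP-only test stage.
SAMPLE_CONFIG = """\
crypto ca trustpoint tp_windows_pki_mod_2048_ca_subordinate
 enrollment url http://ca.example.test/certsrv/mscep/mscep.dll
 crl configure
aaa-server user_auth_ldap protocol ldap
aaa-server user_auth_ldap (inside) host 10.0.0.5
 server-port 389
 ldap-login-dn cn=asa_bind,ou=service,dc=example,dc=test
tunnel-group tg_anyconnect_client general-attributes
 authentication-server-group user_auth_ldap
tunnel-group tg_anyconnect_client webvpn-attributes
 authentication aaa
"""


def parse_blocks(config):
    """Map each top-level command to the list of indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comments
        if line[0] == " " and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    for cmd, subs in parse_blocks(config).items():
        if cmd.startswith("crypto ca trustpoint") and "revocation-check crl" not in subs:
            findings.append(f"{cmd}: missing 'revocation-check crl', revoked client certs still pass")
        if cmd.startswith("aaa-server") and " host " in cmd and "ldap-over-ssl enable" not in subs:
            findings.append(f"{cmd}: LDAP bind and user passwords cross the wire in cleartext")
        if cmd.startswith("tunnel-group") and cmd.endswith("general-attributes") \
                and not any(s.startswith("default-group-policy") for s in subs):
            findings.append(f"{cmd}: no default-group-policy, users outside the AD group get DfltGrpPolicy")
        if cmd.startswith("tunnel-group") and cmd.endswith("webvpn-attributes"):
            for s in subs:
                if s.startswith("authentication") and "certificate" not in s:
                    findings.append(f"{cmd}: '{s}' is single-factor, want 'authentication aaa certificate'")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the four findings; paste your own `show running-config` output in its place once the final `authentication certificate aaa` step is applied and the list should be empty.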