Cisco Any Connect with DUO MFA

Cisco ASA – Cisco AnyConnect with DUO Multi Factor Authentication 

Recently i though to deploy Cisco ASA in my lab and try Multi Factor Authentication with Cisco owned DUO app.

After installing Cisco ASA and complete the basic configuration, i started with DUO configuration on ASDM and DUO Admin (Website).

First and the foremost you need to have an account in DUO portal (I did register a trial version). After registering, i downloaded DUO app on my mobile phone as well so that my primary account from where i do login as Admin, is also authenticated with MFA.

  • Register for a Duo account.
  • Login to Duo Admin Panel
  • Navigate to Applications
  •  Click on Protect an Application and search for Cisco ASA SSL VPN
  • Click on Protect

uccollabing.com

  • You will be redirected to the application page.  Here are the things you need to do:

uccollabing.com

Downloading Cisco DUO JS Package and DigiCert CA Certificates

  • Download the Duo Cisco package from  Cisco SSL VPN application page, and unzip it and save the file in your desktop.

uccollabing.com

  • Download the following certificates from Cisco ASA LDAP page and save it in your desktop.

uccollabing.com

  • DigiCert High Assurance EV Root CA
  • DigiCert SHA2 High Assurance Server CA

So, all the three files will look as below:uccollabing.com

Register a user in DUO

  • Navigate to Users > Click on Add User
  • Username > Enter a username. The username should be the same name as configured in your AD, who is going to authenticate himself/herself using Cisco AnyConnect VPN.
  • Make sure that the user is part of a group and the user is Active.

uccollabing.com

uccollabing.com

uccollabing.com

Install the DigiCert CA Certificates

  • Log on to  Cisco ASDM Interface.
  • Click the Configuration tab and then click Device Management in the left menu.
  • Navigate to Certificate ManagementCA Certificates.
  • Click the Add button.
  • In the “Install Certificate” window, select the Install from a file option and then click the Browse.
  • Select the DigiCert High Assurance EV Root CA file you downloaded from DigiCert and click on Install.
  •  Select the DigiCert SHA2 High Assurance Server CA file you downloaded from DigiCert and click on Install.

uccollabing.com

uccollabing.com

Modify the Login Page 

Importing the JS File

  • Click the Configuration tab and then click Remote Access VPN in the left menu.
  • Navigate to Clientless SSL VPN AccessPortal > Web Contents.
  • Click on Import.
  • Select Local computer, click Browse Local File. Upload the JS file Duo-Cisco-vX.js file you downloaded and extracted from the zip file.
  • After the file is selected, Duo-Cisco-vX.js will appear in the Web Content Path box.
  • In the Destination section, select No in response to “Require authentication to access its content?
  • Click on Import Now

uccollabing.com

uccollabing.com

Customizing the Login Page

  • Navigate to Clientless SSL VPN AccessPortal > Customization
  • Click on Edit
  • Click Title Panel (under Logon Page)
  • Type <script src=”/+CSCOU+/Duo-Cisco-vX.js”></script> (replace vX with the file version you downloaded in the previous step)
  • Click OK.
  • Click on Apply.

uccollabing.com

Configuring the DUO LDAP Server

Configuring AAA Server Group:

  • Navigate to AAA/Local UsersAAA Server Groups
  • Click Add
  • In the Server Group > Duo-LDAP
  • Protocol > LDAP
  • Click on OK

uccollabing.com

Add AAA Server

  • Select the DUO-LDAP group which was just added.
  • Interface Name > Choose the external interface which is connected towards Internet.
  • Server Name or IP Address > Your API hostname (i.e. api-XXXXXXXX.duosecurity.com) 
  • Timeout > 60 seconds
  • Check Enable LDAP over SSL 
  • Server Port > 636
  • Server Type > — Detect Automatically/Use Generic Type —
  • Base DN > dc=INTEGRATION_KEY,dc=duosecurity,dc=com
  • Scope > One level beneath the Base DN
  • Naming Attribute(s) > cn
  • Login DN > dc=INTEGRATION_KEY,dc=duosecurity,dc=com
  • Login Password > SECRET_KEY
  • Click on OK
  • Click on Apply

Note: Replace INTEGRATION_KEY and SECRET_KEY with your application-specific keys)

uccollabing.com

uccollabing.com

Testing AAA Server Authentication

  • Click the Test button.
  • On the “Test AAA Server” form, select Authentication.
  • Enter the username of user that exists in Duo and has a valid authentication device (like a phone or token).
  • Instead of entering the user’s password, enter the passcode from Duo Mobile App and then click OK.

uccollabing.com

uccollabing.com

Configuring the DUO LDAP Server

  • Navigate to Clientless SSL VPN AccessConnection Profiles
  • Select the connection profile to which you want to add Duo Authentication near the bottom and click Edit
  • Choose Secondary Authentication (under Advanced) from the left menu.
  • Select Duo-LDAP from the Server Group list.
  • Uncheck the Use LOCAL if Server Group fails check box.
  • Check the Use primary username check box.
  • Click OK
  • Click Apply

uccollabing.com

 

Testing with DUO – Using WebPage and AnyConnect VPN Client

Testing using WebPage

  • Enter the Web URL of Cisco ASA
  • You will be prompted to login with two way authentication. On the first page, the authentication will be you RADIUS Authentication (Local Authentication).
  • Enter your username and password and click on Login.

uccollabing.com

 

  • Once you successfully authenticate on your first page, then you will be asked for secondary authentication i.e., DUO Authentication where you can either send a push notification and approve the authentication or enter the generated password from your Mobile DUO app.

uccollabing.com

Testing using Cisco AnyConnect Client

  • Launch Cisco AnyConnect Client and connect to your ASA
  • Enter your AD Username
  • Enter your AD Password
  • Enter your secondary Password : You can get the passcode from your DUO App
  • Click on OK
  • If your AD username and password and your secondary authentication is successful, you will be able to login to Cisco AnyConnect VPN.

uccollabing.com

uccollabing.com

 

Leave a Reply

Your email address will not be published. Required fields are marked *