Cisco ASA with AnyConnect VPN and Azure MFA Configuration for RADIUS

PublishedOctober,2015

Version1.0

AzureMulti-FactorAuthenticationseamlesslyintegrateswithyourCisco®ASAVPNappliancetoprovideadditionalsecurityforCiscoAnyConnect®VPNloginsandportalaccess.Multi-factorauthentication(MFA)iscombinedwithstandardusercredentialstoincreasesecurityforuseridentityverification.

2

Azuresupportsseveralmulti-factorauthenticationmethodsfortheRADIUSprotocol.Eachmethodisachallenge-responsemechanismthatoccursafterprimaryauthenticationwithstandardusercredentials.

• Phonecall–usersreceiveaphonecallwithinstructionsonhowtocompletelogin.• Textmessage–usersreceiveanSMSmessagethatcontainsaverificationcode.Azuresupports

twooptionsforRADIUS:§ One-waymessagingrequiresuserstoenterasentverificationcodeinapromptonthelogin

page.§ Two-waymessagingrequiresuserstosendtheverificationcodebytextmessagereply.

• Mobileapp–usersreceiveapushnotificationfromclientsoftwareinstalledonasmartdevice,likeaphoneortablet.TheAzureAuthenticatorappisavailableforWindowsPhone,iOS,andAndroid.

• OATHtoken–usershaveatokenthatgeneratesaverificationcodewhichisthenenteredinapromptontheportalloginpage.Azuresupportstwooptions:§ Third-partyOATHtokenscanbeimportedtothesystemandsyncedwithuseraccounts.A

commonexampleisahardwaretokenlikeakeyfob.§ TheAzureAuthenticatorappforsmartdevicescanserveasanOATHtokentogenerate

verificationcodesforWindowsPhone,iOS,andAndroiddevices.

ThisguidewillhelpyoutoconfigureAzureMulti-FactorAuthentication(MFA)serverandCiscoASAtousetheRADIUSprotocolforAnyConnectVPNauthentication.

Overview TheAzureMulti-FactorAuthenticationserveractsasaRADIUSserver.TheCiscoASAapplianceactsaRADIUSclient.TheRADIUSserverworksasaproxytoforwardrequeststhatusemultipleauthenticationfactorstoatargetdirectoryservice.Theproxyreceivesaresponsefromthedirectory,whichitsendstotheRADIUSclient.Accessisgrantedonlywhenboththeusercredentials(primaryauthentication)andtheMFAchallengesucceed.SeethediagraminFigure1forreference.

3

MFAserverSSLVPNserver

ActiveDirectoryorLDAP

8 response

5 challenge7 response

Authenticationrequest1

Authenticationresponse10

2 Request

9 Response

4 Response

MFAMFA

challenge6

Request3

PrimaryFactor

RADIUS

Phonecall

MFAChallenge/ResponseMethods

2-waytextmessage

Pushnotification

Oathtoken######

1-waytextmessage

Figure1

ThediagramaboverepresentsthelogicalprocessflowforMFA.TheuserexperienceforMFAisfairlysimilartotraditionallogin.SeeFigure2foradescriptionoftheworkflow.

123456

Primaryauthentication

+

SuccessfulauthenticationSecondaryauthentication

SomeMFAoptionsrequirethecodetobeenteredthroughtheloginpromtpt.

Figure2

4

Guide Usage Theinformationinthisguideexplainstheconfigurationcommontomostdeployments.Itisimportanttonotetwothings:

• Everyorganizationisdifferentandmayrequireadditionalordifferentconfiguration.• Someconfigurationmayhaveothermethodstoaccomplishthesametaskthanthosedescribed.

InformationisbasedontheconditionsdescribedinthePrerequisitesandComponentssections.TheConventionssectionprovidesusageinformationanddetailsabouttheenvironmentusedforthisguide.

Prerequisites ThefollowingconditionsarerequiredtosetupAzureMFA:

• AnMFAserverinstalledonasystemwitheither:§ WindowsServer2003orhigher.§ WindowsVistaorhigher,thathasUsersPortalandWebServiceSDKservicesinstalled.

• ACiscoASAappliancewithAdaptiveSecurityDeviceManager(ASDM)accessanddefaultAnyConnectclientconfigurationtouseforMFA.NOTE:DefaultconfigurationcanbeconfiguredbyrunningtheAnyConnectVPNwizardfromtheASDMconsole.

• CiscoAnyConnectclientsoftwareinstalledonallclientsthatconnectremotelytothenetwork.• Familiaritywiththefollowingtechnologies:

§ RADIUSconfiguration§ VPNapplianceadministration

Deploymentsofferingthemobileappauthenticationoptionwillalsorequire:

• MFAdeployedonsystemswithWindowsVistaorhigherrequiretheMobileAppWebservicetobeinstalled.

• AuserdevicewiththeAzureauthenticationapplicationinstalled.

Components Thefollowingconditionsreflecttheassumptionsandscopeforinformationdescribedinthisguide.

• TheAzureMFAserverisinstalledonadomain-joinedWindows2012R2server.• OneAzureMFAserverwillbeconfiguredforRADIUS.• OneCiscoASAapplianceisconfigured.

Conventions Informationisbasedonthefollowingconditions.

• TheguidewaswrittenusingaCiscoASA5506appliance.• DocumentationwillrefertotheCiscoASAapplianceastheVPNappliance,orjustappliance.• TheAzureMulti-FactorAuthenticationServerisreferredtoastheMFAserver.• ActiveDirectory(AD)isthedirectoryserviceusedforauthentication.• UserswillbeimportedfromAD.• Adefaulttokenmethodwillbeconfigured.

5

• TheOATHtokenmethodusesverificationcodesgeneratedbytheAzureAuthenticationapp.

NOTE:WhileAzureMFAincludestheoptionusePersonalIdentificationNumbers(PINs)asanadditionalfactortothesupportedauthenticationmethods,thatconfigurationisoutsidethescopeofthisguide.

Step 1: Configure Multi-Factor Authentication Server ThistopicexplainshowtoconfiguretheMFAserverandtheon-premisesresourcesitrequires.FirstyouwilllogintotheserverwhereMFAisinstalled.NextyouwillconfigureRADIUSAuthentication.ThenyouwillconnectMFAtothedirectoryservice,afterwhichyouwillconfigureadefaultauthenticationmethod.FinallyyouwillimportaccountstotheMFAUsersgroup.

Multi-Factor Authentication Server Console 1. LogintotheserverwhereMFAisinstalled.2. OpentheAppsscreen.3. ClicktheMulti-FactorAuthenticationServericon:

4. TheMulti-FactorAuthenticationServerwindowopens.

Nowyouwillconfigurethenecessaryservices.

RADIUS Authentication FirstyouwillenableRADIUSauthentication,andthenaddtheVPNapplianceasaclient.

1. ClicktheRADIUSAuthenticationicon.

6

2. WhentheRADIUSAuthenticationtoolopens,selectEnableRADIUSauthentication.

3. SelecttheClientstabifnecessary.

NOTE:KeeptrackoftheportnumbersnotedforauthenticationandasyouwillneedthemfortheVPNapplianceconfiguration.Authenticationdefaultsare1645or1812.

7

4. ClickAddtoopentheAddRADIUSClientdialogbox.

5. Completethefollowing:

a. IPaddress–entertheVPNapplianceaddress.b. Applicationname–enteradescriptivenamefortheVPNappliance.c. Sharedsecret–createpassphrasetosecuretheRADIUScommunication.

NOTE:ThesharedsecretwillbeconfiguredonboththeMFAserverandVPNappliance,sokeeptrackofit.

d. RequireMulti-FactorAuthenticationusermatch–select;onlyuserswhoareincludedintheMFAUserslistwillbegrantedaccess.NOTE:Thisfeatureprovidesbettercontroloverremoteaccess.Ifnotenabled(unchecked),thenonlyuserswhoareincludedintheMFAUserslistwillneedtoauthenticatewithMFA.OtherdomainuserswillbeabletoauthenticatewithoutMFA.

e. EnablefallbackOATHtoken–selecttoprovideanalternatemethodofauthenticationintheeventthedefaultmethodtimesout.

8

NOTE:ThisfeatureonlyapplieswhenOATHtokenisnotthemethodassignedtoauseraccount.Wheninvoked,theuserwillbepromptedtoauthenticatewithahardwaretokenifoneisregisteredfortheuseraccount.

6. SelecttheTargettab.

7. SelectWindowsDomain;thiswillconfiguretheMFAservertouseADforprimary

authentication.

9

YouhavecompletedconfiguringRADIUSauthenticationandaddingtheVPNserverasaRADIUSclient.LeavetheMulti-FactorAuthenticationServerwindowopenforthenexttask.

Directory Integration Nowyouwillconnecttothedirectoryservice.

1. Inthenavigationarea,clicktheDirectoryIntegrationicon.

10

2. WhentheDirectoryIntegrationtoolopens,selecttheSettingstabifnecessary.

3. SelectUseActiveDirectory.

11

YouhavecompletedtheMFAserverdirectoryservicesetup.LeavetheMulti-FactorAuthenticationServerwindowopenforthenexttask.

Default Authentication Method TheinstructionsbelowexplainhowtosetadefaultoptionfortheauthenticationmethodthatwillbeautomaticallyassignedtoMFAuseraccounts.Adefaultmethodisrequiredwhenuserarenotallowedtochangemethods.Thefeatureisoptionalwhenusersareallowedtochangetheirtokenmethods,andmaybemoreconvenientifamajorityofusersneedonemethod.

Configure Company Settings 1. Inthenavigationarea,clicktheCompanySettingsicon:

12

2. WhentheCompanySettingstoolopens,selecttheGeneraltabifnecessary.

3. Leavedefaultsettingsexceptforthefollowing:

• Userdefaults–selectoneoftheoptionsbelow:§ Phonecall–selectStandardfromthedropmenu:

13

§ Textmessage–configureoneofthefollowing:

o One-WayandOTPfromthedropmenus:

o Two-WayandOTPfromthedropmenus:

14

§ Mobileapp–selectStandardfromthedropmenu:

Note:ThisoptionwillrequireuserstoregistertheirdevicesthroughtheAzureauthenticationapp.

§ OATHtokenNOTE:ThisguideprovidesinformationaboutusingtheOATHtokenmethodthroughtheAzureAuthenticatorapp.Whilethird-partytokenscanbeimportedthroughtheMulti-FactorAuthenticationOATHTokensfeature,thatfunctionisoutsidethescopeofthisthisguide.

15

ThiscompletesthecompanyinformationsetuptodesignatethedefaultauthenticationmethodforRADIUSAuthentication.LeavetheMulti-FactorAuthenticationServerwindowopenforthenexttask.

MFA Users WhentheVPNappliancewasconfiguredasaRADIUSclient,accesswasrestrictedtomembersoftheMFAUsersgroup.Thisprovidesmorecontroloverremoteaccess,andisasecuritybestpractice.Nowaccountsneedtobeimportedfromthedirectoryservice.

Import User Accounts Thesesinstructionsareforon-demanduserimport.

1. Inthenavigationarea,clicktheUsersicon.

16

2. WhentheUserstoolopens,ClickImportfromActiveDirectory.

3. Ontheimportscreen,selectausergroup.

17

4. Selecttheuseraccountsyouwanttoimport.

5. Leavethedefaultsettingsexceptforthefollowing:

a. SelecttheSettingstabifnecessary.

18

b. IntheImportPhonedropmenu,selectMobile.

NOTE:ForpurposesofthisguidewearedesignatingtheMobileattributeforthephoneimportsetting.ItisthemostcommonoptionusedforMFA.

6. ClicktheImportbutton.

19

7. ClickOKintheimportsuccessdialogbox.

8. ClicktheClosebuttonontheimportscreentoreturntotheUserspane.

YouhavecompletedMFAserverconfiguration.

Step 2: Configure the VPN Appliance Nowthattheauthenticationprocesshasbeenconfiguredtousemultiplefactors,youneedtoconfiguretheVPNappliancetoconnecttotheRADIUSserver.

ASDM Console ConfigureanauthenticationserverontheVPNappliancethatwillsendRADIUSauthenticationrequeststotheAzureMFAserver.

FirstyouwillconfigureaservergroupfortheMFARADIUSserver.NextyouneedaconnectionprofileforAnyConnecttoaccesstheRADIUSserver.ThenyouwillcreateaprofiletosetacustomtimeoutvaluetoensurethatAnyConnectVPNclientshaveenoughtimetologinusingMFA.

20

Create AAA Server Group 1. LogintotheCiscoASDMconsolefortheVPNappliance.

2. NavigatetoConfiguration|RemoteAccessVPN|AAA/Localusers|AAAservergroups.

21

3. ClickAddtocreateanewgroup.

22

4. TheAddanewAAAServerGroupdialogopens.

5. Leavethedefaultsettingsexceptforthefollowing:

a. AAAServerGroup–specifyanametoidentifythegroupfortheMFAserver.b. Protocol–selectRADIUSifnecessary.c. ClickOK.

6. IntheAAAServerGroupslist,selecttheservergroupyoujustcreated.

23

7. IntheServersintheSelectedGrouppane,clickAdd.

24

8. TheAddAAAServerdialogopens.

9. Leavethedefaultsettingsexceptforthefollowing:

a. InterfaceName–selecttheinterfacethatwillhandlecommunicationwiththeMFAServer.b. ServerNameorIPAddress–specifythenameortheIPaddressoftheMFAserver.c. Timeout(seconds)–itisimportanttosetasufficientlengthoftimeforusersto

authenticate.60secondsisacommonduration,butmayneedtobeadjusted.Forexample,largeorganizationsmayneedmoretimetoaccommodateahighervolumeofrequests.

d. ServerAuthenticationport–entertheportnumberusedforauthenticationcommunicationontheMFAServer.Defaultsare1812or1645.

e. ServerAccountingPort–entertheportnumberusedforRadiusAccounting.Defaultsare1646or1813.

f. RetryInterval–leavedefaultat10Seconds.g. ServerSecretKey–enterthesecuritypassphrasecreatedtoencryptcommunication

betweenMFAandtheCiscoASA.h. CommonPassword–re-entertopassphrase.i. ClickOK.

10. ClickAPPLYtosavetheconfiguration.

25

Test Configuration YoucantesttheconnectiontoMFAservertoconfirmthattheconnectioniscorrectlyconfigured.

1. MakesuretheRADIUSserveryoucreatedisstillselected.2. ClicktheTestbuttontoopenthetesttool.

26

3. Selectatestoption:

4. EntercredentialsforanaccountthatisconfiguredforAzureMFA.5. ClickOKandwaitfortestresultstopost.

Enable Connection Profile 1. NavigateRemoteAccessVPN|Network(Client)Access|AnyConnectConnectionProfiles.

27

2. Leavedefaultsettings,exceptforthefollowing:

a. EnableCiscoAnyConnectVPNClientaccessontheinterfacesselectedintablebelow–confirmcheckboxisselected.

28

b. SelecttheappropriateSSLinterfaceaccessoption.

c. ConnectionProfiles–selecttheAnyConnectVPNprofile.

29

d. ClickEdit.

e. TheEditAnyConnectConnectionProfilewindowopens.

30

f. NavigatetoAuthentication|Method.

31

g. Confirmthefollowing:

i. Method–makesureAAAisselected.ii. AAAServerGroup–makesurethegroupcreatedfortheMFAserverisselected.

h. ClickOK.i. ClickApplytosavetheconfiguration.

32

Configure Timeout 1. NavigatetoRemoteAccessVPN|Network(Client)Access|AnyConnectClientProfile.

33

2. ClickAdd.

34

3. TheAddAnyConnectClientProfiledialogopens.

4. Leavethedefaultsettings,exceptforthefollowing:

a. ProfileName–enteradescriptivenameforthenewVPNprofile.b. ClickOK.

5. SelecttheVPNProfilethatwascreatedandclickEdit.

6. TheAnyConnectClientProfileEditoropens.

35

7. Leavedefaultsettingsexceptforthefollowing:

a. ClickPreferences(Part2).

36

b. NavigatetoAuthenticationTimeout(seconds).

37

c. Changethevalueto60seconds.Largeorganizationsmayrequirealongerduration.d. ClickServerList.

38

e. ClickAdd.

f. AddtheCiscoASAHostDisplayNameandtheFQDN/IPAddresstotheprofile.

39

g. ClickOK.h. ClickOKtosaveconfigurationchangestotheVPNprofile.

8. ClickApplytosavetheconfiguration.

40

IMPORTANT:TheAnyConnectClientProfileyoujustcreatedmustbeinstalledoneverydevicethatwilluseMFAauthenticationtoavoidtimeoutissuesduringtheloginprocess.OnewaytoaccomplishthiswouldbetorequireclientstoconnecttotheAnyConnectportalandthenpushtheprofileautomatically.

YouhavecompletedVPNappliancesetup.

Step 3: Test Authentication Thetopicsbelowareprovidedtohelptestauthenticationwiththesetupyoujustcompleted.Logininstructionsareprovidedforeachoftheauthenticationmethods.DeviceregistrationinstructionsareincludedfordeploymentsthatusethemobileappmethodforthepushnotificationorOATHtokenoptions.Ifyouaren’tgoingtousemobileapp,thenskipstraighttotheLoginsection.

Device Registration for Azure Authenticator Users Thissteponlyapplieswhenthemobileappauthenticationmethodisused.

ThefollowinginstructionsexplainhowtoactivateauserdevicethroughtheMFAserverUsersPortal.Pleasenotethefollowingrequirementspriortogettingstarted.

41

Requirements • AdevicewiththeAzureAuthenticatormobileapplicationinstalled.Theapplicationcanbe

downloadedfromtheplatformstoreforthefollowingdevices:§ WindowsPhone§ Android§ iOS

• TheAzureUsersPortaladdress.• AcomputertoaccesstheUsersPortal.• Usercredentials

Activate Device NOTE:Informationprovidedbelowiscurrentasofthepublicationdate,butissubjecttochangewithoutnotice.

1. LogintotheAzureuserportalfromacomputer.2. Thesetupscreendisplays.

3. ClickGenerateActivationCode.4. Activationcodeoptionswilldisplay.

42

5. Openthemobileauthenticationappontheuserdevice.

Example:

6. Therearetwooptions:

• EntertheActivationCodeandURLdisplayedontheUsersPortalscreenonthedeviceactivationscreen.

• UsethedevicetoscanthebarcodedisplayedonUsersPortalscreen.

43

Youhavecompleteddeviceactivation.

Login NowyouarereadytotestMFAauthentication.Pleasenotetherequirementslistedbelowbeforeyoustart.

GeneralRequirements

• TheCiscoAnyConnectVPNClientProfileinstalledonthedevicethatwillaccessthenetwork• TheIPaddressorhostnameforAnyConnectVPNaccess• Usercredentials

Phone Call Required:AphonewiththenumberlistedintheADuseraccountMobilephoneattribute.

1. Onacomputer,launchtheAnyConnectclientandconnecttothenetwork.Example:

2. Enterusercredentials.3. Checkthephoneforacall.

NOTE:ThecalloriginatesinthecloudfromtheAzureMFAapplication.Example:

44

4. Thephonecallwillprovideinstructionstocompleteauthentication.

Text Message Required:AnSMS-capablephonewiththenumberlistedintheADuseraccountMobilephoneattribute.

One-Way Text Message 1. Onacomputer,launchtheAnyConnectclientandconnecttothenetwork.

Example:

2. Enterusercredentials.3. Retrievetheverificationcodefromthetextmessage.

Example:

45

4. Entertheverificationcodeontheresponseprompt.

Example:

Two-Way Text Message 1. Onacomputer,launchtheAnyConnectclientandconnecttothenetwork.

Example:

46

2. Enterusercredentials.3. Checkthephoneforatextmessagewiththeverificationcode.

Example:

4. Replytothetextmessagewiththesameverificationcode.

Mobile App Required:AdevicewiththeAzureAuthenticatorappactivated.

1. Onacomputer,launchtheAnyConnectclientandconnecttothenetwork.Example:

47

2. Enterusercredentials.3. CheckthedevicewithAzureAuthenticatorforaprompt.

Example:

4. ClickVerify.5. TheauthenticationapplicationwillcommunicatewiththeMFAservertocomplete

authentication.

Oath Token Required:AdevicewiththeAzureAuthenticatorappactivated.

1. Onacomputer,launchtheAnyConnectclientandconnecttothenetwork.Example:

48

2. Enterusercredentials.3. Onthemobiledevice,opentheAzureAuthenticatorapp.4. Retrieveaverificationcodefromtheapp.

Example:

5. Entertheverificationcodeontheresponseprompt.

Example:

49

SuccessfulauthenticationfortheVPNconnectionisindicatedbytheclient.Example:

ThiscompletesthesetupandtestingforAzureMulti-FactorAuthenticationusingtheRADIUSprotocolinaCiscoASA/AnyConnectVPNappliancedeployment.