In this article, we’ll take a look at how to configure multi-factor authentication (MFA) for remote access VPN’s (RA VPN) configured on a locally managed Cisco Firepower Threat Defence (FTD) device. Primary authentication for RA VPN users will take place using the FTD’s local database and Cisco Duo will be introduced to provide MFA before remote users are able to connect to the VPN.
- The FTD is already configured for RA VPN using the local user database
- Duo is already available in your environment
- FTD locally managed using the Firepower Device Manager (FDM)
- FTD with a RA VPN license
- Duo account
- Export controlled features enabled
- Access the Duo Admin panel and navigate to Applications > Protect an Application and search ‘FTD’. Click ‘Protect’ on the application named ‘Cisco Firepower Threat Defense VPN’ using Protection Type ‘2FA’.
- Make a note of the applications Integration Key, Secret Key and API hostname. Do not share the Secret Key with anyone. This information will be required when the authentication proxy is configured.
- Create an application policy by clicking ‘Apply a policy to all users’. Configure the following policy settings:
- New User Policy: Deny Access
- Authentication Policy: Enforce 2FA
Note: If you’re testing this in a live environment, it is advised that a separate policy is created to only enforce 2FA for test users.
The remaining policy settings can remain the same. Proceed by applying the new policy and scroll to the bottom of the screen and click ‘Save’. Optionally, feel free to modify your policy as required.
Note: Ensure that you have a test user fully enrolled in Duo as inline self-enrollment is not supported using this particular application. This lab will not cover user and device enrolment.
Configure the Authentication Proxy
- On the Windows Server, install the Authentication Proxy from the following link: https://dl.duosecurity.com/duoauthproxy-latest.exe. Run through the installation steps before moving to the next step.
- Navigate to the Program Files of the Duo Authentication Proxy installation. Providing that you installed it to the C: drive, the following path should be accurate:
- C: > Program Files > Duo Security Authentication Proxy > conf With Administrative rights, open the file named ‘authproxy.cfg’
- In this lab you will be configuring local authentication of RA VPN users and therefore will only use Duo as a secondary authentication method. Enter the following configuration into the authproxy.cfg file, replacing the entries that show < > with the configuration relevant to your environment:
[duo_only_client] [radius_server_auto] ikey=<Your Integration Key Here> skey=<Your Secret Key Here> api_host=<Your API Hostname Here> radius_ip_1=<IP Address of the FTD> client=duo_only_client
- Open a command prompt with administrative privileges and issue the following command to start the Duo Authentication Proxy:
net start duoauthproxy
The prompt will notify you of any errors. Ensure that there are no errors before continuing. A more detailed breakdown of errors can be shown in the ‘connectivity_tool.log’ log. You can navigate to this via C: > Program Files > Duo Security Authentication Proxy > Log.
Configure the FTD
- Create a test user on the FTD. Navigate to Objects > Users and click ‘+’ to add your RA VPN users. Ensure that the ‘Service Types’ reflects ‘RA VPN’. Add one called ‘RA_User1’ and one username that corresponds with a user enrolled in the Duo admin panel.
- Navigate to Objects > Identity Sources, click ‘+’ and select ‘RADIUS Server’ to add a new RADIUS Server. Enter the configuration that corresponds with the RADIUS configuration placed into the Duo Authentication Proxy configuration file. Once complete click ‘Ok’ to save the configuration.
- Select ‘+’ to create a ‘RADIUS Server Group’. Add the newly created RADIUS server to the RADIUS Server Group and click ‘Ok’ to save the configuration.
- Test access to your RADIUS Server by clicking ‘TEST ALL SERVERS’ and enter the username and password that corresponds with your local identity store and the Duo database.
- Ensure that RADIUS server tests are successful before continuing with the lab.
- On the main page of the FDM GUI, click on ‘Remote Access VPN’ and select ‘Connection Profile’. Add a new Connection Profile using the ‘+’ button or select ‘CREATE CONNECTION PROFILE’.
- Add the following configuration to the new Connection Profile:
- Connection Profile Name: RAVPN_CP
- Primary Identity Source: AAA Only
- Primary Identity Source for User Authentication: LocalIdentitySource
- Secondary Identity Source: RADIUSSRVGroup1
- Use Primary username for secondary login: Enabled
- Username for session server: Primary
- Password Type: Prompt
- Client Address Pool Assignment: RA_VPN_Pool
- Primary Identity Source: AAA Only
- Press ‘Next’ where you will be brought to the default group policy. For this demonstration you will use the default group policy named ‘DfltGrpPolicy’. Review the policy summary and press ‘Next’.
Note: You may choose to modify the Default Group Policy to only include internal subnets as part of the split tunnel configuration. You may also choose to add a specific AnyConnect Client Profile.
- Configure the Global Settings with the following configuration:
- Certificate of Device Identity: RA_VPN_Cert
- Outside Interface: outside
- Access Control for VPN Traffic: Enabled
- NAT Exempt: Enabled
- Inside Interface: Inside
- Inside Networks: LAN_Network
- AnyConnect Package: Upload a suitable AnyConnect package that is compatible with your RAVPN device
- Check your settings and then proceed by pressing ‘Next’.
- Review a summary of the pending changes and once you are happy with them click ‘Finish’ to save the configuration.
- Deploy the configuration changes on the FTD
Test Remote Access Authentication with Duo 2FA
- With access to the remote user, test the RA VPN connectivity. Open a browser and navigate to the IP address that was specified as the outside interface on the FTD. If the RA VPN has been correctly configured, you will see the connection profile that was previously configured along with the request for a username and two passwords.
- You should now be prompted to download and install the AnyConnect Secure Mobility Client. Assuming you’re running a Windows client, click ‘Download for Windows’. Alternatively, you should be prompted to download the AnyConnect client most suited for your endpoint, provided you have added the package on the FTD.
Note: If your test user device already has the AnyConnect client configured, you don’t need to connect using the browser. Alternatively, open Cisco AnyConnect and connect to the VPN using the connection profile previously configured.
- Enter the username and password of the user enrolled in Duo and the FTD. Within the secondary password field, the following methods can be chosen and enterted into this field for MFA:
- A passcode from Duo Mobile (Example: ,12345)
- . Press ‘Logon’ to proceed.
- Assuming that the remote user has selected to use a push notification, they should receive a push notification from the Duo mobile application. Once approved, 2FA is complete and the user should be able to connect to the VPN.
Note: You may receive multiple authentication requests from Duo before the VPN connection is established.
- Access the Duo admin panel and navigate to Reports > Authentication Log and view your successful authentication using Duo 2FA.
You have now configured 2FA for Cisco FTD RA VPN’s.