Cisco ASA Remote Access VPN using the Local User Database and Duo for 2FA

In this article, we will take a look at how to configure the Cisco ASA for remote access using the local user database and Secure Access by Duo for two-factor authentication. This method can be used for organisations that don’t have an external identity provider (IdP) or do but choose to keep 3rd party identities external to their organisation separate from their corporate IdP.

This article assumes that the reader has a good understanding of the technologies discussed.

Prerequisites

Components Used

  • Duo Admin Panel
  • Duo Authentication Proxy (5.7.3)
  • Cisco ASA (9.18)
  • Cisco ASDM (7.18)
  • Microsoft Server 2019 (Duo Auth Proxy Installed)

Configure Duo

The first thing we will do is configure the components required for Duo 2FA.

  • Access the Duo Admin Panel and navigate to Applications > Protect an Application and search for ‘Cisco RADIUS VPN’

It is recommended that you create an Application Policy for every new application that you choose to protect. In this demonstration, we create a new application policy to allow access to users without 2FA. This is usually recommended while testing the new solution so that users not yet known to Duo are not locked out. The remaining policy settings will be left as default for the purpose of this demonstration

  • Within the application settings, provide the new application with a meaningful name. Username normalisation shouldn’t be required if you are matching against users in the ASA’s local database as you will simply copy those usernames across to Duo. Once you are happy with the settings, click Save to continue.
  • We will need the Integration key, Secret key and API Hostname once we have the authentication proxy installed. For now, download and install the Duo Authentication Proxy onto a designated machine within your environment. You can find instructions on how to do this here. We’ve already installed the Duo Authentication Proxy for this demonstration and so we will proceed with the configuration steps.
  • Open the Duo Authentication Proxy Manager and enter the following configuration ensuring that you replace the ikey, skey and API hostname fields with values relevant to your deployment. The IP address will be the IP used to send RADIUS communication and the secret key will match the key used on the ASA. UDP, port 1812 has been specified in this demo but you may choose to use a different port for your deployment.
[duo_only_client]

; The following configuration is required to enable Duo 2FA for ASA Remote Access VPN connections
[radius_server_duo_only]
ikey=<YOUR IKEY HERE>
skey=<YOUR SKEY HERE>
api_host=<YOUR API HOSTNAME HERE>
radius_ip_1=<YOUR ASA IP HERE>
radius_secret_1=<SHARED SECRET WITH THE ASA>
port=1812
  • Once your configuration is complete, validate the configuration and save it and restart the service.

The Duo Authentication Proxy configuration is now complete. We will now proceed to configure the ASA for remote access VPN with Duo providing 2FA.

Configure the Cisco ASA

In this demonstration, we will configure the basic settings required for establishing a remote access VPN using the local user database. We will then add the relevant configuration in order to add Duo 2FA. We will use ASDM to highlight the configuration for this demonstration.

  • With access to ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
  • Create a new connection profile by clicking the ‘+ Add’ button. Create your Connection Profile ensuring that the authentication server group is set to LOCAL and the secondary authentication in the Advanced section is set to the Duo Authentication Proxy. Configure any additional settings that are relevant to your environment
  • Navigate to AnyConnect Client Software and upload your required AnyConnect client images
  • Navigate to AnyConnect Client Profile and create a new profile before assigning it to the Group Policy that is tied to the Connection Profile
  • Navigate to AAA/Local Users > Local Users and add or ensure that you have users available in the local database to test authentication with. Each user will also need to be reflected in the ‘Users’ section of the Duo Admin Panel.
  • Navigate back to AnyConnect Connection Profiles and enable AnyConnect VPN client access on the outside interface (the VPN termination point). You can choose to modify the type of access permitted, the port and the device certificate that should be presented. We have kept the default settings as part of this demonstration. Enable ‘Allow user to select connection profile on the login page’ to allow local users to select the right connection profile when connecting to the VPN.
  • Ensure that you have applied all your configuration changes.

Testing

We have now configured the necessary elements and are ready to test our solution.

  • With access to a test machine, connect to the VPN. In this demonstration, we have our Cisco AnyConnect agent already installed on our test machine. The local user is also added and enrolled in Duo.
  • When we connect to the VPN, we have a couple of fields presented:
    • Group: This is the connection profile. You want to select the one that you created earlier in this demonstration
    • Username: This is the local username (Local to the ASA database)
    • Password: The local user’s password (Local to the ASA database)
    • Second Password: This is the authentication factor that you want to use, i.e., Push, SMS, Call. We have entered ‘Push’ and our user ‘Kelvin’ will receive a push notification to his mobile device to complete 2FA before being able to establish a VPN
  • Head over to your Duo Admin Panel and navigate to Reports where you’ll now be able to see the successful authentication

Additional Observations

  • It is possible to specify Duo as the Primary authentication and then LOCAL as the secondary. In this case, the AnyConnect ‘Password’ field would be used to enter the authentication method i.e., Push and then the ‘Second Password’ field would be used to enter the user’s local password.
  • Assuming that you have many local users, manually adding these to Duo will be cumbersome. Unfortunately, there is no real way to export the local user database but you can run the following command to get a list of the local users. Once you have the list of local users, you can import these to Duo using a .CSV file by following the import method here.
show user-identity user all list
Total users: 1  Total IP addresses: 0
  LOCAL\kelvin: 0 active conns

  • You can not automatically sync the ASA’s local database with Duo and therefore, as a result, you will need to manually add/remove each user in both the ASA and Duo

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: