In this article, I will demonstrate how to configure certificate-based authentication for remote access VPNs, complete with Duo multi-factor authentication (MFA). To make use of Duo MFA, the ASA needs to be configured to communicate with Duo as part of the authentication process. However, because certificate-based authentication does not use passwords, on its own it gives the ASA no reason to contact Duo at all, so for this integration the ASA has to be configured so that certificates are still used alongside Duo.
Thankfully, the ASA supports combining certificate-based authentication with AAA for remote user VPN authentication, but it has to be implemented correctly to be effective.
Prerequisites
- Admin access to the Cisco ASA
- Access to the Root CA and (if applicable) any sub-CAs for the users that will connect remotely
- Users/devices with a signed certificate (this demonstration uses user certificates)
Technology used in this Demonstration
- ASAv 9.18 (including ASDM)
- Active Directory Domain Controller
- AnyConnect Client
- Secure Access by Duo (including the Authentication Proxy)
Assumptions
- The reader is familiar with the technologies used in this demonstration
- The AnyConnect Client software is already added to the ASA
- The reader is familiar with VPN technologies and MFA
- The reader is familiar with PKI
Setting up your PKI
I won’t cover PKI in detail because I assume that, by reading this article, you already have a good grasp of the PKI in your environment. However, I do want to call out that you need to have access to your Root CA and any sub-CAs, as they will be needed for the implementation. Furthermore, ensure that user and/or machine certificates are issued correctly, as you will need to decide which certificate and which fields should be used for certificate-based authentication.
Prepare the ASA for Certificate-based Authentication
We first need to add the relevant root CA to the ASA. The root CA should be the one that will sign the certificate used for the VPN. To add the certificate, use ASDM and navigate to Device Management > Certificate Management > CA Certificates and click ‘Add’ to browse and add the root CA to the ASA.
The next thing we need to do is create a Certificate Signing Request (CSR) for what will become the VPN certificate. Once generated, the CSR will need to be signed with the relevant CA before being installed on the ASA. To generate the CSR, navigate to Device Management > Certificate Management > Identity Certificates and click ‘Add’. Give the new certificate a meaningful name and select ‘Add a new identity certificate’. Modify the Key Pair, Certificate Subject DN and any Advanced settings if required for your environment. Once done, download the CSR and sign it with the relevant CA. Once signed, head back to the same location on the ASA, click on the original CSR and click ‘Install’; add the newly-signed certificate.
Configure the VPN
Note: The following instructions will prepare your environment for certificate-based authentication with Duo MFA. Some settings may need to change to meet your own requirements.
With access to ASDM, navigate to Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. If you don’t have any profiles created or ready to import, click ‘Add’ to add a new profile for this integration.
- Select the relevant Certificate Store to be used for both Windows & macOS; this demonstration uses User certificates.
- Ensure that ‘AllowRemoteUsers’ is selected for the Windows VPN Establishment setting (and for the equivalent VPN Establishment setting of any other platform you support)
Configure any other settings relevant to your organisation before moving on from Preferences (Part 1).
Navigate to Server List and click ‘Add’ to add the details of the VPN server.
Once complete, double-check that no other more specific settings are required for your organisation before pressing ‘OK’ to complete the configuration.
Apply the configuration changes.
Once complete, head over to Network (Client) Access > AnyConnect Connection Profiles and click ‘Device Certificate’. Select the newly signed VPN certificate.
We won’t cover Group Policy in this article, as it is assumed that you are familiar with group policies and with how to configure them and relate them to Connection Profiles. We will, however, cover Connection Profiles, as we need to make some changes to the configuration for our integration to work. The following example Connection Profile is a newly created profile for this demonstration; depending on your organisation’s requirements, you may decide to add or change some of the configuration.
The important Connection Profile elements required in order for this integration to work are the following:
- Authentication Method: AAA and certificate
- AAA Server Group: this needs to be set to a group that uses RADIUS against your Duo Authentication Proxy
- Other important configuration required:
  - Client Address Assignment
  - Group Policy
  - Enable SSL/IPsec VPN
  - Configure DNS Server(s)
  - Configure Domain Name
One more thing you may want to configure or check is which certificate fields are used as the username for authentication. By default, the primary field is the Common Name (CN) and the secondary field is the Organizational Unit (OU). If the username is contained in the certificate’s CN, you won’t need to change these fields under Advanced > Authentication.
Once configured, the VPN configuration should be ready to go!
In order for this integration to work, we need to deploy and configure the Duo Authentication Proxy. Once configured, the ASA will pass a RADIUS request to the authentication proxy every time a user authenticates with their username and password. It is important that the authentication proxy is configured to validate primary authentication against the configured Active Directory server. Configuring the client as a duo_only_client will result in any username and password being accepted, provided the username is a valid Duo user. For example, with a user certificate whose CN is Kelvin, a username of Bob entered in the AAA request with a valid password would still allow Bob to authenticate using Kelvin’s valid certificate. However, when the client configuration on the authentication proxy is set to use the ad_client, the username taken from the certificate will need to match the AAA username, and the user’s credentials are verified against Active Directory.
Before configuring the authentication proxy, configure the application on the Duo Admin Panel. On the Duo Admin Panel, navigate to Applications > Protect an Application and select ‘Cisco RADIUS VPN’. Configure your desired policy for the application and any other settings necessary for your organisation, and save all changes once done. Ensure that all users that are going to be subject to this new integration are added to Duo and fully enrolled.
Stay logged in to the Duo Admin panel as you will need the Integration key, Secret key and API hostname for the authentication proxy.
Configure your authentication proxy with the following fields completed:
[ad_client]
host=
service_account_username=
service_account_password_protected=
search_dn=

;Cisco ASA Certificate-Based Authentication
[radius_server_auto]
ikey=
skey=
api_host=
radius_ip_1=
radius_secret_1=
failmode=safe
client=ad_client
Validate, save and restart or start the authentication proxy.
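The duo_only_client pitfall above and the authproxy.cfg layout are easy to check before restarting the proxy. The following linter is an added example, not the author's or Duo's code; the sample config is constructed, with placeholder keys and secrets, and the section and key names follow the layout shown above.

```python
"""Lint a Duo Authentication Proxy config for the ASA certificate + AAA setup.

Added example, not the article author's or Duo's code. The sample config is
constructed; section and key names follow the authproxy.cfg layout used in
the article ([ad_client], [radius_server_auto], client=, failmode=).
"""
import configparser

# Constructed sample: the radius section hands primary auth to Duo only.
WEAK_CFG = """
[ad_client]
host=dc01.example.test
service_account_username=svc_duo
service_account_password_protected=PLACEHOLDER
search_dn=DC=example,DC=test

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
failmode=safe
client=duo_only_client
"""


def lint_authproxy(text):
    """Return findings for an authproxy.cfg; an empty list means it passes."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("radius_server"):
            continue
        sec = cfg[name]
        # Primary auth must go through ad_client so the RADIUS username and
        # password are actually checked against AD, not just sent to Duo.
        if sec.get("client") != "ad_client":
            findings.append(f"{name}: client={sec.get('client', '<unset>')}, expected ad_client")
        elif "ad_client" not in cfg or not cfg["ad_client"].get("host"):
            findings.append(f"{name}: client=ad_client but [ad_client] host is missing")
        # failmode=safe lets primary-only logins through while Duo is unreachable;
        # keep it only if that trade-off has been accepted.
        if sec.get("failmode", "safe") == "safe":
            findings.append(f"{name}: failmode=safe (MFA is skipped when Duo is unreachable)")
    return findings


if __name__ == "__main__":
    for finding in lint_authproxy(WEAK_CFG):
        print(finding)
```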
Provided everything is configured correctly, you should be ready to test the integration. Below, we tested the integration with a remote user and validated the successful authentication on both the ASA and Duo.
IP address information has been omitted from the following output:
Duo-ASAv-918# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : administrator          Index        : 34
Assigned IP  : <Omitted>              Public IP    : <Omitted>
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 19644                  Bytes Rx     : 6728
Pkts Tx      : 2                      Pkts Rx      : 75
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : certbasedGP            Tunnel Group : cert-based-mfa
Login Time   : 21:14:16 GMT/BDT Fri Mar 31 2023
Duration     : 0h:02m:16s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 650101020002200064273f18
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 34.1
  Public IP    : <Omitted>
  Encryption   : none                   Hashing      : none
  TCP Src Port : 49858                  TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client OS    : win
  Client OS Ver: 10.0.17763
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 11491                  Bytes Rx     : 231
  Pkts Tx      : 1                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 34.2
  Assigned IP  : <Omitted>              Public IP    : <Omitted>
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 49864
  TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 8153                   Bytes Rx     : 7341
  Pkts Tx      : 1                      Pkts Rx      : 79
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Lastly, you can validate the successful MFA request by checking the authentication reports on the Duo Admin Panel.