Cisco ASA Certificate-based Remote Access VPN Authentication with Duo MFA

In this article, I will demonstrate how to configure certificate-based authentication for remote access VPNs, complete with Duo multi-factor authentication (MFA). To make use of Duo MFA, the ASA needs to be configured to communicate with Duo as part of the authentication process. However, because certificate-based authentication doesn’t use passwords, on its own it gives the ASA no reason to talk to Duo at all. For this integration, the ASA therefore has to be configured so that certificates are still used alongside Duo.

Thankfully, the ASA supports certificate-based authentication combined with AAA for remote user VPN authentication, but it has to be implemented correctly to be effective.

Prerequisites

  • Admin access to the Cisco ASA
  • Access to the Root CA and (if applicable) any sub-CAs for the users that will connect remotely
  • Users/devices with signed certificate (This demonstration uses user certificates)

Technology used in this Demonstration

  • ASAv 9.18 (including ASDM)
  • Active Directory Domain Controller
  • AnyConnect Client
  • Secure Access by Duo (including the Authentication Proxy)

Assumptions

  • This article assumes that the reader is familiar with the technologies used in this demonstration
  • This article assumes that AnyConnect Client Software is already added to the ASA
  • This article assumes that the reader is familiar with VPN technologies and MFA
  • This article assumes that the reader is familiar with PKI

Demonstration

Setting up your PKI

I won’t cover PKI in detail because I assume that by reading this article you already have a good grasp on PKI in your environment. However, I do want to call out that you need to make sure that you have access to your Root and any sub-CAs as they will be needed for implementation. Furthermore, ensure that user and/or machine certificates are issued correctly as you will need to decide which certificate and fields should be used for certificate-based authentication.

Prepare the ASA for Certificate-based Authentication

We first need to add the relevant root CA to the ASA. The root CA should be the one that will sign the certificate used for the VPN. To add the certificate, use ASDM and navigate to Device Management > Certificate Management > CA Certificates and click ‘Add’ to browse and add the root CA to the ASA.

The next thing we need to do is create a Certificate Signing Request (CSR) for what will become the VPN certificate. Once generated, the CSR will need to be signed by the relevant CA before being installed on the ASA. To generate the CSR, navigate to Device Management > Certificate Management > Identity Certificates and click ‘Add’. Give the new certificate a meaningful name and select ‘Add a new identity certificate’. Modify the Key Pair, Certificate Subject DN and any Advanced settings if required for your environment. Once done, download the CSR and sign it with the relevant CA. Once signed, head back to the same location on the ASA, select the original CSR, click ‘Install’ and add the newly-signed certificate.

Configure the VPN

Note: The following instructions will prepare your environment for certificate-based authentication with Duo MFA. Some settings may need to change to meet your own requirements.

With access to ASDM, navigate to Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. If you don’t have any profiles created or ready to import, click ‘Add’ to add a new profile for this integration.

  • Select the relevant Certificate Store to be used for both Windows & macOS; this demonstration uses User certificates.
  • Ensure that ‘AllowRemoteUsers’ is selected for Windows VPN Establishment

Configure any other settings relevant to your organisation before moving on from Preferences (Part 1).

Navigate to Server List and click ‘Add’ to add the details of the VPN server.

Once complete, double-check that no other more specific settings are required for your organisation before pressing ‘OK’ to complete the configuration.

Apply the configuration changes.

Once complete, head over to Network (Client) Access > AnyConnect Connection Profiles and click ‘Device Certificate’. Select the newly signed VPN certificate.

We won’t cover Group Policy in this article as it is assumed that you are familiar with group policies and how to configure and relate them to Connection Profiles. We will, however, cover Connection Profiles as we need to make some changes to the configuration in order for our integration to work. The following example Connection Profile is a newly created profile for this demonstration; depending on your organisation’s requirements, you may decide to add or change some of the configuration.

The important Connection Profile elements required in order for this integration to work are the following:

  • Authentication Method: AAA and certificate
  • AAA Server Group: This needs to be set to a RADIUS server group that points at your Duo Authentication Proxy
  • Other important configuration required:
    • Client Address Assignment
    • Group Policy
      • Enable SSL/IPsec VPN
      • Configure DNS Server/s
      • Configure Domain Name

One more thing you may want to configure or check is which certificate fields are used as the username for authentication. By default the primary field is the Common Name (CN) and the secondary field is the Organizational Unit (OU). If the username is contained in the certificate’s CN then you won’t need to change the following fields under Advanced > Authentication.

Once configured, the VPN configuration should be ready to go!

Configure Duo

In order for this integration to work, we need to deploy and configure the Duo Authentication Proxy. Once configured, the ASA will pass RADIUS requests to the authentication proxy every time a user authenticates with their username and password. It is important that the authentication proxy is configured to validate primary authentication with the configured Active Directory server. Configuring the client as a duo_only_client will result in any username and password being accepted, provided the username is valid. For example, with a user certificate with CN: Kelvin and a username of Bob entered as part of the AAA request with a valid password, Bob would still be allowed to authenticate with Kelvin’s valid certificate. However, when the client configuration on the authentication proxy is set to use the ad_client, the username taken from the certificate will need to match the AAA username along with that user’s credentials.
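The two points above (the CN-primary/OU-secondary username mapping, and the Kelvin/Bob mismatch that makes password validation against AD necessary) can be modelled in a few lines. The following is an added example, not Cisco or Duo code: a simplified DN parser and the username selection the ASA performs, plus the consistency check that certificate + AAA authentication relies on. The subject strings are constructed for this example.

```python
"""Username mapping from a client certificate subject, with the certificate-to-AAA
username consistency check. Added example; not Cisco or Duo code. The parser is a
simplified model of RFC 4514 subject strings, sufficient for typical user certificates."""

from typing import Dict, List, Optional


def parse_subject_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=Kelvin,OU=IT,O=Example Ltd' into {attribute: [values]}.
    Attribute types are upper-cased; repeated attributes keep every value.
    Backslash-escaped commas inside a value are honoured."""
    attrs: Dict[str, List[str]] = {}
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # escaped character, keep it literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    for part in parts:
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def username_from_certificate(dn: str, primary: str = "CN", secondary: str = "OU") -> Optional[str]:
    """Return the username the ASA derives from the certificate: the primary field
    if present, otherwise the secondary field, otherwise None (no usable username).
    CN/OU are the ASA defaults described in the article."""
    attrs = parse_subject_dn(dn)
    for field in (primary, secondary):
        values = attrs.get(field.upper())
        if values:
            return values[0]
    return None


def aaa_username_matches(dn: str, aaa_username: str, primary: str = "CN", secondary: str = "OU") -> bool:
    """The property the integration depends on: the identity asserted by the
    certificate must be the same account whose password (and Duo factor) are
    verified. Case-insensitive, matching AD sAMAccountName behaviour."""
    cert_user = username_from_certificate(dn, primary, secondary)
    return cert_user is not None and cert_user.lower() == aaa_username.lower()


if __name__ == "__main__":
    kelvin = "CN=Kelvin,OU=IT,O=Example Ltd"   # constructed sample subject
    print(username_from_certificate(kelvin))      # Kelvin
    print(aaa_username_matches(kelvin, "kelvin")) # True
    print(aaa_username_matches(kelvin, "Bob"))    # False: Bob cannot ride on Kelvin's certificate
```

In the deployment described in this article the check is not a separate step: with the username pre-filled from the certificate, the ad_client validates the password of that user, so a mismatched AAA username simply fails primary authentication.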

Before configuring the authentication proxy, configure the Application on the Duo Admin Panel. On the Duo Admin Panel, navigate to Applications > Protect an Application and select ‘Cisco RADIUS VPN’. Configure your desired policy for the application and any other necessary settings for your organisation and save all changes once done. Ensure that all users that are going to be subject to this new integration are added and fully enrolled with Duo.

Stay logged in to the Duo Admin panel as you will need the Integration key, Secret key and API hostname for the authentication proxy.

Configure your authentication proxy with the following fields completed:

[ad_client]
; Active Directory server used for primary (password) authentication
host=
; Service account used to bind to AD and look up users
service_account_username=
; Encrypted service account password (as produced by the proxy's authproxy_passwd tool)
service_account_password_protected=
; Base DN under which users are searched, e.g. the domain root
search_dn=

;Cisco ASA Certificate-Based Authentication
[radius_server_auto]
; Integration key, secret key and API hostname from the Duo Admin Panel
ikey=
skey=
api_host=
; The ASA's address and the shared RADIUS secret configured on the ASA
radius_ip_1=
radius_secret_1=
; safe: allow logins if Duo is unreachable; secure: deny them
failmode=safe
; Primary authentication must be validated by AD, not by a duo_only_client
client=ad_client

Validate, save and restart or start the authentication proxy.
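Before restarting the proxy it is worth checking that the file actually expresses the requirements above: every [radius_server_auto] section complete, its client pointing at an [ad_client] section rather than duo_only_client, and the AD section able to bind. The following is an added example and not Duo's own validation tooling; the embedded configuration is constructed for the example, with placeholder keys, secrets and hostnames, and deliberately includes a second section that uses duo_only_client so the check has something to flag.

```python
"""Sanity checks for a Duo Authentication Proxy configuration used behind an ASA
'AAA and certificate' connection profile. Added example, not Duo's own tooling.
Only the points made in the article are checked; SAMPLE_CFG is constructed."""

import configparser
from typing import List

# Constructed sample: one correct section and one that uses duo_only_client.
# ikey/skey/api_host/secrets are placeholders, addresses are documentation ranges.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.test
service_account_username=svc-duo
service_account_password_protected=PLACEHOLDER
search_dn=DC=example,DC=test

[duo_only_client]

;Cisco ASA Certificate-Based Authentication
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
failmode=safe
client=ad_client

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.11
failmode=safe
client=duo_only_client
"""

REQUIRED_RADIUS_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client")
REQUIRED_AD_KEYS = ("host", "service_account_username", "search_dn")


def load_config(text: str) -> configparser.ConfigParser:
    # authproxy.cfg is ini-style; ';' and '#' lines are comments.
    # interpolation=None keeps '%' in secrets from being treated specially.
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    return cfg


def check_authproxy(text: str) -> List[str]:
    """Return findings prefixed WARN (must fix) or INFO (policy decision).
    An empty list means nothing to report."""
    cfg = load_config(text)
    findings: List[str] = []
    for section in cfg.sections():
        if not section.startswith("radius_server_auto"):
            continue
        for key in REQUIRED_RADIUS_KEYS:
            if not cfg.get(section, key, fallback=""):
                findings.append(f"WARN: [{section}] missing required key '{key}'")
        client = cfg.get(section, "client", fallback="")
        if client == "duo_only_client":
            findings.append(f"WARN: [{section}] client=duo_only_client: the password is not "
                            "verified, so any valid Duo username is accepted with any certificate")
        elif client and not cfg.has_section(client):
            findings.append(f"WARN: [{section}] client '{client}' has no matching section")
        elif client.startswith("ad_client"):
            for key in REQUIRED_AD_KEYS:
                if not cfg.get(client, key, fallback=""):
                    findings.append(f"WARN: [{client}] missing required key '{key}'")
            has_password = (cfg.get(client, "service_account_password", fallback="")
                            or cfg.get(client, "service_account_password_protected", fallback=""))
            if not has_password:
                findings.append(f"WARN: [{client}] no service account password configured")
        if cfg.get(section, "failmode", fallback="safe") == "safe":
            findings.append(f"INFO: [{section}] failmode=safe lets users in when Duo is "
                            "unreachable; use 'secure' if your policy requires fail-closed")
    return findings


if __name__ == "__main__":
    for finding in check_authproxy(SAMPLE_CFG):
        print(finding)
```

Run it against the real file by replacing SAMPLE_CFG with the contents of authproxy.cfg; only the duo_only_client section and the missing radius_secret_1 in the sample are reported as warnings, and failmode=safe is reported as informational because the article deliberately chooses it.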

Testing

Providing everything is configured correctly, you should be ready to test the integration. Below we tested the integration with a remote user and validated the successful authentication on the ASA and Duo.

IP address information has been omitted from the following output:

Duo-ASAv-918#  show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : administrator          Index        : 34
Assigned IP  : <Omitted>              Public IP    : <Omitted>
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 19644                  Bytes Rx     : 6728
Pkts Tx      : 2                      Pkts Rx      : 75
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : certbasedGP            Tunnel Group : cert-based-mfa
Login Time   : 21:14:16 GMT/BDT Fri Mar 31 2023
Duration     : 0h:02m:16s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 650101020002200064273f18
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 34.1
  Public IP    : <Omitted>
  Encryption   : none                   Hashing      : none
  TCP Src Port : 49858                  TCP Dst Port : 443
  Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client OS    : win
  Client OS Ver: 10.0.17763
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 11491                  Bytes Rx     : 231
  Pkts Tx      : 1                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 34.2
  Assigned IP  : <Omitted>              Public IP    : <Omitted>
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 49864
  TCP Dst Port : 443                    Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 8153                   Bytes Rx     : 7341
  Pkts Tx      : 1                      Pkts Rx      : 79
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

Lastly, you can validate the successful MFA request by checking the reports on the Duo Admin Panel.

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, he has achieved a Bachelor’s and a Master’s degree in both Computer Networks and Cyber Security.