Phonefactor two authentication with ASA

sl_bishop Tue, 12/14/2010 - 14:38

PhoneFactor absolutely works with Cisco ASA and is a very common implementation for them.  First, you install the PhoneFactor Agent on a Windows server that is joined to your domain behind your firewall.  Once installed and activated, you configure a RADIUS client within the Agent with the Cisco ASA's IP address.  You also specify the shared secret that will be used for your RADIUS target in the ASA.  You then go into the Cisco ASA and configure the RADIUS authentication target which points to the PhoneFactor Agent.  You specify the PhoneFactor Agent's IP address and the same shared secret configured in the PhoneFactor Agent.  You must also set the RADIUS timeout to at least 30 seconds (45 recommended) so that you have enough time to complete the two-factor authentication before the ASA times out.

If you are pulling group membership from Active Directory or using an LDAP target for your user store, you could use LDAP authentication instead of RADIUS authentication.  If you contact PhoneFactor (1.877.668.6536), they can provide documentation and/or assistance on how to setup the PhoneFactor Agent to receive the RADIUS or LDAP authentication requests from the ASA.
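The RADIUS exchange the post describes (the ASA as RADIUS client, the PhoneFactor Agent as RADIUS server sharing one secret) can be modelled end to end. The following is an added example, not code from the thread, from Cisco or from PhoneFactor: it implements the RFC 2865 Access-Request, User-Password obfuscation and Response Authenticator with Python's standard library, then runs one exchange with matching secrets and one with mismatched secrets. The user name, password, NAS address and the stand-in user store are constructed values; real deployments validate the first factor against AD or LDAP, and the phone call for the second factor happens between the request and the response, which is why the ASA-side timeout must be long.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password; only works with the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: str, password: str,
                         nas_ip: str, secret: bytes) -> bytes:
    """Client side (the ASA's role): fresh random Request Authenticator plus
    User-Name, obfuscated User-Password and NAS-IP-Address."""
    request_auth = secrets.token_bytes(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    authenticator = data[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN)  # no attributes in this reply
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the reply is only trusted if it matches the request id and our secret."""
    _, req_id, request_auth, _ = parse_packet(request)
    _, resp_id, response_auth, _ = parse_packet(response)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def agent_handle(request: bytes, secret: bytes, directory: dict) -> bytes:
    """Stand-in for the agent's first-factor check: recover the password with the server's
    copy of the shared secret and compare it with the user store (a constructed dict, not AD)."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    supplied = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    stored = directory.get(username)
    ok = stored is not None and hmac.compare_digest(supplied, stored)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def exchange(client_secret: bytes, agent_secret: bytes):
    """One request/response with possibly different secrets on each side.
    Returns (response code, whether the client could verify the response)."""
    user_store = {"jdoe": b"Correct-Horse-7"}  # constructed sample user
    request = build_access_request(7, "jdoe", "Correct-Horse-7", "192.0.2.10", client_secret)
    response = agent_handle(request, agent_secret, user_store)
    return parse_packet(response)[0], verify_response(response, request, client_secret)


if __name__ == "__main__":
    print("matching secrets :", exchange(b"cisco", b"cisco"))       # (2, True)  Access-Accept
    print("mismatched secret:", exchange(b"cisco", b"different"))   # (3, False) Access-Reject, unverifiable
```

With mismatched secrets the agent recovers garbage instead of the password and rejects, and the client cannot verify the Response Authenticator either, so a secret typo on one side looks like a plain authentication failure on both; the log check in the later posts is how you tell that case apart from requests that never arrive.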

sl_bishop Wed, 12/15/2010 - 07:41

That is correct.  The ASA will then send its RADIUS authentication request to the PhoneFactor Agent.  If PhoneFactor has been configured to receive the RADIUS request from that client, it can then validate the username and password provided by the ASA against Active Directory, another LDAP target or another RADIUS server.  If those first-factor credentials are correct, it will then perform the second-factor authentication by calling the phone of the user who is logging in.

Hi Shawn,

We did configure the ASA with the following config:

aaa-server RadiusServers (inside) host (PhoneFactor agent address)
 timeout 60
 key cisco
 authentication-port 1812
 accounting-port 1813

and on the PhoneFactor agent we did configure the ASA's inside interface address and the key cisco. The problem is the PhoneFactor agent is not getting any request from the ASA. Anything I need to check on the ASA or at the agent?
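The posted aaa-server block can be checked against the requirements stated earlier in the thread (shared secret present, timeout of at least 30 seconds with 45 recommended, RADIUS ports 1812/1813). The following is an added example, not Cisco's or PhoneFactor's tooling: a small Python lint for ASA `aaa-server ... host` entries. The configurations inside it are constructed; the agent address is a documentation IP standing in for the placeholder in the post, and the second configuration is deliberately weak to show the findings.

```python
import re

MIN_TIMEOUT, RECOMMENDED_TIMEOUT = 30, 45         # from the guidance in this thread
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813    # ports the agent listens on

HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)")
INT_SUB_RE = re.compile(r"^(timeout|authentication-port|accounting-port)\s+(\d+)$")
KEY_RE = re.compile(r"^key\s+(\S+)$")

# Constructed sample: the configuration from the post, with a documentation IP for the agent.
POSTED_CONFIG = """
aaa-server RadiusServers (inside) host 192.0.2.20
 timeout 60
 key cisco
 authentication-port 1812
 accounting-port 1813
"""

# Constructed sample: a weak entry (no key, short timeout, legacy auth port, no acct port).
WEAK_CONFIG = """
aaa-server RadiusServers protocol radius
aaa-server RadiusServers (inside) host 192.0.2.20
 timeout 10
 authentication-port 1645
"""


def parse_aaa_hosts(config_text: str) -> list:
    """Collect each 'aaa-server <group> (<iface>) host <addr>' entry with its sub-commands.
    Sub-commands attach to the most recent host line regardless of indentation, so a pasted
    config that lost its leading spaces (as in the post above) still parses."""
    hosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"group": m.group(1), "interface": m.group(2), "host": m.group(3),
                       "timeout": None, "key": None,
                       "authentication-port": None, "accounting-port": None}
            hosts.append(current)
            continue
        if line.startswith("aaa-server "):  # e.g. 'aaa-server <group> protocol radius' ends a host block
            current = None
            continue
        if current is None:
            continue
        m = INT_SUB_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
            continue
        m = KEY_RE.match(line)
        if m:
            current["key"] = m.group(1)
    return hosts


def check_host(host: dict) -> list:
    """Return findings for one host entry; an empty list means it meets the thread's requirements."""
    findings = []
    if host["key"] is None:
        findings.append("no shared secret: 'key' is missing, so the agent cannot accept requests from this ASA")
    if host["timeout"] is None:
        findings.append(f"timeout not set: configure at least {MIN_TIMEOUT}s ({RECOMMENDED_TIMEOUT}s recommended)")
    elif host["timeout"] < MIN_TIMEOUT:
        findings.append(f"timeout {host['timeout']}s is below the {MIN_TIMEOUT}s needed to complete the phone call")
    elif host["timeout"] < RECOMMENDED_TIMEOUT:
        findings.append(f"timeout {host['timeout']}s meets the minimum; {RECOMMENDED_TIMEOUT}s is recommended")
    for name, expected in (("authentication-port", RADIUS_AUTH_PORT), ("accounting-port", RADIUS_ACCT_PORT)):
        actual = host[name]
        if actual is None:
            findings.append(f"{name} not set explicitly: the ASA default is not {expected}; set it to match the agent")
        elif actual != expected:
            findings.append(f"{name} {actual} does not match the agent's RADIUS port {expected}")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host["host"]):
        findings.append(f"host '{host['host']}' is not an IPv4 address; confirm it is the agent's address")
    return findings


def audit(config_text: str) -> dict:
    """Map 'group/host' -> findings for every aaa-server host entry in the config."""
    return {f"{h['group']}/{h['host']}": check_host(h) for h in parse_aaa_hosts(config_text)}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("weak", WEAK_CONFIG)):
        for entry, findings in audit(cfg).items():
            print(f"[{label}] {entry}: {findings or 'OK'}")
```

The posted entry passes every check, which points the troubleshooting away from the ASA side of the configuration and toward reachability (firewalls between the two hosts) and the agent's RADIUS client definition, as the replies that follow suggest.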


sl_bishop Wed, 12/22/2010 - 14:08

If there are any firewalls in between the ASA and the PhoneFactor Agent, the RADIUS ports (1812, 1813) must be open in them.  To determine whether the PhoneFactor Agent is receiving the RADIUS request or not, you should check the PhoneFactorRadiusSvc.log in the C:\Program Files\PhoneFactor\Logs folder (assuming you installed in the default location and have enabled RADIUS Authentication in the Agent).  If the Agent is receiving the RADIUS request, but authentication is failing, please contact your PhoneFactor sales representative who can have a sales engineer take a look and help you determine what is not configured correctly.

sl_bishop Wed, 12/22/2010 - 14:47

Are you sure of your IP addresses?  Do the RADIUS requests you see in the PhoneFactor logs correspond with the times you have tried to authenticate through the ASA?  Do the ASA logs give you an indication of what happens when you try to log in?  If the IP addresses are correct, the ASA should be sending its RADIUS request to PhoneFactor, and PhoneFactor should be listening for the RADIUS request from that client.  Just for kicks, try adding the IP address that you are seeing in the PhoneFactor RADIUS log as a RADIUS client in the agent, try your authentication and see if it goes through.  If you are still stuck, call PhoneFactor and ask them to have a Sales Engineer or Support Engineer walk through your configuration with you via WebEx.  It sounds like something simple isn't configured quite right.
