Cisco Support Community
New Member

Multiple Multifactor Authentication Protocols On Single ASA?

We currently use AnyConnect client combined with RSA SecurID for multifactor authentication for Windows laptops.

We are considering getting some laptops that don't support the AnyConnect software (such as Chromebooks).


Chromebooks support VPN natively using L2TP/IPsec + preshared key or user certificate along with their user name and static password. There is no UI provided to type in the SecurID PIN and token code, so SecurID is not supported.

If the native VPN client login was combined with something like Microsoft's Phonefactor Azure Multifactor authentication or Duosecurity, which both use RADIUS, it would allow multifactor authentication via automated phone call, SMS or a smartphone app, and the end user Chromebook device doesn't need to "support" it directly since this authentication happens on the back end. All the user needs is the preshared key or certificate plus user name and password, and access to their phone. They log in with their user name and password and then get an automated phone call or text they need to respond to before the authentication is allowed.


Can both Azure Multifactor authentication and RSA SecurID be supported at the same time, so users with AnyConnect use RSA and users without AnyConnect use Azure?

2 ACCEPTED SOLUTIONS
7 REPLIES
Hall of Fame Super Silver

You should be able to do this

You should be able to do this with separate connection profiles, each with their own primary and secondary authentication method.

A given (single) profile can only use a single set of primary and secondary authentication methods.

As an aside, I've used the Duosecurity solution for one client's remote access VPN and found it quite nicely done.
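As an added example (not from this thread, and not Cisco's own documentation), here is what the two-connection-profile approach described above looks like in ASA configuration: one profile for AnyConnect users authenticated against RSA SecurID over SDI, and the default L2TP/IPsec profile, which native Chromebook clients land on, authenticated against an Azure MFA RADIUS agent. Server addresses, names, the pre-shared key, the address pool and the group policies are placeholders; the raised RADIUS timeout and the PAP setting are assumptions about what a phone-call second factor needs, not anything stated in the thread.

```cisco
! --- Authentication servers (addresses are placeholders) ---
! RSA SecurID via native SDI for the AnyConnect profile
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! Azure MFA (Phonefactor) RADIUS agent for the native-client profile
aaa-server AZURE-MFA protocol radius
aaa-server AZURE-MFA (inside) host 192.0.2.20
 key PLACEHOLDER-RADIUS-SECRET
 ! assumption: raise the per-host timeout so a phone call or SMS reply
 ! can complete before the ASA gives up on the RADIUS request
 timeout 60

! --- Group policies: each profile is pinned to one tunnel protocol ---
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
group-policy L2TP-GP internal
group-policy L2TP-GP attributes
 vpn-tunnel-protocol l2tp-ipsec

! --- Profile 1: AnyConnect users, RSA SecurID PIN + tokencode ---
tunnel-group ANYCONNECT-RSA type remote-access
tunnel-group ANYCONNECT-RSA general-attributes
 address-pool VPN-POOL
 authentication-server-group RSA-SDI
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-RSA webvpn-attributes
 group-alias anyconnect enable

! --- Profile 2: native L2TP/IPsec clients (Chromebooks) ---
! IKEv1 pre-shared-key clients cannot name a profile, so they land on
! DefaultRAGroup; that is where the RADIUS/MFA server group is attached.
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL
 authentication-server-group AZURE-MFA
 default-group-policy L2TP-GP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
tunnel-group DefaultRAGroup ppp-attributes
 ! assumption: PAP so the RADIUS server receives the password it must
 ! forward to the MFA service; CHAP-family methods hide it behind a hash
 authentication pap
 no authentication chap
```

Because each profile carries its own authentication-server-group, the RSA and RADIUS/MFA paths never have to coexist inside a single profile, which is the limitation the reply above points out.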

New Member

I am looking at both Azure

I am looking at both Azure and Duosecurity. I like that Azure demos show it works with just a phone required for multifactor authentication.

The demo videos I have seen for Duosecurity and VPN show the users only logging in to VPN through a web page. These VPN web pages usually require Java or ActiveX plugins that do not run on Chromebooks or mobile device browsers. If that's a requirement, it will not meet our needs.

Can Duosecurity work in the same way as Azure where there is no web or app UI required so that the second factor authentication relies only on the user's phone?

Hall of Fame Super Silver

The Duosecurity solution can

The Duosecurity solution can work with clientless SSLVPN. There's pure HTML code you embed in the clientless portal to add a pointer to their cloud-hosted API (via an LDAPS connection) from within the browser session.

For the second factor you can use a PIN code generated from your Duo app on an iOS or Android-based smartphone, have them push an SMS (you type "push" in the second password field), or even call you on your mobile or an old-school land line (you type "phone" and they call your registered number; you can have more than one and would then type "phone2", etc.), and you are prompted to push 1 to validate the authentication call when you answer.

I'm not usually a fanboy but they have a pretty slick setup.

New Member

When I log into our VPN

When I log into our VPN portal, it just prompts the user to download the AnyConnect client.

I assume this must mean the ASA only has Essentials licensing.

If we upgrade the license to Premium licenses on the ASAs we can then enable clientless connections through the browser.  Is there any way to restrict clientless connections to specific devices, so only approved devices can connect using clientless access?

We do not want users to be able to authenticate the clientless connection from their home computers or Internet cafe-type computers.

Hall of Fame Super Silver

I assumed you had clientless

I assumed you had clientless since I thought you implied you are using Chromebooks already.

With AnyConnect Premium and Dynamic Access Policies (DAP) you can certainly restrict users in any number of ways. Certain bits may also require Advanced Endpoint Assessment (AEA) licensing. Another alternative is to use Identity Services Engine (ISE) Authorization profiles.

For instance, you can check for user attributes, client and/or machine X.509 certificates, whether the machine is a member of your domain, certain registry keys exist, etc. etc.

New Member

Thanks. I had only said we

Thanks. I had only said we are considering Chromebooks.

I'm trying to figure out everything we would need to get our setup to work with Chromebooks.

So, the premium licensing requirement seems to be one new requirement I didn't realize we would need. So, the Chromebook IPsec native client won't work as is since it would not require logging into the clientless SSL VPN portal?

I'm not sure Chromebooks can be assessed using those AEA features, but we would be able to at least filter out Windows machines that aren't members of our domain or an approved partner's domain, and those rogue Windows machines are the biggest problem due to being malware prone (viruses, keyloggers, etc.).

The Chromebook's built-in IPsec VPN client can work with user certificates for authentication, but is there anything that prevents a user from just exporting their user certificate and importing it on any other device that supports it?


Hall of Fame Super Silver

You can use MAC address as a

You can use MAC address as a restriction if you have a database of the devices you are using. Even though the MAC doesn't flow across the L3 VPN per se, it is an attribute of the end station that can be queried.

ISE really shines in these sorts of scenarios.

1115 Views | 0 Helpful | 7 Replies