Multiple Multifactor Authentication Protocols On Single ASA?

webabc123
Level 1

We currently use AnyConnect client combined with RSA SecurID for multifactor authentication for Windows laptops.

We are considering getting some laptops that don't support the AnyConnect software (such as Chromebooks).

 

Chromebooks support VPN natively using L2TP/IPsec + preshared key or user certificate along with their user name and static password.  There is no UI provided to type in the SecurID PIN and token code, so SecurID is not supported.

If the native VPN client login was combined with something like Microsoft's Phonefactor Azure Multifactor authentication or Duosecurity, which both use RADIUS, it would allow multifactor authentication via automated phone call, SMS or a smartphone app, and the end user Chromebook device doesn't need to "support" it directly since this authentication happens on the back end.  All the user needs is the preshared key, or certificate, plus user name and password and access to their phone.  They log in with their user name and password and then get an automated phone call or text they need to respond to before the authentication is allowed.

 

Can both Azure Multifactor authentication and RSA SecurID be supported at the same time, so users with AnyConnect use RSA and users without AnyConnect use Azure?


7 Replies

Marvin Rhoads
Hall of Fame

You should be able to do this with separate connection profiles, each with their own primary and secondary authentication method.

A given (single) profile can only use a single set of primary and secondary authentication methods.

As an aside, I've used the Duosecurity solution for one client's remote access VPN and found it quite nicely done.
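An added configuration example of the two-profile layout described in the reply above (this is not code from the thread or from Cisco's documentation). It uses ASA 9.x syntax; every server-group name, IP address, pool and group-policy name is hypothetical. The IKEv1/L2TP transform-set and dynamic crypto map, the AnyConnect image and "webvpn / enable outside" lines, and the on-premises RADIUS proxy that fronts the cloud MFA service are all left out so the AAA parts stand out:

```cisco
! Added example, not from this thread. ASA 9.x syntax; every name, address
! and pool below is hypothetical. Omitted: IKEv1/L2TP transform-set and
! dynamic crypto map, AnyConnect image and "webvpn ... enable outside",
! and the RADIUS proxy that fronts the cloud MFA service.

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- AAA server groups: one per authentication method ---

! RSA SecurID, spoken natively over SDI (PIN + tokencode typed into AnyConnect)
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.10

! Active Directory over LDAP, used as the secondary (password) factor
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password ********
 server-type microsoft

! Cloud MFA (Duo / Azure MFA) behind an on-premises RADIUS proxy. The proxy
! checks the password, then calls/texts/pushes to the phone and only returns
! Access-Accept once the user responds. The long timeout stops the ASA from
! giving up on the request while the phone is still ringing.
aaa-server MFA-RADIUS protocol radius
aaa-server MFA-RADIUS (inside) host 10.0.0.30
 key ********
 timeout 60
 authentication-port 1812
 accounting-port 1813

! --- Profile 1: AnyConnect, SecurID primary + AD password secondary ---
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
tunnel-group ANYCONNECT-RSA type remote-access
tunnel-group ANYCONNECT-RSA general-attributes
 authentication-server-group RSA-SDI
 secondary-authentication-server-group AD-LDAP use-primary-username
 default-group-policy GP-ANYCONNECT
tunnel-group ANYCONNECT-RSA webvpn-attributes
 group-alias RSA enable

! --- Profile 2: native L2TP/IPsec client, RADIUS-fronted MFA ---
! A native L2TP/IPsec client using a pre-shared key cannot select a group
! alias, so it lands in DefaultRAGroup; that profile gets the RADIUS group.
! No secondary group: the proxy supplies the second factor itself.
group-policy GP-L2TP internal
group-policy GP-L2TP attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value VPN-POOL
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group MFA-RADIUS
 default-group-policy GP-L2TP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key ********
tunnel-group DefaultRAGroup ppp-attributes
 ! PAP is assumed: a RADIUS MFA proxy generally needs the cleartext password
 ! to verify it and then trigger the phone factor (check the vendor's docs
 ! for CHAP/MS-CHAP support). The password only travels inside the IPsec SA.
 no authentication chap
 no authentication ms-chap-v1
 authentication pap
```

Before pointing real clients at it, exercise each server group from the ASA itself with "test aaa-server authentication MFA-RADIUS host 10.0.0.30 username jdoe password ..." (and likewise for RSA-SDI and AD-LDAP). For the MFA group the test should make the phone ring and only report success after the call or push is answered; if it returns immediately, the proxy is not enforcing the second factor or the timeout is too short.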

I am looking at both Azure and Duosecurity.  I like  that Azure demos show it works with just a phone required for multifactor authentication.

The demo videos I have seen for Duosecurity and VPN show the users only logging in to VPN through a web page.  These VPN web pages usually require Java or ActiveX plugins that do not run on Chromebooks or mobile device browsers.  If that's a requirement, it will not meet our needs.  

Can Duosecurity work in the same way as Azure where there is no web or app UI required so that the second factor authentication relies only on the user's phone?

The Duosecurity solution can work with clientless SSLVPN. There's pure html code you embed in the clientless portal to add a pointer to their cloud-hosted API (via an LDAPS connection) from within the browser session.

For the second factor you can use a PIN code generated from your DUO app on an iOS or Android-based smart phone, have them push an SMS (you type "push" in the second password field), or even call you on your mobile or an old-school land line (you type "phone" and they call your registered number; you can have more than one and would then type "phone2" etc., and you are prompted to push 1 to validate the authentication call when you answer).

I'm not usually a fanboy but they have a pretty slick setup.

When I log into our VPN portal, it just prompts the user to download the AnyConnect client.

I assume this must mean the ASA only has Essentials licensing.

If we upgrade the license to Premium licenses on the ASAs we can then enable clientless connections through the browser.  Is there any way to restrict clientless connections to specific devices, so only approved devices can connect using clientless access?

We do not want users to be able to authenticate the clientless connection from their home computers or Internet cafe-type computers.

I assumed you had clientless since I thought you implied you are using Chromebooks already.

With AnyConnect Premium and Dynamic Access Policies (DAP) you can certainly restrict users in any number of ways. Certain bits may also require Advanced Endpoint Assessment (AEA) licensing. Another alternative is to use Identity Services Engine (ISE) Authorization profiles. 

For instance, you can check for user attributes, client and/or machine X.509 certificates, whether the machine is a member of your domain, certain registry keys exist, etc. etc.
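One way to use the client-certificate check mentioned above to keep the clientless portal away from unmanaged machines, as an added example (not code from the thread, from Cisco, or from the poster's own setup). It assumes the Premium (clientless) licensing discussed earlier, a corporate CA called "ExampleCorpDeviceCA" that only issues certificates to managed devices, and an existing RADIUS server group named MFA-RADIUS that fronts Duo or Azure MFA; all names are hypothetical and the syntax is ASA 9.x:

```cisco
! Added example, not from this thread; hypothetical names. Assumes Premium
! (clientless) licensing, a device CA that certifies only managed machines,
! and a RADIUS server group MFA-RADIUS that already exists.

! Ask every TLS client on the outside interface for a certificate during the
! handshake. Browsers with no certificate never reach the login page.
! Caveat: this gates the whole listener, so AnyConnect users on the same
! interface and port also need a certificate.
ssl certificate-authentication interface outside port 443

! Match certificates issued by the device CA
crypto ca certificate map MANAGED-DEVICES 10
 issuer-name attr cn eq ExampleCorpDeviceCA

! Clientless profile: certificate AND RADIUS-fronted MFA
group-policy GP-CLIENTLESS internal
group-policy GP-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
tunnel-group CLIENTLESS-MANAGED type remote-access
tunnel-group CLIENTLESS-MANAGED general-attributes
 authentication-server-group MFA-RADIUS
 default-group-policy GP-CLIENTLESS
tunnel-group CLIENTLESS-MANAGED webvpn-attributes
 authentication aaa certificate
 group-alias managed enable

! Steer sessions that presented a device-CA certificate into that profile
webvpn
 enable outside
 certificate-group-map MANAGED-DEVICES 10 CLIENTLESS-MANAGED
```

Note what this does and does not prove: the ASA learns that the browser holds a certificate from the device CA, not that the browser is on the device the certificate was issued to. A user who exports the certificate carries that proof with them, which is exactly the concern raised in the next reply; checks on the endpoint itself (domain membership, registry keys, posture via DAP or ISE) are what tie the session to a particular machine.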

Thanks. I had only said we are considering Chromebooks. 

I'm trying to figure out everything we would need to get our setup to work with Chromebooks.

So, the premium licensing requirement seems to be one new requirement I didn't realize we would need.  So, the Chromebook IPSEC native client won't work as is since it would not require logging into the clientless SSL VPN portal?

I'm not sure Chromebooks can be assessed using those AEA features, but we would be able to at least filter out Windows machines that aren't members of our domain or an approved partner's domain, and those rogue Windows machines are the biggest problem due to being malware-prone (viruses, keyloggers etc.).

The Chromebook's built-in IPSEC VPN client can work with user certificates for authentication, but is there anything that prevents a user from just exporting their user certificate and importing it on any other device that supports it?

 

You can use MAC address as a restriction if you have a database of the devices you are using. Even though the MAC doesn't flow across the L3 VPN per se, it is an attribute of the end station that can be queried.

ISE really shines in these sorts of scenarios.
