The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Cisco AnyConnect SSL-VPN.
Prerequisites & general issues
A Mideye Server (any release). If there is a firewall between the Cisco ASA and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). Cisco ASA acts as a RADIUS client towards the Mideye Server. Hence, the Cisco ASA must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.
Password-change using MS-CHAP-v2
Since Cisco ASA supports MS-CHAP-v2 as authentication protocol, users whose password is about to expire can change it when logging in using AnyConnect SSL-VPN. This feature requires Mideye Server release 4.3.0 or higher. For detailed instructions on how to enable password management, see section Enable password-management (MS-CHAP-v2).
Limitations with dynamic RADIUS-reject messages
The option to present RADIUS-reject messages dynamically from a RADIUS server was introduced in ASA version 8.3.x when using PAP as authentication method (the default authentication method). This means that more information about failed login attempts is presented to the user, enabling users to solve login problems themselves. For example, if login fails because the mobile phone is not reachable, the Mideye error message ’Phone not reachable, for help see [www.mideye.com/help]’ is displayed to the user instead of the default message ’Login failed’. Information about token cards that are out of sync can also be presented to the user. When using MS-CHAP-v2, dynamic reject messages will not be taken from the Mideye Server but from an internal database on your ASA. This means that reject messages cannot be customised the same way as with PAP. Challenge messages will still be presented from the Mideye Server. For detailed instructions on how to enable dynamic RADIUS messages, see section Dynamically display RADIUS-reject messages.
This guide will not explain how to create a new connection profile. Refer to the Cisco documentation on how to set up your ASA to act as a remote-access VPN using AnyConnect.
The following steps describe how to create a new RADIUS client on your Mideye Server, and how to create a new AAA server and apply it to an existing connection profile with SSL-VPN enabled. All steps regarding the Cisco ASA are executed from IOS accessed from either SSH, telnet or console.
Create a new RADIUS-client
Open “Configuration Tool” on your Mideye Server and click the “RADIUS-clients” tab. Click “New” and type the IP-address or hostname for your Cisco ASA. Click “LDAP Server” and assign LDAP-servers. Click “OK” followed by “Save” and “Close” to restart the services.
Create a new AAA-server using RADIUS
From Cisco IOS, enter global configuration mode:
Cisco-ASA> enable
Cisco-ASA# config terminal
Cisco-ASA(config)#
Create a new AAA-server using RADIUS:
Cisco-ASA (config)# aaa-server mideye-server protocol RADIUS
Assign IP address, shared secret and timeout settings for the AAA server (here the Mideye Server is reached through the interface named "internal"):
Cisco-ASA(config)# aaa-server mideye-server (internal) host 172.16.10.100
Cisco-ASA(config-aaa-server-host)# key ******
Cisco-ASA(config-aaa-server-host)# authentication-port 1812
Cisco-ASA(config-aaa-server-host)# accounting-port 1813
Cisco-ASA(config-aaa-server-host)# timeout 35
Cisco-ASA(config-aaa-server-host)# exit
Apply the created AAA server to your existing SSL-VPN profile (replace mideye-server in the tunnel-group command with the name of your connection profile; the authentication-server-group must be the AAA server group created above):
Cisco-ASA(config)# tunnel-group mideye-server general-attributes
Cisco-ASA(config-tunnel-general)# authentication-server-group mideye-server
Write the configuration made to memory:
Cisco-ASA(config)# write memory
Verify two-factor OTP functionality
To verify that RADIUS is set up correctly, log on to your Cisco ASA firewall using ASDM and navigate to Configuration → Remote Access VPN → AAA/Local Users. Select the “Server Group” and the correct server name and click “Test”. Select “Authentication” and type a username and password that your RADIUS server should be able to find via LDAP. An SMS OTP should be delivered, followed by the following error message:
Configure settings for the connection-profile
This chapter will explain various settings that can be made on the connection-profile.
Increase the timeout-value for the Cisco Anyconnect client
The default timeout value for a connection attempt initiated from a Cisco AnyConnect client is 12 seconds. For full functionality with the Mideye RADIUS server, the recommended timeout value is 35 seconds. This can only be changed using Cisco ASDM, since the change is written to an XML profile.
To change the timeout value, open ASDM and click “Configuration” → ”Remote Access VPN” → ”Network (Client) Access” → ”AnyConnect Client Profile”. Select the client profile used for Cisco AnyConnect and click “Edit”. If none exists, create a new one, assign it to the group policy for AnyConnect and then click “Edit”. Navigate to “Preferences (Part 2)” and change the value “Authentication timeout (seconds)” to 35 seconds. This new timeout value is downloaded automatically when connecting using the Cisco AnyConnect client.
The last step is to add a Server Listing. Navigate to Server List and click “Add”. Add a host display name followed by the FQDN of the SSL-VPN URL. Save the configuration.
Note: The first time this is changed, end users must first download the new .xml profile. The new timeout takes effect on their second connection using AnyConnect.
Dynamically display RADIUS-reject messages
Mideye error messages (and the default language) can be modified via the Mideye Configuration tool, see screenshot below. RADIUS-reject messages on Cisco AnyConnect Secure Mobility will only work on Security Appliance Software Version 9.1(2) or higher using Cisco AnyConnect Secure Mobility Client 3.1.04066 or higher. This will only work when PAP is used as authentication protocol. To enable the dynamic reject messages from ASDM, complete the following steps.
- Click on “Configuration” followed by “Remote Access VPN”
- Click the “AnyConnect Connection Profile” and select the connection profile used for login with RADIUS followed by “Edit”
- Expand “Advanced” and click “Group Alias / Group URL”
- Check “Enable the display of RADIUS Reject-Messages on the login screen when authentication is rejected.”
Reject messages from Mideye RADIUS-server shown instead of “Login Failed”.
Enable password-management (MS-CHAP-v2)
Starting from Mideye Server release 4.3.0 it is possible to manage passwords that are about to expire. This requires further configuration on the Mideye Server (refer to the Configuration guide). To enable this feature on Cisco ASA, the following configuration needs to be added (replace mideye-server with the name of your connection profile):
Cisco-ASA(config)# tunnel-group mideye-server ppp-attributes
Cisco-ASA(config-ppp)# no authentication pap
Cisco-ASA(config-ppp)# authentication ms-chap-v2
Cisco-ASA(config-ppp)# exit
Save the configuration:
Cisco-ASA(config)# write memory
Configure RADIUS-client to properly display special characters such as å, ä and ö
By default, any created RADIUS client uses UTF-8 as encoding. To properly display special characters such as å, ä and ö, the encoding has to be changed to ISO-8859-1. This can be done by opening “Radiusconfigure” on your Mideye Server and selecting RADIUS Clients. Select the RADIUS client created for the ASA 55xx and click “Modify”. Click “Client configuration” and change “Encoding” to ISO-8859-1. Click “OK”, “Save” and “Close” to restart the Mideye Server.
This chapter explains optional configuration such as Dynamic Access Policy (DAP) with RADIUS-translation.
Dynamic Access Policy using RADIUS-translation
To further extend the functionality of RADIUS, Dynamic Access Policy (DAP) can be used to assign specific users or groups permissions from LDAP when logging in using AnyConnect. This requires configuration on both the Mideye Server and the Cisco ASA. When using DAP, all AnyConnect users share the same IP subnet but are granted access to certain network resources based on which group(s) they belong to in LDAP. Complete the following steps to enable RADIUS translation with DAP:
Steps for Mideye Server:
- Open “Configuration Tool” on your Mideye Server and click the “LDAP RADIUS Translation” tab. Click “New”.
- Type the Distinguished Name of a group containing users of a certain type (for example administrators) in the “LDAP Attribute Value” field. Select “CLASS” and click “Assign”. Add a suitable string for the group and click “OK”. Starting from Mideye Server release 4.2.3, LDAP-RADIUS translation can also be used with wildcards/Java Regular Expressions, e.g. CN=Mideye-administrators.*
- Click “LDAP Servers”, select the LDAP Server being used and click “Modify”. Navigate to the “LDAP-RADIUS” tab, check “LDAP-RADIUS Translation” and type “memberOf” in the “LDAP Attribute Name:” field.
- Click “Save” and “Close” to restart the service.
Steps for Cisco ASA:
- All configuration for DAP must be done using ASDM. Click “Configuration” → ”Remote Access VPN” → ”Network (Client) Access” → ”Dynamic Access Policy”. Click “Add”.
- Give the policy a suitable Policy name and change the “Selection Criteria” to “User has ALL of the following AAA…”
- Click the left “Add” button, change the AAA Attribute Type to “RADIUS” and type the Attribute ID 25 (Class). Add the same value as the string configured on the Mideye Server.
- Click the “Network ACL Filters (client)” tab. Click “Manage” followed by “Add”. Create a new ACL and give it a suitable name. Select the ACL and click “Add” and add a new ACE. Add permissions to what networks or IP-addresses users should have access to. Click “OK” and finish the new DAP.
Repeat steps 1-8 to add more groups. Verify that your DAP policies work by connecting using AnyConnect. When verified, change the default DAP “DfltAccessPolicy” to terminate all other connections. This can be done by selecting the default DAP policy, clicking “Edit” and changing “Action” to “Terminate”.
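To make the division of work between the two sides concrete, the following is an added example (not Mideye or Cisco code) of what the translation and the DAP selection do with a user's group memberships. The translation table and DAP records are constructed, the patterns are assumed to be matched against the whole memberOf value (as Java's matches() does), and the DAP evaluation is a simplified model: every record whose required Class values are all present applies, and the terminating default policy ends the session when nothing matches.

```python
import re

# Constructed translation table, the equivalent of the "LDAP RADIUS Translation" entries on the
# Mideye Server: an LDAP group DN (exact, or a Java-style regular expression from release 4.2.3)
# mapped to the string sent in the RADIUS Class attribute (ID 25). Python's re accepts these patterns.
TRANSLATION = [
    (r"CN=Mideye-administrators.*", "mideye-admins"),
    (r"CN=VPN-Finance,OU=Groups,DC=example,DC=com", "vpn-finance"),
]

# Constructed DAP records: one "User has ALL of the following AAA attributes" policy each, with its
# client ACL. DfltAccessPolicy is assumed to be set to Terminate, as the guide recommends.
DAP_RECORDS = [
    {"name": "DAP-Admins", "requires": {"mideye-admins"}, "acl": "ACL-ADMIN"},
    {"name": "DAP-Finance", "requires": {"vpn-finance"}, "acl": "ACL-FINANCE"},
    {"name": "DAP-Finance-Admins", "requires": {"vpn-finance", "mideye-admins"}, "acl": "ACL-FINANCE-ADMIN"},
]


def translate(member_of):
    """Map a user's memberOf values to the Class strings the Mideye Server would return (whole-string match assumed)."""
    classes = []
    for dn in member_of:
        for pattern, value in TRANSLATION:
            if re.fullmatch(pattern, dn) and value not in classes:
                classes.append(value)
    return classes


def select_dap(classes):
    """Simplified ASA DAP evaluation: all records whose required Class values are present apply and
    their ACLs are collected; with no match, the terminating default policy ends the session."""
    present = set(classes)
    matched = [r for r in DAP_RECORDS if r["requires"] <= present]
    if not matched:
        return {"action": "terminate", "policies": ["DfltAccessPolicy"], "acls": []}
    return {"action": "continue",
            "policies": [r["name"] for r in matched],
            "acls": [r["acl"] for r in matched]}


def authorize(member_of):
    """What a given user ends up with: the Class values on the wire and the resulting DAP decision."""
    classes = translate(member_of)
    return {"classes": classes, **select_dap(classes)}


if __name__ == "__main__":
    # Constructed sample users: a regional admin group caught by the wildcard, and an unmapped group
    print(authorize(["CN=Mideye-administrators-oslo,OU=Groups,DC=example,DC=com"]))
    print(authorize(["CN=Sales,OU=Groups,DC=example,DC=com"]))
```

The second sample user belongs to a group without a translation entry, so no Class attribute is returned and, with DfltAccessPolicy set to Terminate, the connection is dropped rather than silently landing in the default policy with whatever access it grants.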
Check if anything is written to the Mideye RADIUS logs
If nothing is logged, verify that udp/1812 is allowed between your Cisco ASA and Mideye Server.
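When the ASDM test in the Verify two-factor OTP functionality section gives no result, it helps to send a single PAP Access-Request from another host and look at the raw reply. The following is an added example written for this guide (not a Mideye or Cisco tool), using only the Python standard library. It builds the RFC 2865 Access-Request the ASA would send with the User-Password obscured the PAP way, verifies the Response Authenticator on the reply so that a wrong shared secret is detected, and decodes the Reply-Message attribute, which is the text shown on the login screen when dynamic reject messages are enabled. The demo() function runs offline on constructed packets; radius_auth() is what you would point at the real Mideye Server. Host addresses, the shared secret and the Swedish reply text are constructed values.

```python
import hashlib
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE, CLASS = 1, 2, 4, 18, 24, 25
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block), first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt (what the RADIUS server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; the length byte includes the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """PAP Access-Request as the ASA sends it; a fixed authenticator is only for reproducible tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data, encoding="utf-8"):
    """Walk the TLV list; text attributes are decoded with the encoding set on the Mideye RADIUS client (UTF-8 by default)."""
    result, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        if atype in (USER_NAME, REPLY_MESSAGE, CLASS):
            value = value.decode(encoding, errors="replace")
        result.append((atype, value))
        pos += alen
    return result


def parse_response(packet, request_packet, secret, encoding="utf-8"):
    """Verify the Response Authenticator (MD5 over header, Request Authenticator, attributes, secret) before trusting the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])  # raises on a truncated header
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_packet[4:20] + attrs + secret).digest()
    if len(packet) < length or expected != packet[4:20] or ident != request_packet[1]:
        raise ValueError("Response Authenticator or identifier mismatch (wrong shared secret?)")
    return {"code": CODE_NAMES.get(code, str(code)), "id": ident, "attributes": parse_attributes(attrs, encoding)}


def build_response(code, request_packet, secret, attrs=b""):
    """Reply as a RADIUS server would build it (used here only to construct offline test data)."""
    header = struct.pack("!BBH", code, request_packet[1], 20 + len(attrs))
    return header + hashlib.md5(header + request_packet[4:20] + attrs + secret).digest() + attrs


def radius_auth(host, username, password, secret, nas_ip, port=1812, timeout=35, encoding="utf-8"):
    """Send one PAP Access-Request and return the parsed reply; a socket.timeout most likely means udp/1812 is blocked."""
    request = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, request, secret, encoding)


def demo():
    """Offline walk-through on constructed packets: a reject carrying the reply text quoted in this guide,
    and an ISO-8859-1 message decoded with the right and the wrong client encoding."""
    secret = b"constructed-shared-secret"
    request = build_access_request(7, "alice", "Passw0rd", secret, "172.16.10.1", b"\x2a" * 16)
    reject = build_response(ACCESS_REJECT, request, secret,
                            attr(REPLY_MESSAGE, "Phone not reachable, for help see [www.mideye.com/help]".encode()))
    latin1 = "Återstående försök: 2".encode("iso-8859-1")  # constructed Swedish reply text
    return {
        "password_roundtrip": pap_decrypt(parse_attributes(request[20:])[1][1], secret, request[4:20]),
        "reject": parse_response(reject, request, secret),
        "latin1_right": parse_attributes(attr(REPLY_MESSAGE, latin1), "iso-8859-1")[0][1],
        "latin1_wrong": parse_attributes(attr(REPLY_MESSAGE, latin1), "utf-8")[0][1],
    }
```

Against a live Mideye Server, a call such as radius_auth("172.16.10.100", "alice", "password", b"secret", "172.16.10.1") should trigger the SMS OTP and return an Access-Challenge or Access-Reject; no reply within the timeout points at the udp/1812 path, and an authenticator mismatch points at the shared secret. The two latin1 values in demo() show why the encoding on the RADIUS client has to match: the same bytes decode cleanly as ISO-8859-1 but produce replacement characters as UTF-8.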
Contact Mideye support
For further support please contact Mideye support, firstname.lastname@example.org, +46854514750.