Cisco AnyConnect

Introduction

The purpose of this guide is to describe how to integrate Mideye two-factor authentication with Cisco AnyConnect SSL-VPN on a Cisco ASA.

Prerequisites & general issues

Requirements

A Mideye Server (any release). If there is a firewall between the Cisco ASA and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812 for authentication; also UDP 1813 if RADIUS accounting is used). The Cisco ASA acts as a RADIUS client towards the Mideye Server, so the Cisco ASA must be defined as a RADIUS client on the Mideye Server, with the same shared secret on both sides. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Password-change using MS-CHAP-v2

Since the Cisco ASA supports MS-CHAP-v2 as authentication protocol, users whose password is about to expire can change it while logging on with AnyConnect SSL-VPN. This feature requires Mideye Server release 4.3.0 or higher. For detailed instructions on how to enable password management, see section Enable password-management (MS-CHAP-v2).

Limitations with dynamic RADIUS-reject messages

The option to present RADIUS reject messages dynamically from a RADIUS server was introduced in ASA version 8.3.x when PAP is used as authentication method (the default). More information about a failed login attempt is then presented to the user, so that users can solve many login problems themselves. For example, if login fails because the mobile phone cannot be reached, the Mideye error message ’Phone not reachable, for help see [www.mideye.com/help]’ is displayed instead of the default ’Login failed’. Information about token cards that are out of sync can be presented in the same way. When MS-CHAP-v2 is used, reject messages are not taken from the Mideye Server but from an internal message table on the ASA, so they cannot be customised the way they can with PAP. Challenge messages are still presented from the Mideye Server. For detailed instructions on how to enable dynamic RADIUS messages, see section Dynamically display RADIUS-reject messages.

Prerequisites

This guide does not explain how to create a new connection profile. Refer to the Cisco documentation on how to set up your ASA as a remote-access VPN using AnyConnect.

Integration steps

The following steps describe how to create a new RADIUS client on your Mideye Server, and how to create a new AAA server group on the ASA and apply it to an existing connection profile with SSL-VPN enabled. All steps on the Cisco ASA are executed from the ASA command line, accessed via SSH or the console (telnet is unencrypted and should be avoided for management access).

Create a new RADIUS-client

Open “Configuration Tool” on your Mideye Server and click the “RADIUS-clients” tab. Click “New” and type the IP address or hostname of your Cisco ASA (the address the ASA sends RADIUS requests from, i.e. the interface facing the Mideye Server). Click “LDAP Server” and assign LDAP servers. Click “OK” followed by “Save” and “Close” to restart the services.

Create a new RADIUS-client for your Cisco ASA.

Assign LDAP-servers

Create a new AAA-server using RADIUS

From the ASA command line, enter global configuration mode:

Cisco-ASA> enable
Cisco-ASA# configure terminal
Cisco-ASA(config)#

Create a new AAA server group using RADIUS:

Cisco-ASA(config)# aaa-server mideye-server protocol radius

Add the Mideye Server as a host in the group and assign its IP address, the shared secret and the timeout. The name in parentheses is the ASA interface facing the Mideye Server. The shared secret is the only thing that authenticates the ASA to the Mideye Server and that protects the user password inside the RADIUS packets, so use a long, random value and the same value on both sides. The 35-second timeout gives the user time to receive and enter the SMS OTP and matches the AnyConnect client timeout set later in this guide:

Cisco-ASA(config)# aaa-server mideye-server (internal) host 172.16.10.100
Cisco-ASA(config-aaa-server-host)# key ******
Cisco-ASA(config-aaa-server-host)# authentication-port 1812
Cisco-ASA(config-aaa-server-host)# accounting-port 1813
Cisco-ASA(config-aaa-server-host)# timeout 35
Cisco-ASA(config-aaa-server-host)# exit

Apply the created AAA server group to your existing SSL-VPN connection profile. The tunnel-group name is the name of that connection profile, and the argument to authentication-server-group is the name of the aaa-server group created above (mideye-server), not the literal word RADIUS:

Cisco-ASA(config)# tunnel-group mideye-server general-attributes
Cisco-ASA(config-tunnel-general)# authentication-server-group mideye-server
Cisco-ASA(config-tunnel-general)# exit

Write the configuration to memory:

Cisco-ASA(config)# write memory

Verify two-factor OTP functionality

To verify that RADIUS is set up correctly, log on to your Cisco ASA using ASDM and navigate to Configuration → Remote Access VPN → AAA/Local Users. Select the “Server Group” and the correct server name and click “Test”. Select “Authentication” and type a username and password that your Mideye Server can look up via LDAP. An SMS OTP should be delivered, followed by an error message in ASDM:

This message appears because the ASDM test dialog cannot handle challenge-response: it has no way to answer the Access-Challenge in which the Mideye Server asks for the OTP. Receiving the SMS is the confirmation that the RADIUS exchange and the LDAP lookup work; a full login must be tested with the AnyConnect client.
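A way to test the whole exchange, including the challenge round that ASDM skips, is to script a RADIUS client. The following is an added example written for this guide, not Mideye or Cisco code. It implements the RFC 2865 Access-Request/Access-Challenge/Access-Accept exchange with PAP password hiding and Response Authenticator verification, decodes Reply-Message as ISO-8859-1 (the encoding this guide configures for the ASA RADIUS client) and reads the Class attribute (RADIUS attribute 25) that the later DAP section matches on. simulated_mideye_server() is a constructed stand-in for the Mideye Server so the module runs offline; its user table, OTP values, Reply-Message texts and Class string are made up. To test a real server, replace send() with a function that writes the request to udp/1812 and returns the reply.

```python
"""Minimal RADIUS (RFC 2865) PAP client with challenge-response support.

Added example, not Mideye or Cisco code. simulated_mideye_server() is a
constructed stand-in for the Mideye Server (users, OTPs, messages and the
Class value are made up); swap send() for a UDP socket to test a real server.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, CLASS = 1, 2, 18, 24, 25


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, state=None):
    """Access-Request with a fresh random Request Authenticator (never reuse one)."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode("latin-1")),
             (USER_PASSWORD, hide_password(password.encode("latin-1"), secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo State so the server can pair both rounds
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth


def build_response(code, ident, secret, request_auth, attrs):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_response(packet, secret, request_auth, ident):
    """Return (code, attrs) after checking identifier and Response Authenticator."""
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if pid != ident or length < 20 or length > len(packet):
        raise ValueError("response does not match the outstanding request")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, decode_attrs(packet[20:])


def login(send, secret, username, password, otp_for):
    """Round 1 sends the LDAP password; on Access-Challenge, round 2 sends the OTP.
    Returns (accepted, reply_messages, class_values); text is decoded as ISO-8859-1."""
    ident = os.urandom(1)[0]
    req, auth = build_access_request(ident, secret, username, password)
    code, attrs = parse_response(send(req), secret, auth, ident)
    if code == ACCESS_CHALLENGE:
        state = next((v for t, v in attrs if t == STATE), None)
        prompt = [v.decode("latin-1") for t, v in attrs if t == REPLY_MESSAGE]
        ident = (ident + 1) % 256
        req, auth = build_access_request(ident, secret, username, otp_for(prompt), state)
        code, attrs = parse_response(send(req), secret, auth, ident)
    msgs = [v.decode("latin-1") for t, v in attrs if t == REPLY_MESSAGE]
    classes = [v.decode("latin-1") for t, v in attrs if t == CLASS]
    return code == ACCESS_ACCEPT, msgs, classes


def simulated_mideye_server(packet, secret, users):
    """Constructed stand-in: round 1 checks the password and challenges for the SMS
    OTP; round 2 (State present) checks the OTP and returns Class for DAP."""
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode("latin-1")
    pw = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode("latin-1")
    entry = users.get(user)
    reply = lambda code, a: build_response(code, ident, secret, req_auth, a)
    if STATE not in attrs:
        if entry is None or pw != entry["password"]:
            return reply(ACCESS_REJECT, [(REPLY_MESSAGE, b"Login failed")])
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter the one-time password sent by SMS"),
                                        (STATE, b"otp:" + user.encode("latin-1"))])
    if entry and attrs[STATE] == b"otp:" + user.encode("latin-1") and pw == entry["otp"]:
        return reply(ACCESS_ACCEPT, [(CLASS, entry["class"].encode("latin-1"))])
    return reply(ACCESS_REJECT, [(REPLY_MESSAGE, b"Wrong one-time password, for help see www.mideye.com/help")])
```

Two things worth noticing when running this against a real server: a Response Authenticator mismatch almost always means the shared secret differs between the ASA client definition on the Mideye Server and the aaa-server host, and the only protection RADIUS itself gives the password is the MD5-based hiding above, so the path between the ASA and the Mideye Server should be a trusted network, not the Internet.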

Configure settings for the connection-profile

This chapter explains various settings that can be made on the connection profile.

Increase the timeout-value for the Cisco Anyconnect client

The default authentication timeout for a connection attempt initiated from a Cisco AnyConnect client is 12 seconds, which is not enough for the user to receive and enter an SMS OTP. For full functionality with the Mideye RADIUS server, the recommended timeout value is 35 seconds (the same value as the aaa-server timeout configured earlier). This can only be changed using Cisco ASDM, since the setting is stored in the AnyConnect client profile XML file.

To change the timeout value, open ASDM and click “Configuration” → ”Remote Access VPN” → ”Network (Client) Access” → ”AnyConnect Client Profile”. Select the client profile used for Cisco AnyConnect and click “Edit”. If none exists, create a new one, assign it to the group policy for AnyConnect and then click “Edit”. Navigate to “Preferences (Part 2)” and change the value “Authentication timeout (seconds)” to 35 seconds. The new timeout value is downloaded automatically when connecting with the Cisco AnyConnect client.

Change the timeout-value to 35 seconds (default 12 seconds).

The last step is to add a server list entry. Navigate to “Server List” and click “Add”. Add a host display name followed by the FQDN of the SSL-VPN URL. Save the configuration.

Note: The first time this is changed, end users must first download the new .xml profile. The new timeout takes effect from their second connection using AnyConnect.

Dynamically display RADIUS-reject messages

Mideye error messages (and the default language) can be modified via the Mideye Configuration Tool, see screenshot below. RADIUS reject messages on Cisco AnyConnect Secure Mobility only work on Security Appliance Software version 9.1(2) or higher with Cisco AnyConnect Secure Mobility Client 3.1.04066 or higher, and only when PAP is used as authentication protocol. To enable dynamic reject messages from ASDM, complete the following steps.

  1. Click on “Configuration” followed by “Remote Access VPN”
  2. Click the “AnyConnect Connection Profile” and select the connection profile used for login with RADIUS followed by “Edit”
  3. Expand “Advanced” and click “Group Alias / Group URL”
  4. Check “Enable the display of RADIUS Reject-Messages on the login screen when authentication is rejected.”

Reject messages from Mideye RADIUS-server shown instead of “Login Failed”.

Reject messages dynamically displayed by the Mideye Server. These messages can be modified using configuration-tool on your Mideye Server.

Enable password-management (MS-CHAP-v2)

Starting from Mideye Server release 4.3.0 it is possible to manage passwords that are about to expire. This requires further configuration on the Mideye Server (refer to the Configuration guide). On the Cisco ASA, password management is enabled with the password-management command under the connection profile's general-attributes; in addition, the connection profile must be switched from PAP to MS-CHAP-v2 with the following configuration (use the name of your own connection profile in place of mideye-server). Note that once PAP is disabled, reject messages are no longer taken from the Mideye Server, as described in the Limitations section above.

Cisco-ASA(config)# tunnel-group mideye-server ppp-attributes
Cisco-ASA(config-ppp)# no authentication pap
Cisco-ASA(config-ppp)# authentication ms-chap-v2
Cisco-ASA(config-ppp)# exit

Save the configuration:

Cisco-ASA(config)# write memory

Configure RADIUS-client to properly display special characters such as å, ä and ö

By default, any newly created RADIUS client uses UTF-8 as encoding. The ASA expects the text in RADIUS Reply-Message attributes to be ISO-8859-1, so multi-byte UTF-8 characters such as å, ä and ö would be displayed as garbage in the AnyConnect client. To display them properly, change the encoding to ISO-8859-1. This is done by opening “Radiusconfigure” on your Mideye Server and selecting “RADIUS Clients”. Select the RADIUS client created for the ASA55xx and click “Modify”. Click “Client configuration” and change “Encoding” to ISO-8859-1. Click “OK”, “Save” and “Close” to restart the Mideye Server.

Optional configuration

This chapter explains optional configuration such as Dynamic Access Policy (DAP) with RADIUS-translation.

Dynamic Access Policy using RADIUS-translation

To further extend the functionality of RADIUS, Dynamic Access Policy (DAP) can be used to grant specific users or groups permissions based on their LDAP group membership when logging in using AnyConnect. This requires configuration on both the Mideye Server and the Cisco ASA. The Mideye Server translates the user's LDAP group membership into a RADIUS Class attribute in the Access-Accept, and the ASA selects a DAP by matching that attribute. When using DAP, all AnyConnect users share the same IP subnet but are granted access to certain network resources based on which group(s) they belong to in LDAP. Complete the following steps to enable RADIUS translation with DAP:

Steps for Mideye Server:

  • Open “Configuration Tool” on your Mideye Server and click the “LDAP RADIUS Translation” tab. Click “New”.
  • Type the distinguished name of a group containing users of a certain type (for example administrators) in the “LDAP Attribute Value” field. Select “CLASS” and click “Assign”. Add a suitable string for the group and click “OK”. Starting from Mideye Server release 4.2.3, LDAP-RADIUS translation can also be used with wildcard/Java regular expressions, e.g. CN=Mideye-administrators.* (anchor such patterns carefully, so that a group with a similar name prefix does not also match).
Add DN, select CLASS and add a string for the DN.

  • Click “LDAP Servers”, select the LDAP server being used and click “Modify”. Navigate to the “LDAP-RADIUS” tab, check “LDAP-RADIUS Translation” and type “memberOf” in the “LDAP Attribute Name:” field.
Enable LDAP - RADIUS Translation on the LDAP-server

  • Click “Save” and “Close” to restart the service.

Steps for Cisco ASA:

  • All configuration for DAP must be done using ASDM. Click “Configuration” → ”Remote Access VPN” → ”Network (Client) Access” → ”Dynamic Access Policy”. Click “Add”.
  • Give the policy a suitable policy name and change the “Selection Criteria” to “User has ALL of the following AAA…”
  • Click the left “Add” button, change the AAA Attribute Type to “RADIUS” and type Attribute ID 25 (the standard RADIUS Class attribute). Enter the same value as the string configured on the Mideye Server.
Create a new Dynamic Access Policy.

  • Click the “Network ACL Filters (client)” tab. Click “Manage” followed by “Add”. Create a new ACL and give it a suitable name. Select the ACL, click “Add” and add a new ACE. Add permit entries only for the networks or IP addresses this group of users should have access to. Click “OK” and finish the new DAP.
Manage permissions for the DAP.

Repeat the steps above for each additional group. Verify that your DAP policies work by connecting using AnyConnect with a user from each group. Once verified, change the default DAP “DfltAccessPolicy” to terminate all other connections, so that a user whose Class value matches no policy (for example a user in no translated LDAP group) is disconnected instead of silently receiving the default access. This is done by selecting the default DAP policy and clicking “Edit”, then changing “Action” to “Terminate”.

Change the default DAP to terminate all other connections

Troubleshooting

Check RADIUS-logs

Check whether anything is written to the Mideye RADIUS log:

Mideye Server\log\radius-messages.log

If nothing is logged, verify that udp/1812 is allowed between your Cisco ASA and the Mideye Server, and that the ASA's source IP address matches the RADIUS client defined on the Mideye Server. If requests are logged but rejected, check that the shared secret is identical on both sides.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.