IMPLEMENTING MFA FOR CISCO ASA VPN USING UPSSO

This document provides instructions to integrate Cisco ASA SSL VPN with UPSSO to implement MFA (Multi-factor Authentication).

PRE-REQUISITES

To integrate UPSSO with the Cisco ASA SSL VPN, below are the pre-requisites we need.

  • Administrator access to UPSSO Portal.
  • Cisco ASA version 9.X and higher
  • Cisco AnyConnect VPN version 4.6 or higher.

CISCO ASA VPN & MFA NETWORK DIAGRAM

  1. User authenticated to the firewall using Cisco any connect software.
  2. Cisco ASA firewall sends an authentication request to the UPSSO Radius server.
  3. UPSSO Radius server forwards the authentication request to the IDP server.
  4. IDP server checks the authentication request with enterprise LDAP or UPSSO directory.
  5. IDP sends the multi-factor token to be configured methods, like Google authenticator, SMS, or Email.
  6. Radius receives authorization accept or reject method from the IDP server.
  7. UPSSO Radius server confirms the Authentication request to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Login to the UPSSO portal.
  2. Once login, go to Radius client’s section.

3. Click on the + button to add a new client.

4. Enter the device friendly name and IP address and secret for the device to authenticate with the RADIUS server—this secret used during the device radius configuration.

CONFIGURING VPN USING CISCO ASDM

In this guide, we are using three interfaces in the Cisco ASDM. Interface details are as follows.

  • Inside – LAN facing Interface – IP address: 10.10.1.54
  • Outside – WAN facing interface – IP address: 10.10.2.18
  • Management – Interface used to connect ASDM client for firewall configurations. - IP address 10.10.3.138

CREATE REMOTE ACCESS VPN

We use the ASDM wizard to create a VPN.

  1. From the top menu navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard

2. In the VPN Wizard give a familiar name and select the right interface for receiving traffic. Here we are selecting Outside interface to receive traffic from outside.

3. Select the appropriate VPN protocol. In our case, we have selected SSL only. But you can select both SSL and IPSEC VPN protocols based on the requirement.

4. In the device, certificates click on Manage and click on the add button to add an identity certificate.

5. We are adding the self-signed certificate for the LAB environment. In the production, please use the CA-signed certificate to avoid certificate errors.

6. In the client images, we need to upload the client images the Cisco ASA can use when provisioning VPN client to the user. We can get this package from the cisco website. This package has the file extension of .pkg

7. In the authentication methods, add a sample user for VPN testing, add the RADIUS authentication method later in the document.

8. In the SAML configuration, leave the default. Please refer to this link on configuring SAML authentication for VPN users.

9. Client Address assignment is the address range assigned to the VPN client when connecting to the corporate network

10. In the Network name resolution, servers enter the IP address of your organization name servers. Make sure the name servers are reachable from the CISCO ASA.

11. In the NAT Exempt, if network address translation is enabled, we must exempt from the translation.

12. Click on the finish button to finalize the configuration and save the configuration once it is loaded successfully.

CONFIGURING RADIUS AUTHENTICATION

  1. Go to AAA/Local users > AAA server groups and click on the add button next to AAA server groups windows

2. Configure the Radius server as per the below table.

SettingValue
Interface NameThe ASA interface where your UPSSO RADIUS server accessible
Server Name or IP AddressThe hostname or IP address of your UPSSO RADIUS server
Timeout60 seconds should be sufficient to complete authentication; see the FAQ item about timeouts.
Server Authentication Port1812
Server Accounting Port1813
Retry Interval10 seconds
Server Secret KeyShared Secret when configuring the radius client using UPSSO portal
Microsoft CHAPv2 CapableUnchecked

3. Once added, verify the connectivity using the test button. Once the connection is successful, add the VPN Authentication method to the VPN profile.

4. Go to Network (Client) access > AnyConnect Connection profiles

5. Select the connection profile we have created earlier and click on edit.

6. In the Authentication section, Basic profile settings page select the UPSSO-RADIUS authentication

7. Save all the configuration to ASA memory.

CONNECTING TO CLIENT USING UPSSO MFA

  1. Go to the Cisco ASA URL and login with the username and password provisioned in the UPPSO portal. Please check the below link on provisioning users.

2. Once successful login downloads, the VPN client and install it in the system.

3. Open the VPN client and enter the domain name or IP address of the outside interface and click on connect.

4. Enter your username and password, which is provisioned in the UPSSO portal.

5. Once the first-factor authentication is successful. VPN client prompts for the second-factor authentication.

6. Once authentication successful, you are connected to the network.