Cisco Anyconnect 2fa



AnyConnect Secure Mobility Client is the most widely used Cisco VPN client. It is available as a desktop application for Windows, Linux and Mac, as well as a mobile version for Windows Phone, Android and iOS. The following example shows how to secure a virtual private network with the ASA box. Duo Mobile is a two-factor authentication service that can be utilized for systems that require an additional layer of security such as Esther, VPN and NetID login.

  1. Cisco Anyconnect Two Factor
  2. Cisco Ftd Anyconnect 2fa
  3. Cisco Anyconnect Duo 2fa

Preamble


A user's status can be set to Bypass in the Duo Admin Panel (to bypass 2FA), but as an exercise we can also use Duo's Auth Proxy alongside a separate authentication server in an environment with both Duo 2FA users and non-2FA users.


The end result is the same: end-users only have to type their credentials and they get a push; other factors such as phone are used as a fallback in the event that the push isn't working (e.g. poor cell reception, etc.).


Example, in an AD environment;

  • One tunnel-group that uses the Duo Auth Proxy tied to Duo's RADIUS application (not Cisco RADIUS VPN); for the LDAP integration, configure appropriate values for search_dn and security_group_dn in the /opt/duoauthproxy/conf/authproxy.cfg file to specify an AD security group whose members are the 2FA users.

  • Another tunnel-group that points to a different authentication server; e.g. an NPS server with a RADIUS policy pointing to a different AD security group for the non-2FA users.

Both tunnel-group aliases will show up in the AnyConnect client, but users will only be able to authenticate via the AD security group mapped to their respective tunnel-group, provided that the user account isn't in both security groups.
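As an added example (not configuration from the original page), this is what the Auth Proxy side of the Duo tunnel-group could look like in authproxy.cfg. The proxy address and domain name come from this page; the domain controller address, service account, group name, ASA address, RADIUS secret and Duo integration keys are placeholders.

```ini
; Authenticate the primary (AD) factor via LDAP before asking Duo for the second factor.
[ad_client]
host=10.0.0.1                                   ; placeholder: a domain controller for domain.local
service_account_username=svc_duoproxy           ; placeholder: read-only bind account
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=domain,DC=local
; Only members of this group are allowed through this proxy; everyone else is rejected,
; so a non-2FA user cannot reach Duo even if they pick this tunnel-group alias.
security_group_dn=CN=VPN-2FA-Users,OU=Groups,DC=domain,DC=local   ; placeholder group

; RADIUS listener the ASA's AAA-DUO server points at (10.31.255.11 on this page).
; "auto" mode sends a push first and falls back to phone callback if the push fails.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX                        ; placeholder: Duo "RADIUS" application integration key
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com           ; placeholder: Duo API hostname
radius_ip_1=10.31.254.1                         ; placeholder: the ASA's inside interface
radius_secret_1=PLACEHOLDER_RADIUS_SECRET       ; must match the key on the ASA aaa-server
client=ad_client
port=1812
; "secure" rejects logins when Duo's cloud is unreachable; "safe" would let the
; primary factor alone succeed, which silently turns this into a one-factor tunnel.
failmode=secure
```

The ASA-side timeout for AAA-DUO should exceed the time a user needs to answer the push, otherwise the ASA gives up before the proxy replies.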

Cisco Anyconnect Two Factor

Group policy and webvpn config;

Internal DNS server: 10.31.254.51
Internal domain: domain.local

Cisco Ftd Anyconnect 2fa

For Duo;

Duo Auth Proxy server: 10.31.255.11

The TG-DUO tunnel-group is configured to use the AAA-DUO aaa-server(s). The timeout is bumped up a bit here to deal with the potential latency of the push message (the user has to pick up the phone and approve it).

For non-2FA;

Internal NPS server: 10.31.255.12

Cisco Anyconnect Duo 2fa

The TG-NPS tunnel-group is configured to use the AAA-NPS aaa-server(s). The example assumes the NPS role is running on a separate server, i.e. not on the DC.