One of the most common deployment scenarios for an SSL VPN solution is a double authentication scheme. Double authentication was introduced in ASA code 8.2 and supports up to three simultaneous authentication methods, all of which must succeed before the user is authenticated.
In practice most organizations require only two of them for remote access to internal resources. The three methods available are as follows:
* AAA authentication server (primary authentication stage)
* AAA authentication server (secondary authentication stage)
* Client certificate authentication (can be used alongside either the primary or secondary authentication stage, or on its own)
To configure both double AAA and certificate authentication in ASDM, navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. In the Basic pane of the Edit Clientless SSL VPN Connection Profile window, select Both as the authentication method.
You can also configure secondary authentication from the CLI. First enter general-attributes mode for the chosen tunnel group (connection profile) with tunnel-group <name> general-attributes, then set the secondary AAA server group with secondary-authentication-server-group. In the transcript that follows, a leading $ on a prompt is the ASA's sign that the command line has scrolled to the left; the command being typed is still secondary-authentication-server-group.
For this example, I chose to use the LOCAL user database twice.
ASA5505(config)# tunnel-group ?
configure mode commands/options:
WORD < 65 char Enter the name of the tunnel group
ASA5505(config)# tunnel-group Engineering ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ppp-attributes Enter the ppp-attributes sub command mode
webvpn-attributes Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group Engineering general-attributes
ASA5505(config-tunnel-general)# ?
tunnel-group configuration commands:
accounting-server-group                Enter name of the accounting server group
address-pool                           Enter a list of address pools to assign addresses from
annotation                             Specify annotation text - to be used by ASDM only
authenticated-session-username         Specify the authenticated username will be associated with the session
authentication-attr-from-server        Specify the authentication server that provides authorization attribute for the session
authentication-server-group            Enter name of the authentication server group
authorization-required                 Require users to authorize successfully in order to connect
authorization-server-group             Enter name of the authorization server group
default-group-policy                   Enter name of the default group policy
dhcp-server                            Enter IP address or name of the DHCP server
exit                                   Exit from tunnel-group general attribute configuration mode
help                                   Help for tunnel group configuration commands
ipv6-address-pool                      Enter a list of IPv6 address pools to assign addresses from
nat-assigned-to-public-ip              NAT assigned IP to public IP
no                                     Remove an attribute value pair
override-account-disable               Override account disabled from AAA server
password-management                    Enable password management
scep-enrollment                        Enable SCEP proxy enrollment
secondary-authentication-server-group  Enter name of the secondary authentication server group
secondary-username-from-certificate    The DN of the peer certificate used as secondary username for authorization
strip-group                            Enable strip-group processing
strip-realm                            Enable strip-realm processing
username-from-certificate              The DN of the peer certificate used as username for authorization and/or authentication
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?
tunnel-group-general mode commands/options:
( The interface where the tunnel terminates
LOCAL Predefined server tag for aaa protocol 'local'
WORD < 17 char Name of authentication server group
none Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group LOCAL
INFO: This command applies only to SSL VPN - Clientless and AnyConnect.
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?
tunnel-group-general mode commands/options:
( The interface where the tunnel terminates
LOCAL Predefined server tag for aaa protocol 'local'
WORD < 17 char Name of authentication server group
none Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group (outside) ?
tunnel-group-general mode commands/options:
LOCAL Predefined server tag for aaa protocol 'local'
WORD < 17 char Name of authentication server group
none Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL ?
tunnel-group-general mode commands/options:
use-primary-username Use the primary username for the secondary
authentication
<cr>
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL use-primary-username
Notice that the login page now prompts for a second password, hence the term "double" authentication. Pointing both stages at LOCAL, as in this lab, is enough to demonstrate the prompt flow, but it adds no real security: with use-primary-username the same local account and password satisfy both stages. In production the secondary group should point at a different credential source (an OTP or RADIUS token server, for example) so that the second password is actually a second factor, and the connection profile's authentication method should be set to Both if a client certificate is required as well.
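As an added example, not code from the original post or from Cisco: the script below parses a constructed `show running-config` excerpt (profile and server-group names such as Engineering, Lab, AD-LDAP and RSA-OTP are made up for the example) and reports, per tunnel group, whether a secondary AAA stage is configured, whether it merely reuses the primary credential source, and whether a client certificate is required. The Engineering profile shows the complete CLI for the double AAA plus certificate setup described above; the Lab profile reproduces the LOCAL-twice configuration from this walkthrough.

```python
"""Audit Cisco ASA connection profiles for SSL VPN double authentication.

Example written for this page, not Cisco code. It reads a running-config
excerpt and reports the authentication posture of each tunnel group.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed running-config excerpt; all names below are made up for the example.
SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server RSA-OTP protocol radius
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 authentication-server-group (outside) AD-LDAP
 secondary-authentication-server-group (outside) RSA-OTP use-primary-username
 default-group-policy GroupPolicy_Engineering
tunnel-group Engineering webvpn-attributes
 authentication aaa certificate
 group-alias Engineering enable
tunnel-group Lab type remote-access
tunnel-group Lab general-attributes
 authentication-server-group LOCAL
 secondary-authentication-server-group LOCAL use-primary-username
tunnel-group Lab webvpn-attributes
 group-alias Lab enable
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 authentication-server-group (outside) AD-LDAP
tunnel-group Contractors webvpn-attributes
 authentication aaa
 group-alias Contractors enable
"""


@dataclass
class Profile:
    name: str
    primary: str | None = None
    secondary: str | None = None
    use_primary_username: bool = False
    cert_required: bool = False   # 'authentication ... certificate' under webvpn-attributes
    aaa_required: bool = True     # 'authentication certificate' alone turns AAA off


_HEADER = re.compile(r"^tunnel-group (\S+) (general-attributes|webvpn-attributes)$")
_IFACE = re.compile(r"^\(\S+\)$")   # optional "(outside)" token before a server group


def _server_group(args: list[str]) -> str | None:
    """Return the server-group name from a command's arguments, skipping any (interface) token."""
    names = [a for a in args if not _IFACE.match(a)]
    return names[0] if names else None


def parse_profiles(config: str) -> dict[str, Profile]:
    """Collect the authentication-related attributes of every tunnel group in the config."""
    profiles: dict[str, Profile] = {}
    current: Profile | None = None
    mode: str | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = _HEADER.match(line)
        if header:
            current = profiles.setdefault(header.group(1), Profile(header.group(1)))
            mode = header.group(2)
            continue
        if not line.startswith(" ") or current is None:
            current, mode = None, None   # ASA indents sub-commands; anything else is top level
            continue
        cmd, *args = line.split()
        if mode == "general-attributes":
            if cmd == "authentication-server-group":
                current.primary = _server_group(args)
            elif cmd == "secondary-authentication-server-group":
                current.secondary = _server_group(args)
                current.use_primary_username = "use-primary-username" in args
        elif mode == "webvpn-attributes" and cmd == "authentication":
            current.cert_required = "certificate" in args
            current.aaa_required = "aaa" in args
    return profiles


def audit(profile: Profile) -> list[str]:
    """Return the findings a reviewer would raise for one connection profile."""
    findings: list[str] = []
    primary = profile.primary or "LOCAL"   # tunnel groups default to LOCAL when unset
    if not profile.aaa_required:
        findings.append("AAA authentication disabled (certificate only)")
    if profile.secondary in (None, "none"):
        findings.append("no secondary authentication stage: single password only")
    elif profile.secondary == primary:
        findings.append(f"secondary stage reuses primary source {primary}: same password twice")
    if not profile.cert_required:
        findings.append("client certificate not required")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each tunnel-group name to its list of findings (empty list means double auth plus certificate)."""
    return {name: audit(p) for name, p in parse_profiles(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a real device, feed it the output of `show running-config tunnel-group`; the parser only relies on the ASA's convention of indenting sub-commands by one space under each `tunnel-group <name> general-attributes` or `webvpn-attributes` header.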