Sunday, June 1, 2014

Clientless SSL VPN Double Authentication

One of the most common deployment scenarios for an SSL VPN solution is a double authentication scheme. Double authentication was introduced in ASA software release 8.2 and supports up to three authentication methods per connection profile, all of which must succeed before the user is authenticated.

Most organizations require only two of these methods for remote access to internal resources. The three available methods are as follows:

* AAA authentication server (primary authentication stage)

* AAA authentication server (secondary authentication stage)

* Client certificate authentication (can be used alongside the primary or secondary stage, or on its own)


In ASDM, navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and edit the profile. In the Basic pane of the Edit Clientless SSL VPN Connection Profile window, select the Both option under Authentication Method to require AAA and certificate authentication together; the secondary AAA stage is configured separately, under the profile's Advanced > Secondary Authentication pane.

You can also configure secondary authentication from the CLI. First enter general-attributes configuration mode for the selected tunnel group (connection profile) with the tunnel-group <name> general-attributes command, then specify the secondary AAA server group with secondary-authentication-server-group.

For this example, I chose to use the LOCAL user database twice. That is fine for demonstrating the mechanics, but note that when both stages query the same database and use-primary-username is set, the same password satisfies both prompts, so the second prompt adds no security. In production the secondary group should point at a different credential source, such as a RADIUS server backed by one-time passwords.

ASA5505(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA5505(config)# tunnel-group Engineering ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
  ppp-attributes      Enter the ppp-attributes sub command mode
  webvpn-attributes   Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group Engineering general-attributes
ASA5505(config-tunnel-general)# ?

tunnel-group configuration commands:
  accounting-server-group                Enter name of the accounting server
                                         group
  address-pool                           Enter a list of address pools to
                                         assign addresses from
  annotation                             Specify annotation text - to be used
                                         by ASDM only
  authenticated-session-username         Specify the authenticated username
                                         will be associated with the session
  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session
  authentication-server-group            Enter name of the authentication
                                         server group
  authorization-required                 Require users to authorize
                                         successfully in order to connect
  authorization-server-group             Enter name of the authorization server
                                         group
  default-group-policy                   Enter name of the default group policy
  dhcp-server                            Enter IP address or name of the DHCP
                                         server
  exit                                   Exit from tunnel-group general
                                         attribute configuration mode
  help                                   Help for tunnel group configuration
                                         commands
  ipv6-address-pool                      Enter a list of IPv6 address pools to
                                         assign addresses from
  nat-assigned-to-public-ip              NAT assigned IP to public IP
  no                                     Remove an attribute value pair
  override-account-disable               Override account disabled from AAA
                                         server
  password-management                    Enable password management
  scep-enrollment                        Enable SCEP proxy enrollment
  secondary-authentication-server-group  Enter name of the secondary
                                         authentication server group
  secondary-username-from-certificate    The DN of the peer certificate used as
                                         secondary username for authorization
  strip-group                            Enable strip-group processing
  strip-realm                            Enable strip-realm processing
  username-from-certificate              The DN of the peer certificate used as
                                         username for authorization and/or
                                         authentication
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?

tunnel-group-general mode commands/options:
  (               The interface where the tunnel terminates
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group LOCAL
INFO: This command applies only to SSL VPN - Clientless and AnyConnect.
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?

tunnel-group-general mode commands/options:
  (               The interface where the tunnel terminates
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group (outside) ?

tunnel-group-general mode commands/options:
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL ?

tunnel-group-general mode commands/options:
  use-primary-username  Use the primary username for the secondary
                        authentication
  <cr>
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL use-primary-username

Notice that the login page now prompts for a second password, hence the term "double" authentication.
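As an added example (this is not code from the original post), the following Python script audits a show running-config excerpt for the weakness a lab setup like the one above would carry into production: a secondary authentication stage that points at the same server group as the primary, a profile that never received a secondary stage, or a webvpn authentication setting that bypasses the AAA stages entirely. The configuration text is constructed for the example; its command syntax follows the ? output above plus the authentication aaa certificate form under webvpn-attributes. The script assumes the ASA defaults of LOCAL for an omitted authentication-server-group and aaa for an omitted webvpn authentication command.

```python
"""Audit an ASA running-config excerpt for weak clientless SSL VPN double authentication.

Added example, not the blog post's own code: parses the tunnel-group
general-attributes / webvpn-attributes sub-modes and flags connection
profiles whose "double" authentication is not really two credentials.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample config (not captured from a real device): Engineering
# mirrors the lab setup above, Contractors has no second stage, Finance is
# the corrected form with a separate OTP group plus a client certificate.
SAMPLE_CONFIG = """\
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 authentication-server-group LOCAL
 secondary-authentication-server-group LOCAL use-primary-username
 default-group-policy Engineering-Policy
tunnel-group Engineering webvpn-attributes
 group-alias engineering enable
tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 authentication-server-group LDAP-AD
 default-group-policy Contractor-Policy
tunnel-group Finance type remote-access
tunnel-group Finance general-attributes
 authentication-server-group (outside) LDAP-AD
 secondary-authentication-server-group (outside) RADIUS-OTP use-primary-username
 default-group-policy Finance-Policy
tunnel-group Finance webvpn-attributes
 authentication aaa certificate
"""

GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+(\S+)")
# [secondary-]authentication-server-group [(iface)] TAG [use-primary-username]
AUTH_RE = re.compile(
    r"^(secondary-)?authentication-server-group"
    r"(?:\s+\((\S+)\))?\s+(\S+)(\s+use-primary-username)?\s*$"
)
WEBVPN_AUTH_RE = re.compile(r"^authentication((?:\s+(?:aaa|certificate))+)\s*$")

MESSAGES = {
    "SINGLE_FACTOR": "only the primary AAA stage is required (no secondary group, no certificate)",
    "SAME_GROUP_TWICE": "secondary stage queries the same server group as the primary, "
                        "so one password satisfies both prompts",
    "CERT_ONLY": "'authentication certificate' is set, so neither AAA stage is consulted",
}


@dataclass
class Profile:
    name: str
    primary: str = "LOCAL"                  # assumed ASA default when the command is absent
    secondary: Optional[str] = None
    use_primary_username: bool = False
    webvpn_auth: Set[str] = field(default_factory=lambda: {"aaa"})  # assumed ASA default


def parse_tunnel_groups(config: str) -> Dict[str, Profile]:
    """Collect per-profile authentication settings from running-config text."""
    profiles: Dict[str, Profile] = {}
    current: Optional[Tuple[Profile, str]] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        m = GROUP_RE.match(raw)
        if m:
            prof = profiles.setdefault(m.group(1), Profile(m.group(1)))
            current = (prof, m.group(2))    # e.g. general-attributes, webvpn-attributes
            continue
        if current is None or not raw.startswith(" "):
            current = None                  # sub-mode commands are indented by one space
            continue
        prof, mode = current
        body = raw.strip()
        if mode == "general-attributes":
            am = AUTH_RE.match(body)
            if am:
                is_secondary, _iface, tag, use_primary = am.groups()
                if is_secondary:
                    prof.secondary = tag
                    prof.use_primary_username = bool(use_primary)
                else:
                    prof.primary = tag
        elif mode == "webvpn-attributes":
            wm = WEBVPN_AUTH_RE.match(body)
            if wm:
                prof.webvpn_auth = set(wm.group(1).split())
    return profiles


def audit(prof: Profile) -> List[str]:
    """Return finding codes for one connection profile (empty list means no issue)."""
    if "aaa" not in prof.webvpn_auth:
        return ["CERT_ONLY"]
    has_secondary = prof.secondary not in (None, "none")
    findings: List[str] = []
    if not has_secondary and "certificate" not in prof.webvpn_auth:
        findings.append("SINGLE_FACTOR")
    if has_secondary and prof.secondary == prof.primary:
        findings.append("SAME_GROUP_TWICE")
    return findings


def factor_count(prof: Profile) -> int:
    """Distinct credentials a user must present: independent AAA stages plus certificate."""
    n = 0
    if "aaa" in prof.webvpn_auth:
        n += 1
        if prof.secondary not in (None, "none") and prof.secondary != prof.primary:
            n += 1
    if "certificate" in prof.webvpn_auth:
        n += 1
    return n


def audit_config(config: str) -> Dict[str, List[str]]:
    return {name: audit(p) for name, p in parse_tunnel_groups(config).items()}


if __name__ == "__main__":
    for name, prof in parse_tunnel_groups(SAMPLE_CONFIG).items():
        print(f"{name}: {factor_count(prof)} factor(s)")
        for code in audit(prof):
            print(f"  [{code}] {MESSAGES[code]}")
```

Run it against the output of show running-config tunnel-group; the Engineering profile is reported as one real factor because both stages resolve to the same LOCAL password, while Finance counts three.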