Cisco ASA SecSign 2FA VPN

CISCO ASA SSL & IPSEC VPN WITH SECSIGN ID TWO-FACTOR AUTHENTICATION


Find out why our Two-Factor Authentication is the best, some key-facts for developers and why you should upgrade to SecSign for your business.

Learn more about the options of on-premise use and your own customized ID App in your corporate design.

Download the plugin as cloud version for a free and convenient protection.

Cisco ASA firewall devices combine hardware, a hardened operating system and firewall software to provide encrypted remote access to company applications and shared resources, for example over SSL/TLS or IPsec.

SecSign ID integrates into the existing setup and adds two-factor authentication for your VPN users.


    SecSign ID is a system for real two-factor authentication (2FA) for Cisco ASA VPNs. 2FA adds another layer of security by using a second token. In this case the physical token is your smartphone.

    Questions? Feel free to get in touch with us if you need help setting up your SecSign ID plugin or to request a plugin for a not yet supported environment.

    1. VPN & 2FA

    External access to company networks becomes more important every day. Encryption for the data transfer is important to ensure confidentiality on every level.

    One factor that has to be considered is that users reuse passwords for several different, sometimes even personal, purposes. Once such a password has been compromised elsewhere, it can be used to gain access to the company network and to sensitive information, especially where VPN connections are involved. The same problem arises with passwords that are not complex enough. It is difficult for admins to enforce and monitor the use of strong passwords, and users have difficulties memorising new and complex ones. Yet the company network is only as secure as its weakest password.

    These problems can be avoided by adding a second layer of security with two-factor authentication. In addition to providing user name and password, the VPN login has to be confirmed on the smartphone. Attackers who have guessed or stolen a weak password therefore cannot gain access with the password alone.

    SecSign ID does not only protect the login but also the second factor itself, the smartphone: the authentication can only be confirmed after the user has provided the PIN or biometric information. Details such as the IP address, the service name and other information about the pending login can be reviewed in the app, so the user can monitor and limit which services he or she authenticates to.

    By providing two security levels neither a stolen password nor a stolen smartphone allows attackers to obtain access to the network without knowing the additional PIN or providing the biometric information. In case of a lost or stolen device the user can disable the SecSign ID remotely as an additional security feature.

    The SecSign ID authentication works as follows:

    1. The user logs into the VPN service with user name and password. If both are correct, the user's SecSign ID is looked up automatically.
    2. The VPN service sends an authentication request for that SecSign ID to the ID Server.
    3. The ID Server sends a push notification to the user's device.
    4. The user confirms the login in the mobile app; the app reports the approval to the ID Server.
    5. The VPN service polls the authentication session and the ID Server confirms the approval.
    6. The user gains access to the service.


    2. Cisco VPN variants and Clients

    The Cisco ASA series is a widely deployed security appliance. It acts as the perimeter firewall controlling traffic between two networks, restricting access based on source or destination address and on the service used. Traffic is inspected and packets are passed or dropped according to a configured rule set, so unauthorised network access is prevented. The ASA box secures the VPN with either IPsec or SSL/TLS.

    The most cost-effective way to connect the networks of two companies is a site-to-site IPsec VPN. A tunnel between the two firewalls protects the entire path between firewall A and firewall B, and a dedicated rule set limits each party to the resources it actually needs.

    For SSL VPN, Cisco distinguishes between clientless and full-client access. Clientless SSL VPN gives browser-based access to resources in the company network over SSL/TLS: the browser establishes the VPN session to the ASA device and no software other than the web browser is needed. Intranet web applications, file access via NT/Active Directory shares, e-mail proxies and other services are readily available this way. The full client (fat client) has to be installed on the client system and offers more functionality, for example static routes, a virtual network adapter or port forwarding.

    AnyConnect Secure Mobility Client is the most widely used Cisco VPN client. It is available as a desktop application for Windows, Linux and Mac as well as a mobile version for Windows Phone, Android and iOS.

    The following example shows how to secure a virtual private network terminated on the ASA box. Adding SecSign ID raises the security level noticeably: the remote AnyConnect Secure Mobility Client user must additionally confirm the login on his or her smartphone.


    3. System Overview and Requirements


    1. The VPN user connects to the internet and launches the Cisco AnyConnect client to establish an SSL or IPsec VPN connection to the intranet. The request arrives at the "outside" interface of the ASA box.
    2. The ASA box sends a RADIUS request to the SecSign ID RADIUS Proxy to authenticate and authorise the user.
    3. The SecSign ID RADIUS Proxy sends a RADIUS request with user name and password to the RADIUS forward server.
    4. The RADIUS forward server checks against Active Directory whether the user is permitted to join the company network. If so, the RADIUS server sends an Access-Accept to the SecSign ID RADIUS Proxy.
    5. The SecSign ID RADIUS Proxy looks up the SecSign ID of the VPN user in Active Directory by user name.
    6. If a SecSign ID is assigned to the user, it is returned to the SecSign ID RADIUS Proxy.
    7. The SecSign ID RADIUS Proxy contacts the ID Server with that SecSign ID to perform the second factor. The ID Server sends a push notification to the user's smartphone.
    8. As soon as the user confirms the login in the mobile app, the ID Server updates the status of the authentication session. The SecSign ID RADIUS Proxy polls the status of the session at short intervals.
    9. Once the login is confirmed, a RADIUS Access-Accept is sent to the ASA box.
    10. The ASA box grants the client access to the VPN.
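    The decision logic of steps 2 to 9 (and the abstract flow in section 1), written out as an added example in Python. This is not the vendor's Java proxy: the RADIUS forward server, the Active Directory lookup and the ID Server push are replaced by in-memory stand-ins so the flow runs offline, and the shared secrets, user accounts and SecSign IDs are constructed test data. What is real is the RFC 2865 framing: User-Password hiding with a fresh Request Authenticator, a different shared secret on each hop, and Response Authenticator verification of every reply.

```python
"""SecSign ID RADIUS proxy decision flow, modelled with RFC 2865 framing.

Added example, not the vendor's code. Forward RADIUS server, AD lookup and
ID-Server push are mocks; all secrets, users and IDs are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18          # RFC 2865 attribute types

ASA_SECRET = b"asa-to-proxy-secret"            # constructed: shared ASA <-> proxy
BACKEND_SECRET = b"proxy-to-backend-secret"    # constructed: shared proxy <-> forward RADIUS
AD_PASSWORDS = {"alice": "Winter2024!", "bob": "hunter2"}  # mock AD behind the forward server
AD_SECSIGN_IDS = {"alice": "alice.example"}                # mock AD attribute; bob is not enrolled


def id_server_poll(secsign_id):
    """Mock of steps 7/8: push sent, session polled until the user has answered."""
    return {"alice.example": "approved"}.get(secsign_id, "denied")


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips the padding; passwords ending in NUL are not supported


def pack(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:                       # TLV walk, bounds-checked on every attribute
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t], pos = pkt[pos + 2:pos + l], pos + l
    return code, ident, pkt[4:20], attrs


def access_request(user, password, secret, ident):
    ra = os.urandom(16)                       # Request Authenticator, fresh for every request
    hidden = hide_password(password.encode(), secret, ra)
    return pack(ACCESS_REQUEST, ident, ra, [(USER_NAME, user.encode()), (USER_PASSWORD, hidden)])


def reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    unsigned = pack(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def reply_is_authentic(resp, request_auth, secret):
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest() == resp[4:20]


def forward_radius_server(pkt):
    """Mock forward RADIUS server (step 4): first factor checked against the mock AD."""
    code, ident, ra, attrs = unpack(pkt)
    user = attrs[USER_NAME].decode(errors="replace")
    supplied = reveal_password(attrs[USER_PASSWORD], BACKEND_SECRET, ra).decode(errors="replace")
    ok = code == ACCESS_REQUEST and AD_PASSWORDS.get(user) == supplied
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, [], BACKEND_SECRET)


def secsign_radius_proxy(pkt_from_asa, push=id_server_poll):
    """Steps 2-9: first factor via the forward server, then the push; rejects fail closed."""
    code, ident, ra, attrs = unpack(pkt_from_asa)

    def reject(msg):
        return reply(ACCESS_REJECT, ident, ra, [(REPLY_MESSAGE, msg)], ASA_SECRET)

    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return reject(b"malformed request")
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], ASA_SECRET, ra).decode(errors="replace")
    fwd = access_request(user, password, BACKEND_SECRET, ident)   # step 3: re-hidden under the backend secret
    ans = forward_radius_server(fwd)
    if not reply_is_authentic(ans, fwd[4:20], BACKEND_SECRET) or ans[0] != ACCESS_ACCEPT:
        return reject(b"first factor failed")                    # no push is ever sent for a bad password
    secsign_id = AD_SECSIGN_IDS.get(user)                        # steps 5/6: the ID comes from AD, not the client
    if secsign_id is None:
        return reject(b"no SecSign ID enrolled")                 # fail closed instead of falling back to 1FA
    if push(secsign_id) != "approved":                           # steps 7/8: only an explicit approval passes
        return reject(b"second factor not approved")
    return reply(ACCESS_ACCEPT, ident, ra, [], ASA_SECRET)       # step 9


def asa_login(user, password, push=id_server_poll):
    """What the ASA does (steps 1/2 and 10): returns the reply code it would act on."""
    req = access_request(user, password, ASA_SECRET, ident=42)
    resp = secsign_radius_proxy(req, push)
    if not reply_is_authentic(resp, req[4:20], ASA_SECRET):
        raise ValueError("reply not from the proxy: bad Response Authenticator")
    return resp[0]
```

    Two points worth noting in the flow: the proxy never contacts the ID Server unless the forward server has accepted the password, so push notifications cannot be used to spam or socially engineer a user whose password the attacker does not have; and a user without a SecSign ID in Active Directory is rejected rather than silently let through on one factor. RADIUS User-Password hiding and the Response Authenticator are both only as strong as the shared secret and MD5, so the ASA-to-proxy and proxy-to-RADIUS hops should stay on a trusted internal segment with long random secrets.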

    Is it possible for Cisco Clients like AnyConnect to display the familiar SecSign ID access pass?

    Unfortunately not: we have no influence on the Cisco clients, so they cannot display icons or similar identification symbols. In this case no access pass is shown and the login on the smartphone is confirmed without one. Instead, information about the pending login such as the service name, IP address and other details is displayed after the PIN or biometric information has been provided, so the user retains control over which services are authorised.

    The access pass can be omitted here because the Active Directory user name and the corresponding password are required as well, so the login is still protected by two factors.

    4. Requirements for the SecSign ID integration

    The network to be secured needs an ASA or ASAv security appliance that provides access via SSL or IPsec VPN. The ASA appliance should authenticate Active Directory users against a RADIUS server.

    Make sure SecSign ID is compatible with the ASA version you use before integrating it.

    Log in to your Cisco ASDM interface and check that the ASA software is version 8 or newer. Note that the ASA itself only speaks RADIUS to the proxy; it is the SecSign ID RADIUS Proxy that communicates with the SecSign ID service over TCP port 443.

    You will need the SecSign ID RADIUS Proxy between the ASA box and your RADIUS server. More information on the RADIUS Proxy can be found in the RADIUS tutorial.

    5. Virtualization and ASA setup

    The Cisco ASA security appliance is available as hardware and as a virtualised software version, ASAv. ASAv can be readily integrated into virtual environments, is offered in Amazon Web Services, and can be installed in a local test lab. With an existing Cisco service agreement the virtual ASA box can be downloaded from Cisco.

    ASAv runs its own operating system, so it requires a bare-metal server with a hypervisor (VMware ESXi). All additional software is available as a free evaluation version:


    1. To build the test lab, VMware Fusion is installed and VMware vSphere Hypervisor (ESXi) is added as a virtual machine.

    2. System control is easier with the ESXi embedded Host Client (URL: https://ESXi-Host-IP/ui/#/login).

    3. Three networks (port groups) are created: management, inside and outside.

    4. The company test server is a Windows Server 2012 machine (C) installed on ESXi and attached to the inside network. It acts as domain controller and provides Active Directory. A new test user is created.

    5. Additionally, two Windows 7 or Windows Server machines (B and D) are installed on ESXi. Machine B is attached to the inside network, machine D to the outside network. Java is installed on both.

    6. The vCenter Client is installed on machine D (enter the ESXi host address in the browser and follow the installation prompts).

    7. Now Cisco ASAv is installed on ESXi. The vCenter Client is started on machine D to deploy the Cisco OVF file as a virtual machine on the ESXi host. The networks are assigned to the ASAv interfaces in the following order: 0: management, 1: inside, 2: outside. The interface IP configuration and the basic configuration are as follows:

    8. The ASAv inside interface IP can now be opened in the browser on machine B. The ASDM launcher downloads and starts the installation process. An SSL or IPsec VPN can be built with the ASDM wizard. A local ASAv user is created and the VPN connection is tested from the external AnyConnect client (E) against the IP address of the ASAv outside interface.

    9. The Windows server C acts as RADIUS server on UDP port 1812; more information on the RADIUS setup can be found in the video tutorial Cisco ASA Training 101: RADIUS.

    10. The ASAv box and the RADIUS server are now configured to trust each other; more information on the ASAv and RADIUS setup can be found in the second video tutorial Cisco ASA Training 101: ASA & RADIUS.

    A user can now authenticate to the VPN from the external AnyConnect client (E) with his or her Active Directory name.

    11. Yet the login is still based on a simple password until the SecSign ID RADIUS Proxy is added on machine B. The proxy is a Java application and can be requested here.

    More information on the RADIUS proxy setup can be found in this tutorial. Machine B requires a connection to the SecPKI ID server for the two-factor authentication. Ideally this server is operated on-premise within the internal company network. The public server (id1.secsign.com:443) can be used as well, in which case one has to ensure that the ASAv box does not block the internet connection for machine B.

    12. The Windows server C acts as the forward RADIUS server. The RADIUS proxy (B) is registered there as a RADIUS client; the ASAv box can be removed as a client because it now only talks to the proxy. The SecSign ID (the SecSign ID user name) is added as an attribute to the Active Directory account, so the test user (see step 4) is assigned its SecSign ID.

    With the next update of the SecSign ID RADIUS Proxy, self-enrollment will be possible: a user who authenticates with user name and password but has no SecSign ID associated yet will be able to add his or her ID independently. Until that enrollment has happened, such an account is protected by the password alone, so enrollment should be completed before the account is exposed externally.

    Once all services and servers are running (ASAv (A), machine B with the RADIUS proxy, machine C with Active Directory and RADIUS), the external AnyConnect client (E) connects to the IP address of the ASAv outside interface to start the authentication.

    6. Troubleshooting

    The AnyConnect client may drop the VPN connection after a couple of seconds and crash when trying to re-establish it. This is fixed by lowering the MTU of the client OS network interface to 1200.

    The Windows firewalls on the lab machines need to be adjusted so that the RADIUS traffic (UDP port 1812) is allowed between the ASA box, the proxy and the RADIUS server.

    The SecSign ID RADIUS proxy requires a connection to the SecSign ID Server. If the public authentication server is used, it has to be reachable on TCP port 443.

    The ASA box has to forward RADIUS authentication requests to the SecSign ID RADIUS proxy and needs to be configured accordingly; it does not need to know the actual RADIUS server with the Active Directory connection. Because the proxy holds the request open until the user has approved the push, the RADIUS timeout configured on the ASA for that server (10 seconds by default) must be raised to give the user time to respond.

    To find the SecSign ID belonging to a user, the SecSign ID RADIUS proxy needs read access to Active Directory. A dedicated read-only service account is created for this and its credentials are added to the SecSign ID RADIUS proxy configuration file.

    Keywords: two-factor authentication, 2fa, SecSign ID, Cisco, ASA, VPN, ASDM, ESXi

    7. Available APIS

    We provide an ever-growing list of APIs and plugins to easily integrate SecSign ID two-factor authentication into any project. An overview is available at Plugins and APIs.
    We do not only offer APIs in different programming languages but also plugins for CMS, server and VPN environments, OAuth2 and many more. These plugins use our APIs and offer additional functionality, for example user management, easy and native installation, logging, or integration with firewalls or Active Directory.

    The JIRA plugin, for example, uses the Java API. The PHP API and JavaScript API are used by WordPress, Joomla, Drupal, TYPO3 and many more. The ASP.NET/C# API is used for the Windows and Cisco VPN integrations, and the C API is used for protecting Unix SSH services. The Objective-C API is used by our Apple TV and iPhone/iPad apps.

    available_apis

    8. See for yourself

    You can experience SecSign ID two-factor authentication and the two-factor login by simply integrating the plugin into your website or test environment. Or you can try out the login process on our website without having to register first. You already have a SecSign ID or you want one? Log in now and use the portal, or use our hassle-free registration.

    See for yourself how fast and convenient the login process using challenge-response authentication with 2048-bit key pairs is. There is no need for passwords, and no passwords or other confidential information are ever transmitted. It is easy to integrate and simple to use.

    More information about the patented SafeKey procedure and its unique security can be found here.

    If you are missing an API for the programming language you are working with, feel free to contact us and we will find a solution with you. If you need help with the integration into an existing system or you cannot find the plugin for the content management system you are working with, do not hesitate to contact our support team.

    Your own ID-Server

    On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

    your_own_id

    Why upgrade to SecSign?

    On-premise or in the cloud

    Choose between our SecSign ID Cloud or operate your own on-premise Two-Factor Authentication server.

    Easy customization

    Operate your own YourBrand ID app - Two-Factor Authentication customized to your needs.

    Ready-to-use SDK

    Integrate SecSign ID Two-Factor Authentication in existing apps with our ready-to-use SDK.

    Easy user management

    Use the Two-Factor Authentication Server to secure your company Active Directory/LDAP and run your own identity and access management, for example to enforce mandatory updates and additional security features.

    Cover all logins

    Integration in any login environment: web, local, VPN, remote desktop, mobile logins and many more.

    Plugins for all your needs

    No need for complex integration: we have plugins for almost all environments.
