External access to company networks becomes more important every day. Encrypting the data in transit is essential to ensure confidentiality at every level.
One factor that has to be considered is that users reuse passwords for several different, sometimes even personal, purposes. If such a password has been compromised, it may be used to gain access to the company network and to sensitive information, especially where VPN connections are used. The same problem arises with passwords that are not complex enough. It is difficult for admins to enforce and monitor the use of strong passwords, and users have difficulties memorizing new, complex ones. But the company network is only as secure as its weakest password.
These problems can be avoided by adding a further layer of security with two-factor authentication. In addition to providing user name and password, the VPN login has to be confirmed on the smartphone. Attackers cannot gain access by exploiting weak passwords or guessing credentials.
SecSign ID does not only protect the login but also the second factor, the smartphone: the authentication can only be confirmed if the user provides the PIN or biometric information. Details such as IP address, service name and other information can be reviewed to monitor and limit which services the user authenticates to.
With these two security levels, neither a stolen password nor a stolen smartphone allows attackers to obtain access to the network without knowing the additional PIN or providing the biometric information. In case of a lost or stolen device, the user can disable the SecSign ID remotely as an additional security feature.
The distinct SecSign ID authentication works as follows:
The Cisco ASA series is a commonly used security appliance. It consists of an external firewall which controls the connection between two networks, restricting network access based on source or destination address and the services in use. The data transfer is monitored and the passage of data packets is managed based on a configured set of rules. This way, unauthorized network access is prevented. The ASA box uses either IPsec or SSL to secure the VPN.
The most cost-effective solution for cooperation between two companies is the IPsec VPN. This method establishes a tunnel between both firewalls, protecting the entire route between firewall A and firewall B. A specific set of rules limits each party's access to the essential resources.
SSL distinguishes between clientless and fat-client access. Clientless SSL VPN offers a secure connection to resources in the company network via SSL/TLS and a web browser. A remote-access VPN tunnel to an ASA device is created and the user needs no software other than the web browser. Intranet web applications, data transfer via NT/Active Directory, e-mail proxies and other services are readily available with this solution. The fat client needs to be installed on the client system and offers more functionality, for example assigning static routes, implementing virtual network cards or port forwarding.
AnyConnect Secure Mobility Client is the most widely used Cisco VPN client. It is available as a desktop application for Windows, Linux and Mac as well as a mobile version for Windows Phone, Android and iOS.
The following example shows how to secure a virtual private network with the ASA box. Integrating SecSign ID in addition provides a distinctly higher degree of security by requiring the user of the external AnyConnect Secure Mobility Client to confirm the login on their smartphone.
Is it possible for Cisco clients like AnyConnect to display the familiar SecSign ID access pass?
Unfortunately it is not: we have no influence on the clients to make them show icons or similar identification symbols. In this case no access pass is displayed and the login on the smartphone is completed without one. Instead, information about the login such as service name, IP address and other details is displayed after the PIN or biometric information has been provided. The user retains control over which services are authorized.
The access pass can be omitted since the Active Directory user name and the corresponding password are also required, so the login is still secured by two factors.
The network to be secured needs an ASA or ASAv security appliance that allows access via SSL or IPsec VPN. The ASA appliance should communicate with a RADIUS server to authenticate Active Directory users.
Make sure SecSign ID is compatible with the ASA version you use before you integrate it.
Log in to your Cisco ASDM interface and ensure the ASA firmware is version 8 or newer. That way the integration can communicate with the SecSign ID service via port 443.
You will need the SecSign ID RADIUS Proxy for the secured communication between the ASA box and RADIUS. More information on the RADIUS Proxy can be found in the RADIUS tutorial.
The Cisco ASA security appliance is available as hardware and as a virtualised software version, ASAv. ASAv can be readily integrated into virtual environments; it is offered on Amazon Web Services or can be installed in a local test lab. With an existing Cisco service agreement the virtual ASA box can be downloaded from Cisco.
The virtualisation is based on its own OS, thus requiring a bare-metal server and a hypervisor (VMware ESXi). Any additional software is available as a free evaluation version:
2. System control is easier with the ESXi Embedded Host Client (URL: https://ESXi-Host-IP/ui/#/login).
3. Three networks, or port groups respectively, are created: management, inside and outside.
4. The company test server is a Windows Server 2012 machine (C) installed on ESXi and added to the inside network. It acts as domain controller and provides the Active Directory. A new test user is created.
5. Additionally, two Windows 7 or Windows Server machines (B and D) are installed on ESXi. Machine B is added to the inside network, the other one to the outside network. Java is installed on both.
6. The vCenterClient is installed on machine D (type the ESXi host address into the browser and follow the installation prompts).
7. Now Cisco ASAv is installed on ESXi. The vCenterClient is started on machine D to deploy the Cisco OVF file as a virtual machine on the ESXi host. The networks are assigned to the interfaces in ASAv in the following order: 0: management, 1: inside, 2: outside. The interface IP configuration and the basic configuration are as follows:
8. The ASAv inside interface IP can now be entered in the browser on machine B. The ASDM launcher should start and begin the installation. An SSL or IPsec VPN can be built with the ASDM wizard. A local ASAv user is created, which can then be used to test the VPN connection from an external AnyConnect client (E). To do so, the IP address of the ASAv box's outside interface is looked up.
9. The Windows server C acts as RADIUS server on port 1812 – more information on the RADIUS setup can be found in the video tutorial Cisco ASA Training 101: RADIUS.
10. The ASAv box and the RADIUS server are now made known to each other – more information on the ASAv box and RADIUS setup can be found in the second video tutorial Cisco ASA Training 101: ASA & RADIUS.
A user in the VPN can now be authenticated via the external AnyConnect client (E) with the Active Directory name.
11. Yet the login process is still based on simple passwords until the SecSign RADIUS Proxy is added to machine B. The proxy is a Java application and can be requested here.
More information on the RADIUS proxy setup can be found in this tutorial. Machine B requires a connection to the SecPKI for the two-factor authentication. Ideally this server is operated on-premise within the internal company network. The public server (id1.secsign.com:443) can be used as well, though one has to ensure the ASAv box does not block the internet connection for machine B.
12. The Windows server C acts as the forwarding RADIUS server. The RADIUS proxy (B) is registered as RADIUS client, so the ASAv box can be removed as a client. The SecSign ID (the SecSign ID user name in Active Directory) is added to Active Directory, so the test user (see 4.) is assigned its SecSign ID.
With the next update of the SecSign ID RADIUS Proxy, self-enrollment will be possible for the user: if a user is authenticated with user name and password but no SecSign ID is associated, he will be able to add his ID himself.
Once all services and servers are started (machine A, machine B with the RADIUS proxy, machine C with AD and RADIUS), the external AnyConnect client can connect to the IP of the ASAv outside interface to start the authentication.
The AnyConnect client may drop the VPN connection after a couple of seconds and crash when trying to re-establish it. This issue can be fixed by setting the MTU value of the client OS to 1200.
The Windows firewalls need to be configured accordingly to prevent connection issues.
The SecSign ID RADIUS proxy requires a connection to the SecSign ID server. If the public authentication server is used, it has to be reachable on port 443.
The ASA box has to forward RADIUS authentication requests to the SecSign ID RADIUS proxy and needs to be configured accordingly. It does not need to be aware of the actual RADIUS server with the Active Directory connection.
To find the SecSign ID corresponding to a specific user, the SecSign ID RADIUS proxy needs access to the Active Directory. A new user is created for this purpose and the corresponding information is added to the SecSign ID RADIUS proxy configuration file.
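The chain described above (ASA box -> SecSign ID RADIUS proxy -> RADIUS server with Active Directory, plus the smartphone confirmation) can be modelled in a few dozen lines. The following is an added example written for this page; it is not SecSign's RADIUS Proxy or Cisco's code. RADIUS packet framing, User-Password hiding and the Response Authenticator follow RFC 2865; the AD password store, the SecSign ID attribute lookup and the push confirmation are constructed stand-ins, and the shared secret and user names are made up. It shows the one property the setup relies on: the proxy only returns Access-Accept to the ASA when both the AD password check and the smartphone confirmation succeed, and it rejects users who have no SecSign ID provisioned in AD.

```python
"""Model of the SecSign ID RADIUS proxy chain (added example, not vendor code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the proxy needs the clear password to forward it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, 2 + len(value)) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """What the ASA box sends to the RADIUS proxy (stand-in for the real ASA)."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= min(length, len(pkt)):
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this model
    return header + hashlib.md5(header + request_auth + secret).digest()


# Constructed stand-ins: the AD RADIUS server's password check and the
# SecSign ID stored on the AD user object (see step 12 above).
AD_PASSWORDS = {"testuser": "Winter2016!", "noidyet": "Summer2016!"}
AD_SECSIGN_ID = {"testuser": "testuser.secsign"}  # "noidyet" has no SecSign ID


def proxy_handle(pkt: bytes, secret: bytes, ad_passwords, ad_secsign_id, push_confirm) -> bytes:
    """SecSign ID RADIUS proxy model: Access-Accept only after both factors pass."""
    code, ident, authenticator, attrs = parse_packet(pkt)
    reject = build_response(ACCESS_REJECT, ident, authenticator, secret)
    if code != ACCESS_REQUEST:
        return reject
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    # Factor 1: forwarded to the AD RADIUS server (here a constant-time dict check).
    stored = ad_passwords.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password):
        return reject
    # Factor 2: the user must have a SecSign ID in AD and confirm the push on the phone.
    secsign_id = ad_secsign_id.get(user)
    if secsign_id is None or not push_confirm(secsign_id):
        return reject
    return build_response(ACCESS_ACCEPT, ident, authenticator, secret)


def verify_response(resp: bytes, request_pkt: bytes, secret: bytes) -> bool:
    """What the ASA box checks before trusting the proxy's answer."""
    expected = hashlib.md5(resp[:4] + request_pkt[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def demo(username: str, password: str, phone_confirms: bool) -> int:
    """Run one login through the chain and return the RADIUS code the ASA sees."""
    secret = b"constructed-shared-secret"
    req = build_access_request(7, username, password, secret)
    resp = proxy_handle(req, secret, AD_PASSWORDS, AD_SECSIGN_ID, lambda _id: phone_confirms)
    assert verify_response(resp, req, secret)
    return parse_packet(resp)[0]


if __name__ == "__main__":
    print("correct password, phone confirmed:", demo("testuser", "Winter2016!", True))
    print("correct password, phone declined:", demo("testuser", "Winter2016!", False))
    print("correct password, no SecSign ID in AD:", demo("noidyet", "Summer2016!", True))
```

The ordering in proxy_handle matters for the troubleshooting notes above: the proxy must see the clear password (hence the shared secret between ASA and proxy), must reach AD to map the user to a SecSign ID, and must reach the SecSign ID server (port 443) for the confirmation; if any of the three is unavailable the result is a rejection, never a fallback to password-only access.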
Keywords: two-factor authentication, 2fa, SecSign ID, Cisco, ASA, VPN, ASDM, ESXi
We provide an ever-growing list of APIs and plugins to easily integrate SecSign ID two-factor authentication into any project. An overview is available at Plugin and APIs.
We do not only offer APIs in different programming languages but also plugins for CMS, server and VPN environments, OAuth2 and many more. These plugins use our APIs and offer additional functionality, for example user management, easy native installation, logging, or integration with firewalls or Active Directory.
The JIRA plugin, for example, uses the Java API. The PHP API and JS API are used by WordPress, Joomla, Drupal, Typo3 and many more. The ASP.NET/C# API is used for the Windows and Cisco VPN integrations and the C API is used for protecting Unix SSH services. The Objective-C API is used by our Apple TV and iPhone/iPad apps.
You can experience SecSign ID two-factor authentication and the two-factor login by simply integrating the plugin into your website or test environment, or try out the login process on our website without having to register first. You already have a SecSign ID or you want one? Log in now and use the portal, or use our hassle-free registration.
See for yourself how fast and convenient the login process using challenge-response authentication with 2048-bit key pairs is. There is no need for passwords, and no passwords or other confidential information are ever transmitted. It is easy to integrate and simple to use.
More information about the patented SafeKey procedure and its unique security can be found here.
If you are missing an API for the programming language you are working with, feel free to contact us and we’ll find a solution with you. If you need help with the integration into an existing system or you can’t find the plugin for your content management system you are working with, don’t hesitate to contact our support team.
Choose between our SecSign ID Cloud or operate your own on-premise Two-Factor Authentication server.
Operate your own YourBrand ID app - Two-Factor Authentication customized to your needs.
Integrate SecSign ID Two-Factor Authentication in existing apps with our ready-to-use SDK.
Use the Two-Factor Authentication Server to secure your company Active Directory/LDAP. Your own Identity and Access Management System, for example for mandatory updates and additional security features.
Integration in any login environment: web, local, VPN, remote desktop, mobile logins and many more.
No need for complex integration: we have plugins for almost all environments.
Want to learn more about SecSign's innovative and highly secure solutions for protecting your user accounts and sensitive data?
Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product installation, please see the FAQs for more information on the most common questions. Can't find the solution to your problem? Don't hesitate to contact the