How to Install Duo Security 2FA for Cisco ASA SSL VPN using LDAP

Captions
- [Narrator] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo. During the setup process, you will use the Cisco Adaptive Security Device Manager, or ASDM. Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco. Note that this configuration supports inline self-service enrollment and the Duo Prompt. Our alternate RADIUS-based Cisco configuration offers additional features including configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt. Read about that configuration at duo.com/docs/cisco-alt.

First, make sure that Duo is compatible with your Cisco ASA device. We support ASA firmware version 8.3 or later. You can check which version of the ASA firmware your device is using by logging into the ASDM interface. Your firmware version will be listed in the Device Information box next to ASA Version. In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To get started with the installation process, log in to the Duo Admin Panel. In the Admin Panel, click on Applications. Then click Protect an Application. Type in "cisco". Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's properties page. At the top of this page, click the link to download the Duo Cisco zip package. Note that this file contains information specific to your application. Unzip it somewhere convenient and easy to access, like your desktop. Then click on the link to open the Duo for Cisco documentation. Keep both the documentation and properties pages open as you continue through the setup process. After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.

Log on to your Cisco ASDM. Click the Configuration tab and then click Remote Access VPN in the left menu. Navigate to Clientless SSL VPN Access, Portal, Web Contents. Click Import. In the Source section, select Local Computer, and click Browse Local Files. Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package. After you select the file, it will appear in the Web Content Path box. In the Destination section, under Require authentication to access its content?, select the radio button next to No. Click Import Now. Navigate to Clientless SSL VPN Access, Portal, Customization. Select the Customization Object you want to modify. For this video, we will use the default customization template. Click Edit. In the outline menu on the left, under Logon Page, click Title Panel. Copy the string provided in step nine of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box. Replace "X" with the file version you downloaded. In this case, it is "6". Click OK, then click Apply.

Now you need to add the Duo LDAP server. Navigate to AAA/Local Users, AAA Server Groups. In the AAA Server Groups section at the top, click Add. In the AAA Server Group field, type in Duo-LDAP. In the Protocol dropdown, select LDAP. More recent versions of the ASA firmware require you to provide a realm-id. In this example, we will use "1". Click OK. Select the Duo-LDAP group you just added. In the Servers in the Selected Group section, click Add. In the Interface Name dropdown, choose your external interface. It may be called outside. In the Server Name or IP address field, paste the API hostname from your application's properties page in the Duo Admin Panel. Set the Timeout to 60 seconds. This will allow your users enough time during login to respond to the Duo two-factor request. Check Enable LDAP over SSL. Set Server Type to Detect Automatically/Use Generic Type. In the Base DN field, enter dc= and then paste your integration key from the application's properties page in the Duo Admin Panel. After that, type ,dc=duosecurity,dc=com. Set Scope to One level beneath the Base DN. In the Naming Attributes field, type cn. In the Login DN field, copy and paste the information from the Base DN field you entered above. In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel. Click OK, then click Apply.

Now configure the Duo LDAP server. In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles. Under Connection Profiles, select the connection profile you want to modify. For this video, we will use the DefaultWEBVPNGroup. Click Edit. In the left menu, under Advanced, select Secondary Authentication. Select Duo-LDAP in the Server Group list. Uncheck the Use LOCAL if Server Group fails box. Check the box for Use primary username. Click OK, then click Apply.

If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback. In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile. Select your AnyConnect client profile. Click Edit. In the left menu, navigate to Preferences (Part 2). Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60. Click OK, then click Apply.

With everything configured, it is now time to test your setup. In a web browser, navigate to your Cisco ASA SSL VPN service URL. Enter your username and password. After you complete primary authentication, the Duo Prompt appears. Using this prompt, users can enroll in Duo or complete two-factor authentication. Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode. Select Send Me a Push to send a Duo push notification to your smartphone. On your phone, open the notification, tap the green button to accept, and you're logged in. Note that when using the AnyConnect client, users will see a second password field. This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode. In addition, the AnyConnect client will not update to the increased 60-second timeout until a successful authentication is made. It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout. You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
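The AAA server group and connection profile steps the narrator walks through in ASDM, rendered as the equivalent ASA CLI so the resulting running-config can be checked against the video. This is an added example, not code from the video or from Duo's documentation; the API hostname, integration key and secret key are placeholders for the values on the application's properties page, and the interface name outside is assumed.

```cisco
! --- Duo LDAP server group (ASDM: AAA/Local Users > AAA Server Groups) ---
aaa-server Duo-LDAP protocol ldap
 ! realm-id is required on newer ASA firmware; the video uses 1
 realm-id 1
! Host entry: the Duo API hostname, reached via the external interface
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 ! 60 seconds gives the user time to answer the Duo Push / phone call
 timeout 60
 ! Base DN: dc=<integration key>,dc=duosecurity,dc=com (placeholder key)
 ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ! "One level beneath the Base DN"
 ldap-scope onelevel
 ! Naming attribute: cn
 ldap-naming-attribute cn
 ! Login DN is the same string as the Base DN
 ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ! Login Password is the application's secret key (placeholder)
 ldap-login-password SECRET_KEY_PLACEHOLDER
 ! "Detect Automatically/Use Generic Type"
 server-type auto-detect
 ! "Enable LDAP over SSL"
 ldap-over-ssl enable
!
! --- Connection profile (ASDM: Connection Profiles > Advanced >
!     Secondary Authentication) ---
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 ! No LOCAL keyword: "Use LOCAL if Server Group fails" stays unchecked,
 ! so a Duo outage fails closed instead of skipping the second factor.
 ! use-primary-username: the primary login name is sent to Duo.
 secondary-authentication-server-group Duo-LDAP use-primary-username
```

After applying the ASDM changes, `show running-config aaa-server Duo-LDAP` and `show running-config tunnel-group DefaultWEBVPNGroup` should show these lines; a `LOCAL` keyword on the secondary-authentication line means the fallback box was left checked.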
Info
Channel: Duo Security
Views: 21,754
Keywords: 2fa, two factor, two factor authentication, mfa, multi factor auth, duo, duo security, duo cisco, cisco asa, cisco 2fa, cisco vpn, yt:cc=on
Id: 6nEvmc8wjic
Length: 9min 51sec (591 seconds)
Published: Fri Feb 23 2018