Cisco Anyconnect

Prerequisites

Refer to the Cisco documentation for how to set up your ASA to act as a remote-access VPN using AnyConnect.

Integration steps

The following steps describe how to create a new RADIUS client on your Mideye Server, and how to create a new AAA server and apply it to an existing connection profile with SSL-VPN enabled. All steps on the Cisco ASA are executed from IOS, accessed via SSH, telnet or console.

Add Cisco RADIUS client in the Mideye Server

See section RADIUS clients in the reference guide.

Create a new AAA-server using RADIUS

  1. From Cisco IOS, enter global configuration mode:

    Cisco-ASA> enable
    Cisco-ASA# config terminal
    Cisco-ASA(config)#
    
  2. Create a new AAA-server using RADIUS:

    Cisco-ASA(config)# aaa-server mideye-server protocol RADIUS
    
  3. Assign IP, shared secret and timeout settings for the aaa-server:

    Cisco-ASA(config)# aaa-server mideye-server (internal) host 172.16.10.100
    Cisco-ASA(config-aaa-server-host)# key ******
    Cisco-ASA(config-aaa-server-host)# authentication-port 1812
    Cisco-ASA(config-aaa-server-host)# accounting-port 1813
    Cisco-ASA(config-aaa-server-host)# timeout 35
    Cisco-ASA(config-aaa-server-host)# exit
    
  4. Apply the created AAA-server to your existing SSL-VPN-profile:

    Cisco-ASA(config)# tunnel-group "mideye-server" general-attributes
    Cisco-ASA(config-tunnel-general)# authentication-server-group mideye-server
    
  5. Write the new configuration to memory:

    Cisco-ASA(config)# write memory
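
A way to check the result of steps 1-5 offline, as an added example (not Mideye or Cisco code): this Python function reads a saved running-config and reports a RADIUS host timeout below 35 seconds and any connection profile that points at a server group that was never defined. The config excerpt is constructed and the tunnel-group name vpn-users is an assumption.

```python
import re

# Constructed running-config excerpt (not from a real device). The tunnel-group
# name "vpn-users" is an assumption; the other names follow the steps above.
SAMPLE_CONFIG = """\
aaa-server mideye-server protocol radius
aaa-server mideye-server (internal) host 172.16.10.100
 timeout 12
 key *****
 authentication-port 1812
 accounting-port 1813
tunnel-group vpn-users general-attributes
 authentication-server-group RADIUS
"""

def audit(config, min_timeout=35):
    """Return findings for the RADIUS timeout and server-group references."""
    groups, hosts, refs, findings, section = set(), {}, [], [], None
    for line in config.splitlines():
        if not line.startswith(" "):            # a top-level command opens a new section
            section = None
            if m := re.match(r"aaa-server (\S+) protocol radius\b", line, re.I):
                groups.add(m.group(1))
            elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
                section = ("host", m.group(1), m.group(2))
                hosts[section[1:]] = None       # None means no timeout line was seen
            elif m := re.match(r'tunnel-group "?([^" ]+)"? general-attributes', line):
                section = ("tunnel", m.group(1))
        elif section and section[0] == "host":
            if m := re.match(r" timeout (\d+)", line):
                hosts[section[1:]] = int(m.group(1))
        elif section and section[0] == "tunnel":
            if m := re.match(r" authentication-server-group (?:\(\S+\) )?(\S+)", line):
                refs.append((section[1], m.group(1)))
    for (group, host), timeout in hosts.items():
        if timeout is None or timeout < min_timeout:
            shown = "not set" if timeout is None else f"{timeout}s"
            findings.append(f"{group} host {host}: timeout {shown}, expected at least {min_timeout}s")
    for tunnel, group in refs:
        if group not in groups:
            findings.append(f"tunnel-group {tunnel}: server group {group!r} is not a defined RADIUS group")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns two findings for the constructed excerpt; a config that follows the steps above returns an empty list.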
    

Verify two-factor OTP functionality

To verify that RADIUS is set up correctly, log on to your Cisco ASA firewall using ASDM.

  1. Navigate to Configuration > Remote Access VPN > AAA/Local Users.
  2. Select the Server Group and the correct server name and click Test.
  3. Select Authentication and type a valid username and password.
  4. An SMS-OTP should be delivered followed by the following error-message:

This message appears because ASDM can't handle challenge-response.
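
What a RADIUS client has to do to complete the challenge-response that the ASDM test stops at, as an added example (not Mideye or Cisco code) following RFC 2865 with PAP: send the password hidden under the shared secret, verify the reply's Response Authenticator, then send a second Access-Request carrying the OTP and the echoed State. Nothing is sent on the network; the user name, password, OTP, State value and the server's challenge are constructed.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def attr(code, value):  # one RADIUS attribute: type, length, value
    return struct.pack("!BB", code, len(value) + 2) + value

def hide_password(password, secret, authenticator):  # RFC 2865 section 5.2 (PAP)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def access_request(ident, user, password, secret, state=None):
    auth = os.urandom(16)  # Request Authenticator, fresh for every request
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, auth))
    if state is not None:
        body += attr(STATE, state)  # State from the challenge is echoed unchanged
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def parse_reply(packet, request_auth, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):  # Response Authenticator check
        raise ValueError("response authenticator mismatch (wrong shared secret?)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return code, ident, attrs

def constructed_challenge(ident, request_auth, secret):  # stand-in for the server, values made up
    body = attr(REPLY_MESSAGE, b"Enter OTP") + attr(STATE, b"constructed-state")
    head = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def challenge_flow(secret, otp):  # request -> constructed challenge -> request with State and OTP
    _, auth = access_request(1, b"alice", b"constructed-password", secret)
    code, _, attrs = parse_reply(constructed_challenge(1, auth, secret), auth, secret)
    second, _ = access_request(2, b"alice", otp, secret, state=attrs[STATE][0])
    return code, attrs, second
```

A reply built with a different shared secret fails the Response Authenticator check in parse_reply, which is the same mismatch that makes a misconfigured key on either side look like a silent timeout.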

Configure connection-profile settings

Increase the timeout-value for the Cisco Anyconnect client

Important

If the RADIUS timeout is not changed to 35 seconds, some users will experience SMS delivery with no challenge prompt, or the OTP will appear not to be valid. This can be due to slow SMS interworking or other phone network provider issues.

The default timeout-value for a connection-attempt for Cisco AnyConnect client is 12 seconds. For full functionality with Mideye RADIUS-server, the recommended timeout value is 35 seconds. This can only be changed using Cisco ASDM.

  1. Open ASDM and click Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
  2. Select the client profile used for Cisco AnyConnect and click Edit. If none exist, create a new one and assign it to the group-policy for AnyConnect then click Edit.
  3. Navigate to Preferences (Part 2) and change the value Authentication timeout (seconds) to 35 seconds.
  4. This new timeout-value will be downloaded automatically when connecting using Cisco AnyConnect client.
  5. Last step is to add a Server Listing. Navigate to Server List and click Add.
  6. Add a host display name followed by the FQDN of the SSL-VPN URL. Save the configuration.

Note

The first time this is changed, end users must first download the new .xml profile. The new timeout will take effect on their second connection using AnyConnect.


Dynamic RADIUS-reject messages

Mideye error messages (and the default language) can be modified via the Mideye Configuration tool, see screenshot below. RADIUS-reject messages on Cisco AnyConnect Secure Mobility will only work on Security Appliance Software Version 9.1(2) or higher using Cisco AnyConnect Secure Mobility Client 3.1.04066 or higher, and only when PAP is used as authentication protocol. To enable the dynamic reject messages from ASDM, complete the following steps.

  1. Click Configuration > Remote Access VPN.
  2. Click AnyConnect Connection Profile, select the connection profile used for login with RADIUS and click Edit.
  3. Expand Advanced and click Group Alias / Group URL.
  4. Check Enable the display of RADIUS Reject-Messages on the login screen when authentication is rejected.

Reject messages from Mideye RADIUS-server shown instead of Login Failed.

Reject messages dynamically displayed by the Mideye Server. These messages can be modified using the configuration tool on your Mideye Server; see How to configure User Messages in Mideye Server 5.


Password-change using MS-CHAP-v2

Since Cisco ASA supports MS-CHAP-v2 as authentication protocol, users whose password is about to expire can change their password when logging in using AnyConnect SSL-VPN. To enable this feature, Mideye Server release 4.3.0 or higher is required. This also requires further configuration on the Mideye Server (refer to the Configuration guide). To enable this feature on Cisco ASA, the following configuration needs to be added.

    Cisco-ASA(config)# tunnel-group "mideyeserver" ppp-attributes
    Cisco-ASA(config-ppp)# no authentication pap
    Cisco-ASA(config-ppp)# authentication ms-chap-v2
    Cisco-ASA(config-ppp)# exit

Save the configuration:

    Cisco-ASA(config)# write memory

Configure RADIUS-client to properly display special characters such as å, ä and ö

By default, any created RADIUS client will use UTF-8 as encoding. To properly display special characters such as å, ä and ö, the encoding has to be changed to ISO-8859-1. This can be done by opening Radiusconfigure on your Mideye Server and selecting RADIUS Clients. Select the RADIUS client created for ASA55xx and click Modify. Click Client configuration and change Encoding to ISO-8859-1. Click OK, Save and Close to restart the Mideye Server.
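
Why the encoding setting matters, as an added example (not Mideye code): the same reject text is packed into a RADIUS Reply-Message attribute in both encodings and then rendered the way a client that reads the bytes as ISO-8859-1 would show it. That rendering behaviour is an assumption made for the illustration, and the Swedish sample text is constructed.

```python
REPLY_MESSAGE = 18  # RADIUS Reply-Message attribute type (RFC 2865)
SAMPLE = "Telefonen är inte nåbar"  # constructed reject text

def reply_message_attr(text, encoding):
    """Encode a reject text as a Reply-Message TLV in the client's configured encoding."""
    value = text.encode(encoding)  # UnicodeEncodeError if the charset lacks a character
    if len(value) > 253:
        raise ValueError("Reply-Message value exceeds 253 octets")
    return bytes([REPLY_MESSAGE, len(value) + 2]) + value

def displayed_by_latin1_client(attribute):
    """Text shown by a client that renders the value as ISO-8859-1 (assumed behaviour)."""
    return attribute[2:attribute[1]].decode("iso-8859-1")

def check_message(text):
    """Return (rendering_if_utf8, rendering_if_latin1, fits_latin1) for a reject text."""
    as_utf8 = displayed_by_latin1_client(reply_message_attr(text, "utf-8"))
    try:
        as_latin1 = displayed_by_latin1_client(reply_message_attr(text, "iso-8859-1"))
    except UnicodeEncodeError:
        # Characters outside ISO-8859-1 (for example the euro sign) cannot be sent at all
        return as_utf8, None, False
    return as_utf8, as_latin1, True
```

Running check_message over each customized user message before switching the client to ISO-8859-1 shows which texts would be garbled under UTF-8 and which contain characters the new encoding cannot carry.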

Dynamic Access Policy using RADIUS-translation

To further extend the functionality of RADIUS, Dynamic Access Policy (DAP) can be used to assign specific users or groups permissions from LDAP when logging in using AnyConnect. This requires configuration on both the Mideye Server and Cisco ASA. When using DAP, all AnyConnect users will share the same IP subnet but will be granted permission to certain network resources based on what group(s) they belong to in LDAP. Complete the following steps to enable RADIUS-translation with DAP:

Mideye Server - DAP Config

  1. Enable RADIUS Translation in LDAP
  2. Create RADIUS Translation Rule

Cisco ASA - DAP Config

  • All configuration for DAP must be done using ASDM. Click Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policy. Click Add.
  • Give the policy a suitable Policy name and change the Selection Criteria to User has ALL of the following AAA…
  • Click the left Add button and change the AAA Attribute Type to RADIUS and type the Attribute ID 25. Add the same value as the string from the Mideye Server.

Create a new Dynamic Access Policy.

  • Click the Network ACL Filters (client) tab. Click Manage followed by Add. Create a new ACL and give it a suitable name. Select the ACL and click Add and add a new ACE. Add permissions to what networks or IP-addresses users should have access to. Click OK and finish the new DAP.

Manage permissions for the DAP.

Repeat steps 1-8 to add more groups. Verify that your DAP policies work by connecting using AnyConnect. When verified, change the default DAP DfltAccessPolicy to terminate all other connections. This can be done by selecting the default DAP policy and clicking Edit. Change Action to Terminate.

Change the default DAP to terminate all other connections

Limitations with dynamic RADIUS-reject messages

The option to present RADIUS-reject messages dynamically from a RADIUS server was introduced in ASA version 8.3.x when using PAP as authentication method (the default authentication method). This means that more information about failed login attempts is presented to the user, enabling users to solve login problems themselves. For example, if login fails because the mobile phone is not reachable, the Mideye error message 'Phone not reachable, for help see [www.mideye.com/help]' is displayed to the user instead of the default message 'Login failed'. Information about token cards that are out of sync can also be presented to the user.

When using MS-CHAP-v2, dynamic reject messages will not be displayed from the Mideye Server, but instead from an internal database on your ASA. This means that reject messages cannot be customized the same way as when using PAP. Challenge messages will still be presented from the Mideye Server. For detailed instructions on how to enable dynamic RADIUS messages, see section Dynamically display RADIUS-reject messages.