Cisco ASA SSLVPN/AnyConnect Configuration – Integrating with MS MFA

by | Apr 28, 2020 | Security

Multi-Factor Authentication (MFA) is a great means to further secure your publicly available services.  Services like Microsoft Office 365 and remote access VPN can all benefit from having an additional layer of security.  This document will illustrate how you can integrate Microsoft Azure MFA into a Cisco ASA AnyConnect implementation.  In addition to MFA, this example also uses LDAPS to authorize access to network resources for different groups of users. 

As each user logs into the Cisco AnyConnect client or the Web Portal, they will enter their Active Directory username and password, but then will also be required to satisfy the MFA requirement.  The ASA will then assign group policies based on AD group membership, which can then be used to filter access, etc. 

One thing to note is once MFA extensions are installed on a Microsoft Network Policy Server (NPS/ RADIUS), they can then only be used for MFA purposes.  WARNING: Do not attempt to install MFA extensions on an existing production NPS server. 

General components required:

  • One LDAP attribute map which will map AD groups to a specific ASA Group Policy. 
  • One aaa-server group, which points to one or more LDAP servers.  Highly recommended having at least two for redundancy as well as to use encrypted LDAPS. 
  • One aaa-server group, which points to one or more NPS/RADIUS servers.  Highly recommend having at least two for redundancy. 
  • ACLs specified for Split Tunnel on a per group policy basis. 
  • ACLs specified for VPN filters on a per group policy basis. 
  • Two or more group policies. 
  • One tunnel-group with authentication set to use the MFA RADIUS/NPS server(s) and authorization set to use Microsoft Active Directory (AD) LDAP server(s). 

LDAP-map and AAA-server Groups 

An LDAP-map essentially maps Active Directory groups to an ASA group-policy.  The syntax would look something like this: 

ldap attribute-map LDAPMap 

  map-name  memberOf IETF-Radius-Class 

  map-value memberOf “CN=VPNGeneralUser,OU=Security Groups,OU=Groups,DC=domain,DC=com” GP_GeneralAccess 

The above example uses the distinguished name of a security group from AD and maps it to a group policy called GP_GeneralAccess. 

The AAA-server groups for the NPS/RADIUS setup will contain the server’s IP addresses, ports in use, as well as RADIUS pre-shared keys. 

The AAA-server groups for the LDAPS setup will contain the Active Directory server’s IP addresses, ports in use (recommended port 636 for LDAPS), Base-DNs, which LDAP-map to refer to, as well as ldap-login-dn / password. 

Note – the ldap-login-dn will refer to an account that only requires read access to LDAP (i.e. only needs to be a domain user).  Use minimal rights as much as possible. 

ACLs and Group-Policies 

The Split tunnel ACLs are used to define which data to put onto the tunnel and which data to send out unencrypted.  Many organizations choose to split tunnel so that not all data will flow back through the VPN tunnel, which would eat up additional Internet bandwidth at the datacenter.  Other organizations might want to tunnel everything; so that data would go through the additional IPS or antimalware checks. 

Filter ACLs determine what networks are available to a VPN user once they are connected. 

Each of the Group Policies can have various parameters set depending on what requirements each group of users have.  One of the required settings is to set the vpn-simultaneous-logins to a number greater than or equal to 1 (default is 3).  Depending on the number of AnyConnect licenses the ASA has, I would recommend setting to 1 unless there is business reason to make it greater than 1 (which would allow more than one device per user at a given time).  Some of the other variables that can be set, include DNS servers / domain names, VPN Filters, timeouts, and split tunnel lists.  Other parameters are listed HERE.  

We will also need to have a NOACCESS policy, which means if a user doesn’t match any of the LDAP mappings, they will not be able to connect to the VPN since the simultaneous logins will be set to 0. 

Define a tunnel-group 

Finally, tying everything together is the tunnel-group.  Since the tunnel-group defines what address-pools are used, having only one tunnel-group limits you to one address pool.  If there is a requirement for having two or more pools of addresses to assign to various users, then you would need two or more tunnel groups.  However, this would then need to require users to select their tunnel group. 

In this setup, we’re setting the authentication to use the MFA server(s) and the authorization to use the LDAP servers mentioned earlier.  The tunnel-group parameter authentication-attr-from-serverwill specify which authentication server to use to obtain the authorization attributes to apply to the connection. The primary authentication server is the default selection 

In this example, we want the authorization to be via the LDAP servers.  We will specify “authentication-attr-from-server secondary since we don’t want the authorization coming from the NPS/RADIUS servers.  This command is meaningful only for double authentication. 

We also will specify the default group policy to be NOACCESS.  As stated earlier, if the user connecting is not a member of any of the previous AD groups defined in the LDAP Map, then they will be unable to connect. 

I hope this framework to successfully integrate Microsoft Azure Multi-factor Authentication into a Cisco ASA AnyConnect VPN is helpful to you and your network.  If you’d like additional assistance in implementing this solution, Peters & Associates can help!  Email info@peters.com. We are happy to assist.