
Add WiKID two-factor authentication to a Cisco ASA using ASDM 6.4 and RADIUS for a clientless SSL VPN.

The Cisco ASA is a very popular VPN solution. This document covers how to use RADIUS to add two-factor authentication via WiKID to an ASA using the ASDM management interface. If you have not downloaded the WiKID Strong Authentication Server, we recommend you start there. Once that is set up, you can configure the ASA to send authentication requests directly to WiKID, or to the Microsoft RADIUS server, NPS, which then proxies them to WiKID. If you have questions about the network architecture, please see our eGuide on adding two-factor authentication to your network.

We assume you have your VPN already configured. We will start by adding a RADIUS server. We recommend RADIUS as the protocol for a number of reasons: it is a solid standard, it works everywhere, and it can be configured to incorporate authorization via Active Directory or LDAP, so disabling a user in one place locks them out of the VPN.

Under Remote Access VPN select AAA/Local Users and click on AAA Server Group.

[Screenshot: 2 factor for cisco asa - AAA]

Click the Add button to add a server group.

[Screenshot: 2 factor for cisco asa - AAA server]

Give the server group a useful name such as "Two-factor-Auth". No spaces are allowed. Hit OK.

Now, you will see that you can Add a server in the bottom panel under 'Servers in the Selected Group'. Do so.

[Screenshot: 2 factor for cisco asa - AAA radius]

Specify the interface and IP address of your RADIUS server: NPS if you are tying in Active Directory, or the WiKID server if you are not. Again, we recommend tying in authorization via AD, so that a user only needs to be disabled in AD to be locked out completely.

Under RADIUS Parameters, change the Server Authentication Port to 1812. (The standard port has been 1812 since RFC 2865 in 2000, so Cisco's 1645 default is a long-standing holdover; clearly the budget went into updating the ASDM.) Set the Accounting Port to 1813 and create or enter a Server Secret Key. This is the shared secret and it must be identical on your RADIUS server; make it long and random, because anyone who captures a RADIUS exchange can brute-force a weak secret offline. Remember that RADIUS is obfuscated, not encrypted: only the User-Password attribute is hidden (XORed with an MD5 stream derived from the shared secret), while the user name and everything else travel in cleartext. So no RADIUS over the open Internet; keep it on a trusted segment or inside an IPsec tunnel. Hit OK, then Apply.

Next, click on Connection Profiles in the left window.

[Screenshot: 2 factor for cisco asa - Connection]

Click Add (or Edit if you have one already).

[Screenshot: 2 factor for cisco asa - AAA profile]

Give it a name, such as Two-factor Profile, and under Authentication set the method to AAA and select the AAA Server Group you created earlier. You may also need to add DNS servers and a domain name for the session.
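For reference, and to check what ASDM actually wrote to the running configuration, here is the CLI equivalent of the steps above. This is an added example, not configuration from the original article or from WiKID; the server group and profile names follow the article, while the interface name, IP addresses, domain, group-policy name and group alias are assumed values to replace with your own.

```cisco
! --- AAA server group (ASDM: AAA/Local Users > AAA Server Groups) ---
aaa-server Two-factor-Auth protocol radius
! Host entry: "inside" and 192.0.2.10 are assumed; point this at NPS or at WiKID.
aaa-server Two-factor-Auth (inside) host 192.0.2.10
 key CHANGE-ME-long-random-shared-secret
 authentication-port 1812
 accounting-port 1813
 timeout 10
 retry-interval 3
!
! --- Group policy carrying DNS and domain for the session (assumed values) ---
group-policy Two-factor-Policy internal
group-policy Two-factor-Policy attributes
 dns-server value 192.0.2.53
 default-domain value corp.example.com
 vpn-tunnel-protocol ssl-clientless
!
! --- Connection profile (ASDM: Connection Profiles) bound to the RADIUS group ---
tunnel-group Two-factor-Profile type remote-access
tunnel-group Two-factor-Profile general-attributes
 authentication-server-group Two-factor-Auth
 default-group-policy Two-factor-Policy
tunnel-group Two-factor-Profile webvpn-attributes
 group-alias TwoFactor enable
!
! Enable the clientless portal on the outside interface and let users pick the profile.
webvpn
 enable outside
 tunnel-group-list enable
!
! Confirm the result before testing authentication.
show running-config aaa-server
show running-config tunnel-group Two-factor-Profile
```

If `show running-config aaa-server` still shows `authentication-port 1645`, the ASDM change was not applied; the ASA will send to a port where WiKID and NPS are not listening and every attempt will time out rather than be rejected.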

The ASA is ready for two-factor authentication. At this point, configure NPS. We recommend you first test the ASA/NPS connection using AD passwords alone, then add the WiKID server to NPS as a remote RADIUS server and forward the connection requests to it. Once that is complete, users log in with their AD user name and the OTP: NPS performs authorization on the user name alone (account state and group membership in its network policy) and WiKID validates the OTP. No sense in also requiring an AD password!

Now we will configure the WiKID server. If you have not downloaded the WiKID two-factor authentication server, get on that; it's free for up to five users. We will add a network client: either your RADIUS server (FreeRADIUS or NPS) or the ASA itself if you want them talking directly. In the WiKIDAdmin interface, click on the Network Clients tab.

[Screenshot: 2 factor for cisco asa - WiKID]

Click on Create a New Network Client.

[Screenshot: 2 factor for cisco asa - WiKID2]

Give it a useful name, enter the IP address of the RADIUS server or the Cisco ASA depending on your setup. Select RADIUS as the protocol and select the WiKID domain to use. Click Add.

[Screenshot: 2 factor for cisco asa - WiKID3]

Enter the shared secret. It must match what you entered on the RADIUS server or on the Cisco ASA (whichever one sends requests to WiKID); otherwise WiKID cannot decode the User-Password attribute and every request will fail.

On the WiKID terminal run 'wikidctl restart'. This reloads the RADIUS network-client cache and, if you are using our ISO virtual appliance, opens the firewall for the network client's IP address. If you installed from packages, open UDP port 1812 to that IP address yourself.

Now let's test it. Start your WiKID token and get an OTP for the WiKID domain you specified for the network client.

You can test the RADIUS authentication from ASDM under AAA Server Groups / Servers in the Selected Group (select the server and click Test) without having to log in to the VPN from the outside.
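The same test is available from the ASA CLI, which is handy over SSH and gives you the per-server counters when something fails. This is an added example, not from the original article or from WiKID; the server address, user name and OTP value are assumed.

```cisco
! Send one Access-Request from the ASA to the server in the group; no VPN login needed.
! 192.0.2.10, alice and 482913 are placeholders: use your server, user and a fresh OTP.
test aaa-server authentication Two-factor-Auth host 192.0.2.10 username alice password 482913
!
! Server state (ACTIVE vs FAILED) and request/response/timeout counters. A rising
! timeout count means the packet never got an answer: wrong port, firewall, or the
! network client is not registered on WiKID. A reject with a response means the
! packet arrived but the shared secret or credentials were wrong.
show aaa-server Two-factor-Auth host 192.0.2.10
!
! Watch the exchange on the wire if the counters alone do not explain it; turn it
! off again when done, it is verbose on a busy box.
debug radius all
undebug all
```

Keep in mind that `debug radius` prints attribute contents, so the user name and the obfuscated password bytes land in your terminal log; clear it afterwards.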

[Screenshot: 2 factor for cisco asa - WiKID5]

Hopefully, your test was successful:

[Screenshot: 2 factor for cisco asa - WiKID6]

If not, please see these tips on troubleshooting RADIUS.

(We also have a screencast for the Cisco 5500.)

Remember: we offer five free two-factor authentication licenses. Download the server today!


Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication