Skip to main content

With this method, your SSH port is always closed until someone successfully requests a one-time passcode from the WiKID server, similar to port-knocking, but more secure.

This document was contributed by a WiKID user. This configuration file opens a port for ssh once the user has logged into an https front-end. While this example uses tacacs+, it should also work with radius.

 

 ! Step 1: configure wikid
! Step 1a: configure tacacs+ on wikid server

! Step 2: configure Cisco FWSM to use the tacacs+ service provided by wikid
! see also
! http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fwaaa_f.html
!
! Template config for using Wikid 2 facter auth to allow ssh access
! This only covers wikid and ssh, not any other FW configs
! 'outside' is the outside FW interface, and 'dmz' in the protected interface
! I used 'names' for readability
! I use RFC1918 address in this example, but assume no NAT
! 
! I have this running in production on two FWSMs with a more complicated config
! I have not tested the exact config below, If you see any errors, please let me know
!

names
! the wikid server
name 192.168.1.10 wikid-server
! the ssh server
name 192.168.1.11 shell-server
!
! define service ports and servers
object-group service ssh tcp
 description ssh
 port-object eq ssh
object-group network ssh-servers
 description ssh servers
 network-object host shell-server

object-group service http-only tcp
 description http
 port-object eq www
object-group service https-only tcp
 description https
 port-object eq https

object-group network wikid-servers
 description wikid servers
 network-object host wikid-server

! allow wikid clients to access the wikid server
access-list outside-acl extended permit tcp any object-group wikid-servers object-group http-only 
! allow access to https for auth
access-list outside-acl extended permit tcp any object-group ssh-servers   object-group https-only 
! allow ssh, but also needs AAA below
access-list outside-acl extended permit tcp any object-group ssh-servers   object-group ssh
access-group outside-acl in interface outside

! 5 minute timeout to cache wikid response
! once you auth via https://shell-server you have 5 minutes to log into the ssh server
! after that you need a new token
timeout uauth 0:05:00 absolute

! 
aaa-server 2factor protocol tacacs+
aaa-server 2factor (dmz) host wikid-server
! key must match wikid server key
 key SuperSecret

! allow ssh only after auth with https://shell-server
aaa authentication include ssh   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor 

! you should NOT be running a webserver with ssl support on the shell-server
! the FWSM generates a ssl cert for it's part in the auth process that
! will conflict with the one on the shell server
aaa authentication include https outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor 

! optional as it allows the wikid token to pass in cleartext
! also needs a matching acl above (left as an exercise to the reader)
! aaa authentication include ftp   outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! aaa authentication include http  outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor


! as an example of how to allow some hosts to bypass the token auth
! aaa authentication exclude ssh outside shell-server 255.255.255.255 my.home.ip 255.255.255.255 2factor
! 

! For the Cisco ASA I think you will need this also
! aaa authentication listener http outside port 1080 redirect
! aaa authentication listener https outside port 1443 redirect
 


Keywords:



 

Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication