Menu

US Region

Grandmetric LLC
Brookfield Place Office
200 Vesey Street
New York, NY 10281
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

  • en
  • pl
  • VPN Remote Access with Multi Factor Authentication Experience – Case Study

    VPN Remote Access with Multi Factor Authentication Experience – Case Study

    Date: 31.03.2017

    Author:


    I would like to share my experience with VPN Remote Access and Multi Factor Authentication with products from Cisco and Duo Security:

    • Cisco Identity Services Engine 2.X,
    • Cisco ASA 5500-X
    • Anyconnect Secure Mobility Client (VPN client)
    • MFA Cloud based services from Duo Security

     

    Background of Multi Factor Authentication

    Multi Factor Authentication (MFA) is already quite well known approach in achieving more secure authentication process. The aim of this type of authentication is to provide additional level of security ensuring that authenticating user proves his identity with different factors, independent from each other. The MFA paradigm is that the user proves his identity by providing information that he knows (example: user credentials) and then providing information based on what he owns (example: hardware or software token). This procedure increases the probability of genuine authentication and make sure it is not fake. In a hypothetical scenario an attacker can steal user credentials by spying, sniffing or guessing if password is not secure enough, but when using MFA the use of another factor makes such attack more difficult because the attacker does not possesses the second factor for authentication. The second (or third) factor can be of different kinds for instance physical, application based, connected or standalone. They could be a physical or logical tokens, phone calls, text messages or push messages.

     

    How does second factor authentication work?

    Lets quickly introduce popular types of different authentication factors.

    Credentials

    The most popular – users knows their username and passwords and provide them while authenticating.

    Certificates

    Also a popular factor – users have enrolled with their personal certificates and uses X509 framework to authenticate. If you want to know about the certificate authentication process in detail have a look at ITU standards here.

    Tokens

    Token provides one-time password that changes in fixed time intervals, for example every 60 seconds. One-time password (OTP) is displayed with synchronization with reference server often known as token server. Synchronization is done between token internal clock and token server clock. Both parties generate pseudo random number thanks to OATH algorithm or any variation of OTP generation algorithm. Tokens can be hardware (i.e. RSA SecureID hardware) or software based (i.e. mobile apps for iOS or Android). The downside of the hw tokens is that they are expensive in implementation.

    RSA SecurID hardware token MFA Grandmetric

    RSA SecurID hardware token example

     

    Cerb Software token MFA Multi Factor Authentication VPN

    Cerb Software token MFA example

    Push notifications

    Good choice for big implementations (often cheaper than hardware tokens) is push notification method where User is prompted actively by mobile App to Approve or Decline the fact of authentication. This method is used in conjunction with smartphone device and installed mobile app on it. This kind of authentication factor is used in our case study.

    Duo MFA Push Notify

    Duo MFA Push Notify factor example

    SMS Passcodes

    Another type of factor is sending SMS code which needs to be provided by user during authentication prompt. This requires SMS gateway for that process.

    Callback phone

    Some of market solutions enable “callback phone’ that is automaticaly processed after first factor is correctly passed. After phone call, user is able to press required key. This method works well for offline users for example those who do not use the smartphones.

     

    The project aim and chosen solution

    The aim was to increase a security level for User VPN authentications. Customer had Cisco infrastructure with high level of integration. After business needs analysis and infra assessment and then several days of Proof of Concept project the choice was Duo Security product for MFA solution because of its flexibility and user friendly interface. There were also signs that it will smoothly integrate within the Cisco architecture components.

     

    Architecture components and authentication flow

    The steps of authentication is as follows:

    1. User connects with Anyconnect Secure Mobility Client to ASA Headend
    2. User is prompted to provide Domain credentials
    3. Credentials are sent to VPN Headend encrypted
    4. ASA VPN checks credentials with Duo AuthProxy then Duo with ISE. Both communication via Radius.
    5. Cisco ISE in turn verifies user and password with AD Controller
    6. AD responds to ISE. If fails ISE sends the Radius Reject packet back to Duo and then Duo to ASA
    7. If succeeded Duo sends the request with username to Duo Cloud
    8. Duo Cloud then pushes the Approve / Deny message to Mobile App of authenticating user
    9. User accepts (or denies) the connection. If denies, the Radius Access Reject is send via Duo AuthProxy to ASA and connection is torn down.
    10. After Accept from Mobile information is going back to Cloud and then to AuthProxy and finally is landing on ASA VPN Headend
    11. ASA establishes VPN connection with Anyconnect
    12. Last but not least, the accounting message that confirms the established session is sent from ASA to ISE for logging and accounting purposes (piggybacking IP address, Username, Timestamp and more)

    Traffic flow high level view – MFA authentication

    VPN Multi Factor Authentication idea traffic flow - Duo Security - Cisco ASA - Cisco ISE - VPN Remote Access

    VPN Multi Factor Authentication idea traffic flow

    ASA VPN Headend

    The ASA configuration part is very similar to regular remote access implementation with Cisco Anyconnect. One thing to mention is accounting and authentication server part. In our case study ASA acts as a radius client to Duo Authentication Proxy and in parallel to ISE Policy Service Nodes. The Duo Authentication Proxy in turn is the proxy between ASA, ISE PSN and Duo Cloud API.

    Cisco ISE part

    Besides regular Authentication and Authorization rules Duo Auth Proxy need to be configured as a radius client on Cisco ISE. Cisco ISE acts as:

    • Radius Server for Duo Auth Proxy
    • Radius Server for ASA VPN
    • Proxy for AD authentication

    ISE functions in our case study:

    • Authentication Server (AD as external identity source)
    • Authorization Server for differentiate Users and Groups access privileges
    • Accounting Server for log storage and User-to-IP mapping source

    In this project User-to-IP mappings are crucial for whole infrastructure because these mappings are used in different segments for identity access. The purpose of identity filtering is described here.

    Duo Authentication Proxy

    Duo Auth Proxy can be hosted on Linux or Windows Server machine. Duo Authentication proxy is the interface between ISE and ASA, ASA and Cloud API, ISE and Cloud API. You can take a look at the config guides at Duo site https://duo.com/docs/authproxy_reference

    Duo Cloud and Active Directory

    For the sake of proper authentication, user and mobile devices handling, the Duo Cloud interface is used. There is connection established between Duo Auth Proxy, Duo Cloud API and Active Directory that is used for AD authentication, user and device enrolment with Duo Mobile App.

    The solution was integrated with high-availability environment and there is no single point of failure within the VPN infrastructure. For further details of components and their configuration, follow us on Grandmetric LinkedIn site

    Author

    Grandmetric

    Grandmetric is an IT Next Generation Systems integration company helping clients with their IT transformation, infrastructure automation, LAN, WiFi, SD-WAN & SDN delivery. Fast growing Grandmetric team is becoming also a referal point in Cloud migrations and DC Stack management with their Storage, OS and virtualization experience. Grandmetric provides technical insights along with technical trainings in areas of expertise. Latest projects cover also IoT subjects R&D in the area of IoT backend development, big data analysis and monitoring. Based on above experience in production systems maintenance, new division – Grandmetric Managed Services (GMS) maintaining IT infrastructure of corporates & globally present customers is available for demanding IT environments.

    11 Comments
    Brady
    19 June 2018 at 20:53

    Hi Marcin. What would be the difference between configuring ISE to perform the AD authentication step, rather than the DUO proxy?

     
    Marcin Bialy
    19 June 2018 at 21:13

    Hi Brady, thanks for asking. Good question. The user authentication against AD (as a first MFA factor) is actually performed by ISE. Duo proxy acts as a proxy as the name implies 😉 so authentication challenge flows from ASA via Duo Proxy to ISE then to AD. ISE can make Authentication and Authorization decisions and most importantly accounts this login event. In the same time Duo Proxy contacts the Duo Cloud for the sake of sending push notification to right mobile app. However Duo Cloud needs to have AD integration as well to properly onboard the users and mobile apps. I hope this clarifies a little. Feel free to ask if you have more questions.

    Marcin

     
    Brady
    17 July 2018 at 04:46

    Hi Marcin! Thank you for replying so quickly. Your description was very helpful. Would you be defeating the purpose of the ISE server, if you configured as follows;
    -ASA configured for RADIUS, pointing to the ISE servers
    -ISE uses the DUO proxy as its only external identify source
    -DUO proxy configured as AD client for primary authentication
    -DUO proxy to DUO RADIUS cloud application for token push

     
    Marcin Bialy
    18 July 2018 at 18:03

    Ok, i got your point. Personally i do not see any reason why it would not work, but in my opinion you could loose the information that might be valuable (like AD group) having AD – DUO proxy connection instead ISE – AD connection. In fact Duo proxy can talk with AD and can talk Radius however I have not seen such flow in Duo validated deisgn.

    best,
    Marcin

     
    Brady
    17 July 2018 at 05:29

    This diagram may help illustrate the traffic flow that I am referring to

    https://drive.google.com/file/d/1CRxzzQ6tWRQ9BLGCnEXT-XKbDzbS27Od/view?usp=sharing

     
    Nik
    14 February 2019 at 07:50

    Hi Marcin
    Fantastic blog, really informative.
    Just got a question, how would the flow be if ISE is doing Posture as well ?
    regards
    Nik

     
    SAHE ALAM
    2 June 2020 at 07:48

    What is DCA and DCB in flowchart?

     
    Joanna Chmiel
    25 June 2020 at 14:05

    Hi, DCA and DCB stand for Data Center A and Data Center B respectively.

     
    Sri
    14 February 2021 at 08:11

    Hi Marcin
    Thanks for the great post. Is it possible to just verify the Certs installed on the user’s PC (to ensure they connect from Corporate-owned devices) and use RSA MFA (passcode) instead of using AD Username/password and RSA MFA?

     

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric