I would like to share my experience with VPN Remote Access and Multi Factor Authentication with products from Cisco and Duo Security:
Multi Factor Authentication (MFA) is already quite well known approach in achieving more secure authentication process. The aim of this type of authentication is to provide additional level of security ensuring that authenticating user proves his identity with different factors, independent from each other. The MFA paradigm is that the user proves his identity by providing information that he knows (example: user credentials) and then providing information based on what he owns (example: hardware or software token). This procedure increases the probability of genuine authentication and make sure it is not fake. In a hypothetical scenario an attacker can steal user credentials by spying, sniffing or guessing if password is not secure enough, but when using MFA the use of another factor makes such attack more difficult because the attacker does not possesses the second factor for authentication. The second (or third) factor can be of different kinds for instance physical, application based, connected or standalone. They could be a physical or logical tokens, phone calls, text messages or push messages.
Lets quickly introduce popular types of different authentication factors.
The most popular – users knows their username and passwords and provide them while authenticating.
Also a popular factor – users have enrolled with their personal certificates and uses X509 framework to authenticate. If you want to know about the certificate authentication process in detail have a look at ITU standards here.
Token provides one-time password that changes in fixed time intervals, for example every 60 seconds. One-time password (OTP) is displayed with synchronization with reference server often known as token server. Synchronization is done between token internal clock and token server clock. Both parties generate pseudo random number thanks to OATH algorithm or any variation of OTP generation algorithm. Tokens can be hardware (i.e. RSA SecureID hardware) or software based (i.e. mobile apps for iOS or Android). The downside of the hw tokens is that they are expensive in implementation.
Good choice for big implementations (often cheaper than hardware tokens) is push notification method where User is prompted actively by mobile App to Approve or Decline the fact of authentication. This method is used in conjunction with smartphone device and installed mobile app on it. This kind of authentication factor is used in our case study.
Another type of factor is sending SMS code which needs to be provided by user during authentication prompt. This requires SMS gateway for that process.
Some of market solutions enable “callback phone’ that is automaticaly processed after first factor is correctly passed. After phone call, user is able to press required key. This method works well for offline users for example those who do not use the smartphones.
The aim was to increase a security level for User VPN authentications. Customer had Cisco infrastructure with high level of integration. After business needs analysis and infra assessment and then several days of Proof of Concept project the choice was Duo Security product for MFA solution because of its flexibility and user friendly interface. There were also signs that it will smoothly integrate within the Cisco architecture components.
The steps of authentication is as follows:
The ASA configuration part is very similar to regular remote access implementation with Cisco Anyconnect. One thing to mention is accounting and authentication server part. In our case study ASA acts as a radius client to Duo Authentication Proxy and in parallel to ISE Policy Service Nodes. The Duo Authentication Proxy in turn is the proxy between ASA, ISE PSN and Duo Cloud API.
Besides regular Authentication and Authorization rules Duo Auth Proxy need to be configured as a radius client on Cisco ISE. Cisco ISE acts as:
ISE functions in our case study:
In this project User-to-IP mappings are crucial for whole infrastructure because these mappings are used in different segments for identity access. The purpose of identity filtering is described here.
Duo Auth Proxy can be hosted on Linux or Windows Server machine. Duo Authentication proxy is the interface between ISE and ASA, ASA and Cloud API, ISE and Cloud API. You can take a look at the config guides at Duo site https://duo.com/docs/authproxy_reference
For the sake of proper authentication, user and mobile devices handling, the Duo Cloud interface is used. There is connection established between Duo Auth Proxy, Duo Cloud API and Active Directory that is used for AD authentication, user and device enrolment with Duo Mobile App.
The solution was integrated with high-availability environment and there is no single point of failure within the VPN infrastructure. For further details of components and their configuration, follow us on Grandmetric LinkedIn site
Hi Marcin. What would be the difference between configuring ISE to perform the AD authentication step, rather than the DUO proxy?
Hi Brady, thanks for asking. Good question. The user authentication against AD (as a first MFA factor) is actually performed by ISE. Duo proxy acts as a proxy as the name implies 😉 so authentication challenge flows from ASA via Duo Proxy to ISE then to AD. ISE can make Authentication and Authorization decisions and most importantly accounts this login event. In the same time Duo Proxy contacts the Duo Cloud for the sake of sending push notification to right mobile app. However Duo Cloud needs to have AD integration as well to properly onboard the users and mobile apps. I hope this clarifies a little. Feel free to ask if you have more questions.
Marcin
Hi Marcin! Thank you for replying so quickly. Your description was very helpful. Would you be defeating the purpose of the ISE server, if you configured as follows;
-ASA configured for RADIUS, pointing to the ISE servers
-ISE uses the DUO proxy as its only external identify source
-DUO proxy configured as AD client for primary authentication
-DUO proxy to DUO RADIUS cloud application for token push
Ok, i got your point. Personally i do not see any reason why it would not work, but in my opinion you could loose the information that might be valuable (like AD group) having AD – DUO proxy connection instead ISE – AD connection. In fact Duo proxy can talk with AD and can talk Radius however I have not seen such flow in Duo validated deisgn.
best,
Marcin
This diagram may help illustrate the traffic flow that I am referring to
https://drive.google.com/file/d/1CRxzzQ6tWRQ9BLGCnEXT-XKbDzbS27Od/view?usp=sharing
Hi Marcin
Fantastic blog, really informative.
Just got a question, how would the flow be if ISE is doing Posture as well ?
regards
Nik
What is DCA and DCB in flowchart?
Hi, DCA and DCB stand for Data Center A and Data Center B respectively.
Hi Marcin
Thanks for the great post. Is it possible to just verify the Certs installed on the user’s PC (to ensure they connect from Corporate-owned devices) and use RSA MFA (passcode) instead of using AD Username/password and RSA MFA?