Menu

US Region

Grandmetric LLC
Brookfield Place Office
200 Vesey Street
New York, NY 10281
EIN: 98-1615498
Phone: +1 302 691 94 10

info@grandmetric.com

EMEA Region

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

VPN Remote Access with Multi Factor Authentication Experience – Case Study

VPN Remote Access with Multi Factor Authentication Experience – Case Study

Author:


31.03.2017

I would like to share my experience with VPN Remote Access and Multi Factor Authentication with products from Cisco and Duo Security:

  • Cisco Identity Services Engine 2.X,
  • Cisco ASA 5500-X
  • Anyconnect Secure Mobility Client (VPN client)
  • MFA Cloud based services from Duo Security

 

Background of Multi Factor Authentication

Multi Factor Authentication (MFA) is already quite well known approach in achieving more secure authentication process. The aim of this type of authentication is to provide additional level of security ensuring that authenticating user proves his identity with different factors, independent from each other. The MFA paradigm is that the user proves his identity by providing information that he knows (example: user credentials) and then providing information based on what he owns (example: hardware or software token). This procedure increases the probability of genuine authentication and make sure it is not fake. In a hypothetical scenario an attacker can steal user credentials by spying, sniffing or guessing if password is not secure enough, but when using MFA the use of another factor makes such attack more difficult because the attacker does not possesses the second factor for authentication. The second (or third) factor can be of different kinds for instance physical, application based, connected or standalone. They could be a physical or logical tokens, phone calls, text messages or push messages.

 

How does second factor authentication work?

Lets quickly introduce popular types of different authentication factors.

Credentials

The most popular – users knows their username and passwords and provide them while authenticating.

Certificates

Also a popular factor – users have enrolled with their personal certificates and uses X509 framework to authenticate. If you want to know about the certificate authentication process in detail have a look at ITU standards here.

Tokens

Token provides one-time password that changes in fixed time intervals, for example every 60 seconds. One-time password (OTP) is displayed with synchronization with reference server often known as token server. Synchronization is done between token internal clock and token server clock. Both parties generate pseudo random number thanks to OATH algorithm or any variation of OTP generation algorithm. Tokens can be hardware (i.e. RSA SecureID hardware) or software based (i.e. mobile apps for iOS or Android). The downside of the hw tokens is that they are expensive in implementation.

RSA SecurID hardware token MFA Grandmetric

RSA SecurID hardware token example

 

Cerb Software token MFA Multi Factor Authentication VPN

Cerb Software token MFA example

Push notifications

Good choice for big implementations (often cheaper than hardware tokens) is push notification method where User is prompted actively by mobile App to Approve or Decline the fact of authentication. This method is used in conjunction with smartphone device and installed mobile app on it. This kind of authentication factor is used in our case study.

Duo MFA Push Notify

Duo MFA Push Notify factor example

SMS Passcodes

Another type of factor is sending SMS code which needs to be provided by user during authentication prompt. This requires SMS gateway for that process.

Callback phone

Some of market solutions enable “callback phone’ that is automaticaly processed after first factor is correctly passed. After phone call, user is able to press required key. This method works well for offline users for example those who do not use the smartphones.

 

The project aim and chosen solution

The aim was to increase a security level for User VPN authentications. Customer had Cisco infrastructure with high level of integration. After business needs analysis and infra assessment and then several days of Proof of Concept project the choice was Duo Security product for MFA solution because of its flexibility and user friendly interface. There were also signs that it will smoothly integrate within the Cisco architecture components.

 

Architecture components and authentication flow

The steps of authentication is as follows:

  1. User connects with Anyconnect Secure Mobility Client to ASA Headend
  2. User is prompted to provide Domain credentials
  3. Credentials are sent to VPN Headend encrypted
  4. ASA VPN checks credentials with Duo AuthProxy then Duo with ISE. Both communication via Radius.
  5. Cisco ISE in turn verifies user and password with AD Controller
  6. AD responds to ISE. If fails ISE sends the Radius Reject packet back to Duo and then Duo to ASA
  7. If succeeded Duo sends the request with username to Duo Cloud
  8. Duo Cloud then pushes the Approve / Deny message to Mobile App of authenticating user
  9. User accepts (or denies) the connection. If denies, the Radius Access Reject is send via Duo AuthProxy to ASA and connection is torn down.
  10. After Accept from Mobile information is going back to Cloud and then to AuthProxy and finally is landing on ASA VPN Headend
  11. ASA establishes VPN connection with Anyconnect
  12. Last but not least, the accounting message that confirms the established session is sent from ASA to ISE for logging and accounting purposes (piggybacking IP address, Username, Timestamp and more)

Traffic flow high level view – MFA authentication

VPN Multi Factor Authentication idea traffic flow - Duo Security - Cisco ASA - Cisco ISE - VPN Remote Access

VPN Multi Factor Authentication idea traffic flow

ASA VPN Headend

The ASA configuration part is very similar to regular remote access implementation with Cisco Anyconnect. One thing to mention is accounting and authentication server part. In our case study ASA acts as a radius client to Duo Authentication Proxy and in parallel to ISE Policy Service Nodes. The Duo Authentication Proxy in turn is the proxy between ASA, ISE PSN and Duo Cloud API.

Cisco ISE part

Besides regular Authentication and Authorization rules Duo Auth Proxy need to be configured as a radius client on Cisco ISE. Cisco ISE acts as:

  • Radius Server for Duo Auth Proxy
  • Radius Server for ASA VPN
  • Proxy for AD authentication

ISE functions in our case study:

  • Authentication Server (AD as external identity source)
  • Authorization Server for differentiate Users and Groups access privileges
  • Accounting Server for log storage and User-to-IP mapping source

In this project User-to-IP mappings are crucial for whole infrastructure because these mappings are used in different segments for identity access. The purpose of identity filtering is described here.

Duo Authentication Proxy

Duo Auth Proxy can be hosted on Linux or Windows Server machine. Duo Authentication proxy is the interface between ISE and ASA, ASA and Cloud API, ISE and Cloud API. You can take a look at the config guides at Duo site https://duo.com/docs/authproxy_reference

Duo Cloud and Active Directory

For the sake of proper authentication, user and mobile devices handling, the Duo Cloud interface is used. There is connection established between Duo Auth Proxy, Duo Cloud API and Active Directory that is used for AD authentication, user and device enrolment with Duo Mobile App.

The solution was integrated with high-availability environment and there is no single point of failure within the VPN infrastructure. For further details of components and their configuration, follow us on Grandmetric LinkedIn site

Author

Grandmetric

Grandmetric is an IT Next Generation Systems integration company helping clients with their IT transformation, infrastructure automation, LAN, WiFi, SD-WAN & SDN delivery. Fast growing Grandmetric team is becoming also a referal point in Cloud migrations and DC Stack management with their Storage, OS and virtualization experience. Grandmetric provides technical insights along with technical trainings in areas of expertise. Latest projects cover also IoT subjects R&D in the area of IoT backend development, big data analysis and monitoring. Based on above experience in production systems maintenance, new division – Grandmetric Managed Services (GMS) maintaining IT infrastructure of corporates & globally present customers is available for demanding IT environments.

11 Comments
Brady
19 June 2018 at 20:53

Hi Marcin. What would be the difference between configuring ISE to perform the AD authentication step, rather than the DUO proxy?

 
Marcin Bialy
19 June 2018 at 21:13

Hi Brady, thanks for asking. Good question. The user authentication against AD (as a first MFA factor) is actually performed by ISE. Duo proxy acts as a proxy as the name implies 😉 so authentication challenge flows from ASA via Duo Proxy to ISE then to AD. ISE can make Authentication and Authorization decisions and most importantly accounts this login event. In the same time Duo Proxy contacts the Duo Cloud for the sake of sending push notification to right mobile app. However Duo Cloud needs to have AD integration as well to properly onboard the users and mobile apps. I hope this clarifies a little. Feel free to ask if you have more questions.

Marcin

 
Brady
17 July 2018 at 04:46

Hi Marcin! Thank you for replying so quickly. Your description was very helpful. Would you be defeating the purpose of the ISE server, if you configured as follows;
-ASA configured for RADIUS, pointing to the ISE servers
-ISE uses the DUO proxy as its only external identify source
-DUO proxy configured as AD client for primary authentication
-DUO proxy to DUO RADIUS cloud application for token push

 
Marcin Bialy
18 July 2018 at 18:03

Ok, i got your point. Personally i do not see any reason why it would not work, but in my opinion you could loose the information that might be valuable (like AD group) having AD – DUO proxy connection instead ISE – AD connection. In fact Duo proxy can talk with AD and can talk Radius however I have not seen such flow in Duo validated deisgn.

best,
Marcin

 
Brady
17 July 2018 at 05:29

This diagram may help illustrate the traffic flow that I am referring to

https://drive.google.com/file/d/1CRxzzQ6tWRQ9BLGCnEXT-XKbDzbS27Od/view?usp=sharing

 
Nik
14 February 2019 at 07:50

Hi Marcin
Fantastic blog, really informative.
Just got a question, how would the flow be if ISE is doing Posture as well ?
regards
Nik

 
SAHE ALAM
2 June 2020 at 07:48

What is DCA and DCB in flowchart?

 
Joanna Chmiel
25 June 2020 at 14:05

Hi, DCA and DCB stand for Data Center A and Data Center B respectively.

 
Sri
14 February 2021 at 08:11

Hi Marcin
Thanks for the great post. Is it possible to just verify the Certs installed on the user’s PC (to ensure they connect from Corporate-owned devices) and use RSA MFA (passcode) instead of using AD Username/password and RSA MFA?

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter!


Grandmetric