Go to 2FA (Two-Factor Authentication for ASA SSL VPN)
- Tutorial
For these purposes, most companies use VPN technology, which has established itself as a well-protected way of providing access to local resources of an organization.
My company was no exception, and we, like many others, use this technology. And, like many others, we use Cisco ASA 55xx as a remote access gateway.
As the number of remote users increases, there is a need to facilitate the process of issuing credentials. But at the same time, this must be done without compromising security.
For ourselves, we found a solution in the application of two-factor authentication for connecting via Cisco SSL VPN, using one-time passwords. And this publication will tell you how to organize such a solution with minimal time and zero cost for the necessary software (provided that you already have a Cisco ASA in your infrastructure).
The market is replete with boxed solutions for generating one-time passwords, while offering a lot of options for obtaining them, whether sending a password via SMS or using tokens, both “iron” and software (for example, on a mobile phone). But the desire for savings and the desire to save money for my employer, in the current crisis forced me to find a free way to implement a service for generating one-time passwords. Which, while free, is not much inferior to commercial solutions (here we should make a reservation, noting that this product also has a commercial version, but we agreed that our costs, in money, will be zero).
So, we need:
- A Linux image with a built-in set of tools - multiOTP, FreeRADIUS and nginx, for accessing the server via the web (http://download.multiotp.net/ - I used a ready-made image for VMware)
- Active Directory Server
- Actually Cisco ASA (I, for convenience, I use ASDM)
- Any software token that supports the TOTP mechanism (I, for example, use Google Authenticator, but the same FreeOTP will do)
I won’t go into the details of image deployment. As a result, you will get Debian Linux with multiOTP and FreeRADIUS already installed, configured to work in conjunction and a web interface for OTP administration.
Step 1. We initiate the system and configure it to our network.
By default, the system comes with root \ root credentials. I think everyone guessed that it would be nice to change the root password after the first login. It is also necessary to change the network settings (by default it is '192.168.1.44' with the gateway '192.168.1.1'). After you can reboot the system.
In Active Directory, create the otp user , with the password MySuperPassword .
Step 2. Configure the connection and import Active Directory users.
For this we need access to the console, and directly the multiotp.php file , using which we will configure the settings for connecting to Active Directory.
Go to the directory / usr / local / bin / multiotp / and take turns executing the following commands:
./multiotp.php -config default-request-prefix-pin=0Determines whether an additional (permanent) pin is required when entering a one-time pin (0 or 1)
./multiotp.php -config default-request-ldap-pwd=0Determines whether a domain password is required when entering a one-time pin (0 or 1)
./multiotp.php -config ldap-server-type=1The type of LDAP server is indicated (0 = regular LDAP server, in our case 1 = Active Directory)
./multiotp.php -config ldap-cn-identifier="sAMAccountName"Indicates in which format the user name is represented (this value will only display the name, without a domain)
./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"Same for group only
./multiotp.php -config ldap-group-attribute="memberOf"Specifies a method for determining whether a user belongs to a group.
./multiotp.php -config ldap-ssl=1Whether to use a secure connection to the LDAP server (of course, yes!)
./multiotp.php -config ldap-port=636Port for connecting to an LDAP server
./multiotp.php -config ldap-domain-controllers=adSRV.domain.localYour Active Directory Server Address
./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"Specify where to start the search for users in the domain
./multiotp.php -config ldap-bind-dn="[email protected]"Specify a user who has Active Directory search rights
./multiotp.php -config ldap-server-password="MySuperPassword"Specify the user password to connect to Active Directory
./multiotp.php -config ldap-network-timeout=10We set a timeout to connect to Active Directory
./multiotp.php -config ldap-time-limit=30We set a time limit for the user import operation
./multiotp.php -config ldap-activated=1Activate Active Directory Connection Configuration
./multiotp.php -debug -display-log -ldap-users-syncWe import users from Active Directory
Step 3. Generate a QR code for the token.
Everything is extremely simple here. Open the web interface of the OTP server in the browser, log in (do not forget to change the password for the administrator, set by default!), And click on the “Print” button:

The result of this action will be a page that contains two QR codes. We boldly hammer on the first of them (despite the attractive inscription Google Authenticator / Authenticator / 2 Steps Authenticator), and again we boldly scan the second code into the software token on the phone:

(yes, I intentionally ruined the QR code to make it unreadable).
After completing these actions in your application, every thirty seconds, a six-digit password will be generated.
For fidelity, you can check in the same interface:

By driving in the username and one-time password from the application on the phone. Got a positive response? So move on.
Step 4. We configure and test the operation of FreeRADIUS
As I mentioned above - multiOTP is already configured to work with FreeRADIUS, it remains to conduct tests and enter information about our VPN gateway into the FreeRADIUS configuration file.
We return to the server console, to the directory / usr / local / bin / multiotp / , enter:
./multiotp.php -config debug=1
./multiotp.php -config display-log=1Including thereby more detailed logging.
In the FreeRADIUS client configuration file ( /etc/freeradius/clinets.conf ), we comment on all lines related to localhost and add two entries:
client localhost {
ipaddr = 127.0.0.1
secret = testing321
require_message_authenticator = no
}- for the test
client 192.168.1.254/32 {
shortname = CiscoASA
secret = ConnectToRADIUSSecret
}- for our VPN gateway.
We restart FreeRADIUS and try to log in:
radtest username 100110 localhost 1812 testing321where username = username, 100110 = password given to us by the application on the phone, localhost = address of the RADIUS server, 1812 - port of the RADIUS server, testing321 - password of the client of the RADIUS server (which we specified in the config).
The result of this command will be output, approximately the following content:
Sending Access-Request of id 44 to 127.0.0.1 port 1812
User-Name = "username"
User-Password = "100110"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20Now we need to make sure that the user has successfully authenticated. To do this, we look at the log of multiotp itself:
tail /var/log/multiotp/multiotp.logAnd if the last entry there is:
2016-09-01 08:58:17 notice username User OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17 debug Debug Debug: 0 OK: Token accepted from 127.0.0.1Then everything went well, and we can perform
Step 5. Configuring the Cisco ASA
We agree that we already have the configured group and policies for accessing the SLL VPN configured in conjunction with Active Directory, and we need to add two-factor authentication for this profile.
1. Add a new group of AAA servers:

2. Add our multiOTP server to the group:

3. Edit the connection profile by setting the Active Directory server group as the main authentication server:

4. On the Advanced -> Authentification tab, we also select the Active Directory server group:

5. On the Advanced -> Secondary authentification tab, select the created server group in which the multiOTP server is registered. Note that Session username is inherited from the primary AAA server group:

We apply the settings and
Step 6, it’s the last one. We
check whether we have two-factor authentication for SLL VPN:

Woah la! When connecting via the Cisco AnyConnect VPN Client, a second, one-time, password will also be requested.
I hope that this article will help someone, and that it will give someone food for thought, how you can use this free OTP server for other tasks. Share in the comments if you wish.