Cisco ASAv Remote Access VPN for AWS with External Multi-Factor Authentication

By Dinesh Moudgil, Technical Marketing Engineer – Cisco
By Muffadal Quettawala, Partner Solutions Architect – AWS

Remote workers typically access corporate IT environment using virtual private network (VPN) services. With an expansion of remote workers, organizations have scaled their VPN services in the cloud to connect users to corporate resources that may be hosted in the cloud and/or on-premises.

An important design consideration for cloud-based client VPN service architectures is the choice of authentication mechanism to use for connecting remote users to VPN services.

A common design is to use Microsoft Active Directory for managing and authenticating user identities into the corporate network. At the same time, Zero Trust dictates the use of multi-factor authentication (MFA) for those users.

Cisco ASAv Remote Access VPN provides different types of authentication and authorization capabilities. Cisco ASAv integrates with Cisco Duo to add multi-factor authentication to ASAv AnyConnect VPN connections.

In this post, we show how to configure external authentication with Cisco ASAv on AWS for Remote Access VPN. We use Cisco Duo Authentication proxies to redirect the user authentication request to AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) for primary authentication via LDAPv3, and Duo MFA for multi-factor authentication via TCP port 443.

Cisco Systems is an AWS ISV Partner that helps customers optimize their cloud strategy by bringing together networking, security, analytics, and management.

Prerequisites

For this walkthrough, you must have these prerequisites configured in your AWS account:

• Cisco ASAv Remote Access VPN appliances deployed in your AWS account using the AWS Quick Start with a default ‘LAB’ VPN connection profile.
• An existing AWS Managed Microsoft AD directory, or Active Directory Connector, with at least one user. To deploy a directory quickly, see the Quick Start for Active Directory Domain Services on AWS.
• A Duo license; learn more about Duo licensing. You must set up at least one Duo user whose email address is associated with at least one user in Microsoft Active Directory.
• Duo Mobile application on your smartphone used for authentication.
• Ensure the security group associated with your ASAv appliances and NLB listeners are configured to allow traffic destined to User Datagram Protocol (UDP) port 1812 for authentication and authorization, and UDP port 1813 for accounting.
• Cisco Duo Admin portal access for Duo MFA configuration using the section “First Steps” defined in the documentation.

Solution Overview

The overall solution architecture is summarized below. The numbers 1-9 denote the steps in the authentication flow and are explained in detail.

Figure 1 – Overall solution architecture.

1. AnyConnect user types in the Fully Qualified Domain Name (FQDN). In our case, vpn.example.com is used. This initiates a VPN connection towards one of the ASAv hosted on AWS.
2. The connection lands on the ‘LAB’ VPN connection profile on the ASAv. Once the user enters their credentials, the authentication request (Access-Request packet) is forwarded to one of the Cisco Duo authentication proxies via the Network Load Balancer from the ASAv’s outside interface.
3. As Duo authentication proxy receives the authentication request, it validates the credentials using AWS Managed Microsoft AD.
4. Once the AWS Managed Microsoft AD credentials are validated, the Duo authentication proxy sends a request to Duo Cloud via TCP port 443 to begin multi-factor authentication.
5. At this stage, the AnyConnect user is presented with a “Duo Interactive Prompt.”
6. Duo Cloud receives the push from the Duo Mobile application initiated by the AnyConnect user.
7. Duo Cloud then responds to the Duo authentication proxy to confirm that MFA is successful.
8. Once the Duo authentication proxy receives the response from Duo Cloud, it sends an Access-Accept response packet to the ASAv to confirm the authentication process is complete.
9. Finally, ASAv establishes the remote access VPN session initiated by the AnyConnect user and grants access to the intended resources.

Walkthrough

Cisco ASAv Remote Access VPN Configuration

This section provides the Cisco ASAv1 CLI configuration for Remote Access VPN, allowing Cisco AnyConnect Secure Mobility Client to establish connection and access resources successfully.

The following steps allow an administrator to configure AnyConnect on an ASAv (including relevant configuration attributes such as IP address pool, split access-list, tunnel-group, and group-policy) along with the Duo authentication proxy configured as an authentication server.

Step 1: Configure Cisco Duo Authentication Proxy as AAA Server

aaa-server DuoProxy protocol radius
!------AWS NLB FQDN fronting the Duo authentication proxies--------- 
aaa-server DuoProxy (outside) host DuoProxyLB-f8838f63c741cf49.elb.us-east-1.amazonaws.com
! ------secret key for authenticating the ASAv to the AAA server --------
 key 0 <redacted> 
!------ port number to be used for authentication ------- 
 authentication-port 1812
!----- port number to be used for accounting ----------  
 accounting-port 1813

Step 2: Client Pool Configuration

This step defines the local pool of IP addresses. The AnyConnect user will be assigned an IP from this pool.

ip local pool VPN-POOL 172.16.32.1-172.16.63.254 mask 255.255.224.0

Step 3: Split ACL Configuration

This step defines the access-list that determines the networks that are accessible by the AnyConnect user once authenticated successfully.

access-list split standard permit 10.0.0.0 255.255.0.0 
access-list split standard permit 172.16.0.0 255.255.0.0

Step 4: Enable AnyConnect on the ASAv

This step enables remote access VPN globally on the ASAv.

webvpn
!------enables RA VPN on the “outside” interface------
enable outside
!------ enables the Anyconnect client ------
anyconnect enable
!------ enables the tunnel group list drop-down menu ------
tunnel-group-list enable

Step 5: Group Policy Configuration

This step configures the group-policy attributes for RA VPN session.

group-policy LAB internal
group-policy LAB attributes
!------permitted tunneling protocols for RA VPN session------
  vpn-tunnel-protocol ssl-client ssl-clientless
!------ split tunneling method for IPv4 traffic by Anyconnect user ------
 split-tunnel-policy tunnelspecified
!------ name of access-list for split tunnel configuration------
 split-tunnel-network-list value split

Step 6: Tunnel-Group (Connection Profile) Configuration

This step defines the set of records that determine tunnel connection policies.

tunnel-group LAB type remote-access
tunnel-group LAB general-attributes
!------ associates the address pool to assign addresses from ------
 address-pool VPN-POOL
!- associates the authentication server group with the tunnel-group --
 authentication-server-group DuoProxy
!------ associates the group-policy with the tunnel-group------
 default-group-policy LAB
!------ define the Group Alias name for the Anyconnect user ------
tunnel-group LAB webvpn-attributes
 group-alias LAB-VPN enable

Similarly, Cisco ASAv2 can be configured to take advantage of the Duo Auth proxy servers, AWS Managed Microsoft AD, and Duo Cloud Security.

Cisco Duo Authentication Proxy Configuration

This section provides the configuration required for Duo authentication proxy servers to communicate to AWS Managed Microsoft AD to perform primary authentication, and then reach out to Duo Security for secondary authentication.

This configuration allows an AnyConnect user to successfully authenticate via Duo authentication proxy (using AWS Managed Microsoft AD and Duo Cloud for MFA) and thus establish a RA VPN session successfully.

The parameter attributes are summarized in the table that follows:

On each Duo authentication proxy, navigate to /opt/duoauthproxy/conf and configure the authproxy.cfg as follows:

[ad_client]
host=10.0.68.227
host_2=10.0.73.19
service_account_username=duoadmin
service_account_password=<redacted>
search_dn=dc=example,dc=com

[radius_server_auto]
ikey=<redacted>
skey=<redacted>
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.2.58
radius_ip_2=10.0.10.44
radius_secret_1=<redacted>
radius_secret_2=<redacted>
client=ad_client
port=1812

For more information on configuration Cisco Duo Proxy, see the documentation.

Validation

Now that the ASAvs and Duo authentication proxy servers are configured, let’s verify that end-to-end functionality is correct:

• Open AnyConnect client, type in the FQDN (in this example, we use vpn.example.com), and click Connect.

Figure 2 – Cisco AnyConnect login.

• Click on Connect Anyway to accept the certificate warning. Note that to prevent the certificate warning from being shown to the AnyConnect user, it’s highly recommended you use an identity certificate for the ASAv that is issued by a well-known certificate authority (CA), or your organization’s CA the AnyConnect user trusts.

Figure 3 – Cisco AnyConnect security warning.

• Enter the Microsoft Active Directory credentials.

Figure 4 – Cisco AnyConnect primary authentication.

• When prompted, accept the Duo push notification in your Duo mobile application for second factor authentication.

Figure 5 – Cisco AnyConnect MFA with Duo Push.

Verification

On ASAv, confirm the status of AnyConnect client and its statistics using the following command:

ASAv01RAVPN# show vpn-sessiondb anyconnect 
Session Type: AnyConnect
Username     : awstest                Index        : 103
Assigned IP  : 172.16.0.1             Public IP    : X.X.X.X
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 3408                   Bytes Rx     : 211
Group Policy : LAB                    Tunnel Group : LAB
Login Time   : 13:33:36 UTC Thu Jun 10 2021
Duration     : 0h:00m:42s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a00223b0006700060c214b0
Security Grp : none

On the Duo Admin portal, navigate to Reports > Authentication to verify the authentication status of the AnyConnect user.

Figure 6 – Duo Admin portal authentication log.

On the Duo authentication proxy, navigate to opt/duoauthproxy/log/ and within authproxy.log enter the following logs to confirm successful authentication:

2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Duo authentication returned 'allow': 'Success. Logging you in...'

2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Returning response code 2: AccessAccept

2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Sending response

Cleaning Up

To avoid incurring future charges, delete the resources associated with the solution, such as ASAv, Duo Proxy Servers, and AWS Managed Microsoft AD.

Conclusion

In this post, you learned how to configure ASAv hosted on an AWS Cloud and Cisco Duo Proxy server for Remote Access VPN.

Primary authentication is achieved by the virtue of Duo Proxy server communicating to AWS Managed Microsoft AD, and secondary authentication is achieved by Duo Cloud Security. Once authenticated, secure remote worker can access resources off the ASAv using AnyConnect successfully.

.

.

Cisco Systems – AWS Partner Spotlight

Cisco is an AWS ISV Partner providing a range of products for transporting data, voice, and video within buildings, across campuses, and around the world.

Contact Cisco | Partner Overview | AWS Marketplace

*Already worked with Cisco? Rate the Partner

*To review an AWS Partner, you must be a customer that has worked with them directly on a project.