By Dinesh Moudgil, Technical Marketing Engineer – Cisco
By Muffadal Quettawala, Partner Solutions Architect – AWS
Remote workers typically access the corporate IT environment using virtual private network (VPN) services. With the expansion of remote work, organizations have scaled their VPN services in the cloud to connect users to corporate resources that may be hosted in the cloud, on-premises, or both.
An important design consideration for cloud-based client VPN service architectures is the choice of authentication mechanism to use for connecting remote users to VPN services.
A common design is to use Microsoft Active Directory for managing and authenticating user identities into the corporate network. At the same time, Zero Trust dictates the use of multi-factor authentication (MFA) for those users.
Cisco ASAv Remote Access VPN provides different types of authentication and authorization capabilities. Cisco ASAv integrates with Cisco Duo to add multi-factor authentication to ASAv AnyConnect VPN connections.
In this post, we show how to configure external authentication with Cisco ASAv on AWS for Remote Access VPN. We use Cisco Duo Authentication proxies to redirect the user authentication request to AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) for primary authentication via LDAPv3, and Duo MFA for multi-factor authentication via TCP port 443.
For this walkthrough, you must have these prerequisites configured in your AWS account:
- Cisco ASAv Remote Access VPN appliances deployed in your AWS account using the AWS Quick Start with a default ‘LAB’ VPN connection profile.
- An existing AWS Managed Microsoft AD directory, or Active Directory Connector, with at least one user. To deploy a directory quickly, see the Quick Start for Active Directory Domain Services on AWS.
- A Duo license; learn more about Duo licensing. You must set up at least one Duo user whose email address is associated with at least one user in Microsoft Active Directory.
- Duo Mobile application on your smartphone used for authentication.
- Ensure the security groups associated with your ASAv appliances and NLB listeners are configured to allow traffic on User Datagram Protocol (UDP) port 1812 for authentication and authorization, and UDP port 1813 for accounting.
- Access to the Cisco Duo Admin portal for Duo MFA configuration, following the “First Steps” section of the documentation.
The overall solution architecture is summarized below. The numbers 1-9 denote the steps in the authentication flow, which are explained in detail after the figure.
Figure 1 – Overall solution architecture.
- The AnyConnect user types in the Fully Qualified Domain Name (FQDN); in our case, vpn.example.com is used. This initiates an SSL VPN connection towards one of the ASAvs hosted on AWS.
- The connection lands on the ‘LAB’ VPN connection profile on the ASAv. Once the user enters their credentials, the authentication request (Access-Request packet) is forwarded to one of the Cisco Duo authentication proxies via the Network Load Balancer from the ASAv’s outside interface.
- When the Duo authentication proxy receives the authentication request, it validates the credentials against AWS Managed Microsoft AD.
- Once the AWS Managed Microsoft AD credentials are validated, the Duo authentication proxy sends a request to Duo Cloud via TCP port 443 to begin multi-factor authentication.
- At this stage, the AnyConnect user is presented with a “Duo Interactive Prompt.”
- Duo Cloud receives the push from the Duo Mobile application initiated by the AnyConnect user.
- Duo Cloud then responds to the Duo authentication proxy to confirm that MFA is successful.
- Once the Duo authentication proxy receives the response from Duo Cloud, it sends an Access-Accept response packet to the ASAv to confirm the authentication process is complete.
- Finally, ASAv establishes the remote access VPN session initiated by the AnyConnect user and grants access to the intended resources.
Cisco ASAv Remote Access VPN Configuration
This section provides the Cisco ASAv1 CLI configuration for Remote Access VPN, allowing the Cisco AnyConnect Secure Mobility Client to establish a connection and access resources successfully.
The following steps allow an administrator to configure AnyConnect on an ASAv (including relevant configuration attributes such as the IP address pool, split access-list, tunnel-group, and group-policy) along with the Duo authentication proxy configured as an authentication server.
Step 1: Configure Cisco Duo Authentication Proxy as AAA Server
This step defines the Duo authentication proxies (reached through the Network Load Balancer) as the RADIUS AAA server group that the VPN connection profile uses for authentication.
Step 2: Client Pool Configuration
This step defines the local pool of IP addresses. The AnyConnect user will be assigned an IP from this pool.
Step 3: Split ACL Configuration
This step defines the access-list that determines the networks that are accessible by the AnyConnect user once authenticated successfully.
Step 4: Enable AnyConnect on the ASAv
This step enables remote access VPN globally on the ASAv.
Step 5: Group Policy Configuration
This step configures the group-policy attributes for the RA VPN session.
Step 6: Tunnel-Group (Connection Profile) Configuration
This step defines the set of records that determine tunnel connection policies.
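The six steps above, gathered into one ASAv configuration. This is an added example, not the post's own CLI listing: it keeps the ‘LAB’ connection profile and the UDP 1812/1813 ports from the post, while the server-group name DUO-PROXY, the pool and split-tunnel ranges, the group-policy name LAB-GP, the example.com default domain, and the use of the two domain controllers (10.0.68.227 and 10.0.73.19) as DNS servers are assumptions; the NLB address, RADIUS shared secret, and AnyConnect package name are placeholders to replace with your own values.

```text
! Step 1: Duo Authentication Proxy (behind the NLB) as a RADIUS AAA server group.
! <nlb-private-ip> is a placeholder for the NLB's address. The key must match the
! radius_secret_N configured on the proxy. timeout 60 (instead of the default 10 s)
! gives the user time to approve the Duo push before the ASA gives up on the request.
aaa-server DUO-PROXY protocol radius
aaa-server DUO-PROXY (outside) host <nlb-private-ip>
 key <radius-shared-secret>
 timeout 60
 authentication-port 1812
 accounting-port 1813
!
! Step 2: address pool handed to AnyConnect clients (range is an assumption).
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! Step 3: split-tunnel ACL; only this network is routed over the tunnel (assumed VPC CIDR).
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.0.0
!
! Step 4: enable AnyConnect on the outside interface.
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Step 5: group policy applied to the LAB profile.
group-policy LAB-GP internal
group-policy LAB-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 10.0.68.227 10.0.73.19
 default-domain value example.com
!
! Step 6: the LAB connection profile ties pool, AAA server group, and policy together.
tunnel-group LAB type remote-access
tunnel-group LAB general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group DUO-PROXY
 default-group-policy LAB-GP
tunnel-group LAB webvpn-attributes
 group-alias LAB enable
```

The two settings worth checking twice are the `key` under the aaa-server host, which must be identical to the secret the Duo proxy holds for this ASAv's outside IP, and the per-host `timeout`: with the default value the Access-Request expires while the user is still looking at the push, and the ASA reports a failed authentication even though Duo eventually returns allow.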
Similarly, Cisco ASAv2 can be configured to take advantage of the Duo Auth proxy servers, AWS Managed Microsoft AD, and Duo Cloud Security.
Cisco Duo Authentication Proxy Configuration
This section provides the configuration required for Duo authentication proxy servers to communicate to AWS Managed Microsoft AD to perform primary authentication, and then reach out to Duo Security for secondary authentication.
This configuration allows an AnyConnect user to authenticate successfully via the Duo authentication proxy (using AWS Managed Microsoft AD for primary authentication and Duo Cloud for MFA) and thus establish an RA VPN session.
The parameter attributes are summarized in the table that follows:
| Parameter | Description | Value |
|---|---|---|
| host | Domain controller in AWS Managed Microsoft AD in AZ1. | 10.0.68.227 |
| host_2 | Domain controller in AWS Managed Microsoft AD in AZ2. | 10.0.73.19 |
| service_account_username | Domain account username with permission to bind to Microsoft Active Directory and perform searches. | duoadmin |
| service_account_password | The password corresponding to service_account_username. | `<redacted>` |
| search_dn | LDAP distinguished name (DN) of the Microsoft Active Directory container holding all of the users you wish to permit to log in. | search_dn |
| ikey | Integration key of the application (in this case, the ASAv application), obtained from its details page in the Duo Admin Panel. | `<redacted>` |
| skey | Secret key of the application (in this case, the ASAv application), obtained from its details page in the Duo Admin Panel. | `<redacted>` |
| api_host | Duo API hostname (e.g. api-XXXXXXXX.duosecurity.com) associated with your account, obtained from the details page for the application in the Duo Admin Panel. | api-XXXXXXXX.duosecurity.com |
| radius_ip_X | ASAv1’s outside interface IP used to communicate with the Duo proxy servers. | 10.0.2.58 |
| radius_ip_Y | ASAv2’s outside interface IP used to communicate with the Duo proxy servers. | 10.0.10.44 |
| | The secret shared with RADIUS clients matching radius_ip_1 and radius_ip_2. | `<redacted>` |
| client | Mechanism the Authentication Proxy should use to perform primary authentication. | ad_client |
| port | Port on which to listen for incoming RADIUS Access-Requests. | 1812 |
On each Duo authentication proxy, navigate to /opt/duoauthproxy/conf and configure the authproxy.cfg as follows:
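The parameters from the table assembled into an authproxy.cfg. This is an added example, not the post's own file: the section and key names follow Duo's documented authproxy.cfg layout (`[ad_client]` and `[radius_server_auto]`, with `radius_ip_N`/`radius_secret_N` pairs), the values come from the table, and the search_dn value, the commented-out LDAPS options, and the failmode line are assumptions or optional additions not present in the post.

```ini
; Primary authentication: bind to the two AWS Managed Microsoft AD domain controllers.
[ad_client]
host=10.0.68.227
host_2=10.0.73.19
service_account_username=duoadmin
service_account_password=<redacted>
; search_dn is shown as a placeholder in the post; DC=example,DC=com is an assumed
; value consistent with the vpn.example.com FQDN used in the walkthrough.
search_dn=DC=example,DC=com
; Optional hardening (not in the post): LDAPS to the domain controllers with
; certificate validation, so the service account password is never sent in clear.
;transport=ldaps
;ssl_ca_certs_file=/opt/duoauthproxy/conf/ad-ca.pem

; RADIUS listener for the ASAvs; secondary authentication goes to Duo Cloud on TCP 443.
[radius_server_auto]
ikey=<redacted>
skey=<redacted>
api_host=api-XXXXXXXX.duosecurity.com
; ASAv1 and ASAv2 outside interfaces. Each secret must match the aaa-server key
; configured on the corresponding ASAv.
radius_ip_1=10.0.2.58
radius_secret_1=<redacted>
radius_ip_2=10.0.10.44
radius_secret_2=<redacted>
client=ad_client
port=1812
; failmode=safe lets users who pass primary authentication in if Duo Cloud is
; unreachable; failmode=secure denies them instead.
failmode=safe
```

Requests from any source other than the listed radius_ip addresses are dropped by the proxy, so if the ASAvs reach the proxies through the NLB, confirm that the NLB preserves the client source address; otherwise the proxy sees the load balancer's address and silently ignores the Access-Request.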
For more information on configuring the Cisco Duo Authentication Proxy, see the documentation.
Now that the ASAvs and Duo authentication proxy servers are configured, let’s verify that end-to-end functionality is correct:
- Open AnyConnect client, type in the FQDN (in this example, we use vpn.example.com), and click Connect.
Figure 2 – Cisco AnyConnect login.
- Click on Connect Anyway to accept the certificate warning. Note that to prevent the certificate warning from being shown to the AnyConnect user, it’s highly recommended you use an identity certificate for the ASAv that is issued by a well-known certificate authority (CA), or your organization’s CA the AnyConnect user trusts.
Figure 3 – Cisco AnyConnect security warning.
- Enter the Microsoft Active Directory credentials.
Figure 4 – Cisco AnyConnect primary authentication.
- When prompted, accept the Duo push notification in your Duo mobile application for second factor authentication.
Figure 5 – Cisco AnyConnect MFA with Duo Push.
On ASAv, confirm the status of AnyConnect client and its statistics using the following command:
On the Duo Admin portal, navigate to Reports > Authentication to verify the authentication status of the AnyConnect user.
Figure 6 – Duo Admin portal authentication log.
On the Duo authentication proxy, navigate to /opt/duoauthproxy/log/ and look in authproxy.log for log lines like the following, which confirm a successful authentication:
2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Duo authentication returned 'allow': 'Success. Logging you in...'
2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Returning response code 2: AccessAccept
2021-06-25T20:02:19+0000 [duoauthproxy.lib.log#info] (('10.0.70.23', 32588), awstest, 228): Sending response
To avoid incurring future charges, delete the resources associated with the solution, such as ASAv, Duo Proxy Servers, and AWS Managed Microsoft AD.
In this post, you learned how to configure an ASAv hosted on AWS together with the Cisco Duo Authentication Proxy for Remote Access VPN.
Primary authentication is achieved by virtue of the Duo proxy server communicating with AWS Managed Microsoft AD, and secondary authentication is achieved by Duo Cloud Security. Once authenticated, a remote worker can securely access resources behind the ASAv using AnyConnect.
Cisco Systems – AWS Partner Spotlight
Cisco is an AWS ISV Partner providing a range of products for transporting data, voice, and video within buildings, across campuses, and around the world.