Two-factor authentication of AnyConnect clients. Active Directory and Azure Multi-Factor Authentication Server

Already, almost no one raises questions about why we need two factor authentication, especially when accessing remote user resources. A priori, the user is rather irresponsible about storing passwords protecting work information, which is not surprising, given how many personal passwords one has to remember and the priorities of the average person in terms of protecting personal or work information.

The introduction of authentication of remote users on the principle “something I know + something I have” allows you to make an attack aimed at intercepting or selecting passwords, meaningless and significantly reduce the threat of information security from an attacker getting a user password.
')
I present you the Microsoft Azure Multi-Factor Authentication Server (MFAS) configuration guide as the second authentication factor when connecting domain users to company resources using Cisco AnyConnect.

Why MS Azure?

1. Better integration with AD, which is very convenient when the same account is used for VPN as for other resources.
2. Different types of authentication, call, SMS application and offline OTP code.
3. Easy to set up.
4. High reliability and trust.

Of the minuses, it is probably worth noting that this is a paid solution, but security is never cheap.

Microsoft Azure setup

The steps below assume that you have a subscription or a trial version of Microsoft Azure is installed.
We proceed directly to the setting:

1. We go to the portal management Azure .
   
   
   
2. Go to the tab Active Directory -> Suppliers of multifactor authentication -> Quick creation. Specify the necessary parameters and then "create".
   
   
   
   After creation, the “Control” button will be available, go to:
   
   
   
3. Go to downloads. Download MULTI-FACTOR AUTHENTICATION SERVER.
   
   You also need to create an account to activate the server.
   
   To install this server you need .NET Framework 2.0.
   

   Important: It is recommended to install on a separate VM. When installing, skip the setup wizard.
   Server functions: user synchronization with AD, RADIUS server for Cisco ASA, sending authorization requests for the second factor, receiving and processing responses from clients, user authorization. It can be installed both on server versions and on client versions.
   

4. When you first start, we activate it using a previously generated account (we refuse to replicate at this stage).
5. We configure integration of users between AD and our server. In the Directory Integration tab, we add a directory that will synchronize with AD and configure synchronization settings:
   
   
   
   
6. In AD, we create a user and synchronize the User Database with MFAS:
   a) create a test user and specify the phone number:
   
   b) Save, click the "Test .." button in the Users tab. Enter user credentials:
   
   c) We receive a call to the specified phone, press "#". A message indicates a successful completion of the test:
   
   You can also check the authorization via SMS. For this, in the client settings, you must specify the authorization method Text message - One-Way - OTP. In this case, MFAS will request OTP, which in the form of SMS will come to your phone.
   
   
   In order to associate a user with a mobile device on which Azure Authenticator is installed, you will need to deploy and configure the User Portal (User Portal Installation and Configuration Instructions ).
   
   It is also necessary to additionally install and configure Mobile Portal:
   
   a) Go to the directory C: \ Program Files \ Multi-Factor Authentication Server
   
   
   b) Select the required version and install.
   
   c) After installation, edit the file:
   From: \ Inetpub \ wwwroot \ MultiFactorAuthMobileAppWebService \ Web.conf
   Find the parameters:
   WEB_SERVICE_SDK_AUTHENTICATION_USERNAME
   WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD
   And we change the values ​​in the same way as the User Portal parameters.
   
   Also in the pfup section, the <valu> http: // localhost: 4898 / PfWsSdk.asmx </ valu> parameter is changed by analogy with User Portal - <valuation> https: //EXTERNALFQDN/MultiFactorAuthWebServiceSDK/PfWsSdk.asmx </ valu>. In our case, "EXTERNALFQDN" is mfa.servilon.com
   

   It should be noted that for the User Portal to work:
   - Record in the external DNS zone, which will point to the User Portal.
   - Trust relationships with the server. Ideally, this is a “white” certificate issued for the EXTERNALFQDN.
   

   
   
7. After installation and configuration, for the User Portal to work correctly, enter the URL to the portal in the User Portal tab and, if authorization is for domain users, specify Primary authentication - Windows Domain.
   
   
8. In the Mobile App tab, enter the URL of the Mobile App Web Service and check the Enable OATH tokens checkbox if you want to use your mobile device as a Software token.
   
   APP operation principle:
   
   • In token mode
     
     
   • In standard mode without PIN
     
     
   
   
9. After the portal is configured, to bind a mobile device, click on the User Portal link, in this case https://mfa.servilon.com/multifactorauth
   
   

   During the first login, you need to fill in the secret questions form, after which the user will receive full access to the portal

   
   
10. In the Activate Mobile App menu, go to the Generate Activation Code. We generate a new activation code and as a result we get:
    
    
    The mobile device must have the Azure Authenticator application installed (links for iOS , Android, and Windows Mobile ).
    Launch the application - press + and read the QR code. As a result, the account is tied to a mobile device:
    
    
    Check on server:
    
    
    Now you can experiment with different authentication modes and see what makes the Standard mode different from the OATH token.
    
    

Radius Setup

Cisco ASA can use a third-party Radius server to authenticate AnyConnect users. To do this, you need to configure the AAA Server on the ASA, and configure the Radius client on the MFAS:

Configuring CISCO ASA

Since domain authentication is used, the ASA must have a trust relationship with the domain. It is also recommended to use a “white” certificate for VPN gateway. In our case - vpn.servilon.co

On the ASA, we recommend that you configure AnyConnect VPN gateway with local authentication. Make sure that the connection works, and then proceed to setting up authentication through Radius.

Then we configure RADIUS. Go to Configuration / Remote Access VPN / AAA / Local Users / AAA Server Groups and create a group:


Add a server to the group. The timeout must be increased, since the default values ​​may not be enough to enter the code.


We are testing a bundle with a RADIUS server:


If the test is successful, on the previously configured “AnyConnect Connection Profiles” we change the authentication from the local to the new group:


Profile Setup:

1. Change timeout:
   
   
2. Specify the FQDN for Anyconnect gateway.
   
   

In order to test the connection with authentication in standard mode and OATH token mode, connect to the FQDN and enter the domain credentials:



We receive a request to enter the code from the mobile application:


If you use the standard mode without a PIN, then the application will receive a request for confirmation of authentication:


After checking the second factor, the user is authenticated. Authentication successful:


This article describes an example of setting up two-factor user authentication for the Cisco AnyConnect application, but this scheme can be implemented for any services that support authentication using the Radius protocol.
Yours, Servilon Team