Tip: This article covers using YubiKeys with Cisco AnyConnect via RADIUS. For integrating Azure AD via SAML, see Protecting Cisco VPN connections in a Microsoft Environment with Yubico.
Summary
Leveraging Cisco AnyConnect to provide remote VPN access to corporate resources is vital to enable a remote workforce. More and more people are using Cisco AnyConnect and Cisco’s Adaptive Security Appliance (ASA) to perform work remotely. It is critical that strong two-factor authentication is integrated into Cisco’s VPN solution. Cisco’s solution is mature and has a number of options to integrate authentication vendors. Natively, user certificates and specifically smart cards are supported. Additionally, Cisco provides SAML and RADIUS integrations with identity providers (IdPs). These standard patterns provide a simple way to integrate a company's IdP with Cisco’s VPN solution. A number of IdP vendors have good step-by-step guides on how to integrate their product with Cisco AnyConnect and ASA. This guide walks you through setting up Duo’s RADIUS Service for a standard Cisco ASA Server so that Yubico OTP can be used for MFA. See Cisco VPN integration resources from other partners for references to other IdP partners' RADIUS setup guides.
For organizations with non-standard or complex deployments, contact Yubico Sales for more information.
Network overview
A high-level overview of the network configuration is shown below.
Step | Description
1 + 2 | The username and password are entered (1); the YubiKey is activated to generate the OTP, which is passed along with the username and password (2)
3 + 4 | The username, password and Yubico OTP are passed through to the Cisco VPN server
5 + 6 | Cisco hands off authentication to the authentication service via RADIUS
7 | The authentication service splits the username/password from the OTP and verifies the username/password against the organization's Active Directory. The public ID of the YubiKey is used to confirm that the YubiKey is associated with the user.
8 | If Active Directory authentication is valid, the Yubico OTP is validated by the authentication service, either by an on-premises validation server or by a cloud-based validation service
9 | If all factors are met, the encrypted connection is made
Device considerations
Yubico OTP works on every platform because the YubiKey presents the OTP as ordinary keyboard input; what matters is choosing a YubiKey with the hardware interface that fits the device, i.e. USB-A, USB-C or Lightning.
Cisco AnyConnect with Yubico OTP support
Operating System | Support
Windows | Yes
macOS | Yes
Linux | Yes
Android | Yes
iOS | Yes
Example: Securing Cisco ASA with Duo via RADIUS
In this example scenario, an existing Duo implementation is utilized to extend the Yubico OTP authentication to the VPN infrastructure. Authentication will be to the local Active Directory first, followed by secondary authentication via the Yubico OTP.
Step | Description
1 + 2 | The username and password are entered (1); the YubiKey is activated to generate the OTP, which is appended to the password, separated by a comma (2)
3 + 4 | The username, password and Yubico OTP are passed through to the Cisco VPN server
5 + 6 | Cisco hands off authentication to the Duo Authentication Proxy via RADIUS
7 | The Duo proxy splits the username/password from the OTP and verifies the username/password against Active Directory
8 | If Active Directory authentication is valid, the Yubico OTP is validated via the Duo platform
9 | If all factors are met, the encrypted connection is made
1. Preparing the RADIUS service
To enable RADIUS within Duo, there are a few steps:
- Enable the Cisco ASA VPN as a Duo application
- Install the Duo RADIUS proxy within the on-premises infrastructure
- Configure the connection between the local Cisco ASA and the RADIUS proxy
2. Duo application
Enabling RADIUS as an application is straightforward:
- Log into your Duo admin panel
- Navigate to Applications -> Protect an Application
- Search for Cisco RADIUS VPN and click Protect
- Make a note of the integration key, secret key and API hostname
- Apply any policies that are required for your home workers. In this example, 2FA is enforced for users working from home.
3. Authentication proxy
The Duo Authentication Proxy acts as a RADIUS gateway between the local Cisco VPN and the Duo platform. Again, the process is fairly straightforward:
- Download the relevant proxy package
- Refer to the Duo documentation for the exact installation instructions, referenced at the end of this article
- Create a configuration file based on the information noted down from the application configuration
- Start the service
Example configuration file:
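The article's own configuration file is not included in this copy, so the following authproxy.cfg is an added illustration written for this edit; it is not the article's file nor Duo's reference configuration. The section and key names are the documented Duo Authentication Proxy ones; every value (directory host, service account, search DN, integration key, secret key, API hostname, the ASA address and the RADIUS shared secret) is a placeholder to be replaced with the values noted from the Duo application and your own environment.

```ini
; Added example authproxy.cfg (not the article's original file).
; Every value is a placeholder; replace it with your own.

; Primary authentication: the on-premises Active Directory (step 7 in the flow)
[ad_client]
; placeholder: a domain controller reachable from the proxy
host=10.0.0.10
; placeholder: a read-only service account used only for lookups and binds
service_account_username=duo-proxy-svc
service_account_password=REPLACE_ME
; placeholder: base DN under which users are searched
search_dn=DC=example,DC=com

; RADIUS listener that the Cisco ASA sends authentication requests to (steps 5 and 6)
[radius_server_auto]
; placeholders: the three values noted from the Cisco RADIUS VPN application
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; placeholder: only this ASA address may send requests
radius_ip_1=10.0.0.1
; placeholder: the shared "radius_secret"; the same value goes into the ASA's AAA server definition
radius_secret_1=REPLACE_WITH_RADIUS_SECRET
; check the primary credentials against [ad_client] before contacting Duo
client=ad_client
port=1812
; accept "password,<Yubico OTP>" in the password field and split it on the comma
allow_concat=true
; deny logins if the Duo service cannot be reached; the default "safe" allows
; primary-only authentication during an outage, which removes the second factor
failmode=secure
```

With this file in place the proxy checks the Active Directory password first and only then submits the OTP to Duo, matching steps 7 and 8 of the flow above. The failmode setting is the one choice worth deciding deliberately: "safe" keeps users working if Duo is unreachable, "secure" keeps the second factor mandatory.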
4. Cisco RADIUS enablement
Once the Duo platform and the local proxy service have been configured, the Cisco VPN itself needs to be configured to authenticate via the RADIUS service.
While this article focuses on Cisco, the process should be much the same on most VPN solutions, as it relies on a well-defined and widely supported protocol, RADIUS.
Two main actions are required on the Cisco VPN:
- Create an AAA RADIUS authentication source
- Create or modify a VPN profile to use the new service
Again, refer to the full documentation for detailed steps, but the basic configuration is shown below.
AAA RADIUS server config, using the “radius_secret” defined above
Once the RADIUS service has been defined, it can be added to an existing profile, or a new one can be defined.
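The ASA commands for both actions, as an added example that is not the article's own configuration or Cisco's documentation: the AAA server group pointing at the Duo Authentication Proxy, and the remote-access tunnel group that uses it. The group and tunnel-group names, the proxy address and the key are placeholders; the key must be identical to the radius_secret_1 value configured in the proxy, and the timeout is raised above the ASA default of 10 seconds so that the request does not expire while the proxy is validating both factors.

```text
! Added example Cisco ASA configuration (not the article's own).
! Names, addresses and the key are placeholders.

! Action 1: AAA RADIUS authentication source pointing at the Duo Authentication Proxy
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.20
 key REPLACE_WITH_RADIUS_SECRET
 authentication-port 1812
 timeout 60

! Action 2: use the new AAA server group for the remote-access tunnel group
! (the "type remote-access" line is only needed if the tunnel group does not exist yet)
tunnel-group REMOTE-ACCESS type remote-access
tunnel-group REMOTE-ACCESS general-attributes
 authentication-server-group DUO-RADIUS
```

After this, every connection to the REMOTE-ACCESS profile is authenticated through the proxy; existing profiles can be switched over the same way by changing only their authentication-server-group.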
5. Client side usage
If users are already accustomed to using the Cisco AnyConnect client, very little changes for them: the only difference is what they type in the password field, and the VPN client itself needs no changes. The user flow is:
- Start the VPN client and select the required profile, if more than one exists
- Enter the username in the appropriate field
- Enter the password, followed by a comma, and then touch the YubiKey to generate the OTP; the YubiKey sends the OTP followed by a carriage return. For example:
Username: fred
Password: Password12,cccccchuuuvngeklxtnkbbgiigfgbbtcxgbbbthfkvgr
DUO and Cisco resources
Cisco VPN integration resources from other partners