Multi-Factor Authentication (MFA) is an excellent means to further secure your publicly available services. Services like Microsoft Office 365 and remote access VPN can all benefit from having an additional layer of security. So let's talk about how you can integrate Microsoft Azure MFA into a Cisco ASA (Adaptive Security Appliance) AnyConnect implementation. In addition to MFA, we'll also give examples of using LDAPS (Lightweight Directory Access Protocol) to authorize access to network resources for different groups of users.
As each user logs into the Cisco AnyConnect client or the Web Portal, they will enter their Entra ID (formerly known as Active Directory) username and password, but then they will also be required to satisfy the MFA protocol. The ASA will assign group policies based on Entra ID group membership, which can then be used to filter access.
One thing to note is once MFA extensions are installed on a Microsoft Network Policy Server (NPS/RADIUS), they can then only be used for MFA purposes.
WARNING: Do not attempt to install MFA extensions on an existing production NPS server.
General components required:
- One LDAP attribute map, which will map Entra ID groups to a specific ASA Group Policy
- One AAA-server group, which points to one or more LDAP servers (highly recommended to have at least two for redundancy as well as to use encrypted LDAPS)
- One AAA-server group, which points to one or more NPS/RADIUS servers (highly recommend having at least two for redundancy)
- ACLs specified for Split Tunnel on a per-group policy basis
- ACLs specified for VPN filters on a per-group policy basis
- Two or more group policies
- One tunnel group with authentication set to use the MFA RADIUS/NPS server(s) and authorization set to use Microsoft Entra ID LDAP server(s)
LDAP-map and AAA-server Groups
An LDAP-map essentially maps Entra ID groups to an ASA group policy. The syntax would look something like this:
ldap attribute-map LDAPMap
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPNGeneralUser,OU=Security Groups,OU=Groups,DC=domain,DC=com" GP_GeneralAccess
The above example uses the distinguished name of a security group from Entra ID and maps it to a group policy called 'GP_GeneralAccess'.
The AAA-server groups for the NPS/RADIUS setup will contain the server’s IP addresses, ports in use, as well as RADIUS pre-shared keys.
The AAA-server groups for the LDAPS setup will contain the Entra ID server’s IP addresses, ports in use (recommended port 636 for LDAPS), Base-DNs, which LDAP-map to refer to, as well as ldap-login-dn/password.
Note – the ldap-login-dn will refer to an account that only requires read access to LDAP (i.e. only needs to be a domain user). Use minimal rights as much as possible.
ACLs and Group-Policies
The Split tunnel ACLs are used to define which data to put into the tunnel and which data to send out unencrypted. Many organizations choose to split tunnel so that not all data will flow back through the VPN tunnel, which would eat up additional Internet bandwidth at the data center. Other organizations might want to tunnel everything; so that data would go through the additional IPS or anti-malware checks.
Filter ACLs determine what networks are available to a VPN user once they are connected.
Each of the Group Policies can have various parameters set depending on what requirements each group of users has. One of the required settings is to set the 'vpn-simultaneous-logins' to a number greater than or equal to 1 (default is 3). Depending on the number of AnyConnect licenses the ASA has, I would recommend setting it to 1 unless there is a business reason to make it greater than 1 (which would allow more than one device per user at a given time). Some of the other variables that can be set include DNS servers/domain names, VPN Filters, timeouts, and split tunnel lists. Other parameters are listed HERE.
We will also need to have a 'NOACCESS' policy, which means if a user doesn’t match any of the LDAP mappings, they will not be able to connect to the VPN since the simultaneous logins will be set to 0.
Define a Tunnel Group
Finally, tying everything together is the tunnel group. Since the tunnel group defines what address pools are used, having only one tunnel group limits you to one address pool. If there is a requirement for having two or more pools of addresses to assign to various users, then you would need two or more tunnel groups. However, this would then need to require users to select their tunnel group.
In this setup, we’re setting the authentication to use the MFA server(s) and the authorization to use the LDAP servers mentioned earlier. The tunnel group parameter 'authentication-attr-from-server', will specify which authentication server to use to obtain the authorization attributes to apply to the connection. The primary authentication server is the default selection.
In this case, we want the authorization to be via the LDAP servers. We will specify 'authentication-attr-from-server secondary' since we don’t want the authorization coming from the NPS/RADIUS servers. This command is meaningful only for double authentication.
We also will specify the default group policy to be 'NOACCESS'. As stated earlier, if the user connecting is not a member of any of the previous Entra ID groups defined in the LDAP Map, then they will be unable to connect.
We hope using this framework to successfully integrate Microsoft Azure Multi-factor Authentication into a Cisco ASA AnyConnect VPN is helpful to you and your network.
Do you still have questions? Check out more of our IT Tips, or let us know by reaching out to talk to an expert. We are here to help!
