Luka Kodric

HOWTO: RSA SecurID Access IDR's RADIUS for Authentication and LDAP for Authorization on Cisco ASA

Discussion created by Luka Kodric on May 17, 2018
Latest reply on May 17, 2018 by Erica Chalfin

Hi

I will describe how to set up the RSA SecurID Access Identity Router (IDR), LDAP and the Cisco ASA Remote Access VPN (AnyConnect) so that authentication is performed via the IDR's RADIUS server and authorization via LDAP (Active Directory). The finished configuration will have two tunnel groups, one called Employees and the other Contractors. Employees will have full network access and Contractors will have limited access to the internal network. Contractors won't be able to log in to the Employees tunnel group and vice versa.

The reason for this is that the IDR currently doesn't support multiple RADIUS profiles or mapping custom RADIUS Class attributes (e.g. Class[M] - OU=Employees;) to specific AD groups.

This HOWTO is valid until we get a proper implementation via multiple RADIUS profiles: SecurID Access RADIUS Profile mapped to AD Group

Software used:

  • Cisco ASA OS: 9.6(4)8
  • Cisco ASDM 7.8.2.151
  • RSA SecurID IDR: 2.2.0.2.1
  • Cisco Anyconnect: 4.5.04029

 

Let's start!

1. Create two AD groups on your domain controller and add the users who should have remote VPN access to them.

  • VPNemployees
  • VPNcontractors

2. Connect to the Cisco ASA via CLI (SSH) and create the LDAP attribute map (the map-value DNs must match your AD group DNs exactly, otherwise no Class value is returned and authorization fails):

ldap attribute-map GROUP_BIND
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPNemployees,OU=Groups,OU=example,DC=net Employees
  map-value memberOf CN=VPNcontractors,OU=Groups,OU=example,DC=net Contractors

3. Add the first LDAP server (domain controller) that we will use for authorization. You can also add a second one for HA:

aaa-server VPN_LDAP protocol ldap                <-- the server group must be defined before hosts can be added to it
aaa-server VPN_LDAP (inside) host 10.0.2.3       <-- replace with the IP of your domain controller
 server-port 636                                 <-- we are using SSL (LDAPS) to connect to the DC
 ldap-base-dn DC=example,DC=net
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn svc_ad
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map GROUP_BIND

4. Add the IDR RADIUS server that we will use for authentication. You can also add a second one for HA:

aaa-server IDR_RADIUS protocol radius
aaa-server IDR_RADIUS (inside) host 10.0.2.4     <-- replace with the MGMT IP of your IDR interface
 timeout 120                                     <-- make sure it's set to 120 sec or else it won't work (push/OTP approval takes time)
 key *****
 authentication-port 1812                        <-- port must be 1812 or else it won't work

4.1 Configure IDR RADIUS following this document: Add a RADIUS Client for the Cloud Authentication Service 
5. Configure remote access VPN (Cisco AnyConnect)

5.1 Enable Cisco AnyConnect & tunnel groups

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.5.04029-webdeploy-k9.pkg 2
 anyconnect profiles Contractors disk0:/contractors.xml     <-- AnyConnect client profiles we will adjust later (step 6)
 anyconnect profiles Employees disk0:/employees.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

5.2 Create a group policy called Employees:

group-policy Employees internal
group-policy Employees attributes
 dns-server value 10.0.2.3                       <-- replace with your DNS server (domain controller)
 vpn-simultaneous-logins 5                       <-- allow at most 5 simultaneous logins
 vpn-session-timeout none
 vpn-filter value EMPLOYEES_ACCESS_VPN           <-- ACL with permit/deny rules for Employees
 vpn-tunnel-protocol ssl-client
 group-lock value Employees                      <-- group lock: users mapped to the Contractors policy can't log in to the Employees tunnel group
 split-tunnel-policy excludespecified
 default-domain value example.net
 webvpn
  anyconnect profiles value Employees type user

5.3 Create a tunnel group called Employees:

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool IP_VPN_POOL_172.16.101.0           <-- address pool for remote AnyConnect clients
 authentication-server-group IDR_RADIUS          <-- RSA IDR RADIUS for authentication
 authorization-server-group VPN_LDAP             <-- LDAP (AD) for authorization
 default-group-policy Employees
 authorization-required                          <-- authorization must succeed or the login is rejected

tunnel-group Employees webvpn-attributes
 group-alias Employees enable

5.4 Repeat the same for the other user group, Contractors:

group-policy Contractors internal
group-policy Contractors attributes
 dns-server value 10.0.2.3
 vpn-simultaneous-logins 5
 vpn-session-timeout none
 vpn-filter value CONTRACTORS_ACCESS_VPN
 vpn-tunnel-protocol ssl-client
 group-lock value Contractors
 split-tunnel-policy excludespecified
 default-domain value example.net
 webvpn
  anyconnect profiles value Contractors type user

tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 address-pool IP_VPN_POOL_172.16.101.0
 authentication-server-group IDR_RADIUS
 authorization-server-group VPN_LDAP
 default-group-policy Contractors
 authorization-required

tunnel-group Contractors webvpn-attributes
 group-alias Contractors enable

6. Configure AnyConnect timeouts for both group profiles (this step requires Cisco ASDM).

Log in to ASDM and go to: Remote Access VPN --> Network (Client) Access --> AnyConnect Client Profile

Click on "AnyConnect Client Profile" and then click "Edit".

Click on the "Preferences (Part 1)" section and make sure "RSA SecurID Integration" is set to "Automatic".

Click on "Preferences (Part 2)" and adjust "Authentication Timeout (seconds)" to "120".

Click on "Server List", then click "Add..." and add your outside VPN server name and FQDN/IP, e.g. vpn.example.net.

!!! Repeat this process for the second AnyConnect Client Profile: Employees !!!

After you have finished, go to Remote Access VPN --> Network (Client) Access --> AnyConnect Client Profile, click Export and save both profiles as Contractors.xml and Employees.xml, then distribute them to the computers that will use Cisco AnyConnect to connect to the Cisco ASA VPN (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile).

The step above is required because by default Cisco AnyConnect has the authentication timeout set too low, so authentication would time out before the SecurID step can be completed. These XML profiles are updated on clients after every successful login, but for the first connection you have to install them manually as described above.
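Before distributing the exported profiles, it is worth checking that each one actually carries the settings from step 6. The following is an added example (my own code, not from the original post or from Cisco) that validates a profile XML for the 120 s authentication timeout, the "Automatic" RSA SecurID integration mode and the presence of the VPN server in the server list. The element names (AnyConnectProfile, ClientInitialization, AuthenticationTimeout, RSASecurIDIntegration, ServerList/HostEntry/HostAddress) follow the AnyConnect profile schema as I know it and are an assumption here; the sample profiles are constructed, not real exports.

```python
"""Check exported AnyConnect client profiles for the settings this deployment depends on."""
import xml.etree.ElementTree as ET

REQUIRED_TIMEOUT = 120        # seconds, must match the 120 s RADIUS timeout on the ASA
REQUIRED_RSA_MODE = "Automatic"

def check_profile(xml_text, expected_host):
    """Return a list of findings for one profile; an empty list means it passes.
    Element names follow the AnyConnect profile schema as I know it (an assumption here)."""
    root = ET.fromstring(xml_text)
    findings = []
    # {*} matches the element whatever namespace the export declares
    timeout = (root.findtext("{*}ClientInitialization/{*}AuthenticationTimeout") or "").strip()
    if not timeout.isdigit() or int(timeout) < REQUIRED_TIMEOUT:
        findings.append(f"AuthenticationTimeout is {timeout!r}, need >= {REQUIRED_TIMEOUT}")
    rsa = (root.findtext("{*}ClientInitialization/{*}RSASecurIDIntegration") or "").strip()
    if rsa != REQUIRED_RSA_MODE:
        findings.append(f"RSASecurIDIntegration is {rsa!r}, need {REQUIRED_RSA_MODE!r}")
    hosts = [h.text.strip() for h in root.iterfind("{*}ServerList/{*}HostEntry/{*}HostAddress") if h.text]
    if expected_host not in hosts:
        findings.append(f"ServerList lacks HostAddress {expected_host!r} (found {hosts})")
    return findings

# Constructed sample profile (not an actual export); values as step 6 requires them
GOOD_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>120</AuthenticationTimeout>
    <RSASecurIDIntegration>Automatic</RSASecurIDIntegration>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Employees VPN</HostName>
      <HostAddress>vpn.example.net</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
# Constructed profile as a freshly created one might look: short timeout, RSA setting absent
BAD_PROFILE = GOOD_PROFILE.replace("120", "30").replace(
    "    <RSASecurIDIntegration>Automatic</RSASecurIDIntegration>\n", "")

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, check_profile(profile, "vpn.example.net") or "OK")
```

Run it against both exported files (Contractors.xml and Employees.xml) with the FQDN you entered in the server list; any finding means the profile would still produce the timeout described above.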

Another option is to use the Cisco AnyConnect Profile Editor: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - The AnyConnect Profile Editor [Cisco AnyConn…


I hope someone will find this HOWTO useful.