Ldap – Is it possible to configure a Cisco AnyConnect VPN to use two separate LDAP authentication methods simultaneously

Tags: authentication, cisco, cisco-asa, cisco-vpn, ldap

I have a Cisco ASA 5505 with a Security Plus license along with an AnyConnect Plus license. I don't currently have any VPN configuration on the ASA as I'm still in the planning phase. I would like to know if my planned configuration is supported before I purchase the third party software.

I'm looking into using double authentication for users connecting to the VPN, possibly with an additional certificate component. I found that Duo Security has AnyConnect integration using LDAP. Also, AnyConnect allows you to use LDAP to authenticate against Active Directory. I've done a lot of research and found many resources for configuring double authentication. However, every resource seems to use two different authentication protocols. For instance, the official Cisco documentation shows you how to set up LOCAL as primary and LDAP as secondary. Their wording makes it seem like you can use LDAP for either primary or secondary, but doesn't explicitly say that you can do both. I've also found resources describing how to configure redundant LDAP servers for failover or load balancing, which isn't what I'm looking for. My question is whether it's possible to use two completely separate LDAP servers and have the client authenticate to both. Ideally, the config would look like this:

tunnel-group RA general-attributes
  authentication-server-group LDAP_AD
  secondary-authentication-server-group LDAP_DUO
  default-group-policy Group1
  authorization-required
tunnel-group RA webvpn-attributes
  authentication aaa certificate

Obviously both LDAP_AD and LDAP_DUO would be configured as their own entries using "aaa-server LDAP_xx protocol ldap" along with the required server info. I'm thinking that this configuration should require users to type in their AD credentials, use Duo security with OTP or Push authentication, and check that the machine has a valid certificate. Has anyone tried this before, or found documentation saying that this type of configuration is supported?
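Written out as an added example (not the asker's configuration and not taken from Cisco or Duo documentation), here is how the two aaa-server groups that the planned tunnel-group refers to would be defined on the ASA. The addresses, base DNs, bind account and the placement of the Duo LDAP proxy on the inside interface are assumptions; the Duo-side attributes in particular should be taken from Duo's own integration guide. Both groups are shown with LDAP over SSL so that user passwords and one-time codes are not sent to the directory or the proxy in clear text.

```text
! Added example, not from the original post. 192.0.2.x addresses, DNs and
! the bind account are placeholders.
!
! Primary factor: Active Directory, LDAPS on 636 so credentials are encrypted in transit
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! Secondary factor: Duo LDAP proxy (assumed to sit on the inside network;
! naming attribute and base DN per Duo's guide, shown here as placeholders)
aaa-server LDAP_DUO protocol ldap
aaa-server LDAP_DUO (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-over-ssl enable
 server-port 636
 server-type auto-detect
!
! The connection profile from the question, unchanged
tunnel-group RA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group LDAP_DUO
 default-group-policy Group1
 authorization-required
tunnel-group RA webvpn-attributes
 authentication aaa certificate
```

The bind account used in ldap-login-dn only needs read access to the user objects it searches; giving it nothing more limits what an attacker gains if the ASA configuration is exposed. When testing, `test aaa-server authentication LDAP_AD` (and the same for LDAP_DUO) exercises each group independently before the tunnel-group is put in front of users.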

Best Answer

Cisco ASA routers support one authentication group per profile. So if your VPN connection profile is set to use an authentication group named VPN, then when users connect to the VPN they will authenticate to the first available server in the VPN authentication group.

You can have LOCAL set for a fallback authentication source, but it is only available if the primary authentication source is not available.

You can require a client certificate in addition to the authentication.

If you desire to use OTP or some other 2FA scheme there is a great discussion on the Cisco forums.

https://supportforums.cisco.com/discussion/11691351/two-factor-authentication-recommendations-asa-5510-vpn