Ldap – Remote VPN – two-factor authentication with Cisco ASA + OpenLDAP

Tags: certificate, cisco, cisco-asa, ldap, vpn

Can somebody give me a pathway (or a link to the documentation / how-to) to implement two-factor authentication (LDAP password + certificate) on a Cisco ASA for remote VPN (with the AnyConnect client)?

Currently our Cisco ASA (5505, 8.4.3) is configured for password authentication using an OpenLDAP server. We use remote VPN with the AnyConnect client (SSL VPN), and I would like to add certificates to the authentication/authorisation process. I don't want to use any external Certificate Authority. I probably don't even need personal certificates for every user.

What I need is just to check whether a user has a valid certificate before/after/during authentication/authorisation against LDAP with a password.

To be honest, now I don't clearly understand how it should work.

1) First of all, I don't understand where it should be configured on the Cisco ASA.

Should I just enable both certificate and AAA authentication ("(config-tunnel-webvpn)# authentication aaa certificate") for my tunnel group through my OpenLDAP server? How will it work then? Does OpenLDAP support certificate validation?

Or do I need to use secondary authentication to add certificates? Do I then need to configure some server for secondary authentication?

Or do I need some other configuration, like a CA? How can a CA then get usernames from OpenLDAP? Or can I just make one certificate for all users (such a security level is totally enough for my company)?

2) How should the certificate validation process work? How will the Cisco ASA validate the certificate? Is it something like OpenSSL private/public keys or not? Can I set up a local CA on the ASA but still get all users from OpenLDAP? Will it just extract the username from the certificate, or will it somehow use the certificate itself for authentication?

Thank you very much in advance.

Best Answer

Isn't phone-based auth an option? I prefer that because it's much less of a maintenance burden than certs. For example, to allow someone new to use the VPN, you just fill in his/her phone number in LDAP, then maybe add him/her to the VPN-enabled users group (if you do that kind of filtering at all), and that's it. Whereas with certs you have to generate a cert, then give it to the user, and then the user needs to take care of it. OTOH, a cellphone is pretty much natural for everyone to have.

So I went with phone-based two factor authentication, maybe it'll also help you in some way.

Cisco AnyConnect with Active Directory and Azure Multi-Factor Auth

It's rather easy to do; you can do it all from the GUI. But it's based on AD. Though MSAF supposedly supports LDAP as well, so it should be doable for you, too. The only caveat is that Azure phone calls cost money, either $1.4/user/month or $1.4/10 calls. I'd say it's quite negligible.