ASA Group Lock (LOCAL & AAA) with Cisco DUO Multifactor Authentication

Published: 06 September 2021
on channel: Doctor Networks

In this video we configure the Group-Lock feature on the ASA together with Cisco DUO, using both Local and AAA (ISE) primary authentication.

TIMESTAMPS

INTRO
======
0:00 Intro To The Topic
0:35 Topics Covered

OVERVIEW
=========
1:51 Overview Of The Lab
7:32 The Problem Without Group-Lock

LOCAL GROUP-LOCK
=================
8:29 Local Group Lock
9:49 Tunnel Group Lock Test

DUO DESIGNS
===========
10:09 DUO Designs

DUO LDAPS
==========
13:29 DUO LDAP Design
14:13 Rounds Of Authentication
15:05 LDAP Configuration
19:58 Testing LDAPS
23:00 Configure Second Round Of Authentication (DUO)
25:51 Testing Group-Lock with DUO (LOCAL)

GROUP-LOCK with Cisco ISE (AAA)
=======================
29:51 Primary Authentication With Cisco ISE

WEB LINKS
==========
BLOG Link:
https://doctornetworks.net/asa-tunnel...

DUO-LDAP Documentation
=======================
https://duo.com/docs/ciscoasa-ldap

Cisco DUO's RADIUS proxy has a limitation: it cannot return RADIUS attributes to your firewall. That is a problem if you want to use the group-lock feature with it. So instead of the SSL VPN design that uses DUO over RADIUS, you need to implement the SSL VPN design with DUO over LDAPS to make tunnel-group locking possible on the ASA.

We will first configure a local group lock on the ASA and test it. Then we will configure LDAPS for the AnyConnect VPN clients.

With DUO's LDAPS method, the usual difficulty is understanding how authentication actually flows in this case. Let's break it down:

– Primary Authentication (LOCAL or AAA)
– Secondary Authentication (DUO Cloud)

The first round of authentication is done either locally or via an AAA server such as ACS/ISE. The second round of authentication is done via the DUO cloud.

Because the first round of authentication can be LOCAL, we can use the "GROUP LOCK" feature there: it ties the user to a specific tunnel group.

In the second round of authentication, the same username is sent to the DUO cloud with one of the following DUO authentication mechanisms:

– PUSH
– SMS
– PHONE
– NUMERIC CODE

Let's create a username with "Group Lock". The commands below are entered in the ASA's global configuration mode, e.g. ASA(config)#

username ahmed password Cisco@1234
username ahmed attributes
group-lock value TG-ONE

That takes care of the tunnel lock. Since we haven't defined any authentication mechanism in the tunnel group "TG-ONE", its default authentication method is LOCAL.

Now, let's look at how to configure the second round of authentication.

The commands below are entered in the ASA's global configuration mode, e.g. ASA(config)#

aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (outside) host api-beb486a3.duosecurity.com
timeout 60
server-port 636
ldap-base-dn dc=DIX5VBLYL2H0LE6R5Z86,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password (Secret KEY of DUO)
ldap-login-dn dc=DIX5VBLYL2H0LE6R5Z86,dc=duosecurity,dc=com
ldap-over-ssl enable
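As an added example (not from the video, the blog, Cisco or DUO), a small Python audit over an ASA running-config excerpt. It checks that every local user carries a group-lock whose tunnel-group actually exists, and that the DUO aaa-server host block really uses LDAPS on port 636. The sample config is constructed; the host name and base DN are placeholders.

```python
import re

# Constructed running-config excerpt (not a real ASA): bob's lock names an undefined tunnel-group, carol has no lock.
SAMPLE_CONFIG = """\
username ahmed password Cisco@1234
username ahmed attributes
 group-lock value TG-ONE
username bob password Cisco@1234
username bob attributes
 group-lock value TG-MISSING
username carol password Cisco@1234
tunnel-group TG-ONE type remote-access
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 server-port 636
 ldap-base-dn dc=INTEGRATION-KEY,dc=duosecurity,dc=com
 ldap-over-ssl enable
"""

def audit_group_lock(config):
    """Local users without a group-lock, and group-locks whose
    tunnel-group is not defined anywhere in the config."""
    users = set(re.findall(r"^username (\S+) password", config, re.M))
    tgs = set(re.findall(r"^tunnel-group (\S+) type remote-access", config, re.M))
    locks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" group-lock value "):
            locks[current] = line.split()[-1]
        elif not line.startswith(" "):
            current = None          # left the attributes sub-mode
    return {"unlocked_users": sorted(users - set(locks)),
            "dangling_locks": sorted(u for u, tg in locks.items() if tg not in tgs)}

def audit_duo_ldap(config, server_name):
    """Hardening gaps in the named aaa-server host block: the DUO
    integration must talk LDAPS (ldap-over-ssl) on port 636."""
    sub, in_block = [], False
    for line in config.splitlines():
        if re.match(rf"^aaa-server {re.escape(server_name)} \(\S+\) host ", line):
            in_block = True
        elif in_block and line.startswith(" "):
            sub.append(line.strip())
        elif in_block:
            break                   # first non-indented line ends the block
    required = {"ldap-over-ssl enable": "LDAP session is not TLS-protected",
                "server-port 636": "server-port is not 636 (LDAPS)"}
    return [msg for cmd, msg in required.items() if cmd not in sub]
```

Run it against `show running-config` output after the change window; a user reported under unlocked_users can land in any tunnel group, which is exactly the problem group-lock is meant to close.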


Смотрите видео ASA Group Lock (LOCAL & AAA) with Cisco DUO Multifactor Authentication онлайн без регистрации, длительностью часов минут секунд в хорошем качестве. Это видео добавил пользователь Doctor Networks 06 Сентябрь 2021, не забудьте поделиться им ссылкой с друзьями и знакомыми, на нашем сайте его посмотрели 1,469 раз и оно понравилось 15 людям.