Cisco ASA authentication with SecurEnvoy (RADIUS) for Remote Access VPN
Below is the Cisco ASA and SecurEnvoy Configuration I did at one of my customer site.
One of my customer currently uses ACS servers for VPN authentication. They also had a SecurEnvoy server which is used to assign One Time Passcodes (OTP) to authenticating users. The VPN user authenticates to ASA which passes authentication to ACS which in turn send authentication request to SecurEnvoy boxes. Once the SecurEnvoy confirms authentication as Success or failure the ACS servers will put the user in the desired group.
To authenticate external vendors they had local accounts created on ACS.
As can be seen from above the only reason the customer used ACS servers was to add the users to a particular group and to allow access for external vendors. As ACS didn’t add much value to our VPN deployment we decided to replace ACS.
Following were the key goals of the project:
Remove Cisco ACS servers for VPN authentication in order to simplify VPN authentication.
Move external vendor accounts to ADAM instance which is integrated with SecurEnvoy.
Use Active Directory Groups for granting user access to Corporate VPN.
Hardware & Software Used
Cisco ASA 5520 v8.2.3
Windows Server 2003 Standard R2 with SecurEnvoy 5.3 installed on VMware
A single SecurEnvoy server can be used for multiple domains. In my customers case we have 2 domains:
One is our primary domain where all the users login while the other domain is an ADAM instance which is used to authenticate external vendors which is installed and setup as part of SecurEnvoy configuration.
1) Install SecurEnvoy- Check SecurEnvoy website for detailed Installation instructions. Also configure SecurEnvoy within your AD domain.
2) Create a Security Group in Active Directory and add all the users who require VPN access into that group. The VPN group name is RemoteAccess.
3) Enable users in SecurEnvoy.
4) Open “SecurEnvoy Administration” webpage. The default path for this should be http://SERVERNAME/secadmin/admin.exe
5) Go to the Radius tab and click New to add a new radius server.
6) Add the NAS IP Address of Cisco ASA and Shared Secret. Choose the appropriate Default domain.
7) In “Pass Back Data to Radius Client in Attribute” change the value to 025.
8) Choose “LDAP group members are passed back” radio button.
9) Below is how all the settings should look.
10) Now configure ADAM instance using SecurEnvoy. Users can be created in SecurEnvoy which actually creates it in ADAM but Groups cannot be crated in SecurEnvoy.
11) Launch “SecurEnvoy Advanced Config” from Start>All Programs>SecurEnvoy>Advanced Config
12) All the settings for existing domain should already be there if the configuration was done during installation of SecurEnvoy. For now we will be installing new ADAM domain hence choose option “Add New Domain” as in screenshot below:
13) Enter settings as below in Step 1 (choose appropriate domain name and port number.The port number specified here will be used for connecting to this domain using ADSI) and go click on Step 2, Step3 and Step4 and click update and exit the program.
14) Now open “SecurEnvoy Administration” webpage.
15) Go to the Users tab. In the Domain field drop down menu you will now see the new domain you created. From here you can create new users which actually will be created in ADAM.
16) Now you need to create a Groups in ADAM to which that user can be added.
17) Connect to ADAM instance using ADSIEdit.For details on how to connect to ADAM instance see http://188.8.131.52/en-us/library/cc779052(WS.10).aspx .Make sure you change the Port number to the one defined when creating ADAM instance in SecurEnvoy.
18) Once connected create a new Security Group and add the user in it you already created user in SecurEnvoy. See http://technet.microsoft.com/en-us/library/cc782850(WS.10).aspx for exact steps.
The config below is the ASA setup.All the users and vendors who connect using the VPN use a single vpn pcf file.
!DEFINE HERE THE SECURENVOY SERVER NAME AND THE PRESHARED KEY
aaa-server SECUR_ENVOY protocol radius
aaa-server SECURENVOY (inside) host 184.108.40.206
THIS IS THE BASE GROUP.PCF FILES HAVE THIS GROUP DETAILS IN THERE.
tunnel-group BASEGROUP type remote-access
tunnel-group BASEGROUP general-attributes
tunnel-group BASEGROUP ipsec-attributes
THIS IS THE GROUP THE USER WILL BE ADDED AFTER AUTHENTICIATON.THIS IS THE GROUP WHICH SHOULD ALSO BE CREATED ON SECURENVOY AND USER BE PART OF THIS GROUP.SECURENVOY PASSES ASA THIS GROUP INFORMATION
group-policy VENDORS attributes
vpn-filter value ACL_ VENDORS
address-pools value VENDORS -pool
group-policy ADUSERS attributes
vpn-filter value ACL_ ADUSERS
address-pools value ADUSERS -pool [twitter-follow username=”vikjaswal” scheme=”dark”]