|

Multi-Factor Authentication for Cisco Firewall SSL VPN

Contents

Overview

CyLock MFA enables strong Multi-Factor Authentication for any firewall based SSL VPN user login. CyLock MFA integrates with the firewall through CyLock MFA RADIUS proxy component installed in a server within the organization’s local network.

The CyLock MFA RADIUS proxy component enables any firewall with RADIUS protocol support to carry out a strong Multi-Factor Authentication (MFA) during remote login to remote network through SSL VPN.

Supported Devices:

Firewall Devices: Cisco ASA Series, Cisco Firepower Next-Generation Firewall (NGFW) series, Cisco Firepower 1000 Series, Cisco ASA 5500-X Series, Cisco PIX Firewall support RADIUS authentication.

Architecture Overview

CyLock MFA RADIUS proxy component needs to be installed within your network to enable MFA during SSL VPN login process. First factor (user login credentials) can be authenticated with an on-premise AD / LDAP / LDAP Server or against CyLock MFA local store. A typical deployment architecture and process is shown below.

Deployment Architecture Checkpoint Firewall Cisco

Figure 1 – Deployment Architecture Block diagram of integrating Fortinet Firewall with CyLock RADIUS Proxy

Note:

  1. CyLock MFA RADIUS Proxy communicates with CyLock MFA Auth Server on TCP port 443
  2. Any firewall configuration to restrict access to CyLock MFA Auth Server through destination IP address or IP address ranges is not recommended as the IP addresses may change to provide service high availability

Prerequisites

  1. Securing an application requires an active CyLock MFA account. (Refer “Getting Started: Guide to CyLock MFA” to start using CyLock MFA to protect your applications).
  2. Login to “CyLock MFA Portal”
  3. Navigate to Application menu in the left menu panel
  4. Click “Add Application” button to secure an application. Locate and select “SSL VPN” from the list of application names. Click “+Secure” button to configure CyLock MFA for SSL VPN. Enter the details as requested and click “Save” button. Before leaving the page copy Application Key and Application ID, which are required during CyLock MFA RADIUS Proxy component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
  5. Node.JS to be installed in the server where the CyLock MFA RADIUS Proxy component will be deployed.
  6. Download the CyLock MFA RADIUS Proxy component from the URL https://downloads.cybernexa.com/downloads/CyLock_radius_proxy.zip .
  7. Follow the instructions in “CyLock MFA RADIUS Proxy Installation” section to enable Multi-Factor Authentication (MFA) for SSL VPN user login
  8. Verify Microsoft AD / LDAP / LDAP is installed and configured for authenticating first factors of users.
  9. Download CyLock MFA Mobile App from Play Store or iOS store
  10. Register SSL VPN user using CyLock MFA Mobile app.

CyLock MFA RADIUS Proxy Installation

CyLock MFA RADIUS Proxy component will receive incoming RADIUS requests from your firewall during SSL VPN login. The proxy component will then perform the primary authentication (first factor authentication) either with your internal AD / LDAP / LDAP server or CyLock MFA local store, and then contact CyLock MFA Auth server for second factor authentication.

CyLock MFA RADIUS Proxy can be installed on a physical or virtual host within your network. We recommend a system with at least 4 vCPU, 200 MB disk space, and 4 GB RAM. CyLock MFA RADIUS Proxy supports the following operating systems:

  •   Windows Server 2008 or later (Server 2016+ recommended)
  •   CentOS 7 or later (CentOS 8+ recommended)
  •   Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
  •   Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
  •   Debian 7 or later (Debian 9+ recommended)

Install Node.JS in the server where the CyLock MFA RADIUS Proxy component will be installed.

Download the CyLock MFA RADIUS Proxy component. Refer Prerequisites section above. After downloading, copy/move the Proxy Component to the respective server.

Configuring CyLock MFA RADIUS Proxy component

Go to the folder where the Proxy component has been copied. Extract the CyLock_radius_proxy.zip. After extracting, follow the below steps to configure the component.

On Windows or Linux machine go to the respective folder where the proxy component was copied & extracted.

MFA Configuration:

Open the cyconfig.js file in CyRadius Folder with administrative privileges and change the following properties:

# Property Name (key) Description (value)
1 url Enter Auth URL (Ex - https://demoauth.cybernexa.com/api/v2/srv/)
Contact the CyLock Support Team to get the Auth Server URL.
2 id_sp Customer ID value. Refer point #4 in Prerequisites section.
3 Authorization API Key value. Refer point #4 in Prerequisites section.
4 radius_secret Paste the Encrypted Radius secret key. To obtain the encrypted RADIUS Secret key, please refer to the Key Encryption Process Section listed below.

Note: Do not modify the key in the key-value pair.

AD / LDAP Configuration:

To enable RADIUS Proxy component, communicate with MS AD / LDAP server or LDAP server, configure the adconfig.js file.


Open the adconfig.js file in CyRadius Folder with administrative privileges and change the below properties.

# Property Name (key) Description (value)
1 Open_ldap_server Enter your open ldap server URL (ex: ldaps://ldap.cybernexa.com)
2 domain Provide your AD / LDAP domain name.
3 url For secured LDAP:
ldaps://computername.domain.com or else simply use
For normal LDAP:
ldap://computername.domain.com
4 baseDN Domain name
5 Password Paste Your AD / LDAP server Administrator user’s Encrypted password. To obtain the encrypted AD / LDAP Password, please refer to the Key Encryption Process Section listed below.

Note: Do not modify the key in the key-value pair.

Key Encryption Process:

Encrypting Radius Secret Key and AD / LDAP Password.


a. After Unzip the radius_proxy.zip file. Go to the secure_cred directory and execute the "secure_cred.js" file using the command below


 (i).node secure_cred.js

  •  Enter Customer ID (ID_SP): Get the ID_SP Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
  •  Enter Authorization Key: Get the API Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
  •  Enter Radius Secret: This Secret key is for communication between Firewall and RADIUS Proxy server.
  •  Enter AD / LDAP Admin Secret: Enter Your AD / LDAP Admin Password Refer Figure 2.
RADIUS and LDAP

FFigure 2 – Encrypting RADIUS Secret and AD / LDAP Password

 Copy and paste the Encrypted RADIUS Secret into the “radius_secret” field in cyconfig.js file.

 Copy and paste the Encrypted AD / LDAP Admin Secret into the “password" filed in adconfig.js file.

Note:The RADIUS Secret and AD / LDAP Password should always be encrypted.

Starting CyLock MFA RADIUS Proxy

Manual Start (Windows and Linux):

  1. Open terminal window
  2. Go to the folder where CyLock MFA RADIUS proxy component was copied
  3. Execute the command “node radius.js”

Auto Start (Linux):

To start the component automatically create and run as service

For creating service file follow the below steps:

  1. Open terminal window
  2. Execute vi/etc/systemd/system/cylockradiusservice.service
  3. Copy and paste the below contents from start of the file to end of the file in RADIUS service file.

//*****Start of the file*****

[Unit]
Description=cylockradiusservice
After=syslog.target
After=network.target[Service]
User=cylock_iam
//Replace with your system user name
Type=simple

[Service]
Restart=always
StandardOutput=syslog
StandardError=syslog

//Provide the path of the CyLock MFA RADIUS proxy component (server.js) WorkingDirectory=/home/cylock_iam/CyRadius/

//Provide the path of the CyLock MFA RADIUS proxy component (server.js) ExecStart=/usr/bin/node /home/cylock_iam/CyRadius/server.js
SyslogIdentifier=cylockradiusservice

[Install]

1.WantedBy=multi-user.target



//******End of the file******

  1. 4.Save and exit vi editor by entering the following command

    2. a.:wq!

  2. 5.Enable the service by entering the following command

    3. a.systemctl enable cylockradiusservice.service

  3. 6.Start the service by entering the following command.

    4. a.systemctl start cylockradiusservice.service

Note:For Windows OS, create a service for the batch file (.bat) using nssm.exe utility and start the service.

Configuring Firewall Settings

CyLock MFA integrates with your firewall device based VPN via RADIUS to add Multi-Factor Authentication (MFA) to SSL VPN login. In this context your firewall device will act as RADIUS client and the CyLock MFA RADIUS Proxy component as the RADIUS server.

Configuring Cisco Firewall for RADIUS Authentication

  1. Define an AAA Server Group
    1. Sign in to the Cisco ASDM console for the VPN appliance using an account with sufficient privileges.
    2. Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA Server Groups, as shown below Figure 3.
    3. Click Add to create a new group.

      4. The Add AAA Server Group dialog displays.

      Adding AAA Server Group

      Figure 3 – Adding AAA Server Group

    4. Leave the default settings except for the following:

      5.  AAA Server Group – specify a name to identify the group for the MFA server

       Protocol - select RADIUS if necessary

      Configuring AAA Server Group

      Figure 4 – Configuring AAA Server Group

  2. Add AAA Server(s) to your AAA Server Group
    1. Select Remote Access VPN and navigate to AAA/Local Users >AAA Server Groups.

      2. Select the server group just created.

    2. Click Add.

      3. The Edit 'Server Name' Server dialog displays.

      Adding AAA Server Group

      Figure 5 – Entering RADIUS Server Details

    3. Specify the following, leaving all other fields unchanged:
      •  Interface Name- select the interface that will handle communication with the MFA Server.
      •  Server Name or IP Address- specify the name or the IP address of the CyLock RADIUS Agent
      •  Timeout (seconds)- 60 seconds
      •  Server Authentication port- enter the required port number. Port 1812 was used as the example.
      •  Server Accounting Port- 1646. This value is not used, but must be entered to complete the setup.
      •  Retry Interval- leave default at 60 seconds
      •  Server Secret Key- provided secret defined when setting up the app
      •  Common Password- leave blank.
      •  Uncheck Microsoft CHAPv2 Capable. (important).
      •  Click OK
  3. Click the Apply button to save your new AAA Server Group.
      Adding AAA Server Group

      Figure 6 – Clicking Apply Button to save changes

  4. To set up a new AnyConnect VPN configuration for testing purposes, navigate to Wizards > VPN Wizards > AnyConnect VPN Wizard
      Configuring AnyConnect VPN Wizard

      Figure 7 – Configuring AnyConnect VPN Wizard

  5. Click Next. Clicking Next

    Figure 8 – Clicking Next

  6. Enter a Connection Profile Name of your choosing, then click Next. Entering Connection Profile Name

    Figure 9 – Entering Connection Profile Name

  7. Confirm SSL is checked, uncheck IPsec, choose your CA Device Certificate, then click Next. Selecting SSL and Choosing Device Certificate

    Figure 10 – Selecting SSL and Choosing Device Certificate

  8. Choose your relevant client images, then click Next. Choosing Client Image

    Figure 11 – Choosing Client Image

  9. Choose the AAA Server Group that you previously created, then click Next. Choosing AAA Server Group

    Figure 12 – Choosing AAA Server Group

  10. Click the Next button to skip the SAML Configuration option. Clicking Next

    Figure 13 – Clicking Next

  11. Select your relevant Address Pool, then click Next. Selecting Address Pool

    Figure 14 – Selecting Address Pool

  12. Confirm your DNS settings, then click the Next button. Configuring DNS Settings

    Figure 15 – Configuring DNS Settings

  13. Select/Deselect the NAT Exempt option to align with your VPN needs, then click the Next button. Unselecting the NAT Exempt

    Figure 16 – Unselecting the NAT Exempt

  14. Click the Next button. Clicking Next

    Figure 17 – Clicking Next

  15. Review and validate your settings, then click the Finish button. Validating the Settings

    Figure 18 – Validating the Settings

  16. Test your setup with the ASDM interface. ASDM Interface

    Figure 19 – ASDM Interface

    Testing the Connection

    Figure 20 – Testing the Connection


Test Your Setup

Types of Authentication Options:


1.CyLock allows the following Authentication during SSL VPN Login

# Mode Process Steps
1 Default Mode In password field enter << Your password >> (for carrying out the default authentication)
2 Online (Push) In password field enter << Your password >>,1 (for carrying Online MFA Push authentication)
3 Online (Push +PIN) In password field enter << Your password >>,2 (for carrying Online MFA Push+PIN authentication)
4 Online (Push +Bio) In password field enter << Your password >>,3 (for carrying Online MFA Push+Bio authentication)
5 Offline (CR-OTP - Display) In password field enter << Your password >>,4 (for carrying Offline MFA CR-OTP (Display) authentication)
6 Offline (CR-OTP – Email) In password field enter << Your password >>,5 (for carrying out Offline MFA CR-OTP (Email) authentication)
7 Offline (CR-OTP – SMS) In password field enter << Your password >>,6 (for carrying Offline MFA CR-OTP (SMS) authentication)
8 Offline (POTP - Email) In password field enter << Your password >>,7 (for carrying out Offline MFA POTP (Email) authentication)
9 Offline (POTP – SMS) In password field enter << Your password >>,8 (for carrying Offline MFA POTP (SMS) authentication)
10 Offline (TOTP) In password field enter << Your password >>,9 (for carrying Offline MFA TOTP authentication)

2.Test your setup with the Cisco AnyConnect VPN client.

Cisco AnyConnect VPN Client

Figure 21 – Cisco AnyConnect VPN Client

3. Enter Your SSL VPN Login Credential and Choose Group > CyLock (RADIUS)

Entering Login Credentials

Figure 22 – Entering Login Credentials

4. On successful 1FA, A push notification or any preferred authentication request (2FA) is sent to your mobile device as shown in the below figure 21.

5. Accept the Push + PIN request using CyLock MFA Mobile App. After the authentication is approved, the VPN connection will be established.

6. Enter 6 Digit Pin that you have set during the device registration and then press

Entering 6 Digit pin

Figure 25 – Entering 6 Digit pin

7. The VPN connection is established after authentication is approved using the CyLock MFA Mobile APP.

VPN Connection Established

Figure 26 – VPN Connection Established