Generally, two approaches are widely used in networks today for managing user credentials: username and password based authentication, and certificate based authentication. The first is easier to manage, but if you choose weak passwords or your passwords are stolen, your identity can be compromised. The second requires a little more management overhead but offers the most security, since identity certificates cannot be forged that easily. However, if the laptop that has your certificate installed is stolen, your identity is compromised. Both methods offer a single layer of authentication.

Using either of the above methods alone, your identity can be compromised. Even after losing user credentials (someone decoding your company’s global VPN Client group authentication key from the Cisco VPN Client PCF file) or certificates (stolen laptops, smartphones, etc.), is there any way to still protect your identity? This is where two factor authentication comes into play. So, can you ensure that even if your credentials are compromised, your identity is still secure? The answer is yes. By adding a second factor, i.e. a second layer to your authentication process, you can protect yourself from the common attacks that are so widespread today.

We will look into some of the mechanics of two factor authentication and how it can help you protect your VPN solutions in particular, although it can equally be used to protect your other assets and sites.

Here we discuss integrating One Time Passwords (OTP) into your VPN network.

OTP can be integrated with Cisco VPN solutions for any of the following:

  • Clientless SSL VPN (Thin Client, Smart Tunnels)
  • AnyConnect VPN Client (Full Client)
  • Cisco VPN Client for Remote Access IPsec VPNs, etc.

OTP can take the form of hardware tokens or software tokens. Since smartphones are common these days, it is easy to deploy this solution via applications; however, traditional phones can also be used for this purpose.

OTP can be delivered via any of these methods:

  • Hardware tokens (generating passcodes)
  • Phone call (using IVR)
  • SMS to your mobile phone
  • Email to your email address
  • Push notification to your smartphone via applications (iPhone / Android / Windows Mobile, etc.)

Depending on your company policy, a One Time Password (OTP) solution can be deployed as:

One-Time Password via SMS authentication to a Cisco ASA VPN solution:

Authentication verification from the user’s perspective:

Step 1: Assuming you have already configured Remote Access VPN on the Cisco ASA, your AD domain user (Sara Marshal) logs into her VPN session via the Cisco VPN Client; her credentials are passed to the Active Directory server (via ACS) as the primary authentication method.

Cisco VPN Session Primary Authentication


Step 2: If her primary authentication succeeds, she instantly receives an SMS on her cell phone, based on the cell phone details already configured in the OTP server.

OTP via SMS


Step 3: Now she can enter her One-Time Password (OTP) at the Cisco VPN Client prompt to connect to the VPN.

One-Time Password Prompt

and she has successfully authenticated.
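As an added illustration of the three steps above (example code written for this page, not part of the original post or of any Cisco or OTP vendor product), here is a minimal model of the two stages the OTP server takes part in: the first factor is a stand-in for the AD check, and the second factor issues a random six-digit code, stores only its digest, and accepts it once, within a validity window and a wrong-guess limit. The user record, phone number, 120-second window and three-attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window for a delivered SMS code
MAX_ATTEMPTS = 3        # assumed wrong-guess limit before the code is discarded

# Constructed sample record standing in for the AD account plus the phone number kept on the OTP server.
DIRECTORY = {
    "smarshal": {"password_sha256": hashlib.sha256(b"correct horse").hexdigest(), "phone": "+1-555-0100"},
}

def primary_auth(username, password):
    """First factor: stand-in for the AD check that the ASA delegates via ACS."""
    rec = DIRECTORY.get(username, {"password_sha256": ""})  # no early exit: unknown users take the same path
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["password_sha256"])

class OtpServer:
    """Second factor: issues and verifies single-use codes delivered by SMS."""
    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be exercised offline
        self._pending = {}    # username -> {digest, expires, attempts}
        self.sent_sms = []    # (phone, code) pairs; stands in for the SMS gateway

    def issue(self, username):
        """Step 2: called only after primary_auth succeeded."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # store a digest, never the code
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.sent_sms.append((DIRECTORY[username]["phone"], code))

    def verify(self, username, submitted):
        """Step 3: check the code the user typed at the VPN client prompt."""
        entry = self._pending.get(username)
        if entry is None:
            return False, "no pending code"
        if self._now() > entry["expires"]:
            del self._pending[username]
            return False, "code expired"
        entry["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), entry["digest"])
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]   # single use; also discarded after too many wrong guesses
        return (True, "authenticated") if ok else (False, "wrong code")
```

A real deployment would also rate-limit issuance per user and log each failed second-factor attempt, since a burst of failures after a successful first factor is exactly the signal that the primary credential has been stolen.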

The end-to-end configuration of One-Time Password via SMS authentication to a Cisco ASA VPN, including the OTP server, is covered in detail here.


2 Responses to “Two factor authentication for Cisco VPN Solutions”

  1. Hi Guys,

    Does anyone have the above configuration “One-Time Password server deployed locally on your network” for Cisco ACS 5.3 using Cisco AnyConnect client?

  2. Yadhu Tony says:

    Excellent document. Really useful.
    Cheers!
