Cisco VPN Plugin

Introduction

Acceptto’s authentication technology can be used with a Cisco ASA VPN to add a second authentication factor to every VPN login: the user’s Active Directory credentials remain the first factor, and the login is approved out of band on the user’s phone before the RADIUS server returns Access-Accept to the ASA.

Requirements

This guide assumes that you have already set up a Cisco ASA VPN and have a working configuration.

In order to use Acceptto MFA with your Cisco VPN you will need a server on which to either deploy Acceptto’s RADIUS virtual appliance or configure a FreeRADIUS server from a fresh installation. See https://freeradius.org/ for more information.

Summary of Requirements:

  1. Cisco VPN set up
  2. Active Directory for the first-factor authentication of users accessing your network via VPN
  3. Server with one 64-bit CPU, 20 GB disk space and 2 GB RAM
  4. VMware ESXi 5.5 or VMware Player virtualization software
  5. Acceptto RADIUS virtual machine files [insert link here]

Acceptto Account Registration

Before you continue you must register for an Acceptto account by following these steps:

  1. Sign up for an Acceptto account
  2. Login to the user dashboard from the Acceptto homepage
  3. Select the Applications page link then click the “New Application” button
  4. On the New Application page fill in the name and redirect URL for your application and click Save. This creates the UID and Secret that are used in the sections below.

See this guide for more information https://www.acceptto.com/acceptto-mfa-rest  

Active Directory Setup

In this section you will create a RADIUS binding user in your Active Directory and delegate the domain-join privileges the appliance needs. Afterwards you will create a new group to which you add the users who should authenticate through Acceptto.

Create Radius Binding User

In your Active Directory, create a new user by following these steps:

  1. On the Active Directory server, press the Windows key, type dsa.msc and press Enter to start the Active Directory Users and Computers console.
  2. Click on your domain name, and then expand the contents.
  3. Right-click Users, point to New, and then click User
  4. Type the first name, last name, and user logon name of the new user, then click Next
  5. Type a new password, confirm the password, and then select the following check boxes:
    1. “User cannot change password”
    2. “Password never expires”
  6. Click Next and review the user information. If everything is correct, click Finish.

Because this password never expires and will be stored in the RADIUS appliance configuration, use a long random password and give the account no group memberships or rights beyond what the directory bind and the domain join require.

Create a New Group

Create an Acceptto Active Directory group. Members of this group will be authenticated by Acceptto.

  1. Open Active Directory Users and Computers and select your domain root in the navigation tree.
  2. In the console tree, right-click the folder in which you want to add a new group.
  3. Click New, and then click Group.
  4. Type the name of the new group.
  5. In the New Object - Group dialog box, do the following:
    1. In Group scope, click Global scope.
    2. In Group type, click Security.
  6. Click OK.

Add Users to ‘Acceptto’ Group

Add your newly created binding user to the newly created group, then add the users who should authenticate through Acceptto:

  1. Open Active Directory Users and Computers and select your domain root in the navigation tree.
  2. In the console tree, click the folder that contains the Acceptto group.
  3. In the details pane, right-click the group, and then click Properties.
  4. On the Members tab, click Add.
  5. In Enter the object names to select, type the name of the user or group that you want to authenticate using Acceptto, and then click OK.

Alternatively, right-click a user, choose Add to a group, and in the Select Groups dialog enter the name of the newly created group in the ‘Enter the object names to select (examples):’ field.

Acceptto Radius Appliance Configuration

Accessing the Acceptto Radius Appliance

  • SSH into the Acceptto RADIUS appliance using the IP address that you have set up. The default username and password are:
    1. Username: acceptto
    2. Password: acceptto

Change this default password immediately after the first login (run passwd) and restrict SSH access to the appliance to your management network: anyone who can log in can read the Active Directory bind password and every RADIUS shared secret stored on it.

Network Configuration

Edit /etc/network/interfaces with the following command:

sudo vim /etc/network/interfaces

Add the IP address of the Active Directory DNS server on a ‘dns-nameservers’ line, so that the appliance can resolve your domain controller:

# Automatically generated by the vm import process
auto lo
auto eth0
iface lo inet loopback
iface eth0 inet dhcp
dns-nameservers [IP address of your DNS server]

Exit and run the following command:

root@acceptto-demo:~# service networking restart

To verify which DNS server the appliance is actually using (with DHCP, a nameserver supplied by the DHCP server can still take precedence over the line above), run dig and check the SERVER line. It must be your Active Directory DNS server, otherwise the domain join below cannot locate the domain controller:

root@acceptto-demo:~# dig google.com
; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> google.com
;; global options: +cmd

...
;; Query time: 5 msec
;; SERVER: 10.0.1.29#53(10.0.1.29)    <-- Server IP address
;; WHEN: Fri Jan 26 22:05:40 GMT 2018
;; MSG SIZE  rcvd: 135

Run the following command to start the appliance configuration menu:

root@acceptto-demo:~# sudo ./acceptto.sh

Domain Information Configuration

Now the current configuration must be modified. Enter ‘2’ to open the ‘Domain Information configuration’ option. The current Active Directory information is displayed; enter ‘y’ to edit it. Option ‘1’ (Network Configuration) is not needed, because the network was configured in the previous step.

Description of Domain Information Configuration Fields
  1. DC – The fully qualified host name of the domain controller (e.g. dc.example.com).
  2. LdapBindID – The RADIUS binding user you created in Active Directory, in UPN form (e.g. user@example.com). The appliance binds to the directory with this account.
  3. LdapBaseDN – The LDAP search base under which users are looked up, in LDAP DN format (e.g. cn=Users,dc=example,dc=com when your users are in the default Users container of example.com).
  4. NETBIOS – The short (NetBIOS) name of the domain, i.e. the first label of the DNS domain name: ‘test’ for test.acceptto.com.
  5. REALM – The DNS name of the Active Directory domain itself (e.g. example.com or test.acceptto.com), not a host name such as www.example.com.
  6. AccepttoADGroup – The name of the Active Directory group whose members will authenticate with Acceptto multi-factor authentication.

Upon entering the Domain Information Configuration please input each value depending on your own setup:

######################################
 	1) Network Configuration
 	2) Domain Information configuration
 	3) Joining host to Domain
 	4) Add New Radius Client
 	5) Acceptto Authentication Factor
 	6) Acceptto Deployment Method
 	7) Exit
Please select an option: 2
------------------------------
 	Here is your current Active Directory Information:
 	DC               ==>  "EC2AMAZ-GJJ0FO7.test.acceptto.com"
 	LdapBindID       ==>  "radius9@test.acceptto.com"
 	LdapBaseDN       ==>  "cn=Users,dc=example,dc=com"
 	NETBIOS          ==>  "TEST"
 	REALM            ==>  "test.acceptto.com"
 	AccepttoADGroup  ==>  "Acceptto2"
 	AuthType         ==>  UseEmailAsID
 	------------------------------
 	Do you want to modify current config (y/n)? y

 	######################################
 	Domain Name (E.g DOMAIN.COM): 
 	Domain controller FQDN name (E.g dc.domain.com): 
 	Active Directory Binding User (E.g USER@DOMAIN.COM): 
 	 Password: 
 	LDAP Search BaseDN (E.g DC=DOMAIN,DC=COM): 
 	NETBIOS Name (E.g DOMAIN): 
 	Active Directory Group: 

 	Active Directory information summary:
 	  Domain: 
 	  Domain Controller FQDN Name: 
 	  Active Directory Binding User: 
 	  LDAP Search BaseDN: 
 	  NETBIOS Name: 
 	  Active Directory Group: 

 	######################################
 	Are you sure that the information presented above is correct (y/n)? 

Joining Host to Domain

Now join the host to the domain. Enter ‘3’ and you will be asked to confirm the join. Enter ‘y’.

######################################
 	1) Network Configuration                   
 	2) Domain Information configuration                              
 	3) Joining host to Domain                    
 	4) Add New Radius Client                   
 	5) Acceptto Authentication Factor                            
 	6) Acceptto Deployment Method                        
 	7) Exit  

 	Please select an option: 3
 	------------------------------

 	Do want to join test.acceptto.com domain(y/n)? y
 	Please wait, This can take up to 120 seconds...

 	Join to test.acceptto.com was successful. 
 	Press any key to return to menu...

If this fails, check that you completed the previous steps correctly and entered the correct values for your domain, in particular that the appliance resolves the domain controller through the Active Directory DNS server and that the binding user’s password is correct. Logs with details of the failure are under /var/acceptto/.

Add New Radius Client

Navigate back to the Acceptto RADIUS appliance menu and enter ‘4’.

  1. Client name: Can be anything you choose.
  2. Client IP address: The address from which the VPN appliance sends RADIUS requests, i.e. the ASA interface that reaches the RADIUS server.
  3. Shared Secret: The secret the VPN and the RADIUS server use to authenticate each other’s packets; it also keys the obfuscation of the user’s password inside Access-Request packets. Use a long random string and enter exactly the same value on the ASA.

Each client must have its own unique IP address; FreeRADIUS rejects duplicate client addresses when it starts.

 	######################################
 	1) Network Configuration                   
 	2) Domain Information configuration                              
 	3) Joining host to Domain                    
 	4) Add New Radius Client                   
 	5) Acceptto Authentication Factor                            
 	6) Acceptto Deployment Method                        
 	7) Exit  

 	Please select an option: 4
 	------------------------------

 	Here is the current list of radius clients:
 	client cisco {
 	  ipaddr = 1.2.3.5
 	  secret = test
 	}
 	client cisco-vpn {
 	  ipaddr = 10.0.1.198
 	  secret = cisco
 	}

 	Do you want to add new client(y/n)? y
 	Please enter new client name: cisco-vpn2
 	Please enter new client ip address: 10.0.1.199
 	Please Enter shared secret: test123

 	New Client Information:
 	Client Name:  cisco-vpn2 
 	Client ip address:  10.0.1.199 
 	Client secret:  test123 

 	Add cisco-vpn2 to configuration(y/n)? y
Acceptto Authentication Factor

The Acceptto Authentication Factor is the identifier the appliance uses to look the user up on the Acceptto platform: either the RADIUS User-Name (the Active Directory logon name) or the user’s email address from Active Directory. Enter ‘5’ to open the selection, then enter the number of the type you want to use. Choose Email if your users registered with Acceptto under their email address; this corresponds to the AuthType UseEmailAsID shown in the domain information summary.


 	######################################
 	1) Network Configuration                   
 	2) Domain Information configuration                              
 	3) Joining host to Domain                    
 	4) Add New Radius Client                   
 	5) Acceptto Authentication Factor                            
 	6) Acceptto Deployment Method                        
 	7) Exit  

 	Please select an option: 5

 	------------------------------

 	Acceptto Authentication type selection:

 	Currently User-Name is used as Authentication Factor.

 	1) User-Name
 	2) Email
 	3) Exit
 	Please select acceptto authentication factor:2
 	Email will used as Authentication factor.
 	Press any key to return to menu...
Configuration of FreeRADIUS on New Server

Follow this section only if you chose to configure a fresh FreeRADIUS installation instead of using the Acceptto RADIUS OVA.

In Debian, the FreeRADIUS base directory is located at /etc/freeradius/3.0. We will be referring to this location as raddb in the steps below, to maintain alignment with the FreeRADIUS documentation.

Locate the RADIUS daemon configuration file at raddb/radiusd.conf.

Verify that the following lines are uncommented (they are in a default installation):

policy {
	$INCLUDE policy.d/
}
$INCLUDE sites-enabled/

  • Enable the ldap module by linking (or copying) raddb/mods-available/ldap to raddb/mods-enabled/ldap
    • Edit the file and locate the section that begins with server =
    • Set the following:
      1. server = your LDAP server IP address or host name (the domain controller)
      2. identity = the DN (or UPN) of the binding user with which FreeRADIUS binds to Active Directory, for example ‘cn=ldapuser,cn=users,dc=example,dc=net’
      3. password = the password of that binding user. This is not the RADIUS shared secret; the shared secret is set in clients.conf below.
      4. base_dn = where LDAP searches begin. If your domain is example.net and your users are in the default Users container, this is ‘cn=users,dc=example,dc=net’.
      5. filter = an RFC 2254 (RFC 4515) search filter selecting the objects that may match a login. To match only user objects by their logon name: "(&(objectclass=user)(objectcategory=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

Locate and edit the file raddb/mods-config/files/authorize

Add the following entry, replacing the value with the DN of the Acceptto group you created in Active Directory:

DEFAULT LDAP-Group == "cn=users,dc=example,dc=net", Auth-Type := Accept

The group check and the Auth-Type belong on the same entry: the files module stops at the first matching entry unless that entry sets Fall-Through = Yes, so if they are written as two separate DEFAULT entries the first matches group members without setting anything and the second accepts everyone else. Be aware that Auth-Type := Accept tells FreeRADIUS to accept the request without verifying the password itself; the first factor is then only as strong as whatever acceptto.pl checks. To have FreeRADIUS verify the Active Directory password by binding as the user, use Auth-Type := LDAP here and uncomment the Auth-Type LDAP block in the authenticate section of raddb/sites-enabled/default.

Enable the perl module by linking (or copying) raddb/mods-available/perl to raddb/mods-enabled/perl

  • Locate and edit the file raddb/mods-enabled/perl
  • Locate the section perl {
  • Set the script path inside it:
filename = ${modconfdir}/${.:instance}/acceptto.pl
  • Copy the acceptto.pl file provided with this document to raddb/mods-config/perl/acceptto.pl
    • Edit the file and locate my $email; this variable holds the email address you used to register with Acceptto.
    • Set the variable my $UID to the UID that you obtained from the Acceptto dashboard.
    • Set the variable my $secret to the Secret that you obtained from the Acceptto dashboard (not the UID). The file now holds an API credential, so make it readable only by the user FreeRADIUS runs as (freerad on Debian).
    • Optionally set the variable my $message to a string that tells your users what kind of request they are approving.
    • Ensure that acceptto.pl is executable by running chmod +x raddb/mods-config/perl/acceptto.pl
  • The module only runs if it is called from the server’s processing sections: add perl to the appropriate section (authorize or authenticate, as instructed with the script) of raddb/sites-enabled/default.
  • Locate and edit the file raddb/clients.conf
  • Add the following section. The ipaddr must be unique among the clients in the file, and the secret must be exactly what you enter on the ASA:

client cisco {
	ipaddr = IP address of the Cisco VPN
	secret = the shared secret between RADIUS and the Cisco VPN
}

    
  • Restart the RADIUS server, for example systemctl restart freeradius.service
  • Test the installation using radtest:
      radtest ldapuser ldapuserpassword 127.0.0.1 0 testing123

The last argument is the secret of the client entry that matches the address you test from. For 127.0.0.1 that is the localhost entry shipped in clients.conf (secret testing123 by default; change it or remove the entry when testing is done), not the Cisco VPN secret, which only applies to requests arriving from the ASA’s address.

If successful you will get an alert on your mobile asking you to authorize the login and radtest should print a message like “Received Access-Accept Id XY from 127.0.0.1:1812 to 0.0.0.0: length Z”. If the request is rejected, running the server in debug mode (freeradius -X) in a second terminal shows each module’s decision.
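To make concrete what the shared secret protects and how the group-gated authorize entry behaves, here is an added worked example of the RADIUS PAP exchange that radtest or the ASA performs against the server. It is not code from the Acceptto guide, the appliance or FreeRADIUS: it implements the RFC 2865 Access-Request / Access-Accept round trip in memory, and the users alice and bob, their passwords, the group DN and the secrets are constructed for the demonstration. It shows why the secret on the ASA (or on the radtest command line) must match the clients.conf entry exactly: with a mismatch the server decodes a garbage password and the NAS rejects the reply because its authenticator does not verify. It also shows a user outside the Acceptto group being refused even with the correct password.

```python
"""RADIUS PAP exchange between a NAS (the ASA, or radtest) and a RADIUS server.
Added example, not Acceptto or FreeRADIUS code; models RFC 2865 in memory with
constructed users, group and secrets."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, REPLY_MESSAGE = 1, 2, 5, 18

# Constructed stand-in for what the ldap module would fetch from AD (hypothetical users).
ACCEPTTO_GROUP = "cn=acceptto,cn=users,dc=example,dc=net"
DIRECTORY = {
    "alice": {"password": "Correct-Horse-9", "groups": [ACCEPTTO_GROUP]},
    "bob":   {"password": "hunter2", "groups": []},   # valid AD user, not in the group
}

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(data, secret, authenticator):
    """Inverse of pap_encrypt; a wrong secret silently yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """Serialise Code, Identifier, Length, Authenticator and the TLV attribute list."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def nas_build_request(user, password, secret, ident=1):
    """NAS side: fresh random Request Authenticator, password obfuscated under the secret."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth)),
             (NAS_PORT, struct.pack("!I", 0))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret):
    """Server side: recover the password, verify it, apply the group gate, sign the reply."""
    _, ident, req_auth, attrs = decode(request)
    a = dict(attrs)
    user = a[USER_NAME].decode(errors="replace")
    password = pap_decrypt(a[USER_PASSWORD], secret, req_auth)
    entry = DIRECTORY.get(user)
    if entry and password == entry["password"].encode() and ACCEPTTO_GROUP in entry["groups"]:
        code, msg = ACCESS_ACCEPT, b"first factor ok; the MFA push would be sent here"
    else:
        code, msg = ACCESS_REJECT, b"denied"
    reply_attrs = [(REPLY_MESSAGE, msg)]
    unsigned = encode(code, ident, req_auth, reply_attrs)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(unsigned[:4] + req_auth + unsigned[20:] + secret).digest()
    return encode(code, ident, resp_auth, reply_attrs)

def nas_verify_reply(request, reply, secret):
    """NAS side: trust the reply only if its authenticator was computed with our secret."""
    _, _, req_auth, _ = decode(request)
    code, _, resp_auth, _ = decode(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return code if resp_auth == expected else None

def authenticate(user, password, nas_secret, server_secret=None):
    """One round trip. Returns 'accept', 'reject' or 'bad-authenticator' (secret mismatch)."""
    server_secret = nas_secret if server_secret is None else server_secret
    request = nas_build_request(user, password, nas_secret)
    reply = server_handle(request, server_secret)
    code = nas_verify_reply(request, reply, nas_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-authenticator")

if __name__ == "__main__":
    s = b"a-long-random-shared-secret"
    for label, args in (("right password", ("alice", "Correct-Horse-9", s)),
                        ("wrong password", ("alice", "nope", s)),
                        ("not in group", ("bob", "hunter2", s)),
                        ("secret mismatch", ("alice", "Correct-Horse-9", s, b"typo"))):
        print(f"{label:16} -> {authenticate(*args)}")
```

Run it as a script to print the four outcomes. The MD5-XOR construction is also why the shared secret must be long and random and why RADIUS traffic belongs on a management network: anyone who captures the exchange and guesses the secret recovers every user’s first-factor password.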

Cisco VPN Appliance Configuration

Here we outline the steps needed to point your Cisco ASA VPN at the Acceptto RADIUS appliance (or your own FreeRADIUS server).

Add a Server Group

In ASDM go to AAA Server Groups and click ‘Add’ to add a server group:

  Setting             Value
  AAA Server Group    Acceptto
  Protocol            RADIUS

Configure Server Group

Select the server group you added and add a server to it with the following settings:

  Setting                     Value
  Interface Name              The ASA interface from which the RADIUS server is reached (e.g. management)
  Server Name or IP Address   IP address of your RADIUS server
  Timeout                     90 seconds (recommended)
  Server Authentication Port  1812
  Server Accounting Port      1813
  Retry Interval              10 seconds
  Server Secret Key           The shared secret set in the RADIUS server
  Microsoft CHAPv2 Capable    Checked

The timeout must be long enough for the user to approve the Acceptto push on their phone, which is why it is far above the ASA default of 10 seconds. The interface you select determines the source address the RADIUS server sees, so it must be the address you entered as the client IP address. Check Microsoft CHAPv2 Capable only if your RADIUS server can verify an MS-CHAPv2 response; a server that verifies passwords only by an LDAP bind (as the FreeRADIUS configuration above does) needs the cleartext PAP password, so leave it unchecked there.

Click OK to apply the configuration.

Configure your VPN Profile

Optional step: to test the Acceptto RADIUS appliance with a clientless VPN, select your connection profile and click Edit. On the Basic Authentication settings page select the server group you created above and uncheck ‘Use LOCAL if Server Group fails’. With that box checked the ASA falls back to local accounts whenever the RADIUS server is unreachable, which would let a login bypass the second factor.

Test Your Configuration

Test the configuration using the credentials of a user who is in the ‘Acceptto’ group. This user needs to have an email address that is registered on the Acceptto platform. Please see the Setting Up document for Acceptto account registration.

A message will be returned with the result of the test.

Support

If you require assistance, please email us at support@acceptto.com