Is it possible to configure a Cisco AnyConnect VPN to use two separate LDAP authentication methods simultaneously?


I ended up answering my own question - this is possible. I found out that Duo offers a free trial, so I went ahead and set up an account to try to get it to work with my setup. In the end, I was able to have both Active Directory LDAP and Duo Security LDAP set up at the same time. The relevant part of the code is here:

tunnel-group VPN_RA type remote-access
tunnel-group VPN_RA general-attributes
 address-pool X
 authentication-server-group WINDOWS
 secondary-authentication-server-group Duo_LDAP use-primary-username
 authorization-server-group WINDOWS
 default-group-policy Group1
 authorization-required
tunnel-group VPN_RA webvpn-attributes
 authentication aaa certificate
 group-alias RA enable

The user has to type in their AD username and password along with a secondary password for Duo in order to connect. There also must be a valid certificate present on the machine.


Author: Chris

Updated on September 18, 2022

Comments

  • Chris (over 1 year ago)

    I have a Cisco ASA 5505 with a Security Plus license along with an AnyConnect Plus license. I don't currently have any VPN configuration on the ASA as I'm still in the planning phase. I would like to know if my planned configuration is supported before I purchase the third party software.

    I'm looking into using double authentication for users connecting to the VPN, possibly with an additional certificate component. I found that Duo Security has AnyConnect integration using LDAP. Also, AnyConnect allows you to use LDAP to authenticate against Active Directory. I've done a lot of research and found many resources for configuring double authentication. However, every resource seems to use two different authentication protocols. For instance, the official Cisco documentation shows you how to set up LOCAL as primary and LDAP as secondary. Their wording makes it seem like you can use LDAP for either primary or secondary, but doesn't explicitly say that you can do both. I've also found resources describing how to configure redundant LDAP servers for failover or load balancing, which isn't what I'm looking for. My question is whether it's possible to use two completely separate LDAP servers and have the client authenticate to both. Ideally, the config would look like this:

    tunnel-group RA general-attributes
      authentication-server-group LDAP_AD
      secondary-authentication-server-group LDAP_DUO
      default-group-policy Group1
      authorization-required
    tunnel-group RA webvpn-attributes
      authentication aaa certificate

    Obviously both LDAP_AD and LDAP_DUO would be configured as their own entries using "aaa-server LDAP_xx protocol ldap" along with the required server info. I'm thinking that this configuration should require users to type in their AD credentials, use Duo security with OTP or Push authentication, and check that the machine has a valid certificate. Has anyone tried this before, or found documentation saying that this type of configuration is supported?
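As an added example (not part of the original question or answer), here is how the two aaa-server groups the question alludes to would be defined and then referenced by the tunnel group from the accepted answer. Hostnames, DNs, bind passwords, the integration key and the pool name are placeholders, and the Duo-side settings (base DN derived from the integration key, `cn` as naming attribute, LDAPS on 636, a 60-second timeout) are assumptions to confirm against Duo's own ASA integration guide rather than values taken from this page.

```cisco
! Constructed example: both LDAP server groups defined, then referenced by the
! tunnel group from the accepted answer. Hosts, DNs, keys and pool are placeholders.
!
! Primary authentication and authorization: Active Directory over LDAPS
aaa-server WINDOWS protocol ldap
aaa-server WINDOWS (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password BIND_PASSWORD_PLACEHOLDER
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! Secondary authentication: Duo's cloud LDAP endpoint over LDAPS (values assumed)
aaa-server Duo_LDAP protocol ldap
aaa-server Duo_LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ldap-base-dn dc=INTEGRATION_KEY_PLACEHOLDER,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-dn dc=INTEGRATION_KEY_PLACEHOLDER,dc=duosecurity,dc=com
 ldap-login-password SECRET_KEY_PLACEHOLDER
 ldap-over-ssl enable
 server-port 636
!
! Tunnel group tying the two together, as in the accepted answer
tunnel-group VPN_RA type remote-access
tunnel-group VPN_RA general-attributes
 address-pool VPN_POOL
 authentication-server-group WINDOWS
 secondary-authentication-server-group Duo_LDAP use-primary-username
 authorization-server-group WINDOWS
 default-group-policy Group1
 authorization-required
tunnel-group VPN_RA webvpn-attributes
 authentication aaa certificate
 group-alias RA enable
```

The longer timeout on the Duo group gives a push approval time to complete before the ASA abandons the secondary authentication, and `use-primary-username` means the user enters the AD username once and only a separate secondary password (passcode or push keyword) for Duo.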