Cisco ASA VPN - Configuration Guide Skip to main content
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka0f0000000mbnpkas&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fcisco-asa-vpn-configuration-guide
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Average Rating:
Cisco ASA VPN - Configuration Guide
Published: Feb 24, 2016   -   Updated: Apr 20, 2018

In this guide:

Overview

A version of this document exists on our help portal

Okta and Cisco ASA VPN interoperate through the Okta RADIUS Agent. For authentication, the agent translates RADIUS authentication requests from the VPN device into Okta API calls. This guide explains how to configure your Cisco ASA VPN device and the Okta RADIUS Agent.

For authorization, the Cisco device interacts directly with an AD/LDAP Server to pull group memberships and attributes.

Supported Okta Features

Authentication with Okta Credentials via RADIUSYes 
Authentication with Okta Credentials via SAMLNoCisco ASA does not support SAML.
Multi-factor authentication via RADIUSYesUse the Cisco AnyConnect client.
Multi-factor authentication via SAMLNoCisco ASA does not support SAML.
Group memberships/Attributes via RADIUSNo 

Configure Okta

Download and install the RADIUS agent according to Installing the Okta Radius Agent.

Configure the Cisco ASA Device

Process Overview:

  • Create an Authentication, Authorization, and Accounting (AAA) Server Group on the Cisco ASA using the ADSM management software.
  • Create one or more AAA Server Profiles within the AAA group.
  • Configure the Cisco ASA to use the AAA group for VPN access.

Procedures:

  1. Log into the Cisco ADSM interface with admin rights.
  2. Go to Configuration > AAA Server Groups.
  3. Click Add to add a new AAA Server Group.
Add Cisco AAA Server Group.
  1. Enter a friendly server group name.
  2. Set the protocol to RADIUS.
  3. Accept the default settings for all other fields.
Configure AAA server group.
  1. Enter your Interface Name. It should be the network interface that corresponds to your VPN connection.
  2. Enter your Server Name or IP Address. It should be the IP address of the Okta RADIUS Server.
  3. Enter a Timeout duration. If using Push, you should increase this from the default of 10 to at least 20 seconds.
  4. Enter the Server Authentication Port. This should be the port that the Okta RADIUS Port is listening on (default is 1812.)
  5. Leave the default Server Accounting Port.
  6. Leave the default Retry Interval.
  7. Set the Server Secret Key to the Okta RADIUS shared secret that you configured in the Okta RADIUS installation.
  8. Leave Common Password blank.
  9. Accept the ACL Netmask Convert default setting.
  10. Leave Microsoft CHAPv2 Capable unchecked.
Edit AAA Server Profile and Radius Parameters.
  1. Test the connection.
Test AAA Server connection.
  1. Map the AAA Server Group to the appropriate VPN Access Method.
  2. Go to Configuration > Remote Access VPN > AnyConnect Connection Profiles. Your VPN interface should already be set up.
  3. Check each of the settings in the screenshot below.
  4. Click Add in the Connection Profiles section.
Verify autoconnect settings and add connection profile.
  1. Configure the Connection Profile as follows:
  2. Enter a friendly name.
  3. Enter an alias if desired.
  4. Set method to AAA.
  5. Enter the AAA Server Group created above.
  6. Leave User LOCAL if Server Group fails Unchecked.
  7. If appropriate, configure a Group Policy and Client Address Assignment rule.
  8. Make sure Enable SSL VPN client protocol is Checked.
Edit connection profile.
  1. Set up a Dynamic Access Policy to filter users who can connect to your VPN. Without this policy, anyone with Okta credentials may use your VPN.
  2. Go to Configuration> Remote Access VPN > Dynamic Access Policy. 
  3. Click Add.
 Add Dynamic Access Policy
  1. Enter a name for your policy.
  2. Select Add.
Name and add access policy.
  1. Use the attribute interface to filter end users. You can filter based on Group Policy, IP Address,  Connection Profile, or Username.
Set user attributes.

Authorization

There are two types of authorization: coarse-grained and fine-grained. Course-grained access control allows you to define which users can access the VPN device. It does not provide further control as to which VPN zones or resources the end user can then access. You can block users from logging in, but once they're in, they can access all of the resources in your environment. Fine-grained access control refers to controlling the scope of access for an authenticated user.

Course-Grained Authorization with the Okta RADIUS Authentication Policy

To control who gets access to the VPN device via RADIUS, use the Okta Sign-On Policy.

  1. In Okta, go to Security > Policies > Okta Sign-On Policy.
  2. Click Add New Okta Sign-on Policy.
  3. Name your new policy.
  4. Select your new policy.
  5. Click Edit.
  6. Add the groups you want to use your policy.
Add a policy rule.
Note: You can learn more about Okta sign-on policies in the knowledge base article Configuring Sign On Policies.
 

Fine-Grained Authorization with Okta and Cisco ASA

Overview
You must configure fine-grained authorization control from the Cisco ASA VPN device. Cisco ASA supports LDAP as an Authorization Provider. You can use an LDAP connection to query an end user's group memberships and make access decisions based on that.

Procedure

  1. Create a new Authorization Provider. In ADSM navigate to Configuration > AAA > Local Users > AAA Server Groups > Add...
  2. Enter a name.
  3. Select LDAP protocol.
  4. Add an LDAP server.
  5. Enter the information corresponding to your LDAP server. Make sure that the LDAP port is open between the Cisco ASA and the LDAP/AD server. Also, it's recommended that you use LDAP over SSL to improve security.
  6. Click OK. Now you can reference this AAA Server Group in a Dynamic Access Policy (DAP).
  7. Go to Configuration > Network (Client) Access > Dynamic Access Policies
  8. Click Add to add a new policy.

Apply it to the tunnel-group.

ciscoasa(config)# tunnel-group remote-1 general-attributes ciscoasa(config-general)# authorization-server-group ldap_dir_1

Add or edit a policy.

Edit the AAA Attribute Type as follows:

  1. Choose LDAP as the AAA Attribtue Type.
  2. Choose the Attribute ID that you want to establish a condition for (use memberOf for groups.)
  3. Enter the value of the attribute.
  4. Optionally, click Get AD Groups to choose from a drop down list.
  5. Click OK.
Set LDAP as attribute type.

End user experience

Your end users' experience depends on how they access your VPN and the authentication method you choose. End users can access VPN through a browser or the Cisco AnyConnect client. Authentication choices include single and multi-factor methods.


End user experience: single factor authentication

  1. Navigate to your VPN URL.
  2. Enter the Okta username and password.
  3. Click Logon.

End user experience - multi-factor authentication

  1. Navigate to your VPN URL.
  2. Enter Okta username and password.
  3. Click Logon.
  4. Respond to the MFA Challenge.
Respond to the MFA challenge

Cisco AnyConnect and multi-factor authentication

You can use Okta with the Cisco AnyConnect Client. When your end user chooses multi-factor authentication, they must:
  1. Select a second authentication method from the menu.
  2. Click Continue.
  3. Perform the task associated with the chosen MFA method.
Cisco AnyConnect MFA Menu
Learn more about MFA in the MFA End User FAQ.

Additional resources




 


 

Post a Comment

Comments