2F for RA VPN with Cisco IPSec Client and anyconnect?


2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
Hi all,
I have the requirement to change the authentication for remote access VPN users from user/password to 2 factor auth on our ASA. Our folks are NOT using clientless ssl VPN but the Cisco IPSec client and Anyconnect 3.x .
I've set up a 2k8R2 server as NPS that is configured as AAA server on the ASA and implemented a NASIPv4Address condition, configured the ASA as RADIUS client and the WiKID Server as remote RADIUS server. Also I've configured a test user whose VPN connection profile is configured for RADIUS authentication targeting the NPS.
Now, when I try to connect via IPSec client I request the WiKID generated OTP via the token client and enter the username and the OTP instead of the AD password when the login dialogue appears, but I don't get authenticated.
 
Two questions:
1) Is this the right way to do it (entering username and OTP instead of the AD password)?
2) If so, why am I not authenticated, and if not, does WiKID even work with the IPSec Client and Anyconnect, or does it only work with clientless VPN (since I have only found a how-to for setting that up but not for the other two RA VPN types)?

Your feedback is highly appreciated.

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

It's probably something in NPS. Take a look at these tips to see if the radius requests are getting to wikid:  https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests.

On Sep 7, 2015 4:41 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
OK, will check that.
In the meantime could you tell me if the 2FA should work with the IPSec Client and Anyconnect?
And if so, entering the username and WiKID generated OTP instead of the AD password is the correct course of action?
Have to ask since I haven't found any documentation on that.

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

If you can use radius, it will work. Does it work with NPS using your AD password?

On Sep 7, 2015 9:09 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
Haven't tried that but meanwhile I have new indications as to what goes wrong.
According to tcpdump WiKID receives the RADIUS requests from the NPS but doesn't seem to reply.
Also, my NPS shows the following event: 6274, "The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond."

Looks like I have the same problem that was depicted in the "Troubles getting wikid to respond to radius" thread.

Do I have to undergo the intermediate certificate and localhost certificate step for the communication between NPS and WiKID to work? Because that's the only thing I haven't done yet.

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Ah, yes. Radius won't start without the certs in place.

On Sep 7, 2015 10:18 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
OK, if I enter username and the OTP in the IPSec client's login dialogue now, the dialogue pops up again, indicating that it didn't like the credentials I provided.
Also I'm seeing in the NPS's event log: 6273, The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request.
Tried again after I manually validated the user and entered the user id on the WiKID admin page with the same result.

In the WiKID's radius.log I see the message "Passcode is not a number." but it is. I entered the passcode that WiKID token client generated as password which IS a number with 6 digits. What gives?

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Run 'netstat -anp | grep 1812'. It should list a process on the radius port.

When you try to authenticate, you should see the request and response from WiKID. 

On Sep 7, 2015 11:14 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
[root@wikid private]# netstat -anp | grep 1812
udp        0      0 :::1812                     :::*                                    31094/java

That is all I see.

But in the WiKID's radius.log I see the message "Passcode is not a number." but it is. I entered the passcode that the WiKID token client generated as password, which IS a number ...

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Hmm,  good progress. Passcode is not a number means what it says. It's most likely the shared secret, double check the secret in NPS and WiKID and restart WiKID if you change it. Radius caches everything.

On Sep 7, 2015 11:25 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:
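To see why a wrong shared secret turns a perfectly numeric passcode into "Passcode is not a number", here is a small worked example of the RFC 2865 User-Password hiding and Response Authenticator check. This is an added illustration, not code from the thread, from WiKID or from NPS; the OTP, the two secrets, the username and the fixed Request Authenticator are constructed sample values, and the server is a toy stand-in that only checks whether the decoded passcode is all digits and equals the sample OTP.

```python
"""Added example (not from the thread or from WiKID): why a RADIUS shared-secret
mismatch makes a numeric one-time passcode look like garbage to the server.

RFC 2865 section 5.2 hides User-Password (attribute 2) by XOR-ing it with
MD5(secret + Request Authenticator). A proxy (here: NPS) and a RADIUS server
(here: WiKID) that disagree on the secret therefore recover different
plaintexts, and the server-side decode is effectively random bytes.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

# Constructed sample values, not taken from the thread.
OTP = "123456"                                   # the 6-digit passcode the token client shows
SECRET_OK = b"constructed-shared-secret"         # secret as configured on the WiKID side
SECRET_TYPO = b"constructed-shared-secref"       # same secret with a one-character typo
# Fixed Request Authenticator so the run is reproducible; a real client uses os.urandom(16).
REQUEST_AUTH = bytes(range(16))


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Zero-pad to a 16-byte multiple, then XOR each block with a chained MD5 keystream."""
    pad = (-len(password)) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + cipher, cipher          # next block is keyed with this ciphertext block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(type_code: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, passcode: str,
                         secret: bytes, request_auth: bytes) -> bytes:
    """What the proxy forwards to the remote RADIUS server: User-Name (1) plus hidden User-Password (2)."""
    attrs = _attr(1, username.encode()) + \
        _attr(2, encode_user_password(passcode.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def radius_server(packet: bytes, secret: bytes):
    """Toy stand-in for the OTP server: decode, require digits, answer with a signed response."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    passcode = decode_user_password(attrs.get(2, b""), secret, request_auth)
    # This is the kind of check that yields "Passcode is not a number" when the decode is wrong.
    accept = passcode.isdigit() and passcode.decode() == OTP
    header = struct.pack("!BBH", ACCESS_ACCEPT if accept else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here.
    return header + _md5(header + request_auth + secret), passcode


def client_verifies(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The proxy recomputes the Response Authenticator with *its* secret before trusting the reply."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(_md5(header + request_auth + attrs + secret), resp_auth)


def simulate(client_secret: bytes, server_secret: bytes) -> dict:
    """Run one Access-Request/response exchange and report what each side concluded."""
    request = build_access_request(7, "bigd", OTP, client_secret, REQUEST_AUTH)
    response, seen_by_server = radius_server(request, server_secret)
    return {
        "server_saw_numeric_passcode": seen_by_server.isdigit(),
        "accepted": response[0] == ACCESS_ACCEPT,
        "client_trusts_response": client_verifies(response, REQUEST_AUTH, client_secret),
    }


if __name__ == "__main__":
    print("matching secrets:  ", simulate(SECRET_OK, SECRET_OK))
    print("mismatched secrets:", simulate(SECRET_OK, SECRET_TYPO))
```

With matching secrets the server decodes "123456", accepts, and the proxy can verify the Response Authenticator. With the one-character typo the server decodes random bytes (hence a reject with a "not a number" style reason), and the proxy also fails to verify the reply because the Response Authenticator was computed under a different secret, so it discards it. A secret mismatch can therefore show up as a reject on one side and as a missing or unusable response on the other, which is why checking the secret on both ends and restarting the server after a change, as suggested above, is the first thing to do. The Message-Authenticator attribute (80) is deliberately left out of this toy exchange.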

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
OK, obviously those "passcode is not a number" messages stem from the fact that I tried the actual password instead of the WiKID passcode a few times. Still, I can't authenticate although I have re-entered the shared secret on the NPS (same as configured on WiKID, which I didn't change).

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Set your WiKIDAdmin logs to debug; it should say why.

Is your user still enabled?

On Sep 7, 2015 12:01 PM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:
OK, obviously those "passcode is not a number" messages stem from the fact that I tried the actual password instead of the WiKID passcode a few times. Still, I can't authenticate although I have re-entered the shared secret on the NPS (same as on WiKID).



Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Any progress?

On Sep 7, 2015 12:05 PM, "Nick Owen" <[hidden email]> wrote:


RESOLVED: 2F for RA VPN with Cisco IPSec Client and anyconnect?

BigD
Well, this happens if you follow the how-to... sort of... ;)
At the end of the "How to add two-factor authentication to NPS" document there is a passage stating:
"Customers have mentioned having issues with getting the NPS Radius Connection Request Policy working. One sent us this screen shot of a working connection request policy.  They set up the "Remote-RADIUS-to-Windows-User-Mapping" to "True"."

I had configured that as well and authentication didn't work. On a hunch I deleted this setting from the NPS policy and suddenly I was able to authenticate.
That was with IPSec Client. Will now try Anyconnect but I expect that to work as well.
Thanks a bunch!


Re: RESOLVED: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Nick Owen
Administrator

Excellent!

On Sep 8, 2015 7:24 AM, "BigD [via WiKID Strong Authentication Forums]" <[hidden email]> wrote:

Re: 2F for RA VPN with Cisco IPSec Client and anyconnect?

Farrah_35
Nice post. I am also in need of a VPN that provides multiple protocols. I think express VPN is a good service but I am not sure about it because I have never tried it out. It would be great if you could share a detailed expressvpn review for me.