Go to 2FA (Two Factor Authentication for ASA SSL VPN)

The need to provide remote access to a corporate environment arises more and more often, whether it is your own users or partners who need access to a particular server in your organization.

For this purpose, most companies use VPN technology, which has proven itself as a secure way to provide access to an organization's local resources.

My company is no exception, and we, like many others, use this technology. And, like many others, we use Cisco ASA 55xx as a remote access gateway.

As the number of remote users grows, the procedure for issuing credentials needs to become easier, but this has to be done without compromising security.

For ourselves, we found a solution in two-factor authentication for connecting via Cisco SSL VPN, using one-time passwords. This article explains how to build such a solution with minimal time and zero cost for the necessary software (provided that you already have a Cisco ASA in your infrastructure).

The market is full of boxed solutions for generating one-time passwords, offering many ways to deliver them, whether by SMS or via hardware or software tokens (for example, on a mobile phone). But the urge to save money for my employer in the current crisis made me look for a free way to implement a one-time-password service which, despite being free, is not much inferior to commercial solutions (note that this product also has a commercial version, but we agreed that the cost, in monetary terms, would be zero).

So, we need:

- A Linux image with a built-in set of tools: multiOTP, FreeRADIUS and nginx for web access to the server (http://download.multiotp.net/ - I used the ready-made image for VMware)
- An Active Directory server
- The Cisco ASA itself (for convenience, I use ASDM)
- Any software token that supports the TOTP mechanism (I use Google Authenticator, for example, but FreeOTP will do just as well)

I will not go into the details of deploying the image. As a result, you get Debian Linux with multiOTP and FreeRADIUS already installed and configured to work together, plus a web interface for OTP administration.

Step 1. Initialize the system and configure it for our network
By default, the system ships with the credentials root/root. Everyone has surely guessed that it would be wise to change the root user's password right after the first login. You also need to change the network settings (the default is 192.168.1.44 with the gateway 192.168.1.1). After that, reboot the system.

Create a user named otp in Active Directory, with the password MySuperPassword.

Step 2. Set up the connection and import Active Directory users
For this we need console access and the multiotp.php script itself, through which we configure the settings for connecting to Active Directory.

Go to the directory /usr/local/bin/multiotp/ and run the following commands one after another:

./multiotp.php -config default-request-prefix-pin=0

Determines whether an additional (permanent) PIN is required along with the one-time code (0 or 1)

./multiotp.php -config default-request-ldap-pwd=0

Determines whether the domain password is required along with the one-time code (0 or 1)

./multiotp.php -config ldap-server-type=1

Sets the LDAP server type (0 = generic LDAP server; in our case 1 = Active Directory)

./multiotp.php -config ldap-cn-identifier="sAMAccountName"

Specifies the attribute used as the username (this value yields just the username, without the domain)

./multiotp.php -config ldap-group-cn-identifier="sAMAccountName"

The same, but for groups

./multiotp.php -config ldap-group-attribute="memberOf"

Specifies the attribute used to determine whether a user belongs to a group

./multiotp.php -config ldap-ssl=1

Whether to use a secure (TLS) connection to the LDAP server (yes, of course!)

./multiotp.php -config ldap-port=636

Port for connecting to the LDAP server

./multiotp.php -config ldap-domain-controllers=adSRV.domain.local

Address of your Active Directory server

./multiotp.php -config ldap-base-dn="CN=Users,DC=domain,DC=local"

Specifies where in the domain to start searching for users

./multiotp.php -config ldap-bind-dn="[email protected]"

Specifies a user that has search rights in Active Directory

./multiotp.php -config ldap-server-password="MySuperPassword"

Specifies that user's password for connecting to Active Directory

./multiotp.php -config ldap-network-timeout=10

Sets the timeout for connecting to Active Directory

./multiotp.php -config ldap-time-limit=30

Sets the time limit for the user import operation

./multiotp.php -config ldap-activated=1

Activates the Active Directory connection configuration

./multiotp.php -debug -display-log -ldap-users-sync

Imports the users from Active Directory

Step 3. Generate a QR code for the token
This part is very simple. Open the OTP server's web interface in a browser, log in (don't forget to change the default admin password!) and click the "Print" button.

The result is a page containing two QR codes. We boldly ignore the first one (despite the tempting caption Google Authenticator / Authenticator / 2 Steps Authenticator) and, just as boldly, scan the second code into the software token on the phone.

(yes, I deliberately messed up the QR code to make it unreadable).

After this, the application will generate a new six-digit password every thirty seconds.

To be sure, you can check it in the same interface:

Enter the username and the one-time password from the application on the phone. Got a positive response? Then we move on.

Step 4. Configure and test FreeRADIUS
As mentioned above, multiOTP is already configured to work with FreeRADIUS; it remains to run tests and add our VPN gateway to the FreeRADIUS client configuration file.

Return to the server console, go to the directory /usr/local/bin/multiotp/ and enter:

./multiotp.php -config debug=1
./multiotp.php -config display-log=1

This enables more detailed logging.

In the FreeRADIUS client configuration file (/etc/freeradius/clients.conf), comment out all lines related to localhost and add two entries:

client localhost {
        ipaddr = 127.0.0.1
        secret = testing321
        require_message_authenticator = no
}

- for testing

client 192.168.1.254/32 {
        shortname = CiscoASA
        secret = ConnectToRADIUSSecret
}

- for our VPN gateway.

Restart FreeRADIUS and try to log in:

radtest username 100110 localhost 1812 testing321

where username is the user name, 100110 is the password shown by the application on the phone, localhost is the RADIUS server address, 1812 is the RADIUS server port, and testing321 is the secret of the RADIUS client (which we specified in the config).

The output of this command will be something like the following:

Sending Access-Request of id 44 to 127.0.0.1 port 1812
        User-Name = "username"
        User-Password = "100110"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=44, length=20

Now we need to make sure that the user was actually authenticated. For this, look at the log of multiOTP itself:

tail /var/log/multiotp/multiotp.log

If the last entries there are:

2016-09-01 08:58:17     notice  username  User    OK: User username successfully logged in from 127.0.0.1
2016-09-01 08:58:17     debug           Debug   Debug: 0 OK: Token accepted from 127.0.0.1

then everything went well, and we can proceed to

Step 5. Configure the Cisco ASA
Let's assume that we already have a group and policies configured for access via SSL VPN, working together with Active Directory, and we need to add two-factor authentication to this profile.

1. Add a new AAA server group.

2. Add our multiOTP server to the group.

3. Edit the connection profile, setting the Active Directory server group as the primary authentication server.

4. On the Advanced -> Authentication tab, also select the Active Directory server group.

5. On the Advanced -> Secondary authentication tab, select the newly created server group in which the multiOTP server is registered. Note that the session username is inherited from the primary AAA server group.

Apply the settings and move on to

Step 6. The last one
Check whether two-factor authentication for SSL VPN now works for us:

Voila! When connecting via the Cisco AnyConnect VPN Client, a second, one-time password is now also requested.

I hope this article helps someone, and gives someone food for thought on how this free OTP server can be used for other tasks. Share your ideas in the comments if you wish.

Source: habr.com
