Active/Standard ASA - Two-Factor VPN Capabilities?

alistair.cowan · ‎09-20-2011

Hi Folks,

I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters. I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!

Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall

Requirement: Deploy Remote Access VPN with Two-Factor Authentication

Userbase: 5 - 10 users

VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)

Solution Consideration: Needs to be as low cost as possible!

The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have) - does this seem feasible?

I also have three queries:

First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"? I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.

Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?

Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this. This will unfortuntely require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option? We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).

Also, apologies for the cross-post; I'd originally posted this in the "Remote Access" forums but there doesn't appear to be much activity there and I didn't receive a response.

Many thanks in advance,

Alistair

Marcin Latosiewicz · ‎09-20-2011

Alistair,

This is my personal opinion and not Cisco best practice or anything like this.

You do not want to find yourself in a situation where you need to open up a TAC case because you had a crash on a device which has Local CA and failover enabled. If the problem will be with Local CA crashing the box TAC can tell you this is not a supported setup and you should disable this feature.

That's why I think, if HA is a function here, better go for CA on MS server (you can enable SCEP - MSCEP and have an easy enrollment). MS CA server requires some tweaking and might allow flexibility when applying some standards, but is usually considered quite standard.

IPsec does support AAA and cert authentication.

Cert authentication is auethenticating the group in MM5/MM6 while AAA is used in xauth/modeconfig to authenticate the user.

One thing to remember though is that Anyconnect will eventually take over old IPsec client's throne. New anyconnect has IKEv2 capabilities (although propritary for now). If you plan to have this setup running for a while, check behavior with IPsec, but consider testing with anyconnect for long term/multiplatform support.

HTH,

Marcin

jonoberheide · ‎09-22-2011

At the risk of sounding spammy, I'd encourage you to check out Duo Security:

http://www.duosecurity.com/vpn

http://www.duosecurity.com/docs/cisco

It's low-cost: first 10 users are free and only $3/user/month after the first 10, so your service would be _free_. A demo of the ASA integration is available here, just use your email address as both the username and password and you'll be walked through enrollment and authentication:

http://demo-cisco.duosecurity.com/

Regards,

Jon Oberheide