I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters. I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!
Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall
Requirement: Deploy Remote Access VPN with Two-Factor Authentication
Userbase: 5 - 10 users
VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)
Solution Consideration: Needs to be as low cost as possible!
The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have).
First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"? I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.
Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?
Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this. This will unfortunately require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option? We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).
I agree that 5520's would be overkill for this minor VPN deployment if that was their only intended function; however, the pair are responsible for a much larger role in the perimeter design. The choice for the 5520s stems from other more important design requirements, including that all four network uplinks are GB to ensure the ASA does not represent a throughput bottleneck.
Group certificate authentication was not deemed appropriate for two-factor authentication purposes by our industry security assessors, so per-user certificate authentication was recommended as the alternative.
I have now implemented the AnyConnect solution as planned, with username prefilled per-user certificates and the MS CA and all seems to be operating well. The low cost AnyConnect Essentials licenses provided more than enough functionality to satisfy this configuration.
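For readers arriving at this thread looking for the shape of the finished configuration, the following is an added ASA 8.4-style configuration fragment illustrating the design the poster describes (local username/password as the first factor, a per-user certificate from an internal Windows CA as the second, username pre-filled from the certificate CN, and client traffic restricted to 3389/tcp and 22/tcp on one inside host). It is an editor's example, not the poster's actual configuration. The trustpoint and tunnel-group names, the issuer CN `example-ca`, the inside host `10.0.0.10`, the address pool, the `outside` interface name and the AnyConnect package filename are all assumptions and placeholders.

```text
! Trust the internal Windows CA that issues the per-user certificates.
! After 'crypto ca authenticate' the ASA prompts for the CA's Base64 cert.
crypto ca trustpoint MS-CA
 enrollment terminal
crypto ca authenticate MS-CA

! Only certificates issued by that CA (issuer CN is an assumed value)
! are steered into the 2FA tunnel-group below.
crypto ca certificate map RA-CERT-MAP 10
 issuer-name attr cn eq example-ca

! Local users: the "what you know" factor (passwords are placeholders).
! privilege 0 keeps these accounts from logging in to the ASA itself.
username alice password <placeholder> privilege 0
username bob   password <placeholder> privilege 0

! Addresses handed to connected clients (assumed range).
ip local pool RA-POOL 192.168.250.1-192.168.250.10 mask 255.255.255.0

! vpn-filter ACLs are written with the client as the source and the
! inside network as the destination; only RDP and SFTP to the one host
! are permitted, everything else from the client is dropped.
access-list RA-FILTER extended permit tcp any host 10.0.0.10 eq 3389
access-list RA-FILTER extended permit tcp any host 10.0.0.10 eq 22
access-list SPLIT-RA standard permit host 10.0.0.10

group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value RA-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-RA

tunnel-group RA-2FA type remote-access
tunnel-group RA-2FA general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy GP-RA
tunnel-group RA-2FA webvpn-attributes
 ! Require BOTH a valid certificate and an AAA (local) password.
 authentication aaa certificate
 ! Take the username from the certificate CN so the user only types
 ! the password and cannot pick a different account than the cert's.
 pre-fill-username ssl-client
 username-from-certificate CN

webvpn
 enable outside
 ! Essentials licensing: full-tunnel AnyConnect only, no clientless portal.
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-<version>.pkg 1
 anyconnect enable
 certificate-group-map RA-CERT-MAP 10 RA-2FA
```

Two points a practitioner would check before relying on this: the certificate CN issued by the Windows CA must match the ASA local username exactly, or the pre-fill will name an account that does not exist; and the trustpoint above leaves revocation checking at its default (none), so a revoked user certificate is still accepted until `revocation-check crl` is configured and the ASA can actually reach the CA's CRL distribution point from the inside.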