I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters. I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!
Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall
Requirement: Deploy Remote Access VPN with Two-Factor Authentication
Userbase: 5 - 10 users
VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)
Solution Consideration: Needs to be as low cost as possible!
The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have) - does this seem feasible?
I also have three queries:
First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"? I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.
Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?
Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this. This will unfortunately require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option? We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).
Also, apologies for the cross-post; I'd originally posted this in the "Remote Access" forums but there doesn't appear to be much activity there and I didn't receive a response.
This is my personal opinion and not Cisco best practice or anything like this.
You do not want to find yourself in a situation where you need to open up a TAC case because you had a crash on a device which has Local CA and failover enabled. If the problem will be with Local CA crashing the box TAC can tell you this is not a supported setup and you should disable this feature.
That's why I think, if HA is a function here, better go for CA on MS server (you can enable SCEP - MSCEP and have an easy enrollment). MS CA server requires some tweaking and might allow flexibility when applying some standards, but is usually considered quite standard.
IPsec does support AAA and cert authentication.
Cert authentication is authenticating the group in MM5/MM6 while AAA is used in xauth/modeconfig to authenticate the user.
One thing to remember though is that Anyconnect will eventually take over old IPsec client's throne. New anyconnect has IKEv2 capabilities (although proprietary for now). If you plan to have this setup running for a while, check behavior with IPsec, but consider testing with anyconnect for long term/multiplatform support.
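The layout this reply describes (ASA enrolled by SCEP against a Microsoft CA, certificate authentication in Main Mode, xauth against the LOCAL database as the second factor, and a vpn-filter restricting the tunnel to the two ports on the one inside host), written out as an ASA 8.4 configuration sketch. This is an added example, not configuration from the thread or from Cisco; the SCEP URL, the OU value, the pool, the inside host 10.1.1.50 and all object names are placeholders.

```text
! Exec mode first: crypto key generate rsa label RA-KEY modulus 2048
! Trustpoint enrolled over SCEP against the Windows CA (URL is a placeholder)
crypto ca trustpoint MS-CA
 enrollment url http://ca.corp.example/certsrv/mscep/mscep.dll
 subject-name CN=asa-vpn.corp.example
 keypair RA-KEY
 revocation-check crl
! Exec mode: crypto ca authenticate MS-CA, then crypto ca enroll MS-CA
!
! Only user certificates issued with OU=VPN-Users are mapped to this tunnel-group
crypto ca certificate map RA-CERT-MAP 10
 subject-name attr ou eq VPN-Users
tunnel-group-map enable rules
tunnel-group-map RA-CERT-MAP 10 RA-IPSEC
!
! IKEv1 phase 1 authenticated by certificate (rsa-sig), not a group pre-shared key
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
!
! Client address pool and a vpn-filter permitting only RDP and SFTP to the inside host
ip local pool RA-POOL 10.99.0.10-10.99.0.20 mask 255.255.255.0
access-list RA-VPN-FILTER extended permit tcp any host 10.1.1.50 eq 3389
access-list RA-VPN-FILTER extended permit tcp any host 10.1.1.50 eq 22
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value RA-VPN-FILTER
!
! Second factor: xauth against the local user database (one entry per user)
username alice password <set-a-strong-password> privilege 0
username alice attributes
 vpn-group-policy RA-GP
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-IPSEC ipsec-attributes
 ikev1 trust-point MS-CA
 ikev1 user-authentication xauth
```

With revocation-check crl the ASA must be able to reach the CA's CRL distribution point from the inside, otherwise certificate validation (and every VPN login) fails; revoking a user's certificate at the CA is then what disables the "what you have" factor.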
It's low-cost: first 10 users are free and only $3/user/month after the first 10, so your service would be _free_. A demo of the ASA integration is available here, just use your email address as both the username and password and you'll be walked through enrollment and authentication: