1233 Views | 5 Helpful | 1 Reply

Best practices for VPN authentication

spfister336
Level 2

We are using a pair of ASA 5525Xs for remote access and site-to-site VPN. Currently, remote access VPN users are authenticated with a local database on the ASA. We are thinking of changes to how we're set up. One thing we're considering is to start using client identity certificates to stop VPN account use by unauthorized computers. Another idea is to change from local authentication to Active Directory authentication. We were wondering about what the best practices are.

- Are there any drawbacks to using AD credentials to authenticate VPN users also?

- Should our ASAs authenticate directly against AD, or should we use an ISE server and use AD as an external source? We don't have an ISE server currently, but were considering it to replace our old TACACS+ server.


1 Reply

@spfister336 

Using MFA/2FA would be the most secure. You could configure AAA (RADIUS/AD/LDAP) and MFA (such as Duo or Okta, etc.).


You could also combine AAA with a user certificate; the presence of a user certificate would be enough to confirm that the device connecting to the VPN is AD domain-joined and a corporate-owned asset. The user certificates can be pushed to the corp laptops automatically using Windows GPO.


You should configure the ASA to authenticate directly to ISE; ISE can authenticate to AD as an external identity store. If you use RADIUS you can also dynamically authorise by AD user group, and apply different settings (IP Pool, Group Policy, DACL) dynamically. You would also be able to run posture checks (to confirm the corp AV/FW is running). You cannot do this if you just authenticate to AD directly or use local ASA accounts.


Also consider running ASA 9.12+ and AnyConnect 4.7+, as combined they both support DTLS 1.2, which provides the best performance.


HTH
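To make the design in the reply concrete, here is an ASA configuration fragment in the shape it describes: a RADIUS server group pointing at ISE (which uses AD as its external identity store, so no AD credentials live on the ASA), certificate plus AAA authentication on the tunnel group, dynamic authorization enabled so ISE can push per-group attributes and CoA after posture checks, and DTLS enabled. This is an added example, not configuration from the thread or from Cisco; the server group name, trustpoint, tunnel group, pool, interface names, the 192.0.2.10 address and the shared secret are placeholders, and the `ssl server-version` line is my assumption of the syntax for enabling DTLS 1.2, so check it against your ASA release.

```cisco
! Added example, not from the original thread. All names, addresses and the
! shared secret are placeholders.

! RADIUS server group for ISE. dynamic-authorization lets ISE send CoA
! (e.g. after a posture result) to change the session's authorization.
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Trustpoint holding the internal CA that issues the user certificates
! distributed by GPO; the ASA validates the client certificate against it.
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure

! Default pool and group policy. Per-AD-group overrides (pool, group policy,
! DACL) are returned by ISE as RADIUS attributes and take precedence.
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA-POOL

! Tunnel group: client certificate AND AAA (ISE -> AD, with MFA applied in
! ISE/Duo/Okta). Accounting to ISE so it tracks session start/stop.
tunnel-group CORP-RA type remote-access
tunnel-group CORP-RA general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy GP-CORP
tunnel-group CORP-RA webvpn-attributes
 authentication aaa certificate
 group-alias corp enable

! AnyConnect on the outside interface with DTLS. The server-version line
! restricting TLS/DTLS to 1.2 is assumed syntax; verify on your release.
webvpn
 enable outside
 anyconnect enable
 dtls port 443
ssl server-version tlsv1.2 dtlsv1.2
```

The key defensive properties are that a stolen username and password alone cannot connect (the certificate check fails on a non-corporate device), the ASA holds no AD credentials, and authorization decisions are centralised in ISE rather than hard-coded per tunnel group on the firewall.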