Cisco ASA webpage password selection

Vasiliy P
Level 1

Hello, friends.
We have encountered a very interesting problem.
We have a page on the Internet through which passwords are being collected, and as a consequence users are blocked on RADIUS. We need this page to allow users to download the AnyConnect client program for different operating systems.
We realize that we can block this page, but that would add to our problems.
Can you tell me if anyone has encountered a solution to this problem?
Is it possible to solve this problem in this way: authorization under a common login and password not related to profiles and RADIUS (local AAA)?

3 Replies

balaji.bandi
Hall of Fame

You can disable it and try using any MDM or SCCM to distribute the VPN packages to devices. Does this work?

BB


Hello, can you show an example of how to do it or send me a link to the instructions please?

tvotna
Spotlight

This issue has been discussed many times on this forum. Switching to LOCAL AAA won't help much in the sense that intruders will continue trying to guess passwords of users configured locally on the ASA. If passwords are complex, they won't succeed. The ASA won't lock out corresponding accounts by default. In this sense switching to LOCAL will help.

The comprehensive solution is to 1) upgrade the ASA to a release with corresponding WebVPN vulnerabilities fixed; 2) use certificate authentication in default tunnel groups (connection profiles); 3) not use default tunnel groups for connections and create your own tunnel groups instead; 4) not use group-alias binding method and use group-url method instead; 5) use cert+AAA authentication for users if possible; 6) for AAA component of cert+AAA authentication use OTP.

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html
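
The configuration items listed in the reply above, sketched as an ASA configuration fragment. This is an added example, not part of the original posts or the linked Cisco document; the names EXAMPLE-VPN and EXAMPLE-OTP-RADIUS and the host vpn.example.com are constructed, and the address pool, group policy, identity trustpoint and RADIUS server definition are assumed to exist already.

```cisco
! Added example with constructed names (EXAMPLE-VPN, EXAMPLE-OTP-RADIUS,
! vpn.example.com); adapt and test before use.
!
! Default connection profiles: certificate authentication only, so a
! username/password attempt that lands here is never passed to RADIUS
! and cannot lock an account.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
tunnel-group DefaultRAGroup webvpn-attributes
 authentication certificate
!
! Dedicated connection profile for real users instead of the defaults.
tunnel-group EXAMPLE-VPN type remote-access
tunnel-group EXAMPLE-VPN general-attributes
 ! AAA leg of cert+AAA: a RADIUS server group that validates one-time
 ! passwords (assumed to be defined elsewhere in the configuration).
 authentication-server-group EXAMPLE-OTP-RADIUS
tunnel-group EXAMPLE-VPN webvpn-attributes
 ! Require both a client certificate and AAA credentials.
 authentication aaa certificate
 ! Bind the profile by URL rather than by a group-alias.
 group-url https://vpn.example.com/example-vpn enable
!
! Do not present the connection profile (group-alias) list on the login page.
webvpn
 no tunnel-group-list enable
```

After applying a change like this, `show running-config tunnel-group` and `show running-config webvpn` confirm which authentication method each connection profile uses and that no group-alias list is offered.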