12-14-2010 01:16 PM
Hi,
My client is looking for phonefactor two way authentication integration with Cisco ASA, Anybody has done this integration with ASA ?
Thanks.
12-14-2010 01:58 PM
Unfortunately ASA does not support "native" integration with phone factor 2 factor authentication.
Please kindly find the following on what authentication is supported on ASA for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_aaa.html
12-14-2010 02:38 PM
PhoneFactor absolutely works with Cisco ASA and is a very common implementation for them. First, you install the PhoneFactor Agent on a Windows server that is joined to your domain behind your firewall. Once installed and activated, you configure a RADIUS client within the Agent with the Cisco ASA's IP address. You also specify the shared secret that will be used for your RADIUS target in the ASA. You then go into the Cisco ASA and configure the RADIUS authentication target which points to the PhoneFactor Agent. You specify the PhoneFactor Agent's IP address and the same shared secret configured in the PhoneFactor Agent. You must also set the RADIUS timeout to at least 30 seconds (45 recommended) so that you have enough time to complete the two-factor authentication before the ASA times out.
If you are pulling group membership from Active Directory or using an LDAP target for your user store, you could use LDAP authentication instead of RADIUS authentication. If you contact PhoneFactor (1.877.668.6536), they can provide documentation and/or assistance on how to setup the PhoneFactor Agent to receive the RADIUS or LDAP authentication requests from the ASA.
12-14-2010 02:41 PM
Great, thanks Shawn for sharing. Great explaination too..
12-14-2010 10:27 PM
Hi Shawn,
Thanks for your reply. So, for my clarification, I have to setup the RADIUS server host on ASA pointing to the phonefactor agent address and the secret key.
aaa-server phonefactor host 1.1.1.1 (IP address of the Phonefactor agent)
key cisco
authentication-port 1812
accounting-port 1813
Thanks.
12-15-2010 07:41 AM
That is correct. The ASA will then send its RADIUS authentication request to the PhoneFactor Agent. If PhoneFactor has been configured to receive the RADIUS request from that client, it can then validate the username and password provided by the ASA against Active Directory, another LDAP target or another RADIUS server. If those first-factor credentials are correct, it will then perform the second-factor authentication by calling the phone of the user who is logging in.
12-22-2010 01:47 PM
Hi Shawn,
We did configure the ASA with the folowing config:
aaa-server RadiusServers (inside) host 172.16.1.100 (Phonefactor agent address)
timeout 60
key cisco
authentication-port 1812
accounting-port 1813
and on Phone factor aggent we did configure ASA's inside interface address and the key cisco. The problem is the phone factor agent is not getting any request from ASA. Anything I need to check on the ASA or at the agent?
Thanks.
12-22-2010 02:08 PM
If there are any firewalls in between the ASA and the PhoneFactor Agent, the RADIUS ports (1812, 1813) must be open in them. To determine whether the PhoneFactor Agent is receiving the RADIUS request or not, you should check the PhoneFactorRadiusSvc.log in the C:\Program Files\PhoneFactor\Logs folder (assuming you installed in the default location and have enabled RADIUS Authentication in the Agent). If the Agent is receiving the RADIUS request, but authentication is failing, please contact your PhoneFactor sale representative who can have a sales engineer take a look and help you determine what is not configured correctly.
12-22-2010 02:28 PM
Hi Shawn,
There is no oher firewall in between and we have checked the log file. It shows that no request is coming from the ASA rather than it shows the request is coming from another windows server (which is not configured to send any request to phone factor) . Any idea?
12-22-2010 02:47 PM
Are you sure of your IP addresses? Do the RADIUS requests you see in the PhoneFactor logs correspond with the times you have tried to authenticate through the ASA? Do the ASA logs give you and indication of what happens when you try to login? If the IP addresses are correct, the ASA should be sending its RADIUS request to PhoneFactor, and PhoneFactor should be listening for the RADIUS request from that client. Just for kicks, try adding the IP address that you are seeing in the PhoneFactor RADIUS log as a RADIUS client in the agent, try your authentication and see if it goes through. If you are still stuck, call PhoneFactor and ask them to have a Sales Engineer or Support Engineer walk through your configuration with you via WebEx. It sounds like something simple isn't configured quite right.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide