ASA Group Lock (LOCAL & AAA) with Cisco DUO Multifactor Authentication

In this Video we will see how to configure Group-Lock feature with Cisco DUO on the ASA with Local & AAA (ISE) authentication. TIMESTAMPS INTRO ====== 0:00 Intro To The Topic 0:35 Topics Covered OVERVIEW ========= 1:51 Overview Of The Lab 7:32 The Problem Without Group-Lock LOCAL GROUP-LOCK ================= 8:29 Local Group Lock 9:49 Tunnel Group Lock Test DUO DESIGNS =========== 10:09 DUO Designs DUO LDAPS ========== 13:29 DUO LDAP Design 14:13 Rounds Of Authentication 15:05 LDAP Configuration 19:58 Testing LDAPS 23:00 Configure Second Round Of Authentication (DUO) 25:51 Testing Group-Lock with DUO (LOCAL) GROUP-LOCK with Cisco ISE (AAA) ======================= 29:51 Primary Authentication With Cisco ISE WEB LINKS ========== BLOG Link: https://doctornetworks.net/asa-tunnel... DUO-LDAP Documentation ======================= https://duo.com/docs/ciscoasa-ldap Using Cisco DUO's Radius Proxy has some limitations, it cannot push back radius attributes to you Firewall. That poses a problem if you want to use the group locking feature with it. Now instead of using the SSL VPN design with Radius of DUO, you need to implement SSL VPN Design with LDAPS for DUO in order to make tunnel group locking possible on the ASA. We will first perform local group lock on the ASA & test it. Then we will configure LDAPS for the Anyconnect VPN clients. Now with LDAPS method of DUO, the problem is people don’t understand how authentication works in this case. Lets break it down: – Primary Authentication (LOCAL or AAA) – Secondary Authentication (DUO Cloud) The first round of authentication is done either locally or via a AAA server like ACS/ISE. The second round of authentication is done via the DUO cloud. Now as the first round’s authentication can be LOCAL, we can leverage the “GROUP LOCK” feature here. that ties the user to a specific tunnel group. In the second round of authentication, the same username will be sent to the DUO cloud with either of the following DUO authentication mechanism: – PUSH – SMS – PHONE – NUMERIC CODE Lets create a username with “Group Lock”. The below commands are implemented sitting on the “Global Configuration” mode of the ASA. e.g. ASA(Config)# username ahmed password Cisco@1234 username ahmed attributes group-lock value TG-ONE Okay that takes care of the tunnel lock, as we haven’t defined any “Authentication” mechanisms in the tunnel group “TG-ONE”, the default authentication method is LOCAL. Now, lets look at how to configure the second round of authentication. The below commands are implemented sitting on the “Global Configuration” mode of the ASA. e.g. ASA(Config)# aaa-server DUO-LDAP protocol ldap aaa-server DUO-LDAP (outside) host api-beb486a3.duosecurity.com timeout 60 server-port 636 ldap-base-dn dc=DIX5VBLYL2H0LE6R5Z86,dc=duosecurity,dc=com ldap-naming-attribute cn ldap-login-password (Secret KEY of DUO) ldap-login-dn dc=DIX5VBLYL2H0LE6R5Z86,dc=duosecurity,dc=com ldap-over-ssl enable