Cisco ASA VPN Two-Factor Authentication


TWO-FACTOR AUTHENTICATION OVERVIEW

SecSign ID is a system for real two-factor authentication (2FA) for Cisco ASA VPNs. 2FA adds another layer of security by using a second token. In this case the physical token is your smartphone.


External access to company networks becomes more important every day. Encryption for the data transfer is important to ensure confidentiality on every level.

One factor that has to be considered is the reuse of the same password by users for several different, sometimes even personal, purposes. If such a password has been compromised, it may be used to gain access to the company network and sensitive information, especially where VPN connections are used. The same problem arises for passwords that are not complex enough. It is difficult for administrators to enforce and control the use of safe passwords, and users have difficulty memorizing new and complex passwords. But the company network is only as secure as its weakest password.

These problems can be avoided by offering an additional layer of security with two-factor authentication. The VPN login has to be confirmed with the smartphone in addition to providing user name and password. Attackers cannot gain access by exploiting weak passwords or guessing credentials.

SecSign ID does not only protect the login but also the second factor, the smartphone. The authentication can only be confirmed if the user provides the PIN or biometric information. Specifics like IP address, service name and other information can be reviewed to monitor and limit which services the user authenticates to.

By providing two security levels neither a stolen password nor a stolen smartphone allows attackers to obtain access to the network without knowing the additional PIN or providing the biometric information. In case of a lost or stolen device the user can disable the SecSign ID remotely as an additional security feature.

The SecSign ID authentication works as follows:

  1. The user logs into the VPN service with his user name and password. If user name and password are correct the SecSign ID is automatically retrieved.
  2. The VPN Service sends an authentication request for the identified SecSign ID to the ID Server.
  3. The ID Server sends a push notification to the user's device.
  4. The user confirms the login in the mobile app. The app forwards the information to the ID Server to approve the login.
  5. The VPN service reviews the authentication session and the ID server confirms the admission.
  6. The user gains access to the service.


Cisco VPN Variants and Clients

The Cisco ASA series is a commonly used security appliance. It consists of an external firewall which controls the connections between two networks. It aims to restrict network access based on source or destination address and the service used. Data transfer is monitored and the passage of data packets is managed based on a configured set of rules. This way, unauthorized network access is prevented. The ASA box uses either IPsec or SSL to secure the VPN.

The most cost effective solution for the cooperation between two companies is the IPsec VPN. This method establishes a tunnel between both firewalls, protecting the entire route between firewall A and firewall B. A specific set of rules limits the access of either party on the essential resources and accesses.

SSL VPN distinguishes between clientless and fat-client variants. Clientless SSL VPN offers a secure connection to resources in the company network via SSL/TLS and a web browser. Remote access via a VPN tunnel to an ASA device is created and the user needs no software other than the web browser. Intranet web applications, data transfer via NT/Active Directory, email proxies and other services are readily available with this solution. The fat client needs to be installed on the client system and offers more functionality, for example assigning static routes, implementing a virtual network card, or port rerouting.

AnyConnect Secure Mobility Client is the most widely used Cisco VPN client. It is available as a desktop application for Windows, Linux and Mac as well as a mobile version for Windows Phone, Android and iOS.

The following example shows how to secure a virtual private network with the ASA box. The additional integration of SecSign ID provides a distinctly higher degree of security by requiring the user of the external AnyConnect Secure Mobility Client to confirm the login on their smartphone.


System Overview and Requirements


  1. The VPN user connects to the internet and launches the Cisco AnyConnect Client to establish an SSL or IPsec VPN connection with the intranet. The request is routed to the ASA box's "outside" interface.
  2. The ASA box sends a RADIUS request to the SecSign ID RADIUS Proxy to authenticate and authorize the user.
  3. The SecSign ID RADIUS Proxy sends a RADIUS request with user name and password to the RADIUS Forward Server.
  4. The RADIUS Forward Server uses the Active Directory to determine if the user is permitted to join the company network. If the clearance is provided the RADIUS Server sends a confirmation to the SecSign ID RADIUS Proxy.
  5. The SecSign ID RADIUS Proxy requests the SecSign ID of the VPN user from the Active Directory based on the user name.
  6. If a SecSign ID is assigned, it is transmitted back to the SecSign ID RADIUS Proxy.
  7. The SecSign ID RADIUS Proxy contacts the ID Server with the determined SecSign ID to perform the two-factor authentication. The ID Server sends a push notification to the user's smartphone.
  8. The ID Server adjusts the status of the authentication session as soon as the user confirms the login in the mobile app. The SecSign ID RADIUS Proxy inquires on the status of the login at frequent intervals.
  9. A RADIUS confirmation is sent to the ASA box as soon as the login is confirmed.
  10. The ASA box grants access to the client for the VPN.
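The proxy's decision logic from steps 2 to 9 above (and the shorter six-step flow in the overview), as an added Python model that is not SecSign's or Cisco's code: the backends, session names and status strings are constructed stand-ins, and the model shows the four rejections a practitioner should expect, a wrong password, no SecSign ID in AD, a denial in the app, and no answer before the poll limit.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Backends:
    """Constructed stand-ins (hypothetical) for the forward RADIUS server with AD, the AD SecSign ID attribute and the ID Server."""
    passwords: dict    # forward RADIUS server / AD: user name -> password
    secsign_ids: dict  # AD attribute: user name -> SecSign ID
    id_server: dict    # ID Server: session -> "accepted" | "denied" (anything else is pending)
    pushes: list = field(default_factory=list)  # push notifications sent so far

    def forward_radius(self, user, password):   # steps 3-4
        return self.passwords.get(user) == password

    def lookup_secsign_id(self, user):          # steps 5-6
        return self.secsign_ids.get(user)

    def request_auth(self, secsign_id):         # step 7: push to the smartphone
        self.pushes.append(secsign_id)
        return "sess-" + secsign_id

    def poll(self, session):                    # step 8: proxy asks for the status
        return self.id_server.get(session, "pending")

def proxy_authenticate(backends, user, password, max_polls=5, interval=0.0):
    """One RADIUS request from the ASA (step 2) -> reply (step 9). The push goes out
    only after the password was accepted; a user with no SecSign ID in AD is rejected."""
    if not backends.forward_radius(user, password):
        return "Access-Reject", "password rejected by forward RADIUS server"
    secsign_id = backends.lookup_secsign_id(user)
    if secsign_id is None:
        return "Access-Reject", "no SecSign ID assigned in Active Directory"
    session = backends.request_auth(secsign_id)
    for _ in range(max_polls):                  # poll at frequent intervals
        status = backends.poll(session)
        if status == "accepted":
            return "Access-Accept", "login confirmed in the mobile app"
        if status == "denied":
            return "Access-Reject", "login denied in the mobile app"
        time.sleep(interval)
    return "Access-Reject", "no confirmation before the proxy timed out"

def demo():
    """Constructed data: alice approves, bob has no SecSign ID, carol denies, dave never answers."""
    b = Backends({"alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d"},
                 {"alice": "alice.id", "carol": "carol.id", "dave": "dave.id"},
                 {"sess-alice.id": "accepted", "sess-carol.id": "denied"})
    attempts = [("alice", "wrong"), ("alice", "pw-a"), ("bob", "pw-b"),
                ("carol", "pw-c"), ("dave", "pw-d")]
    return [(u, proxy_authenticate(b, u, p)[0]) for u, p in attempts], b.pushes
```

Because the proxy answers the ASA only after the user has acted on the push (or the poll limit is reached), the ASA's own RADIUS timeout for that server has to cover the whole polling phase.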

Is it possible for Cisco Clients like AnyConnect to display the familiar SecSign ID access pass?

Unfortunately it is not possible; we have no influence on the clients to show icons or similar identification symbols. In this case, no access pass is displayed and the login on the smartphone is performed without an access pass. Instead, information about the login such as service name, IP address and other specifications is displayed after the PIN or biometric information has been provided. The user retains control over which services are authorized.

The access pass can be omitted since the Active Directory user name and corresponding password are also required, securing the login with a two-step 2FA.

Requirements for the SecSign ID integration

The network to be secured needs to offer an ASA or ASAv security appliance that makes access via SSL or IPsec VPN possible. The ASA security appliance should communicate with a RADIUS server to authenticate Active Directory users.

Make sure SecSign ID is compatible with the ASA version you use before you integrate it.

Log in to your Cisco ASDM interface and ensure the ASA firmware is version 8 or newer. That way the integration can communicate with the SecSign ID service via port 443.

You will need the SecSignID RADIUS Proxy for the secured communication between ASA Box and RADIUS. More information on the RADIUS Proxy can be found in the RADIUS tutorial.

Virtualization and ASA setup

The Cisco ASA security appliance is available as hardware and as a virtualised software version, ASAv. ASAv can be readily integrated in virtual environments and is provided by Amazon Web Services or can be installed in local test labs. With an existing Cisco service agreement the virtual ASA box can be downloaded via Cisco.

The virtualisation is based on its own OS and thus requires a bare-metal server and a hypervisor (VMware ESXi). Any additional software is available as a free evaluation version:


  1. To realise the virtualisation in a test lab, VMware Fusion has to be installed and VMware vSphere Hypervisor (ESXi) has to be added as a virtual machine.

  2. System control is easier with the ESXi embedded Host Client (URL: https://ESXi-Host-IP/ui/#/login).

  3. Three networks, or port groups respectively, are generated: management, inside, outside.


  4. The company test server is a Windows 2012 Server (C) installed on ESXi and added to the inside network. It acts as domain controller and provides the Active Directory. A new test user is created.

  5. Additionally, two Windows 7 or Windows Server machines (B and D) are installed on ESXi. Machine B is added to the inside net, the other one to the outside net. Java is installed on both.

  6. The vCenter Client is installed on machine D (type the ESXi host address into the browser and follow the installation prompts).

  7. Now Cisco ASAv is installed on ESXi. The vCenter Client is started on machine D to install the Cisco OVF file as a virtual machine on the ESXi host. The networks are assigned to the interfaces in ASAv in the following order: 0: management, 1: inside, 2: outside. The interface IP configuration and the basic configuration are as follows:

[Figure: ASAv interface IP configuration and basic configuration]

  8. The ASAv inside interface IP can now be entered in the browser on machine B. The ASDM launcher should boot and start the installation process. An SSL or IPsec VPN can be built with the ASDM wizard. A local ASAv user is created and can then test the VPN connection from an external AnyConnect client (E). To do so, the IP address of the ASAv box's outside interface is retrieved.

  9. The Windows Server C acts as RADIUS server on port 1812; more information on the RADIUS setup can be found in the video tutorial Cisco ASA Training 101: RADIUS.

  10. The ASAv box and the RADIUS server are now acquainted with each other; more information on the ASAv box and RADIUS setup can be found in the second video tutorial Cisco ASA Training 101: ASA & RADIUS.

One can now authenticate a user in the VPN via the external AnyConnect Client (E) with the Active Directory name.


  11. Yet the login process is still based on simple passwords until the SecSign RADIUS Proxy is added to machine B. The proxy is a Java application and can be requested here.

More information on the RADIUS proxy setup can be found in this tutorial. Machine B requires a connection to the SecSign Server for the two-factor authentication. Ideally this server is operated on premise within the internal company network. The public server (id1.secsign.com:443) can be used as well, though one has to ensure the ASAv box does not limit the internet connection for machine B.


  12. The Windows Server C acts as forward RADIUS server. The RADIUS Proxy (B) is registered as RADIUS client, allowing the ASAv box to be deleted as a client. The SecSign ID (SecSign ID user name in Active Directory) is added to Active Directory, thus the test user (see 4.) is assigned its SecSign ID.

With the next update of the SecSign ID RADIUS Proxy, self-enrollment will be possible for the user. If a user is authenticated with user name and password but no SecSign ID is associated, they will be able to add their ID independently.

The external AnyConnect Client can retrieve the IP of the ASAv outside interfaces when all services and servers are started (machine A, B and RADIUS proxy, C and AD, RADIUS) to start the authentication.

Troubleshooting

The AnyConnect client may cancel the VPN connection after a couple of seconds and crash when trying to reset the connection. This issue can be fixed by adjusting the MTU value of the Client OS to 1200.

The Windows firewalls need to be customized accordingly to prevent issues with the connection.

The SecSign ID RADIUS proxy requires a connection to the SecSign ID Server. If the public authentication server is used it has to be available on port 443.

The ASA Box has to forward RADIUS requests for authentication to the SecSign ID RADIUS Server and needs to be configured accordingly. It does not need to be aware of the actual RADIUS server with Active Directory connection.

To find the SecSign ID corresponding to a specific user, the SecSign ID RADIUS proxy needs access to the Active Directory. A new user is created and the corresponding information is added to the SecSign ID RADIUS proxy configuration file.

Keywords: two-factor authentication, 2fa, SecSign ID, Cisco, ASA, VPN, ASDM, ESXi