Cisco AnyConnect

Cisco AnyConnect is a uniform security endpoint agent which deliver multiple security services to protect the enterprise. Also, it provides visibility along with the control which is required you to identify who and which devices are accessing the extended enterprise.

You can enable two-factor authentication (2FA) for your Cisco AnyConnect Managed AD directory to increase security level. When you enable 2FA, your users enter their username and password (first factor) as usual, and they have to enter an authentication code (the second factor) which will share on your virtual or hardware 2FA solution. To enable 2FA you can enable RADIUS authentication in Cisco AnyConnect and configure policies in miniOrange to enable or disable 2FA for users.

miniOrange 2FA for VPN Login

The 2-factor authentication can be of two types depending on the VPN clients.

• VPN Clients that support RADIUS Challenge.
• VPN Clients that do not support RADIUS Challenge.

• First step is user's username & password get validated against the credentials stored in Active Directory and 2nd request sends a success response, this request is sent to validate the 2-factor authentication of the user, on successful authentication user is granted access to the application.
• Authentication methods : All Authentication methods supported by miniOrange. Software Token, Push Notification, OTP over Email to name a few.
• RADIUS Clients that support this authentication type:
  -> OpenVPN
  -> Palo Alto
  -> Fortinet
  -> Cisco AnyConnect




Enable Two-Factor Authentication for Cisco AnyConnect with miniOrange

Guidelines to configure RADIUS authentication in Cisco AnyConnect Secure Connect with miniOrange.




Step 1: Add the Radius Client in miniOrange

• Login into the Admin Dashboard.
• Click on Apps >> Manage Apps.
• Click on Configure Apps.
• Select Radius tab and select Radius Client.




• Configure details below to add Radius Client.

Client Name:	Cisco AnyConnect Secure or any other name for your reference
Client IP:	IP address of Cisco AnyConnect Secure VPN server which will send Radius authentication request
Shared Secret:	Security key (Keep this with you, you will need to configure same in Cisco AnyConnect Secure)

• Click on Save.





Step 2: Enable 2 factor authentication

• Click on Policies tab >> App Authentication Policy.




• Click on Add Policy tab
• In Step 1 Select “Cisco AnyConnect Secure” in Application section.
• In Step 2 Select “DEFAULT” in Group Name and enter Policy name as “Cisco AnyConnect Secure” add policy then Select First factor as “PASSWORD”.
• Enable Second factor then click on Save.




Step 3: Setup LDAP authentication ( OPTIONAL)

• Select User Stores then click on Add User Store.





• Select “AD/LDAP” tab and configure it with your LDAP settings.





Area	Field value
Directory Type	Active Directory or your directory type
LDAP Server URL	Your AD server URL or IP address
Bind Account DN	Click on AD FS>>Domain>>respective Users>> Properties>>Attribute Editor then copy the value of distinguishedName & paste it against Bind Account DN.
Bind Account Password	Password for Bind user account above
Search Bases	Search Base is a user search location. It means where to search for a user.Example: cn=users,dc=miniorange,dc=com
Search Filter	If you want to add extra conditions on user search you can add it in Search Filter.Example:(&(objectClass=*)(mail=?))(&(objectClass=*)(samaccountname=?))

• Enable “Active LDAP” and “Sync user in miniOrange” option and click on save.




• Click on Test Configuration to check whether you have enter valid details. For that, it will ask for username & password.




• After this, it will show you the list of User stores. Click on “ Make Default “.






Step 4: Configure Cisco AnyConnect with miniOrange RADIUS server

• Login to Cisco ASA ASDM.




• Click on AAA Local Users >> AAA Server Groups >> Add.





Property	Explanation
Accounting Mode	Indicates how accounting messages are sent. Recommended single mode.
Reactivation Mode	Specifies the method by which failed servers are reactivated.
Dead Time	Time for which a RADIUS server is skipped over by transaction requests
Max Failed Attempts	Maximum number of retransmission attempts. Recommended 1.

• Select "Protocol" as RADIUS then Click on "Add".
• Select the newly created group and Under Servers in the Selected Group click on Add .




Property	Explanation	Example
Interface Name	Name of protected Cisco interface.	inside
Timeout	Authentication timeout.	60
Server Authentication Port	RADIUS authentication port.	It should be 1812
Server Accounting Port	RADIUS accounting port	It should be 1813
Retry Interval	Length of time between retries	5
Server Secret Key	It shared between the miniOrange RADIUS Connector and its client
Microsoft CHAPv2 Capable	Whether or not the RADIUS server uses CHAPv2.	It should be unchecked

• Click on Clientless SSL VPN Access >> Connection Profiles.
• Select Default WEB VPNGroup and click on Edit.




• For the AAA Server Group select group made in steps 3-5.
• Click on Ok .



Step 5 : Configure Timeout for Cisco Anyconnect

Cisco AnyConnect client will timeout after 12 seconds on Windows and after 30 seconds on Mac OS X by default.


• Click on AnyConnect Client Profile then click on Add button .





• Uncheck Auto Reconnect option.





• In the sidebar, click on Preferences(Cont) and scroll down then enter 60 for Authentication Timeout Values (or 10 seconds longer than the AAA RADIUS server timeout and 20 seconds longer than the LoginTC RADIUS Connector Request Timeout)




• Click on Ok .
• In the sidebar, click on Server List >> Add to add a server.




• Enter the FQDN of your Cisco ASA VPN exposed end-point in the Hostname and a hostname or IP Address in the Host Address then click on ok .



• Click on Apply .
• Click on Group Policies which is under Network (Client) Access.
• Click on the group policy which you have assigned to your VPN (e.g. DfltGrpPolicy).




• Under Advanced >> AnyConnect Client Select your profile.


• Click on Configuer >> Remote Access VPN >> Network (Client) Access >> AnyConnect Customization/Localization >> GUI Text and Messages.
• Now, Edit the language file as msgid for "Second Password" and msgstr for "VIP Access Security Code"

Step 6 : miniOrange 2FA for Cisco AnyConnect Login



• Connect to Cisco Cisco AnyConnect.
• Enter Username, Password and Second Password.




For Further Details:

Two Factor authentication
Clientless VPN SSL
Configure Cisco AnyConnect Secure Mobility Client