Knowledgebase business article search

How do I configure my Cisco® ASA IPSec device for use with ESET Secure Authentication?

Solution

Introduction


This article describes how to configure a Cisco® ASA IPSec deviceto authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your Cisco® ASA IPSec device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Cisco® ASA IPSec device. Once these configurations have been specified, you can start logging into your Cisco® ASA IPSec device using ESA OTPs.

NOTE:

This integration guide utilizes VPN does not validate AD user name and password VPN type for this particular VPN appliance. If you wish to utilize other VPN type, refer to generic description of VPN types and verify with the vendor if the VPN appliance supports it.

Step I - RADIUS client configuration


To allow the Cisco® ASA IPSec device to communicate with your ESA Server, you must configure the Cisco® ASA IPSec device as a RADIUS client on your ESA Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1).

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Mobile Application is selected.

Figure 1-1

ESA has now been configured to communicate with the Cisco® ASA IPSec device. You must now configure the Cisco® ASA IPSec device to communicate with the ESA Server.

Step II - Configue your Cisco® ASA device


Follow the steps below:

  1. Log into your Adaptime Services Device Manager.
  2. Navigate to Configuration Remote Access VPN.
  3. Click Network (client) Access, → IPSec(IKEv1) Connection Profiles.
  4. Create a new Connection Profile:
    1. Navigate to the Basic tab of the IPSec Remote Access Connection Profile window.
    2. Under IKE Peer Authentication, enter the pre-shared key that will be entered into each end-user's VPN client. It should be a strong password.
    3. click Manage in the Authentication section.
    4. click Add under AAA Service Groups.
    5. Enter a name for your new group (for example, ESA-RADIUS), ensure that the protocol is set to RADIUS and then click OK.
    6. Select your Server Group and click Add in the Servers in selected group panel.
    7. Set the following parameters to the values shown below (see Figure 2-1):
      1. Interface Name: The ASA interface on which your ESA RADIUS server may be reached
      2. Server Name or IP Address: The hostname/IP address of your ESA RADIUS server
      3. Timeout: 30 seconds
      4. Server Authentication Port: 1812
      5. Server Account Port: N/A since ESA does not support RADIUS accountint, but set to 1813
      6. Retry Interval: 10 seconds
      7. Server Secret Key: The shared secret from your RADIUS server (see Figure 1-1)
      8. Microsoft CHAPv2 Capable: Not selected
    8. Click OK.
    9. Click OK.
    10. Click PPP in the left panel and ensure that only PAP is selected.
    11. Click Client Address Assignment:
      1. Select or create the DHCP pool you want to use.
      2. Click OK.
    12. Click the Default Group Policy section:
      1. Select the policy you want to use.
      2. Verify that Enable IPSec Protocol and Enable L2TP IPSec Protocol are selected.
    13. Click OK.

Figure 2-1

Step III - Test the connection


To test the newly configured connection:

  1. Make sure your VPN client is configured correctly:
    1. Verify that the Group Authentication radio button is selected in the Authentication tab of the VPN client's connection properties.
    2. Make sure that the pre-shared key used in step 4-b is entered into both password fields.
  2. Connect to your IPSec VPN using an account with Mobile Application 2FA using ESA enabled. When prompted for a password, append the OTP generated by the Mobile Application to your AD password. For example, if the user has an AD password of Esa123 and an OTP of 999111, type Esa123999111.

 

Troubleshooting

If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the Verifying ESA RADIUS Functionality document.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server
  4. If you are still unable to connect, contact ESET technical support.


Was this information helpful?