Cisco ASA Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for Cisco ASA (Adaptive Security Appliance) utilizing Mirket as the identity provider. Prior configuration and deployment of Cisco ASA are required before setting up MFA with Mirket.

Cisco ASA offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.

This integration was tested with version 9.12(2) of Cisco ASA 5506.

Preparation Steps

Before proceeding with these procedures, ensure the following:

You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).
Cisco AnyClient VPN client users can authenticate via the Cisco ASA with a static password and establish a VPN connection successfully.
You've installed the Cisco AnyConnect Secure Mobility Client application.

Configuring Cisco ASA

Configure the Mirket Radius to the AAA Server Groups

For RADIUS authentication in Cisco ASA, you need to add a RADIUS server (the Mirket server ip address) in the AAA Server Groups.

Follow these steps to configure a RADIUS server:

Launch Cisco Adaptive Security Device Manager (ASDM).

Select the Configuration tab and go to Device Management > Users/AAA > AAA Server Groups.
Then, click on the Add option next to the AAA Server Groups field.
Enter a server group name in the AAA Server Group field.
Choose the "RADIUS" option from the Protocol dropdown list.
Then click on OK to confirm settings to create an AAA server group. Keep the remaining settings as default values.

Choose the AAA Server group you created under the AAA Server Groups list.
Click on the Add option next to the Servers in the Selected Group section to include a AAA Server for the chosen AAA Server group.

Choose the interface for connections to the Mirket (Radius Server) from the Interface Name dropdown list.
Input the IP address of the Mirket (Radius Server) in the Server Name or IP Address field.
Keep the Timeout default value as 10 in the Timeout field.
Input the RADIUS server port in the Server Authentication Port field. The default value of Mirket is set to 1812.
Input the RADIUS server account port in the Server Accounting Port field. The default value of Mirket is set to 1813.
Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the Server Secret Key field. In Mirket use this same secret key when configuring a RADIUS client resource.
Input a password in the Common Password field.

Then click on OK to confirm settings to create an AAA server.

Click on Apply to save changes.

Configure Standard ACL for Mirket User Group

To establish the remote VPN connection, configure an access control list (ACL) within the firewall for the VPN client users. Make sure that the ACL name corresponds with the name of the Mirket group used for authentication.

Go to Firewall > Advanced > Standard ACL. Then click on Add > Add ACL to create an ACL.
Enter a name in the ACL Name field. Note: Make sure that the ACL name corresponds with the name of the Mirket group used for authentication.

Click on OK to confirm settings to create ACL.

Select your ACL and then click on Add > Add ACE to create an ACE within your ACL.
Choose the internal network from the Address dropdown list that VPN client users will access.

Click on OK to confirm the settings to create ACE.

Click on Apply and then click on Save.

VPN Connection Configuration

To set up RADIUS-based authentication in the Cisco ASA, you need to configure a VPN connection. In this instance, we utilize Cisco AnyConnect VPN, a VPN client that establishes a secure, remote-access VPN tunnel to the Cisco ASA.

Create a Group Policy for AnyConnect Connection

Tunnel groups determine the group policy for a particular connection. When a user isn't assigned to a group policy, the default one for the connection is utilized. In this scenario, we established a new group policy for Mirket authentication.

Go to Remote Access VPN > Network(Client) Access > Group Policies. Then click on Add > Internal Group Policy to create an internal group policy.
Enter a group policy name in the Name field. Then click on More Options.
Check the Clientless SSL VPN, SSL VPN Client, IPsec IKEv1, and IPsec IKEv2 checkboxes and uncheck the Inherit checkbox in the Tunnelling Protocols field.

Go to Advanced > Split Tunneling to configure the Split Tunneling settings.
In the Policy field, uncheck the Inherit checkbox. Choose the Tunnel Network List Below option from the dropdown list.
In the Network List field, uncheck the Inherit checkbox. Choose the Standard ACL group you previously created from the dropdown list.

Click on OK to confirm settings to create a group policy.

Click on Apply to save changes.

Establishing the VPN Client Address Pool

VPN address pools determine a range of addresses allocated to AnyConnect remote clients when configuring a remote VPN connection.

Go to Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools. Then click on Add > IPv4 Address Pool to create an IPv4 address pool.
Enter a name in the Name field.
Input a start IP address in the Starting IP Address field.
Input an end IP address in the Ending IP Address field.
Input the subnet mask in the Subnet Mask field.

Then click OK to confirm settings to create an address pool.

Click on Apply to save changes.

Upload AnyConnect Client Software

You're required to upload a specific image to the Cisco ASA to facilitate the AnyConnect VPN client's operation. This image allows users to download the AnyConnect software via the Cisco ASA portal. If an AnyConnect image hasn't been uploaded, you'll be prompted to do so when enabling AnyConnect VPN Client access.

In this scenario, we are using anyconnect-win-4.7.04056-webdeploy-k9.pkg.

Go to Remote Access VPN > Network (Client) Access > AnyConnect Client Software. Then click on Add to upload the AnyConnect client software.

Click on Upload. Then, click on the Browse Local Files option and choose the AnyConnect Client Image file.

Click on Upload File. Then click on OK to confirm settings.

Click on Apply to save changes.

Connection Profile Configuration for AnyConnect Connection

Go to Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
Check the Enable Cisco AnyConnect VPN Client access on the interfaces selected in the table below checkbox in the Access Interfaces section.
Check the Allow Access and Enable DTLS checkboxes for the interfaces configured for VPN connections in the Access Interfaces list.

Click on the Add option in the Connection Profiles section.
Enter your AnyConnect connection profile name in the Name field.
Enter an alias name in the Aliases field.
Choose the AAA Server Group option from the dropdown list. This group is utilized for authentication with the Mirket RADIUS resource.
Under the Client Address Assignment section, input a DHCP Server IP address in the DHCP Servers field or enter a Client Address Pool for the VPN clients in the Client Address Pools field. For this instance, we are using the client address pool that we created.
Under the Default Group Policy section, choose the specified group policy from the Group Policy dropdown list. This policy is utilized for authentication with the Mirket RADIUS resource.
Check the Enable SSL VPN client protocol and Enable IPsec(IKEv2) client protocol checkboxes.
Input the IP address of the DNS server in the DNS Servers field. For this instance, we utilize a DNS server within the internal network, accessible to VPN clients.
If required, enter the domain name in the Domain Name field.

Then click on OK confirm settings to create an AnyConnect connection profile.
Check the Allow user to select connection profile on the login page checkbox under the Login Page Setting section.

Click on Apply to save changes.

Exclude VPN Traffic from Network Address Translation

If network address translation is enabled on the Cisco ASA, VPN traffic needs to be excluded from this translation. To do so, we define network objects for VPN traffic and create a NAT rule specifically for it.

Go to Firewall > Objects > Network Objects/Groups. Then click on Add > Network Object.
Enter "NETWOK_OBJ_192.168.100.0_24" in the Name field. This represents the internal network accessed by VPN clients.
Choose Network option from the Type dropdown list.
Input 192.168.100.0 in the IP Address field.
Input 255.255.255.0 in the Netmask field.
Enter a description for the network object in the Description field. It is optional. Then click on OK to confirm settings.

Click on Add to create another network object.
Enter "NETWOK_OBJ_192.168.35.0_24" in the Name field. This is the network designated as the address pool for VPN clients that we configured.
Choose Network option from the Type dropdown list.
Input 192.168.35.0 in the IP Address field.
Input 255.255.255.0 in the Netmask field.
Enter a description for the network object in the Description field. It is optional.

Then click on OK to confirm settings.

Go to NAT Rules. Then click on Add > Add NAT Rule Before "Network Object" NAT Rules.
Choose "internal" option from the Source Interface dropdown list.
Choose "External" option from the Destination Interface dropdown list.
Choose "NETWOK_OBJ_192.168.100.0_24" option from the Source Address dropdown list. This represents the internal network accessed by VPN clients.
Choose "NETWOK_OBJ_192.168.35.0_24" option from the Destination Address dropdown list. This is the network designated as the address pool for VPN clients that we configured.
Choose "any" option from the Service dropdown list.
Choose "Static" option from the Source NAT type dropdown list.
Check the Enable rule, Disable Proxy ARP on egress interface, and Lookup route table to locate egress interface checkboxes under the Options section. Keep the remaining settings as default values.

Click on OK to confirm settings to create the NAT rule. Then click on Apply to save changes.

Configure Mirket

To enable Mirket to receive authentication requests from Cisco ASA, follow these steps:

Define Cisco ASA as a RADIUS client resource within Mirket.
Create an authentication policy for the Cisco ASA RADIUS client resource or include it in an existing authentication policy.
Attach the Cisco ASA resource to the Mirket Radius.

Add Cisco ASA as a Resource in Mirket with Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway from the Configuration > Gateway. To add a Radius Gateway to the Mirket, follow these steps:

Go to Configuration > Gateway and click on the Add Radius Gateway button.
On the displayed screen, enter a name for your Radius Gateway in the Name field.
Enter the SAM value of the gateway in the Sam Value field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls.
Enter the IP address of the server where the gateway is installed in the Host IP Address field.
Enter the authentication port value you set for the gateway in the Auth Port field. The default value is 1812.
Enter the accounting port value you specified for the gateway in the Acc Port field. The default value is 1813. Note: After completing these fields, you must create a RADIUS client for the newly created RADIUS Gateway.
Click on the Add Radius Client option at the bottom of the displayed screen.
Enter a name for your Radius Client in the Radius Client field.
Enter the IP address of the client(firewall) that will communicate with the gateway in the IP Address field.
Enter the secret key that the client will communicate with the gateway in the Secret Key field.

Click on the Save button to confirm the settings.

Configuring Radius Gateway

After creating the Radius Gateway, click on the Download > Config from the menu on the right side of the gateway.

This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

Replace the existing config file in the "C:\MirketRadius" directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in "C:\MirketRadius".

Then, restart the Mirket Radius Service.

You can check whether the Radius Gateway you created is active by navigating to Configuration > Gateway.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user or group in Mirket.

If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group.

If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. Note: Before proceeding, ensure that you have installed Mirket LDAP Gateway. (Refer to create LDAP Gateway.)

Add a Radius Rule to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

Go to Configuration > Radius Rules.
Click on the Add Radius Rule button.
On the displayed screen, enter a name for the rule in the Name field.
Enter the rule description in the Description field.
Select the Radius Client to which the rule will apply from the Radius Client dropdown list.
Enter the source IP addresses to which the rule will apply in the Source Adress field.
Select the source countries where the rule will be applied from the Source Country dropdown list.
Click on the Next button.

Specify whether the rule will be applied to a user or a group.
After specifying, click on the Next button.

Select the users or groups to which the rule will apply. Transfer your selections to the Selected Users/Groups table by clicking the arrow icon next to the Available Users/Groups table.
Click on the Next button.

Select the time period when the rule will run.
- All: The rule will run every day.
- Recurring: The rule will run on the specified days and times.
- One Time: The rule will run within the date range you specify.
After selecting, click on the Next button.

Specify whether the user or group will be granted access based on the rule in the Action field.
Select the authentication provider to which the rule will apply from the Auth Method dropdown list.

Click on Save to confirm the settings.

Test the Integration

To validate the integration between Mirket MFA and your Cisco ASA, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

Launch the Cisco AnyConnect VPN client.
Input your Cisco ASA IP address or public address and then click on Connect.

Then click on Connect Anyway in the Security Warning pop-up.

Choose your group for the VPN connection from the Group dropdown list.
Enter your Mirket username in the Username field.
Input your password in the Password field.
Click on OK. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.