Adaptive user authentication
Because CensorNet MFA can see the IP address its users log in from, it adds a further layer of security to Cisco ASA. With this information the IT team can configure location-based authentication policies that allow users to log in with or without an OTP, depending on whether they are connecting from a trusted network such as the company headquarters, a branch office or a home office. CensorNet MFA can also identify fraudulent login attempts from non-trusted sites and block access from those networks entirely.
Cisco ASA configuration for CensorNet MFA
CensorNet MFA® is widely used by Cisco customers to extend Cisco ASA VPN concentrators with two-factor authentication, for both IPsec and SSL VPN connections.
Cisco setup: VPN group and RADIUS client
1. Start ASDM and log in to the web interface.
2. Go to the Wizards menu and select IPsec VPN Wizard or SSL VPN Wizard (the following is from the IPsec wizard, but the configuration is very similar).
3. Select Remote Access and click Next:
4. Select the Cisco VPN Client option and click Next:
5. Set the Pre-Shared Key parameter and click Next:
6. Set the Server Group Name to CensorNet MFA®, set the IP address and the Server Secret key, and click OK:
7. Select the AAA server option and select the SMSPasscode Group.
8. Select the SMS Pool Name from the pull-down menu and click Next. If you do not have a pool defined, click New…, create the IP pool, select it and click Next:
9. Set Encryption to 3DES, Authentication to SHA and Diffie-Hellman Group to 2, then click Next:
10. Verify that “Enable Perfect Forwarding Secrecy (PFS)” is checked and click Next:
11. You have now set up the Cisco ASA for CensorNet MFA® two-factor authentication.
Configuring CensorNet MFA® authentication for RADIUS
To set up CensorNet MFA® for RADIUS, please consult the CensorNet MFA® Administrators Guide under the section “Configuring RADIUS Protection”.
Using the MSCHAPv2 protocol
To use the MSCHAPv2 protocol instead of PAP, the ASA must include the fix for Cisco bug CSCtr85499. The fix should be present in the following releases (check cisco.com for CSCtr85499 for updated information): 8.4(4.2), 8.4(5), 8.6(1.4), 9.0(1), 9.1(1), 9.0(0.99), 100.8(0.133)M, 100.8(33.4)M, 100.7(13.75)M, 100.8(11.21)M, 100.7(6.79)M, 100.9(2.1)M, 100.8(27.7)M, 100.9(0.1)M, 8.4(4.99), 100.8(34.1)M.
When creating the AAA RADIUS server, make sure “Microsoft CHAPv2 Capable” is enabled,
and in the Connection Profile enable “Enable password management”.
In the CensorNet MFA configuration tool, make sure that Side-by-side is set to Always,
and ensure that there is a Network Policy allowing the user to log in and change their password via the MSCHAPv2 protocol.
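The wizard steps above and the MSCHAPv2 settings in this section, expressed as the equivalent Cisco ASA CLI configuration. This is an added example, not configuration from CensorNet or Cisco; the group and map names, the RADIUS server address 10.0.0.5, the pool range and the placeholders for the shared secret and pre-shared key are assumptions to be replaced with your own values.

```cisco
! RADIUS server group pointing at the CensorNet MFA RADIUS service (step 6).
! 10.0.0.5 and the secret are placeholders, not values from this page.
aaa-server CENSORNET-MFA protocol radius
aaa-server CENSORNET-MFA (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 ! "Microsoft CHAPv2 Capable" in ASDM; needed for MSCHAPv2, not for PAP.
 mschapv2-capable
!
! IP pool handed to remote-access clients (step 8); range is an assumption.
ip local pool VPN-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
!
! IKEv1 phase 1 policy as the wizard sets it (step 9): 3DES, SHA, DH group 2.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2 transform set and dynamic crypto map with PFS enabled (step 10).
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map DYN-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Remote-access connection profile: authenticate against the MFA server
! group (step 7), hand out the pool, and enable password management so
! MSCHAPv2 password changes are allowed ("Enable password management").
tunnel-group CENSORNET-RA type remote-access
tunnel-group CENSORNET-RA general-attributes
 address-pool VPN-POOL
 authentication-server-group CENSORNET-MFA
 password-management
tunnel-group CENSORNET-RA ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-PRE-SHARED-KEY
```

The 3DES, SHA and DH group 2 values mirror step 9 of the wizard; later ASA releases mark 3DES and DH group 2 as deprecated, so check the release notes for the version in use and prefer stronger options where the client supports them.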