Overview

For this setup, ensure you have WebADM, OpenOTP, and Radius Bridge installed and properly configured. Please refer to the installation guides for WebADM and Radius Bridge for these purposes. The ASA configuration for Radius authentication can be found at the following link

Allow ASA as Radius Client in Radius Bridge

On your Radius Bridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server.

client ASA-SSL {
    ipaddr          = <ASA Server IP>
    secret          = testing123
}

Configuring Radius Bridge AAA Server in Cisco ASA

Configuring OTP authentication on ASA involves adding a RADIUS AAA Server configuration to a new or existing Connection Policy. Here are the steps to add both the new RADIUS AAA Server and Connection Policy:

  1. Log in to your Cisco ASA Device Manager administration UI.

  2. From the top menu, select "Configuration" and then navigate to "Remote Access SSL VPN" from the left menu.

  3. Under "AAA/Local Users," select "AAA Server Groups."

  4. Click on "Add" in the AAA Server Groups page that opens.

  5. Configure as follows:

    • Name: OpenOTP_Servers
    • Protocol: RADIUS
    • Leave the rest as defaults and click "Add" or "OK" to commit.

This setup will establish the RADIUS AAA Server group named "OpenOTP_Servers" for OTP authentication on your Cisco ASA.

(Screenshot: ASA)

  1. In the Servers in the Selected Group section, select Add.

  2. In the Add AAA Server view, set the following (see example picture below):

  • Interface - the interface through which the ASA communicates with OpenOTP. This should be the management or intranet interface.
  • Server Name or IP Address - the Radius Bridge (OpenOTP) server IP address or hostname.
  • Timeout - e.g. 10 seconds. (For push login, configure at least 30s.)
  • Server Secret Key - testing123 (the secret configured for this client in Radius Bridge).
  • Leave the other values at their defaults and click Add to commit.

(Screenshot: ASA)

  1. Cisco ASA to OpenOTP RADIUS connectivity is now configured. The remaining step is to activate the new RADIUS server on one or more Cisco ASA Connection Profiles; here we create a test profile.

  2. Select Clientless SSL VPN Access > Connection Profiles.

  3. Click Add in Connection Profiles section.

  4. In the Add Clientless SSL VPN Connection Profile dialog, set the following (see example picture below):

  • Name - OpenOTP_Test_Profile
  • AAA Server Group - select the previously created server group
    OpenOTP_Servers.
  • In the Clientless SSL VPN menu entry on the left, in the Connection Aliases section, select Add.
  • Enter the alias OpenOTP (the user will see a drop-down menu on login with
    OpenOTP as one entry).
  • Click OK.
(Screenshot: ASA)

  1. In the Login Page Settings section, check Allow users to select connection profile.

  2. Cisco ASA is now configured, and you can proceed to test your login.

Don't forget to allow traffic on UDP port 1812 (the default RADIUS authentication port) from your ASA to your WebADM instance at the firewall level.

Simple push-based authentication with ASA

This chapter is only relevant if you want to use simple push to Accept/Reject as the 2nd-factor authentication.

Cisco ASA RADIUS authentication timeouts are typically too short for the user to be able to authenticate with a simple push. To use push authentication, you must edit /opt/radiusd/conf/radiusd.conf and enable the fix_timeout = yes option.

If you have configured multiple Radius Bridge servers in high-availability mode into your ASA AAA Server Group, you also need to ensure that the Cisco ASA config-aaa-server-host timeout setting is longer than your Push Timeout.
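The same configuration expressed on the ASA CLI, as an added example that is not part of this guide or of RCDevs' documentation: the AAA server group, host and test connection profile from the ASDM steps above, with the host timeout raised to 30 seconds as push login requires. The interface name inside, the Radius Bridge address 10.0.0.10 and the test account are assumed placeholders, and WebVPN is assumed to be already enabled on the outside interface.

```cisco
! AAA server group for OpenOTP (equivalent of the ASDM "AAA Server Groups" steps)
aaa-server OpenOTP_Servers protocol radius
! Radius Bridge host reached via the "inside" interface (assumed name and address)
aaa-server OpenOTP_Servers (inside) host 10.0.0.10
 key testing123
 authentication-port 1812
 ! Push login: the host timeout must exceed the OpenOTP push timeout (at least 30s)
 timeout 30
!
! Test connection profile bound to the new server group
tunnel-group OpenOTP_Test_Profile type remote-access
tunnel-group OpenOTP_Test_Profile general-attributes
 authentication-server-group OpenOTP_Servers
tunnel-group OpenOTP_Test_Profile webvpn-attributes
 group-alias OpenOTP enable
!
! "Allow users to select connection profile" on the login page
webvpn
 tunnel-group-list enable
!
! Verify the RADIUS path from the ASA before exposing the profile to users
! (exec mode; replace the placeholder credentials with a real test account)
! test aaa-server authentication OpenOTP_Servers host 10.0.0.10 username testuser password <password+OTP>
```

If the test command returns a timeout rather than an accept or reject, check the firewall rule for UDP 1812 and the clients.conf entry on the Radius Bridge side before changing anything else.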

(Screenshot: ASA)

Another timeout that needs to be considered for OpenOTP push login is the AnyConnect client timeout. It is configurable in the ASDM console under AnyConnect Client Profile > Preferences (2) > Authentication Timeout Values:

(Screenshot: ASA)

For the changes to take effect on the client side, a successful login from the AnyConnect client needs to be completed. After that, the new profile file will be downloaded and applied to the AnyConnect client. On the next login, the authentication timeout set to 60 seconds will be applied.