Overview
For this setup, ensure you have WebADM, OpenOTP, and Radius Bridge installed and properly configured. Please refer to the installation guides for WebADM and Radius Bridge for these purposes. The ASA configuration for RADIUS authentication can be found at the following link.
Allow ASA as Radius Client in Radius Bridge
On your Radius Bridge server, edit /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server:

    client ASA-SSL {
        ipaddr = <ASA Server IP>
        secret = testing123
    }
Configuring Radius Bridge AAA Server in Cisco ASA
Configuring OTP authentication on ASA involves adding a RADIUS AAA Server configuration to a new or existing Connection Profile. Here are the steps to add both the new RADIUS AAA Server and the Connection Profile:

- Log in to your Cisco ASA Device Manager (ASDM) administration UI.
- From the top menu, select "Configuration" and then navigate to "Remote Access SSL VPN" from the left menu.
- Under "AAA/Local Users", select "AAA Server Groups".
- Click "Add" in the AAA Server Groups page that opens.
- Configure as follows:
  - Name: OpenOTP_Servers
  - Protocol: RADIUS
  - Leave the rest as defaults and click "Add" or "OK" to commit.
  This creates the RADIUS AAA Server group named "OpenOTP_Servers" used for OTP authentication on your Cisco ASA.
- In the "Servers in the Selected Group" section, select "Add".
- In the Add AAA Server view, set (see example picture below):
  - Interface - the interface through which the Cisco ASA communicates with OpenOTP. This should be the management or intranet interface.
  - Server Name or IP Address - the OpenOTP (Radius Bridge) IP address or hostname.
  - Timeout - e.g. 10 seconds (for push login, configure at least 30 seconds).
  - Server Secret Key - testing123 (the value preconfigured on the OpenOTP/Radius Bridge side).
  - Leave the other values as default and click "Add"/"OK" to commit.
- Cisco ASA to OpenOTP RADIUS connectivity is now configured. The remaining step is to activate the new RADIUS server on one or more Cisco ASA Connection Profiles; here we create a test profile.
- Select "Clientless SSL VPN Access" > "Connection Profiles".
- Click "Add" in the Connection Profiles section.
- In the Add Clientless SSL VPN Connection Profile view, set (see example picture below):
  - Name - OpenOTP_Test_Profile
  - AAA Server Group - select the previously created server group OpenOTP_Servers.
  - In the "Clientless SSL VPN" menu entry on the left:
    - In the Connection Aliases section, select "Add".
    - Enter the alias OpenOTP (the user will see a drop-down menu on login with OpenOTP as one entry).
    - Click "OK".
- In the Login Page Settings section, check "Allow users to select connection profile".
- Cisco ASA is now configured, and you can proceed to test your login.
Don't forget to authorize the communication on UDP port 1812 (the default RADIUS authentication port) from your ASA system to your WebADM instance at the firewall level.
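The ASDM steps above (AAA server group, RADIUS server host and Clientless SSL VPN connection profile) expressed as the equivalent ASA CLI configuration, added here as an example and not taken from the original guide or from RCDevs; the interface name management and the Radius Bridge address 192.0.2.10 are placeholders, and the 30-second timeout is the push-login minimum the guide recommends.

```cisco
! RADIUS AAA server group that the Clientless SSL VPN profile authenticates against
aaa-server OpenOTP_Servers protocol radius
! Radius Bridge host reached through the management interface (placeholder address)
aaa-server OpenOTP_Servers (management) host 192.0.2.10
 ! shared secret matching the ASA-SSL client entry in clients.conf
 key testing123
 authentication-port 1812
 ! 10 s suffices for OTP codes; push login needs at least 30 s
 timeout 30
! Test Clientless SSL VPN connection profile bound to the RADIUS group
tunnel-group OpenOTP_Test_Profile type remote-access
tunnel-group OpenOTP_Test_Profile general-attributes
 authentication-server-group OpenOTP_Servers
tunnel-group OpenOTP_Test_Profile webvpn-attributes
 ! alias shown in the login-page drop-down
 group-alias OpenOTP enable
! Equivalent of "Allow users to select connection profile" on the login page
webvpn
 tunnel-group-list enable
```

Verify with "show aaa-server OpenOTP_Servers" and "test aaa-server authentication OpenOTP_Servers" before pointing production profiles at the group.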
Simple push-based authentication with ASA
This chapter is only relevant if you want to use simple push to Accept/Reject as the 2nd-factor authentication.
Cisco ASA RADIUS authentication timeouts are typically too short for the user to be able to authenticate with a simple push. To use push authentication, you must edit /opt/radiusd/conf/radiusd.conf and enable the fix_timeout = yes option.
If you have configured multiple Radius Bridge servers in high-availability mode in your ASA AAA Server Group, you also need to ensure that the Cisco ASA config-aaa-server-host timeout setting is longer than your Push Timeout.
Another timeout that needs to be considered with OpenOTP push login is the AnyConnect client timeout. This timeout is configurable under the ASDM console > AnyConnect Client Profile > Preferences (2) > Authentication Timeout Values.
For the change to take effect on the client side, a successful login from the AnyConnect client needs to be done first. After that, the new profile file is downloaded and applied to the AnyConnect client, and on the next login the authentication timeout set to 60 seconds will be applied.