Working 2-factor-authentication with Cisco ASA (IPSec, SSL)

2009-08-10T21:18:41+01:00

I configured 2 factor authentication using the Yubikey and a system password to authenticate against a Cisco VPN. FWIW, here's a quick run-down of the settings I used. I have an ASA 5505 running 8.2.1 and am using a Fedora Core 8 box to authenticate against.

Code:

# cat /etc/pam.d/radiusd
#%PAM-1.0
auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/raddb/yubikey.map id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth

Code:

# cat /etc/raddb/yubikey.map
mlindgren:abcdefgkijkl [use the first twelve characters of your yubikey's OTP]

For /etc/raddb/radiusd.conf and users, I used the settings from the how-to:

Quote:

1. Edit the radiusd configuration file “/etc/raddb/radiusd.conf” to make following changes:
* Change user and group to “root” to provide the root privileges to radiusd demon so that it can call and use pam modules for authentication. NOTE: Generally, it is not a good security practice to assign root privileges to a user for a demon. However, since use of PAM requires root privileges, this is a mandatory step here.
* In “authenticate” section uncomment pam to direct radiusd demon to use pam module for authentication
2. Edit the client configuration file “/etc/raddb/clients.conf” to add sample client for testing
3. Edit the user configuration file “/etc/raddb/users” to make following change:
* Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" for using pam modules for user authentication

I also added the following section at the bottom of clients.conf

Code:

client x.x.x.x {
        secret = somepassword
        shortname = ASA
}

Over on the ASA:

Code:

aaa-server TEST protocol radius
aaa-server TEST (inside) host x.x.x.x
key somepassword
 authentication-port 1812
 accounting-port 1813
!

The last thing I had to do was disable iptables, or add a firewall rule for freeradius, I decided to disable iptables

Code:

#/etc/init.d/iptables stop

Didn't specifically see this posted anywhere, so I thought I'd contribute. We are thinking about implementing this at our company for our remote users.

Regards,

Mattias

EDIT: feel free to move the post to a different board, I realize now this may not be the right area to post in.

Statistics: Posted by mlindgren — Mon Aug 10, 2009 9:18 pm

Yubico Forum

Working 2-factor-authentication with Cisco ASA (IPSec, SSL)