Give it a useful name, enter the IP address of the RADIUS server or the Cisco ASA depending on your setup. On the WiKIDAdmin click on the Network Clients tab. This can either be your RADIUS server if you are using freeradius or NPS or the ASA itself if you want them talking directly. If you have not downloaded the WiKID two-factor authentication server, get on that. NPS will perform authorization based on the user name alone. Once that is complete, the users will login with their AD user name and the OTP. We recommend you first test the ASA/NPS connection using AD passwords and then add the WiKID server as a radius server on NPS. At this point, you should configure NPS for two-factor authentication. The ASA is ready for two-factor authentication. You may need to add DNS servers and a domain name. Give it a name, such as Two-factor Profile and select the AAA Server Group you created earlier. Next, click on Connection Profiles in the left window.Ĭlick Add (or Edit if you have one already). Remember RADIUS is encoded - not encrypted, so no RADIUS over the open Internet! Hit OK. This is the shared secret that will need to be the same on your RADIUS server. Set the Accounting port to 1813 and create or enter a Server Secret Key. Clearly they have put all their money into updating the ASDM.). (The standard changed from 1645 in 2000 so it's completely understandable that Cisco hasn't updated yet. Under RADIUS Parameters, change the Server Authentication Port to 1812. Again, we recommend tying in authorization by AD as a user would only need to be disabled in AD to be locked out completely. Specify the interface and IP address of either your RADIUS server - NPS if you are trying in Active Directory or the WiKID server if you are not. Now, you will see that you can Add a server in the bottom panel under 'Servers in the Selected Group'.
Give the server group a useful name such as " Two-factor-Auth". Under Remote Access VPN select AAA/Local Users and click on AAA Server Group.Ĭlick the Add button to add a server group. We recommend using RADIUS as your protocol for a number of reasons - it is a good standard, works everywhere and can be configured to incorporate authorization via Active Directory or LDAP allowing simple user disablement.
We assume you have your VPN already configured. If you have questions about the network architecture, please see our eGuide on adding two-factor authentication to your network. Once that is set up, you can configure the ASA to proxy authentication request directly to WIKID or through the MS Radius server NPS to WiKID. If you have not downloaded the WiKID Strong Authentication server, we recommend you start there. This document covers how to use radius to add two-factor authentication via WiKID to an ASA using the ASDM management interface. The Cisco ASA is a very popular VPN solution.
0 kommentar(er)
