Cisco AnyConnect – With Google Authenticator 2 Factor Authentication

KB ID 0001256 

Problem

This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.

AnyConnect-GoogleAuth-Radius

Disclaimer: This is not an exercise in deploying AnyConnect, I’ve got that covered to death all over the website, use the search function above, or simply go to the following article;

Cisco ASA 5500 AnyConnect Setup From Command Line

So before proceeding I’ll assume you have AnyConnect setup, and you can connect with a local username.

Disclaimer 2: Please don’t email me with questions like, “Can I take this and integrate it with Active Directory, eDirectory” etc. Or “I’m trying to get this to work with ‘insert name of some Linux distro” and I’m getting an error. 

Prerequisite: You will need to have the Google-Authenticator app on a device, (probably an IOS or Android phone), and have that running, and ready to accept a new identity/account.

Solution

Setup FreeRADIUS

I’m not a Linux guru, I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing). and deployed it as an ESX host.

Non Linux Types Note: A lot of the commands below require you to either be logged on as root, or ‘su‘ to root, (if that’s not an option, you will need to prefix the commands with ‘sudo‘.

Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled, (for sensible reasons). However because of the way FreeRADIUS works, it needs to run under the root account.

sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root
 

Ubuntu: Install Prerequisites: We need to get all current updates, then install NTP, (because the authenticator keys are time specific). Then there are some tools that we will need to install the Google Authenticator software. 

apt-get update
apt-get install autotools-dev
apt-get install autoconf
apt-get install libtool
apt-get install ntp
apt-get install build-essential libpam0g-dev freeradius git libqrencode3 
 

Update Ubuntu

Install NTP Ubuntu

Install Google Authenticator: This is quite cool, (if like me you don’t do a lot of Linux). We need to connect to a folder on a web server, then move into that ‘Directory’ and install the software. 

cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install
 

 Configuring FreeRADIUS and Google-Authenticator 

Ubuntu has nano installed by default thats what I’m going to use, if you’re a sandal wearing ‘vi’ user, then feel free to use that instead.

First we are going to change FreeRADIUS, so it runs under the ‘root’ account.

nano /etc/freeradius/radiusd.conf

At the bottom of the file, change the user and group from freerad to root, save the file and exit.

Like so:

Allow Root FreeRadius

 

Next we are going to create a group called radius-disabled, then if you need to deny a user access, you can simply make them a member of this group.

addgroup radius-disabled

Then configure FreeRADIUS to reject members of that group.

nano /etc/freeradius/users

Locate the lines indicated below;

RADIUS Reject Users

Change and un-comment them, to add the following text;

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
 

So it looks like below, then save and exit the file;

RADIUS Reject Users PAM

Enable Pluggable Authentication Mode (PAM): Edit the following file;

nano /etc/freeradius/sites-enabled/default

Locate the line with ‘pam’ in it and uncomment it (remove the hash/pound sign), like so

Before;

Free RADIUS Enable PAM

After;

Free RADIUS Enable PAM config

Exit and save the changes.

Configure FreeRADIUS to use Google Authenticator: Edit the following file;

nano /etc/pam.d/radiusd

Locate all the lines that start with an ‘@’ symbol and comment them out, (prefix them with a “#”), then paste the following text onto the end of the file;

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Before;

RADIUS config file

 

After;

RADIUS Two Factor

Testing Google-Authenticator and FreeRADIUS

The easiest way to do this is setup a test user, then create a password for them, then assign a Google-Authenticator Code to that user, on your Linux server;

adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator

Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret-key‘. 

RADIUS Secret Key

Once done, you should be looking at a 6 digit number, that changes every 30 seconds;

 Google Authenticator App

Test Authentication on the FreeRADIUS Server first! To do that issue the following command;

radtest tommytester password456743 localhost 18120 testing123

Note: the password for tommytester is ‘password‘ and the 6 digit code is added to the end of it, the testing123 value is set within FreeRadius in the /etc/freeradius/clients.conf file.

RADIUS Secret Key

Successful Authentication

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302971"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$

Unsuccessful Authentication

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302973"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$

Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct, (is NTP getting blocked at the firewall?) Then what I do is, SSH into the server from another session, and enable debugging, then back at the console test authentication again, then you can see the debugging output on the other screen, which will point you in the right direction.

To enable debugging;

service freeradius stop
freeradius -XXX

Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file;

nano /etc/freeradius/clients.conf

Add the following test to the end of the file, (cisco123 is the shared secret we will enter on the ASA later);

client 192.168.110.1 {
 secret = cisco123
 shortname = CiscoASA
 nastype = cisco
}

Configure Cisco ASA for FreeRADIUS Authentication

On the ASA you create an AAA group, set its authentication type to RADIUS, then add the FreeRADIUS server as a host, specify the secret key you used above. REMEMBER you need to specify the ports or authentication will fail, (you get a no response error).

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
 authentication-port 1812
 accounting-port 1813
 key cisco123
 radius-common-pw cisco123
 exit

 The ASA also need to have the correct time for authentication to work, I’ve covered that elsewhere, run through the following article;

Cisco ASA – Configuring for NTP

Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect is probably using its LOCAL database of usernames and passwords, we now need to change it to use the RADIUS host we just setup. You do that in the AnyConnect’s ‘tunnel-group general-attribures’  section. Issue a show run tun command, to see the tunnel groups listed.

Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

Then add your RADIUS GROUP as the authentication server.

Petes-ASA# tunnel-group ANYCONNECT-PROFILE general-attributes 
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS

Test RADIUS Authentication on the Cisco ASA First: I’ve covered this in the past see the following article;

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Remember that the password will be the user password, followed by the 6 digit number displayed on the authenticator.

Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#

Or. if you prefer to use the ASDM;

Test AAA 2 Factor Cisco ASA

Finally you can test authentication from your remote AnyConnect client.

AnyConnect and Google Authenticator

 

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

29 Comments

  1. Hi,

    What Linux distro are you using (Linux is not really my strongest subject 🙂

    P

    Post a Reply
  2. look easy enough with your detailed instructions.

    thanks!

    John

    Post a Reply
  3. looks great! I will try this. 🙂

    Post a Reply
  4. What if you needed to create a VPN user that was required to NOT have 2 factor authentication?

    Post a Reply
    • Create another connection profile that uses another aaa method.

      Pete

      Post a Reply
  5. Thanks for this write-up, it’s most helpful. I’ve run through it on a couple of Mint VMs for test environments now, one worked fine but the other reported it couldn’t find aclocal when running the bootstrap.sh. The resolution for this was to install the automake package as well.

    Post a Reply
  6. which version of anyconnect client you use?

    Post a Reply
    • This was done with v4 I think.

      Post a Reply
  7. Thanks for this great post. I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? Like go to a link and generate by clicking on the URL. currently I had to ask users to login to FreeRadius server using the command line to generate the codes. Any suggestions? thanks.

    yayali

    Post a Reply
    • Could you post the step that you did to get it to work with AD

      Post a Reply
    • Hi- could you please share the steps for free radius+ google Auth+ AD integration pls for vpn users.

      Post a Reply
  8. instead of doing git clone to get google-authenticator, it is available as an ubuntu package:
    apt-get install freeradius libpam-google-authenticator

    and then in /etc/pam.d/radiusd, comment out the existing include’s and set:
    auth requisite pam_google_authenticator.so forward_pass
    auth required pam_unix.so use_first_pass

    If you use pbis/likewise lwsmd for AD authentication, change the last line in /etc/pam.d/radiusd to:
    auth required pam_lsass.so use_first_pass

    When testing AD accounts using radtest, specify the username as domain\\username. If your password has an exclamation point in it, surround the entire password with single quotes.

    Post a Reply
  9. Am using cisco router instead of ASA firewall for cisco anyconnect, what configuration should I should use on router?

    Post a Reply
    • Sorry Richard, I’ve never done it and I don’t have one to work it out for you. 🙁

      P

      Post a Reply
  10. 144/5000
    Hi Peter,
    Thank you for this great documentation.
    Do you know whether you can also assign fixed IP addresses to the user?
    Best wishes
    Daniel

    Post a Reply
    • Not that I’m aware of.

      P

      Post a Reply
    • This setting is inside ASA configuration. I don’t remember the exact place.
      If you are using Authentication via LDAP you can use LDAP map to set this in an LDAP attibute.

      Post a Reply
  11. Any one else ave trouble with: apt-get install build-essential libpam0g-dev freeradius git libqrencode3
    root@ancs-ubu:/# sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode3
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package libqrencode3

    Post a Reply
    • Use sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode4

      Post a Reply
  12. I figured out the issue. The 3 should now be a 4
    sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode4

    Post a Reply
  13. We already have winows Radius. Can you create a doc with those steps 🙂

    Post a Reply
  14. Solved…Path has changed… /etc/freeradius/3.0/radiusd.conf

    Post a Reply
  15. I am unable to locate the libqrencode3 package. Who else faced this issue?

    Post a Reply

Leave a Reply to Erik Schellekens Cancel reply

Your email address will not be published. Required fields are marked *