Cisco AnyConnect – With Google Authenticator 2 Factor Authentication

KB ID 0001256 

Problem

This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.

Disclaimer: This is not an exercise in deploying AnyConnect, I’ve got that covered to death all over the website, use the search function above, or simply go to the following article;

Cisco ASA 5500 AnyConnect Setup From Command Line

So before proceeding I’ll assume you have AnyConnect setup, and you can connect with a local username.

Disclaimer 2: Please don’t email me with questions like, “Can I take this and integrate it with Active Directory, eDirectory” etc. Or “I’m trying to get this to work with ‘insert name of some Linux distro” and I’m getting an error. 

Prerequisite: You will need the Google Authenticator app installed on a device, (probably an iOS or Android phone), running and ready to accept a new identity/account.

Solution

Setup FreeRADIUS

I’m not a Linux guru, I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing) and deployed it as a VM on an ESX host.

Non Linux Types Note: A lot of the commands below require you to either be logged on as root, or ‘su‘ to root, (if that’s not an option, you will need to prefix the commands with ‘sudo‘).

Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled, (for sensible reasons). However, because of the way FreeRADIUS and PAM work in this setup, (pam_unix needs to read /etc/shadow, and the Google Authenticator module needs to read each user’s ~/.google_authenticator file), it needs to run under the root account. Be aware that this leaves a network-facing daemon running as root, an acceptable trade-off in a lab, but worth thinking about in production, (the module’s ‘secret=’ and ‘user=’ options let it read the tokens from a central directory as a dedicated user, but that is outside the scope of this article).

[box]

sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root

[/box] 

Ubuntu: Install Prerequisites: We need to refresh the package lists, then install NTP, (because the authenticator codes are time based, so the server’s clock has to be right). Then there are some tools that we will need to build and install the Google Authenticator PAM module.

[box]

apt-get update
apt-get install autotools-dev
apt-get install autoconf
apt-get install libtool
apt-get install ntp
apt-get install build-essential libpam0g-dev freeradius git libqrencode3 

[/box] 

Install Google Authenticator: This is quite cool, (if like me you don’t do a lot of Linux). We need to clone the source code from GitHub, then move into the PAM module’s ‘Directory’ and build and install the software. Note: Google has since moved the PAM module into its own repository, https://github.com/google/google-authenticator-libpam, so if the libpam folder is missing after the clone below, clone that repository instead and run the same build commands from its top level.

[box]

cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

[/box] 

Configuring FreeRADIUS and Google-Authenticator

Ubuntu has nano installed by default, that’s what I’m going to use, if you’re a sandal wearing ‘vi’ user, then feel free to use that instead.

First we are going to change FreeRADIUS, so it runs under the ‘root’ account.

[box]nano /etc/freeradius/radiusd.conf[/box]

At the bottom of the file, change the user and group from freerad to root, save the file and exit.

Like so:

 

Next we are going to create a group called radius-disabled, then if you need to deny a user access, you can simply make them a member of this group.

[box]addgroup radius-disabled[/box]

Then configure FreeRADIUS to reject members of that group.

[box]nano /etc/freeradius/users[/box]

Locate the lines indicated below;

Change and un-comment them, to add the following text;

[box]

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

[/box] 

So it looks like below, then save and exit the file;

Enable Pluggable Authentication Modules (PAM): Edit the following file;

[box]nano /etc/freeradius/sites-enabled/default[/box]

Locate the line with ‘pam’ in it, (it is in the authenticate { } section), and uncomment it (remove the hash/pound sign), like so

Before;

After;

Exit and save the changes.

Configure FreeRADIUS to use Google Authenticator: Edit the following file;

[box]nano /etc/pam.d/radiusd[/box]

Locate all the lines that start with an ‘@’ symbol and comment them out, (prefix them with a “#”), then paste the following text onto the end of the file. The order matters: the user types their Unix password with the six digit code appended, ‘forward_pass’ makes the Google Authenticator module strip the code off the end, check it, and pass the remainder on, and ‘use_first_pass’ makes pam_unix check that remainder without prompting again. ‘requisite’ means a bad code fails the whole stack immediately, so the Unix password is never even checked unless the code is right;

[box]

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

[/box]

Before;

 

After;
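To make the mechanics of that two-line stack concrete, here is an added example, (my own code, not part of the original article and not the google-authenticator project’s code), that models what the stack does with the single string the user types: the last six characters are verified as an RFC 6238 TOTP code (30 second steps, HMAC-SHA1, the google-authenticator defaults, with a one step window either side for clock drift), and the remainder is compared as the Unix password. The secret is the RFC 4226/6238 test key in base32, and the Unix password ‘password’ is constructed for the example.

```python
"""Added example (not code from the original article or from the
google-authenticator project): a model of what the two-line PAM stack

    auth requisite pam_google_authenticator.so forward_pass
    auth required  pam_unix.so use_first_pass

does with the single string a RADIUS user types.  The last six characters
are taken as the TOTP code (RFC 6238, 30-second steps, HMAC-SHA1, the
defaults the google-authenticator tool uses); the remainder is the Unix
password forwarded to pam_unix.  The secret is the RFC 6238 test key, and
the Unix password is made up for the example.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed: the RFC 4226/6238 test key "12345678901234567890" in the
# base32 form google-authenticator prints as the 'secret key'.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
UNIX_PASSWORD = "password"   # constructed; the pam_unix password for the test user

STEP = 30       # seconds per code (google-authenticator default)
DIGITS = 6      # length of the code the app displays
WINDOW = 1      # also accept the previous and next step, to tolerate clock drift


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, unix_time, window=WINDOW):
    """True if `code` matches the current step or one within the window."""
    if len(code) != DIGITS or not code.isascii() or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * STEP)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            return True
    return False


def split_forwarded_password(typed):
    """forward_pass: the trailing DIGITS characters are the OTP, the rest is
    handed on to the next module.  Returns (None, None) if too short."""
    if len(typed) <= DIGITS:
        return None, None
    return typed[:-DIGITS], typed[-DIGITS:]


def pam_authenticate(typed, unix_time, secret_b32=SECRET_B32, unix_password=UNIX_PASSWORD):
    """Models the stack: 'requisite' OTP check first, pam_unix only if it passes."""
    unix_part, otp = split_forwarded_password(typed)
    if otp is None or not verify_totp(secret_b32, otp, unix_time):
        return False    # requisite failed: pam_unix never sees the password
    return hmac.compare_digest(unix_part.encode(), unix_password.encode())


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET_B32, now)
    print("code the app would show now:", code)
    print("accept:", pam_authenticate(UNIX_PASSWORD + code, now))
    print("reject (same code a minute later):", pam_authenticate(UNIX_PASSWORD + code, now + 61))
```

Run it and compare the printed code with what an authenticator app shows for that base32 secret; this is also why the NTP step above matters, a clock that is more than one step out puts the app’s code outside the window and every login is rejected.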

Testing Google-Authenticator and FreeRADIUS

The easiest way to do this is to set up a test user, create a password for them, then generate a Google-Authenticator secret for that user, on your Linux server;

[box]

adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator

[/box]

Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret-key‘. 

Once done, you should be looking at a 6 digit number, that changes every 30 seconds;

 

Test Authentication on the FreeRADIUS Server first! To do that issue the following command;

[box]radtest tommytester password456743 localhost 18120 testing123[/box]

Note: the syntax is radtest {username} {password} {server} {nas-port-number} {shared-secret}. The password for tommytester is ‘password‘ and the 6 digit code currently showing in the app is added to the end of it. The 18120 is just the NAS-Port attribute value sent in the request, (the request itself goes to UDP 1812, as the output below shows), and the testing123 value is the secret for the localhost client, which is set within FreeRADIUS in the /etc/freeradius/clients.conf file.

Successful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302971"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]

Unsuccessful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302973"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]

Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct, (is NTP getting blocked at the firewall?) Then what I do is, SSH into the server from another session, and enable debugging, then back at the console test authentication again, then you can see the debugging output on the other screen, which will point you in the right direction.

To enable debugging;

[box]

service freeradius stop
freeradius -XXX

[/box]

Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file;

[box]nano /etc/freeradius/clients.conf[/box]

Add the following text to the end of the file, (cisco123 is the shared secret we will enter on the ASA later). The shared secret is the only thing protecting the user passwords inside the RADIUS packets between the ASA and this server, so use something long and random in production, cisco123 is for the lab;

[box]

client 192.168.110.1 {
 secret = cisco123
 shortname = CiscoASA
 nastype = cisco
}

[/box]
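To show why that secret matters, here is an added example, (my own code, not from the original article, FreeRADIUS or the ASA), that builds the same kind of Access-Request radtest and the ASA send, hides the User-Password attribute the way RFC 2865 section 5.2 specifies (16 byte blocks XORed with MD5 of the shared secret and the previous block, seeded with the per-request Request Authenticator), and then recovers it the way the server does. The identifier, NAS-Port, credentials and the cisco123 secret are the lab values from this article, the authenticator is constructed; anyone who captures one of these packets can test guesses of the secret offline, which is the whole argument for a long random one.

```python
"""Added example (not code from the original article, FreeRADIUS or the
ASA): how the User-Password attribute in the Access-Request that radtest
or the ASA sends is hidden on the wire, per RFC 2865 section 5.2, and how
the server gets the clear text back before handing it to PAM.  The only key
material is the clients.conf 'secret' plus a per-request 16-byte Request
Authenticator, so the secret is what protects every password sent.
Secret, authenticator and credentials below are constructed for the example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_user_password(password, secret, authenticator):
    """Pad to 16-byte blocks, then block_i = plain_i XOR MD5(secret + prev),
    where prev is the authenticator for the first block and the previous
    cipher block after that."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password; this is what the server does."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; the length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, authenticator, nas_port):
    """The packet radtest builds for: radtest <user> <password> <server> <nas_port> <secret>."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack(">I", nas_port)))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Returns (code, identifier, authenticator, {attr_type: raw_value})."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    authenticator = packet[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_recover_password(packet, secret):
    """What FreeRADIUS does with the clients.conf secret before calling PAM."""
    _, _, authenticator, attrs = parse_packet(packet)
    return decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    secret = b"cisco123"                                  # clients.conf secret (lab value)
    authenticator = os.urandom(16)                        # fresh per request
    pkt = build_access_request(165, "tommytester", "password302971", secret, authenticator, 18120)
    print("wire password attribute:", parse_packet(pkt)[3][ATTR_USER_PASSWORD].hex())
    print("server recovers:", server_recover_password(pkt, secret))
    print("with the wrong secret:", server_recover_password(pkt, b"wrong"))
```

Note that nothing here is a MAC over the packet, so a wrong secret does not produce an error, it produces garbage, which is exactly what makes an offline guess at the secret easy to confirm, and why the RADIUS leg should stay on a trusted inside network (or inside IPsec) even with a good secret.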

Configure Cisco ASA for FreeRADIUS Authentication

On the ASA you create an AAA group, set its authentication type to RADIUS, then add the FreeRADIUS server as a host, and specify the secret key you used above. REMEMBER you need to specify the ports or authentication will fail, (you get a no response error). This is because the ASA defaults to the legacy RADIUS ports 1645/1646, whereas FreeRADIUS listens on 1812/1813.

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
 authentication-port 1812
 accounting-port 1813
 key cisco123
 radius-common-pw cisco123
 exit

[/box]

The ASA also needs to have the correct time for authentication to work, I’ve covered that elsewhere, run through the following article;

Cisco ASA – Configuring for NTP

Change AnyConnect AAA Authentication Method: By default, your AnyConnect is probably using the ASA’s LOCAL database of usernames and passwords, we now need to change it to use the RADIUS host we just set up. You do that in the AnyConnect’s ‘tunnel-group general-attributes’ section. Issue a show run tun command, to see the tunnel groups listed.

[box]

Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

[/box]

Then add your RADIUS GROUP as the authentication server.

[box]

Petes-ASA# tunnel-group ANYCONNECT-PROFILE general-attributes 
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS

[/box]

Test RADIUS Authentication on the Cisco ASA First: I’ve covered this in the past see the following article;

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Remember that the password will be the user password, followed by the 6 digit number displayed on the authenticator.

[box]

Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#

[/box]

Or, if you prefer to use the ASDM;

Finally you can test authentication from your remote AnyConnect client.

 

Related Articles, References, Credits, or External Links

NA

I’m Going on Holiday, What do I need to Disable on my iPhone?

KB ID 0000622 

Problem

Here in Europe the big mobile Telco’s are being forced to keep roaming prices down. But going abroad with all your data services turned on can mean you might come back to a big bill.

Solution

1. On most people’s phones “Data Roaming” is already disabled (mine’s always off). Data Roaming is designed to let you use another provider’s phone network if your carrier signal is too weak. On some sites it says you can’t use your phone abroad if you have this disabled, I DISAGREE, I’ve got it disabled and I use my phone every time I’m out of the country.

Settings > General > Network > Data Roaming.

2. If you use ActiveSync and/or have mail pushed to your phone, you might want to also disable “Mobile Data” to stop that happening while you’re away.

Settings > General > Network > Mobile Data.

3. That’s data stopped, but your phone will still function as a phone. WARNING you may still be charged for “call forwarding” if your phone rings and you let it go to answerphone while you are away. I don’t mind that, because I prefer to keep my phone on. If you want to disable the phone and text features as well, e.g. you just want to use the Camera, iPod, and Alarm capabilities, then just put the phone in Airplane mode, (which isn’t a word Apple! The word is Aeroplane!)

Settings > Airplane Mode.

Related Articles, References, Credits, or External Links

NA

Dropbox – Windows, Linux, Apple and Dropbox Portable (USB) Installation

KB ID 0000409

Problem

You would like to sync your files/folders between more than one machine? Dropbox, is a service that lets you keep files in “The Cloud” and synchronise them across multiple machines and platforms. It’s one of those things that once you start to use it you wonder what you did before you had it. Simply put it’s like having a USB drive that you don’t need to carry around with you, and even if you still carry your USB drive, you can run Dropbox portable on that as well.

Sign up for a free Dropbox account.

Solution

Sync Files From Windows <> Linux <> Apple

Running Dropbox Portable from your USB Drive

Download DropboxPortable.

Related Articles, References, Credits, or External Links

All credit for the Dropbox Portable version used above (DropboxPortableAHK) should go to user against t for taking the time to create and support it – Thanks

Exchange 2003 – ActiveSync Stops working after IP change

KB ID 0000345

Problem

My colleague swapped over one of our clients to a new IP range last week, all went well except ActiveSync stopped working on the clients phones, it took a while for the penny to drop. But this problem was caused by the “fix” for the “Active Sync Support Code:85010014” that’s outlined in MS KB817379.

You need to grant access to the servers new IP address.

Solution

1. Let’s make sure that this is the problem, on the Exchange server, Start > Run > Regedit > Navigate to > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters.

2. If there is a string value in the right-hand window called ExchangeVDir this IS the problem > Take note of what it’s set to (In the example below it’s called “exchange-oma”).

3. On the server, Start > Administrative Tools > Internet Information Services (IIS) Manager.

4. Expand your servername > Web Sites > Default Web site > Locate the directory you noted in step 2 > Right click > Properties > Directory Security > IP address and name restrictions > Edit > Ensure the servers new IP address and 127.0.0.1 are in there.

5. Click OK > Apply > OK > Close IIS manager.

6. Click Start > Run > services.msc > Locate the IIS admin service > Right click it > Restart.

Related Articles, References, Credits, or External Links

NA

Active Sync on Small Business Server 2003 with iPhone

KB ID 0000336 

Problem

I don’t know why, but ActiveSync will NOT work out of the box with SBS 2003, for a long time I’ve just told my clients “it can’t be done”. However, after the problem went off the boil for a while, it was the topic of conversation in the office, I did some searching and came up with a solution.

You don’t need IMAP – you don’t need ISA server – you just need 5 minutes.

Solution

1. It may seem daft to say this, but you need to install and configure ActiveSync before you do anything, if it’s not set up it will never work with an iPhone!

ActiveSync setup and tested with a Windows Mobile Device.

Note: for use of the Windows Mobile Emulator click here

2. On the SBS Server, click Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand Web Sites > Default Website > Locate the “Microsoft-Server-ActiveSync” folder >Right Click > Properties.

3. Select the “Directory Security” Tab > “IP address and domain name restrictions” section > Edit > Select “Granted access” > OK > Apply > OK.

4. Then either reboot the server, restart the IIS Admin service, or issue an “iisreset /noforce” command.

 

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN access, and you can access Clientless SSL facilities via the web portal.

*As pointed out by @nhomsany, “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows)”.

Additionally you can use this license model with the Advanced Endpoint Assessment License, this is the license you require for Cisco Secure Desktop. You can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets, (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses are available as 10 session and 25 session licenses, the 5510 are in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change, check with your reseller).

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model, this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the number of licenses is aggregated from both firewalls and ALL are available, providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essentials Licensing’, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPN’s (including IPSEC ones), then these are taken from the ‘pot’.

Additionally, you can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets, this license is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license for BOTH firewalls. After version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000

*To re-enable the built in Premium Licenses you need to disable Essentials licensing by using the ‘no anyconnect-essentials’ command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License

Cisco ASA 5500 – Adding Licenses

 

iPhone – Taking Screenshots / Screendumps

KB ID 0000361

Problem

All iPhones (above version 2 on 3G, 3GS and iPhone4) have the ability to take screenshots without having to download an app!

Solution

1. Assuming you have the screen open you would like to capture, press the “Home” button, and while still having it pressed briefly press the “Sleep/Lock” button

2. The screen should “flash white” briefly and providing you are not on silent, you should hear the camera shutter.

3. You can take multiple images and they will be stored in Photos > Camera Roll.

4. Should you wish to get them to your PC/Laptop, simply connect via USB and with Windows Explorer navigate to My Computer and open your iPhone.

5. Expand Internal Storage > DCIM > {folder name} > You can now copy/cut the images out.

 

Related Articles, References, Credits, or External Links

NA

 

iPhone and iPad – Configure the Cisco VPN Client

KB ID 0000360

Problem

You have already configured a Cisco ASA / PIX device to provide Client VPN connectivity, and you now wish to configure the iPhone/iPad Device.

Solution

Note: The screen shots are taken from an iPhone running (4.2.1) the process for iPad is the same.

1. Select Settings.

2. Select General.

3. Select Network.

4. Scroll to the bottom of the page and select VPN.

5. Add VPN Configuration.

6. Select IPSec.

7. Description = the connection a simple name > Server = Either the IP address or public name of the firewall > Account > Your username.

8. Group Name = Is the VPN group configured on the firewall > Secret = Is the shared secret for this Group Name.

Where do you get this information from? Basically from your IT department, they can find out by issuing a “more system:running-config” command on the firewall, (unlike ‘show run’, which masks pre-shared keys with asterisks, this displays the group’s pre-shared key in clear text, so treat the output accordingly).

9. Flick the VPN switch to “On”.

10. Enter your username and password > OK.

11. It may say “Starting” for a while.

12. “Connected” is what we are looking for.

13. For the duration of the connection you will see the “VPN” icon on the phone’s information bar.

 

Related Articles, References, Credits, or External Links

NA

 

Cisco AnyConnect Error (iPhone)

KB ID 0000362

Problem

While using the Apple/Cisco Anyconnect App/Client you receive the following error.

Error:

The secure gateway has rejected the agent’s VPN request. A New connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the security gateway: No License.

 

Solution

The most pertinent information above is the last two words of the error message “No License”

This DOES NOT mean you have run out of SSL/AnyConnect Licences!

What it means is that the ASA does not have an AnyConnect Mobile licence. This licence is a “One Off” purchase and will enable the feature on your ASA, be aware the licence is different for each model, make sure you purchase the correct one!

AnyConnect Mobile, (or AnyConnect for Mobile) licence details can be found at Cisco’s website Below is the section we are interested in.

Update 2017: Applying a modern AnyConnect (v4) licence, will also enable the mobile feature as well.

Once the correct licences are installed this is what it SHOULD look like.

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 – Adding Licenses

Android AnyConnect Error

Tether your iPhone or Using your iPhone as a Wireless Access Point (without jail breaking it)

KB ID 0000373 

Problem

Before you start, your provider has to allow tethering of your iPhone, if the option is not there you need to speak to them, some carriers will want to charge you more for the privilege, others will not care, that’s not Apple’s fault, nor is it mine 🙂

Secondly, before you all start mailing in to berate me, yes I know I’m not turning my phone into a wireless access point, what I’m actually doing is tethering via Bluetooth, which is very different, but if you’re in a hotel, or an airport lounge with your laptop, do you want to argue semantics or get online?

Update: iPhone Personal Wireless Hotspot feature coming in version 4.3

Solution

Unfortunately (if you don’t like it) you have to have iTunes installed on the PC in question. This will put on all the Apple mobile device drivers you require.

1. If you are going to tether by the USB cable or via Bluetooth, the setup is the same. On the phone go to Settings > General > Network.

2. Select Internet Tethering, again if it’s not there, speak to your carrier/provider > it will be switched off by default.

3. Switch it on.

4. If you are connected via USB cable wait a few seconds and it will connect.

5. If you want to use bluetooth you will need to pair the phone and your computer, turn on bluetooth and pair the device.

6. The settings on your PC/Laptop will differ.

7. This is the sort of thing we are looking for.

8. On the PC Start > Devices and Printers > Locate the iPhone > Right click Connect using > Access Point.

9. All the while tethering is on, your phone will tell you.

Note: The performance you get will differ between USB and bluetooth, here are a couple of examples,

Via USB.

Via Bluetooth

 

Related Articles, References, Credits, or External Links

NA