Configure Remote Access VPN Secondary Authentication

When remote access VPN authentication is configured to use both a client certificate and an authentication server, VPN client authentication is done using both client certificate validation and the AAA server.

Before you begin

  • Configure two authentication (AAA) servers, the primary and the secondary authentication server, and the required identity certificates. Each authentication server can be a RADIUS server or an AD or LDAP realm.

  • Ensure that the AAA servers are reachable from the Firepower Threat Defense device for the remote access VPN configuration to work. Configure routing (at Devices > Device Management > Edit Device > Routing) to ensure connectivity to the AAA servers.

Procedure


Step 1

On your Cisco Defense Orchestrator web interface, choose Devices > VPN > Remote Access.

Step 2

Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy.

Step 3

For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit.

Step 4

Click AAA, then for Authentication Method choose AAA or Client Certificate & AAA.

  • When you select the Authentication Method as:

    • Client Certificate & AAA—Authentication is done using both the client certificate and the AAA server.

    • AAA—If you select RADIUS as the Authentication Server, the Authorization Server has the same value by default. Select the Accounting Server from the drop-down list. If you select an AD or LDAP realm as the Authentication Server, you must manually select the Authorization Server and the Accounting Server.

    • Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

  • Use secondary authentication—Secondary authentication is configured in addition to primary authentication to provide additional security for VPN sessions. Secondary authentication applies only to the AAA and Client Certificate & AAA authentication methods.

    Secondary authentication is an optional feature that requires a VPN user to enter two sets of username and password on the AnyConnect login screen. You can also configure the secondary username to be pre-filled from the authentication server or from the client certificate. Remote access VPN authentication is granted only if both the primary and the secondary authentication succeed. VPN authentication is denied if either authentication server is not reachable or either authentication fails.

    You must configure a secondary authentication server group (AAA server) for the second username and password before configuring secondary authentication. For example, you can set the primary authentication server to an LDAP or Active Directory realm and the secondary authentication to a RADIUS server.

    Note

    By default, secondary authentication is not required.

    Authentication Server—Secondary authentication server that provides the secondary username and password for VPN users.

    Select the following under Username for secondary authentication:

    • Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.

    • Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.

    • Map username from client certificate: Prefills the secondary username from the client certificate.

      • If you select the Map specific field option, the secondary username is taken from a field of the client certificate. The Primary and Secondary fields display the default values CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.

        See Authentication Method descriptions for more information about primary and secondary field mapping.

      • Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via AnyConnect VPN client.

        • Hide username in login window: The secondary username is pre-filled from the client certificate but hidden from the user, so that the user does not modify the pre-filled username.

    • Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.
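The decision rules above (both authentications must succeed, an unreachable server or a single failure denies the session, and the secondary username can come from a prompt, the primary username, a mapped certificate field, or the entire DN) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco FTD or CDO code; the credential stores, server builders, function names and the sample certificate DN are all constructed for the example.

```python
"""Model of the remote access VPN secondary-authentication decision
described on this page.

Added illustration, not Cisco FTD or CDO code: the credential stores,
server names and function names are constructed for the example. It
reproduces the stated rules: access is granted only when both the primary
and the secondary authentication succeed, and an unreachable server or a
single failure denies the session. It also models the four sources of the
secondary username (prompt, primary username, mapped certificate field,
entire certificate DN).
"""
from typing import Callable, Dict, Optional, Tuple

# Constructed credential stores standing in for the primary server
# (an LDAP/AD realm in the page's example) and the secondary server
# (a RADIUS server, e.g. serving one-time passwords).
PRIMARY_USERS: Dict[str, str] = {"alice": "Primary-Pw-1"}
SECONDARY_USERS: Dict[str, str] = {"alice": "otp-314159", "a.liu": "otp-271828"}


class ServerUnreachable(Exception):
    """Raised when an authentication server cannot be contacted."""


Authenticator = Callable[[str, str], bool]


def make_server(store: Dict[str, str], reachable: bool = True) -> Authenticator:
    """Build a toy authenticator over a credential store (hypothetical helper)."""
    def authenticate(username: str, password: str) -> bool:
        if not reachable:
            raise ServerUnreachable("authentication server not reachable")
        return store.get(username) == password
    return authenticate


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple certificate subject DN such as
    'CN=a.liu,OU=eng,O=Example Corp' into an attribute -> value map.
    The first occurrence of a repeated attribute type wins."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields.setdefault(key.upper(), value.strip())
    return fields


def secondary_username(mode: str, primary_user: str, cert_dn: Optional[str] = None,
                       field: str = "CN", prompted: Optional[str] = None) -> Optional[str]:
    """Choose the secondary username according to the configured option."""
    if mode == "prompt":                # Prompt: the user types the second username
        return prompted
    if mode == "use_primary":           # Use primary authentication username
        return primary_user
    if mode == "map_field":             # Map specific field (default CN)
        if cert_dn is None:
            return None
        return parse_dn(cert_dn).get(field.upper())
    if mode == "entire_dn":             # Use entire DN as username
        return cert_dn
    raise ValueError(f"unknown secondary username mode: {mode}")


def vpn_authenticate(primary: Authenticator, secondary: Authenticator,
                     primary_user: str, primary_pw: str, secondary_pw: str,
                     mode: str = "use_primary", cert_dn: Optional[str] = None,
                     field: str = "CN", prompted: Optional[str] = None) -> Tuple[bool, str]:
    """Return (granted, reason). Fails closed: any authentication failure or
    an unreachable server denies the VPN session."""
    try:
        if not primary(primary_user, primary_pw):
            return False, "primary authentication failed"
        user2 = secondary_username(mode, primary_user, cert_dn, field, prompted)
        if not user2:
            return False, "no secondary username available"
        if not secondary(user2, secondary_pw):
            return False, f"secondary authentication failed for {user2!r}"
    except ServerUnreachable as exc:
        return False, str(exc)
    return True, "primary and secondary authentication succeeded"


if __name__ == "__main__":
    ldap = make_server(PRIMARY_USERS)
    radius = make_server(SECONDARY_USERS)
    # Same username on both servers, two passwords.
    print(vpn_authenticate(ldap, radius, "alice", "Primary-Pw-1", "otp-314159"))
    # Secondary username mapped from the certificate CN.
    print(vpn_authenticate(ldap, radius, "alice", "Primary-Pw-1", "otp-271828",
                           mode="map_field", cert_dn="CN=a.liu,OU=eng,O=Example Corp"))
    # Secondary server down: the session is denied, not silently downgraded.
    print(vpn_authenticate(ldap, make_server(SECONDARY_USERS, reachable=False),
                           "alice", "Primary-Pw-1", "otp-314159"))
```

The point worth checking in any real deployment is the third case: an outage of either AAA server must deny logins rather than fall back to single-factor authentication, which is the behaviour the page states and the model enforces with the shared `except` branch.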

For more information, see Configure AAA Settings for Remote Access VPN.