ASA web URL (anyconnect client download) with RSA?

Started by LynK, August 03, 2015, 10:32:18 AM


LynK

Looking for you security gurus out there to lend me a hand.


I am setting up anyconnect SSL/IPsec for our corporate network (finally going off of easyvpn). My question is, when you https publicly to your ASA's anyconnect client download server, is there any way to include an RSA field in addition to the username/password?

Any documentation I have found on this is only on the client end, not on the download page end.

Thanks,
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

As far as I've messed with it, no. Maybe have that page behind an HTTPS server page built specially to include that info?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

Quote from: deanwebb on August 04, 2015, 07:54:34 AM
As far as I've messed with it, no. Maybe have that page behind an HTTPS server page built specially to include that info?


So dean, how are you guys deploying your anyconnect clients? Manually? Or are you using just AD credentials on the webpage? Are you using AD username & RSA passcode for the password?

I am curious.

routerdork

We use AD with RADIUS. This covers our AnyConnect and WLAN clients in most places.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

LynK

Quote from: routerdork on August 04, 2015, 10:23:22 AM
We use AD with RADIUS. This covers our AnyConnect and WLAN clients in most places.


Router, I am not talking about the clients; I am talking about the web SSL service where users connect to the ASA to download the packages. Do you only use AD on the login page? Seems like I am the only one concerned about brute-force login.

routerdork

Quote from: LynK on August 04, 2015, 10:52:53 AM
Router, I am not talking about the clients; I am talking about the web SSL service where users connect to the ASA to download the packages. Do you only use AD on the login page? Seems like I am the only one concerned about brute-force login.
Yes AD is on there as well.

LynK

Quote from: routerdork on August 04, 2015, 11:29:31 AM
Yes AD is on there as well.


So only AD. So if someone wants to brute-force Tom Smith's AD he could easily attempt it. Download the client with the pre-created XML. Connect and use the same AD credentials for login.


routerdork

Quote from: LynK on August 04, 2015, 12:52:33 PM
So only AD. So if someone wants to brute-force Tom Smith's AD he could easily attempt it. Download the client with the pre-created XML. Connect and use the same AD credentials for login.
Technically yes, but someone would need more than an employee name. We don't use normal AD accounts, we aren't that crazy. No one has an AD account with their name or any other name. Everyone has a special letter/number combo assigned by HR, so unless you get some inside info it's gonna be a while to get through it.

LynK

Quote from: routerdork on August 04, 2015, 01:28:30 PM
Technically yes, but someone would need more than an employee name. We don't use normal AD accounts, we aren't that crazy. No one has an AD account with their name or any other name. Everyone has a special letter/number combo assigned by HR, so unless you get some inside info it's gonna be a while to get through it.

We do the same at our org. The goal isn't for it to "take a while". The goal is to mitigate the potential entirely.

LynK

Great news.

Finally was able to get both fields on the web portal and the client. We were also able to customize the strings associated with the login process. On the portal we were able to change the string orders to:

AD username
AD password
RSA passcode


However, we are still trying to figure this out for the VPN clients... they still show

AD username
RSA passcode
AD password
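For readers wanting to see what produces the extra passcode field described above, here is an added illustration of ASA "double authentication" (not LynK's configuration): the tunnel group is given a primary AAA server group for AD and a secondary one for RSA, so the portal and AnyConnect prompt for a second password that is checked against the RSA server. Server group names, addresses, the shared key and the tunnel-group name are assumptions.

```cisco
! AD credentials are verified via RADIUS (e.g. NPS). Assumed names/addresses.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.0.0.10
 key PLACEHOLDER-SHARED-SECRET

! RSA passcodes are verified via RADIUS against the RSA Authentication Manager.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.0.0.20
 key PLACEHOLDER-SHARED-SECRET

tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 ! Primary factor: AD username + AD password.
 authentication-server-group AD-RADIUS
 ! Secondary factor: RSA passcode. use-primary-username re-uses the AD
 ! username, so the user only sees one extra field (the passcode), not a
 ! second username prompt. A guessed AD password alone no longer logs in.
 secondary-authentication-server-group RSA-RADIUS use-primary-username
tunnel-group CORP-VPN webvpn-attributes
 group-alias CORP enable

! Both the clientless portal (client download page) and AnyConnect use
! this tunnel group, so both get the second credential prompt.
webvpn
 enable outside
 anyconnect enable
```

The portal field labels and their order are changed through a portal customization object, which is what the post above refers to; the AnyConnect client prompt order is not customizable, as the enhancement request linked later in the thread notes.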

LynK

Final result.

You can customize the SSL Portal (for clientless VPN // client download).

You can customize the login form for the portal; however, you cannot customize the client side. Here is the enhancement request:

https://tools.cisco.com/bugsearch/bug/CSCum33580/?reffering_site=dumpcr

icecream-guy

Quote from: LynK on August 14, 2015, 08:16:26 AM
Final result.

You can customize the SSL Portal (for clientless VPN // client download).

You can customize the login form for the portal; however, you cannot customize the client side. Here is the enhancement request:

https://tools.cisco.com/bugsearch/bug/CSCum33580/?reffering_site=dumpcr

nice, emailed my VPN admin to open a TAC case for this

My Moral Fibers have been cut.