PingID Administration Guide

Configuring Cisco ASA VPN for PingID MFA

Configure Cisco ASA VPN to work with PingID multi-factor authentication (MFA).

Before you begin

Configure the necessary settings in PingOne and PingFederate.

About this task

Configuring Cisco ASA for MFA involves the following steps:

  • Adding an AAA server group

  • Adding a RADIUS PCV server configuration

  • One or both of the following steps:

    • Configuring a clientless SSL VPN

    • Configuring the network client profile

The following video describes the configuration process for your Cisco ASA VPN.

Steps

  1. In the Cisco ASDM client, create an AAA Server Group to manage the security required for the RADIUS PCV Server configuration.

    1. In the Cisco ASDM client, click Configuration, and then click Remote Access VPN.

      A screen capture of the Configuration tab in the Cisco ASDM client.

    2. In the Remote Access VPN navigation tree, go to AAA/Local Users → AAA Server Groups.

      A screen capture of the Remote Access VPN navigation tree in the Cisco ASDM client. The AAA/Local Users and AAA Server Groups sections are highlighted.

    3. In the AAA Server Groups pane, click Add.

      A screen capture of the AAA Server Groups pane in the Cisco ASDM client. A red rectangle highlights the Add button near the top right corner.

      Result:

      The Add AAA Server Group dialog box opens.

      A screen capture of the Add AAA Server Group dialog box in the Cisco ASDM client.

    4. Enter values for the following parameters:

      • AAA Server Group: Enter the new server group name.

      • Protocol: Select the RADIUS protocol.

      • Accept the default values for all other fields, as shown in the AAA Server Group dialog box.

    5. Click OK.

  2. Add a new RADIUS PCV server configuration to the server group that you just created.

    1. In the AAA Server Groups pane, from the Server Group list, double-click the server group that you created in the previous step.

      A screen capture of the AAA Server Groups pane in the Cisco ASDM client.

    2. In the Servers in the Selected Group pane, click Add.

      A screen capture of the Servers in the Selected Group pane in the Cisco ASDM client. The Add button is circled.

      Result:

      The Add AAA Server dialog box opens.

      A screen capture of the Add AAA Server dialog box in the Cisco ASDM client.

    3. Enter values for the following parameters:

      • Server Name or IP Address: Enter the IP address or server name of the PingFederate server that contains the RADIUS PCV server.

      • Timeout: Change the timeout value to 60 seconds.

        This allows sufficient time for MFA to receive the necessary authentication approval.

      • Server Authentication Port: Enter the port number configured in the RADIUS Server PCV. The default value is 1812.

      • Server Accounting Port: Enter the port number configured in the RADIUS Server PCV.

        The Server Accounting Port number should be the next consecutive port following the port number configured for the Server Authentication Port. The default Server Accounting Port value is 1813.

      • Server Secret Key: Enter the shared secret configured in the RADIUS Server PCV.

    4. Click OK.

  3. Configure a Clientless SSL VPN.

    If you do not plan on using a clientless SSL VPN, you can skip to the next section, which provides instructions on configuring the network client profile.

    This includes the following steps:

    • Configuring the connection profile by configuring the connection profile name, linking the AAA Server group to the Clientless SSL VPN profile, and selecting the related security policy.

    • Configuring the connection alias.

    • Configuring the group URL by defining the URL link that you provide to the user. The user enters the URL to sign on to the system through a browser.

      1. In the Remote Access VPN navigation tree, go to Clientless SSL VPN Access → Connection Profiles.

        A screen capture of the Remote Access VPN navigation tree in the Cisco ASDM client.

      2. In the Connection Profiles section, click Add.

        A screen capture of the Connection Profiles section in the Cisco ASDM client. The Add button is circled.

        Result:

        The Add Clientless SSL VPN Connection Profile dialog box opens.

        A screen capture of the Add Clientless SSL VPN Connection Profile dialog box in the Cisco ASDM client.

      3. Enter values for the following parameters:

        • Name: Enter the relevant server name.

        • Authentication Method: Select AAA.

        • AAA Server Group: Select the server group that you created in step 1.

      4. In the left pane, go to Advanced → Clientless SSL VPN. If the following message appears, click Yes.

      5. In the Connection Aliases section, click Add.

        A screen capture of the Add Connection Alias dialog box in the Cisco ASDM client.

      6. In the Add Connection Alias dialog box, enter a name in the Alias field.

      7. Select the Enabled check box. Click OK.

      8. In the Group URLs area, click Add.

      9. In the Add Group URL dialog box, enter the server URL in the URL field.

        The group URL is the address you provide to the user to sign on to the Cisco VPN, and must have the format https://<Cisco host name or IP address>/<Alias name>.

      10. Select the Enabled check box, and then click OK.

        Result:

        The URL is added to the Group URLs list.

        A screen capture of the Add Clientless SSL VPN Connection Profile window in the Cisco ASDM client, showing a URL in the Group URLs list.

      11. Click OK.
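The same configuration expressed as Cisco ASA CLI, as an added example for readers who manage the ASA from the console rather than ASDM; it is not part of the original guide and not PingIdentity's own configuration. Group names, the interface name (inside), the PingFederate address 192.0.2.10, the alias pingid and the host name vpn.example.com are constructed placeholders; the shared secret must be the one configured in the RADIUS PCV. The block covers steps 1 to 3 above (the AAA server group, the RADIUS PCV host with its 60-second timeout and ports 1812/1813, and the clientless SSL VPN connection profile with its alias and group URL).

```cisco
! Step 1: AAA server group using the RADIUS protocol
! (equivalent of the Add AAA Server Group dialog box; name is a placeholder)
aaa-server PINGID-RADIUS protocol radius

! Step 2: the PingFederate host that runs the RADIUS PCV, inside that group
! (192.0.2.10 and the interface name "inside" are constructed placeholders)
aaa-server PINGID-RADIUS (inside) host 192.0.2.10
 key <shared-secret-from-RADIUS-PCV>
 authentication-port 1812
 accounting-port 1813
 timeout 60

! Step 3: clientless SSL VPN connection profile (ASA calls it a tunnel-group)
! bound to the RADIUS group, with the connection alias and the group URL
tunnel-group PINGID-CLIENTLESS type remote-access
tunnel-group PINGID-CLIENTLESS general-attributes
 authentication-server-group PINGID-RADIUS
tunnel-group PINGID-CLIENTLESS webvpn-attributes
 group-alias pingid enable
 group-url https://vpn.example.com/pingid enable
```

The `timeout 60` line is the 60-second RADIUS timeout from step 2: with the ASA default of 10 seconds, a user who takes longer than that to approve the push notification is treated as a failed authentication. After applying the configuration, `test aaa-server authentication PINGID-RADIUS host 192.0.2.10 username <test-user> password <password>` from the ASA CLI exercises the RADIUS path end to end, which distinguishes a shared-secret mismatch (the PCV rejects or ignores the request) from a network or timeout problem before any user is pointed at the group URL.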

  4. Configure the Network Client Profile to provide enough time for MFA to receive authentication approval.

    If you carried out the steps in the previous section to configure a clientless SSL VPN, and do not plan on using a network client, you can skip the steps in this section.

    1. In the Remote Access VPN navigation tree, go to Network (Client) Access → AnyConnect Client Profile.

    2. In the AnyConnect Client Profile pane, double-click the existing VPN profile.

      A screen capture of the AnyConnect Client Profile pane in the Cisco ASDM client.

    3. In the Profile Tree, select Preferences (Part 2).

      A screen capture of the Preferences (Part 2) window in the Cisco ASDM client.

      Result:

      The AnyConnect Profile Editor – PingID dialog box opens.

    4. Set the Authentication Timeout (seconds) field to 60. Click OK.

      This allows sufficient time for MFA to receive the necessary authentication approval when working with the IPsec client.

    5. In the AnyConnect Client Profile pane, click Apply.

      Result:

      The changes are applied and your configuration is complete.