Many of the students that attend the Cisco MARS classes I teach must comply with an increasing number of regulations for security practices. Not least among these is the set of requirements known as the Payment Card Industry Digital Security Standard (PCI DSS). One such requirement in the newer version of this standard is referenced below, namely that a user be required to enter two sets of login credentials at a login page. This article will cover the new double authentication option for VPN tunnel traffic introduced in ASA OS 8.2.
For the ASA, the second set of authentication credentials is specified under the Advanced menu for an ASDM VPN Connection Profile as shown below:
As can be seen above, a large number of options are displayed. The first field is mandatory: it requires either a pre-defined server group or one created using the Manage button. For the ASA, the choices are RADIUS, TACACS+, NT Domain, SDI (now RSA SecurID®), Kerberos, LDAP, and HTTP Form. The last of these is actually an XMLHTTPRequest and will be covered in a separate blog article.
As is typical for more basic AAA implementations, the option to fall back to the LOCAL database if the Server Group cannot be contacted is still present. Below that is the option to use only one username, the primary one. Even though the choice is given to use a Secondary Server for the attributes, the documentation for this feature states that if an authorization server is configured for this connection profile, the secondary server will be ignored.
In the middle window pane an interface-specific Secondary Server Group can be specified. With this implementation, an organization could restrict the double authentication requirement to only certain subnets or corporate branches. Below this we see two checkboxes and three radio buttons, all having to do with digital certificates. Note that the first radio button is selected by default, and the fields shown are the ones that typically correspond to the user and group fields in the certificate.
While the radio button immediately below this gives the option to use the entire DN (Distinguished Name) as the username (a long multi-field string), the third radio button gives the option of using a script. If the Add button is selected, the following window pops up:
There are essentially two options shown here:
- choose a value for the username from the drop-down menu (some of the values are shown here) and apply appropriate filters, if desired
- use a custom script written in the Lua scripting language.
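For readers who maintain the ASA from the CLI rather than ASDM, here is the configuration equivalent of the Connection Profile settings walked through above. This is an added example, not configuration from the article; the tunnel-group name (RA-DOUBLE-AUTH), server group names (RADIUS-PRI, LDAP-SEC, LDAP-BRANCH) and interface name (branch) are placeholders that must already exist on your ASA.

```text
! Added example (not from the article). Assumes aaa-server groups RADIUS-PRI,
! LDAP-SEC and LDAP-BRANCH and an interface named "branch" are already defined.
tunnel-group RA-DOUBLE-AUTH type remote-access
tunnel-group RA-DOUBLE-AUTH general-attributes
 ! Primary credentials; LOCAL is the fallback if RADIUS-PRI is unreachable
 authentication-server-group RADIUS-PRI LOCAL
 ! Second set of credentials (the PCI DSS double-login requirement).
 ! Append use-primary-username to prompt for only a second password.
 secondary-authentication-server-group LDAP-SEC
 ! Interface-specific override: sessions arriving on "branch" are
 ! checked against a different secondary group (scoping the requirement
 ! to one site, as described above)
 secondary-authentication-server-group (branch) LDAP-BRANCH
 ! Certificate-derived usernames: CN as the user field, OU as the group field
 username-from-certificate CN OU
 secondary-username-from-certificate use-entire-name
 ! Caveat from the article: if authorization-server-group is also set on this
 ! profile, attributes returned by the secondary server are ignored.
```

Confirm the result with `show running-config tunnel-group RA-DOUBLE-AUTH`; a missing `secondary-authentication-server-group` line means users will only ever be prompted once.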