erikdelbene (2018-08-17):

I’ve been asked to set up two-factor VPN authentication for my company and I’m a little lost on what the best way to accomplish this would be.

If possible, my plan is to have users who have a company smartphone use the Google Authentication app as their second factor, and to purchase something like a YubiKey for those users who don’t have a phone. I’ve been reading about how to accomplish this over the past few days but I’m getting stuck and would like your opinions on what the best way to accomplish this would be.

Our current AnyConnect VPN configuration authenticates users with their Active Directory passwords through Windows NPS. Our ASA points to our domain controller as a RADIUS server and we have NPS configured so that users who are in a certain AD group have VPN access.

Now, I’m wondering how to add the second authentication method. I know services like Duo and RSA SecurID exist, but those would get quite expensive for the number of VPN users that we have, so ideally we’d like to use a solution that is free if one exists.

I’ve seen some articles online that suggest that Google Authenticator might be doable through FreeRADIUS on Linux using PAM, but the issue for me there is that I’m a Windows admin and have been struggling with trying to understand all of the configuration steps required to get that working. I’ve set up a couple of test servers but haven’t been able to get the authentication working correctly. In addition to that, I’m not sure if this method would work for a hardware key for the non-Authenticator users.

Has anyone here had any experience setting up two-factor authentication like this? If so, I’d appreciate it if you could share your knowledge with me here.

Thanks!
johndod (2018-08-17):

Yubikeys are not cheap. We went with Duo (they do have a mobile authenticator app) and Yubikey and I have to say that Duo is really fitting our needs.
erikdelbene (2018-08-17):

They’re not the cheapest things in the world, no, but the number of users that I would have on a YubiKey would be significantly less than the number of VPN users overall since the majority of VPN users also have a phone, hence the desire to not need to pay for something like Duo for every user.

matthart5 (2018-08-17):

We also just set up Duo with AnyConnect, and it is a great solution!

We are also evaluating YubiKeys, but for an app like AnyConnect, you really need a third party doing the MFA.

Bonus with Duo: once a user is licensed, you can secure pretty much anything for the same price. Office365, VPN, web apps, etc. And the setup is fast and easy, they have guides online, and our account rep was able to help us set up and troubleshoot the AnyConnect setup quickly.

adamsneed (2018-08-17):

A less expensive solution would be a certificate authority on site, issuing them for your users.

mariomarquez (2018-08-18):

My company uses Symantec VIP.

When remote users log in (with Symantec PIN and password, not AD password) the ASA forwards the request to our ACS machine (TACACS) and the ACS machine forwards the request to a local Symantec server (program running on a Windows VM) which calls Symantec in the cloud. AD does come into play on the local Symantec server so that just company users are able to authenticate.

Somehow I imagine you will need your NPS server to communicate with Google Authenticator. I’m not a server guy, so I guess a good question would be: can the NPS server forward auth requests from an AD user to Google Authenticator? Can Google Authenticator respond back to the NPS server to approve the second factor?

Since you’re having problems working with Linux, you may be better off seeing if a free TACACS+ server that can be installed on Windows can sync with AD and call on Google Authenticator. You would have to change your ASA from RADIUS to TACACS+.