Introduction

Use this guide to enable 2-Factor Authentication and Single Sign-on (SSO) access via HTTP Form to Cisco ASA.

This integration is available for Clientless Cisco ASA only

Prerequisites

1. Have a Clientless SSL VPN deployment on Cisco ASA

2. Configure the OATH Provisioning Realm in the SecureAuth IdP Web Admin

3. Create a New Realm for the Cisco ASA integration

4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access this page (if any) must be defined
SecureAuth IdP Configuration Steps
Data


1. In the Profile Fields section, map the OATH Seed Property to a directory Field, e.g. postalAddress, and check Writable

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


2. In the Post Authentication section, select Post to ASA from the Authenticated User Redirect dropdown

3. The Redirect To field is auto-populated with a fixed, non-editable path (Authorized/PostToASA.aspx) that is appended to the domain name and realm number shown in the address bar

URL Redirect


4. Set the URL to the URL of the ASA Login page, e.g. https://asa.company.com/+webvpn+/index.html

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Cisco ASA Configuration Steps
AAA Server Group


1. Log into the Cisco ASA admin console, and from the Configuration menu, open AAA / Local Users under Remote Access VPN, and select AAA Server Groups

2. Provide a friendly AAA Server Group name

3. Select HTTP Form from the Protocol dropdown

4. Click OK

New AAA Server


5. Add a new AAA Server for the newly created AAA Server Group

6. Select the interface that communicates with the SecureAuth IdP server from the Interface Name dropdown

7. Set the Server Name or IP Address to the IP Address of the SecureAuth IdP server

8. Set the Timeout to 60 seconds (recommended)

9. Select https from the Start URL dropdown, and set it to the IP Address of the SecureAuth IdP server, followed by a forward slash (/), e.g. 10.10.1.1/

10. Set the Action URI to the IP Address or Fully Qualified Domain Name (FQDN) of the SecureAuth IdP server, followed by the OATH Provisioning Realm and /oath.ashx, e.g. https://secureauth.company.com/secureauth998/oath.ashx

11. Set the Username to username

12. Set the Password to otp (case-sensitive)

13. Set the Authentication Cookie Name to authcookie

14. Click OK
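Steps 9 through 13 define the only exchange the ASA has with the IdP for HTTP Form authentication: a form POST of the fields username and otp to the Action URI, judged successful solely by whether the reply sets a cookie named authcookie. The following script, added here as an example and not SecureAuth or Cisco code, replays that exchange against a local stand-in for the OATH realm's oath.ashx so the field names, cookie name and timeout can be checked before the ASA is pointed at the IdP. The stand-in's behaviour is an assumption: it validates a TOTP (RFC 6238, 30-second step, one window of skew) against a per-user seed that plays the role of the value the IdP stores in the directory field mapped on the Data page; the realm number 998, the user jsmith, the seed and the response bodies are all constructed for the example, and the page does not document what the real endpoint returns on failure.

```python
"""Replay the Cisco ASA HTTP Form exchange against a stand-in for <realm>/oath.ashx.

Added example, not SecureAuth or Cisco code. The client side mirrors ASA steps
9-13 (POST 'username' and 'otp', succeed only if 'authcookie' is set). The server
side is an assumed stand-in: TOTP validation against a constructed seed.
"""
import base64
import hashlib
import hmac
import struct
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed stand-in for the directory: username -> base32 OATH seed
# (the attribute the Data page maps to "OATH Seed", e.g. postalAddress).
DIRECTORY = {"jsmith": "JBSWY3DPEHPK3PXP"}


def totp(seed_b32, counter=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the seed; counter defaults to the current window."""
    if counter is None:
        counter = int(time.time()) // step
    key = base64.b32decode(seed_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class MockOathHandler(BaseHTTPRequestHandler):
    """Assumed stand-in for oath.ashx: sets 'authcookie' only when the OTP is valid."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]  # field names are case-sensitive (ASA steps 11-12)
        otp = form.get("otp", [""])[0]
        seed = DIRECTORY.get(user)
        now = int(time.time()) // 30
        ok = seed is not None and any(
            hmac.compare_digest(otp.encode(), totp(seed, now + skew).encode())
            for skew in (-1, 0, 1))
        self.send_response(200)
        if ok:
            # The cookie name must match ASA step 13 exactly.
            self.send_header("Set-Cookie", "authcookie=valid; Path=/; Secure; HttpOnly")
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK" if ok else b"FAIL")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_idp():
    """Serve the stand-in on a random localhost port; returns (server, action_uri)."""
    server = HTTPServer(("127.0.0.1", 0), MockOathHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Realm number 998 is the example value from ASA step 10.
    return server, f"http://127.0.0.1:{server.server_port}/secureauth998/oath.ashx"


def asa_http_form_auth(action_uri, username, otp, cookie_name="authcookie", timeout=60):
    """What the ASA does for HTTP Form: POST the two fields; success iff cookie_name is set."""
    body = urlencode({"username": username, "otp": otp}).encode()
    req = Request(action_uri, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=timeout) as resp:  # 60 s matches the ASA step 8 recommendation
        for cookie in resp.headers.get_all("Set-Cookie") or []:
            if cookie.split("=", 1)[0].strip() == cookie_name:
                return True
    return False


if __name__ == "__main__":
    server, uri = start_mock_idp()
    try:
        print("valid OTP :", asa_http_form_auth(uri, "jsmith", totp(DIRECTORY["jsmith"])))
        print("wrong user:", asa_http_form_auth(uri, "nobody", totp(DIRECTORY["jsmith"])))
    finally:
        server.shutdown()
```

To probe a real realm, pass the Action URI from step 10 (https://secureauth.company.com/secureauth998/oath.ashx) to asa_http_form_auth with a live username and OTP; the client only needs the Set-Cookie header of the reply, which is exactly what the ASA evaluates.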

ASA Connection Profile


15. To assign the newly created AAA Server Group to the ASA Connection Profile to be used, select the name provided in step 2 from the AAA Server Group dropdown

HTML File

16. Create an HTML file that performs a <META http-equiv="refresh"> redirect to the Cisco-integrated SecureAuth IdP realm (SecureAuth IdP Configuration Steps above)

Sample Custom .inc Page
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<!-- Redirect to the Cisco-integrated SecureAuth IdP realm after 1 second -->
<META http-equiv="refresh" content="1;URL=https://secureauth.company.com/secureauth1">
<title>New Page 3</title>
<base target="_self">
</head>
<body onload="csco_ShowLoginForm('lform');csco_ShowLanguageSelector('selector')">
<p align="center">
<i><b><font color="#FF0000" size="7" face="Sylfaen"> .</font></b></i></p>
</body>
</html>

Replace https://secureauth.company.com/secureauth1 with the actual FQDN of the SecureAuth IdP appliance and the name of the realm created for the Cisco ASA integration (Prerequisites, step 3)

17. Save the file locally with a .inc extension, e.g. Test.inc

Import HTML File


18. To import the file to Cisco ASA, from the admin console, go to Configuration --> Remote Access VPN --> Clientless SSL VPN Access --> Portal --> Web Contents --> Import

19. Click Browse Local Files and select the .inc file (Test.inc)

20. Select No for Require authentication to access its content?, since this page is served to users before they have authenticated

21. Click Import Now

Customization Object


22. From the admin console, go to Configuration --> Remote Access VPN --> Clientless SSL VPN --> Portal --> Customization --> Add

23. In the General section, provide a Customization Object Name, e.g. Test

Logon Page


24. In the Logon Page section, select Replace pre-defined logon page with custom page (full customization)

25. Click Manage, and select the imported web content, i.e. Test.inc

26. Click OK (twice)

Clientless SSL VPN Connection Profile


27. Open the Connection Profile used in step 15, and select Clientless SSL VPN under Advanced

28. Select the Customization Object created in steps 22-26 (Test) from the Login and Logout Page Customization dropdown

29. Enable Alias and / or Group URL options as preferred

30. Click OK