Solved

Google Authenticator instead of RSA tokens for VPN access?

Posted on 2016-11-04
Last Modified: 2016-11-17
I've been asked by management to look into this and see if it is possible.
I've never used Google Authenticator myself but was aware you could use it for secure access to google apps and some other third party sites.

I wasn't aware it could be used instead of VPN to access an enterprise network.
Management got this idea because they are using Google Authenticator for secure access to a third party site for a business service they use.

Their question is if we could use it to authenticate for remote access to our network. This would give them the same access they have now, i.e. to all PCs and servers in the network they need for their work.

I came across this article while looking into this: https://www.wikidsystems.com/blog/5-issues-enterprises-should-consider-before-using-google-authenticator-for-ssh/

#5 is listed as a serious concern. We have many, many servers so I imagine this would be a concern for us as well if true.

Our VPN access is currently managed by a Cisco ASA 5510.

Is it feasible to implement this on an enterprise network? Where can I find documentation on getting this configured?
Question by:SeeDk

Author Comment

by:SeeDk
So after some more research online, I've found that it's technically possible using a combination of FreeRADIUS + Cisco ASA.
I would configure FreeRADIUS to use Google Authenticator and then configure the ASA to use the FreeRADIUS server.

http://networkengineering.stackexchange.com/questions/3198/two-factor-authentication-for-sslvpn-cisco

http://www.supertechguy.com/help/security/freeradius-google-auth

However, this seems to me like a lot of information is left out.
The installation of the FreeRADIUS server...it looks too easy.
So, I just follow these steps...and automatically the server can authenticate requests into the enterprise network?

Maybe I am just not understanding (probably...) how the RADIUS server works.
So I will RTFM: http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf to get a better idea.

In the meantime, I was wondering if someone could confirm this is how it basically works:

1. The FreeRADIUS server is already on the internal network.
2. By logging into the FreeRADIUS server, you are as a result logged into the internal network.
3. Thus, you can access any internal network resources using your network credentials (in our case, mostly Windows with a few Linux).
4. The ASA will be accessible via the internet and, if configured to use the FreeRADIUS server for authentication, will allow steps 1 - 3 to be done remotely.

One more question for now, since our ASA is currently already configured to be using RSA token authentication with our RSA server:

Would I be able to enable the FreeRADIUS authentication as a secondary authentication 'profile' on the ASA while leaving the current one using RSA untouched?
So that I can test the FreeRADIUS+GoogleAuth access without impacting the RSA token access?

Edit: Forgot to mention we are using Cisco AnyConnect as the VPN client. Would I be able to add the GoogleAuth as a secondary profile on the ASA for AnyConnect while leaving the RSA setup untouched?
LVL 36

Expert Comment

by:ArneLovius
Different groups can use different authentication methods.
ACLs to restrict traffic can be applied to each group.

Author Comment

by:SeeDk
Hi ArneLovius,

Thanks for the reply, I've kept looking into this and can see better how it can be done.
Now I understand how RADIUS works: it is only used to process authentication, and the ASA would handle the access after receiving confirmation from the RADIUS server.

So, I saw what you mentioned about different groups here as well: https://supportforums.cisco.com/discussion/10849371/two-radius-server-1-cisco-router

My understanding from this is that I can create a different group but, as you said, they must use different authentication methods.

Ideally, I would have liked to create another 'remote access' group in addition to the current one set with RSA authentication.
Then, I could test the Google Auth 'remote access' group without impacting the RSA 'remote access' group.

But it looks like this is not possible?
I can only set up one 'remote access' group and then other groups must use different protocols (like Telnet)?
LVL 57

Expert Comment

by:Pete Long
I've spent all day getting Google Authenticator to work with FreeRADIUS - most of the online posts are well out of date.
I don't see why you couldn't have both this and RSA - obviously you will require two different tunnel groups and authentication methods. I'll be posting how to get Google Authenticator to work with FreeRADIUS and AnyConnect over the next few days, once I get it written up.

P

Author Comment

by:SeeDk
Thanks Pete, I was able to get some helpful information on the Cisco forums which is saying this is possible.
I will try to make it work myself as well.
Have there been many changes since those articles were written?

Author Comment

by:SeeDk
Also, how secure is this compared to RSA tokens? Is it a comparable level of security or would this be less secure?
LVL 57

Accepted Solution

by:Pete Long (earned 250 total points)
Hi, I don't know what's going on with the commenting on this website at the moment?

Anyway - here are my findings, (hot off the presses) hopefully they will save you some stress!

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication


Regards,

Pete
LVL 36

Assisted Solution

by:ArneLovius (earned 250 total points)
Google Authenticator is not as secure as an RSA/Duo/Yubikey. This is because you can also run the Google Authenticator on a desktop computer, which could be the computer with the AnyConnect client.

It is however more secure than just a username and password.

Author Comment

by:SeeDk
@Pete

Thanks for the handy guide. Went through setting up the FreeRADIUS server. Will move on to test on the ASA soon. Just one thing missing from your guide: you only mention downloading the Google Authenticator package from https://github.com/google/google-authenticator but the PAM module is in a different location, https://github.com/google/google-authenticator-libpam.
Both of these need to be downloaded, right?

@Arne
Doesn't RSA also have a desktop client?
https://www.rsa.com/en-us/products-services/identity-access-management/securid/software-tokens/software-token-for-microsoft-windows

In that respect, security seems to be similar.
However, there is one other aspect I can think of that is less secure and might stop me from adopting it here...assigning the authenticator.

With RSA, I can assign a token and configure it so the user can create their own unique PIN...without any user interaction.

With Google Authenticator, the user needs to log into the server, set their password (PIN equivalent), and then run the 'google-authenticator' command to get their QR code for remote access.
Giving all users access to a critical server doesn't sound secure.
The alternative, having the admin set up the users' passwords, isn't a good alternative either. Even like this, though, the user would still be able to easily access the server if they are tech-savvy.

Is there a way to roll this out that doesn't involve giving the users server access?
LVL 36

Assisted Solution

by:ArneLovius (earned 250 total points)
With RSA, I've always controlled enrolment of tokens and not allowed "soft tokens"; with Google Authenticator, the user self-enrols.

The Google Authenticator code has to be generated per user, either by an admin and provided to them "securely", or by the user. At the moment the only way of generating the code is via a SSH session, if you do not want to provide each user with SSH access to the Linux server (which I can completely understand), then you have two options, generate the code manually for each of them, or write (or have written) a web front end for the application that generates the code.
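To make concrete what the per-user "code" in the two comments above actually is, here is an added Python example (not code from the thread, from the google-authenticator-libpam project or from privacyIDEA). It reproduces the two halves that any enrolment front end and any verifier (the PAM module behind FreeRADIUS, or a web self-enrolment page) must implement: generating a random base32 secret together with the otpauth:// URI that the QR code encodes, and checking a six-digit TOTP code per RFC 6238 with a small clock-skew window and a block on re-using a code that was already accepted. The RFC 6238 test secret, the issuer name and the account name are constructed sample values; the real PAM module's secret file format and option names are not reproduced here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890"),
# base32-encoded the way authenticator apps expect it.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 10) -> str:
    """Random 80-bit secret, base32-encoded (the size the google-authenticator
    command hands out). Generated on the enrolment side, once per user."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI that an enrolment page renders as the QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check for one user. 'window' is how many 30-second steps of
    clock skew are tolerated on each side; a time step that already produced an
    accepted code is never accepted again, so a sniffed code cannot be replayed."""

    def __init__(self, secret: str, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter_used = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for skew in range(-self.window, self.window + 1):
            candidate = counter + skew
            if candidate <= self.last_counter_used:
                continue  # this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter_used = candidate
                return True
        return False


def enrol_user(account: str, issuer: str) -> tuple:
    """What a self-enrolment front end would do instead of an SSH session:
    mint the secret, return the URI for the QR code and keep the secret server-side."""
    secret = generate_secret()
    return secret, provisioning_uri(secret, account, issuer)


if __name__ == "__main__":
    secret, uri = enrol_user("alice@example.com", "Example VPN")  # constructed names
    print("QR payload:", uri)
    print("code now   :", totp(secret, int(__import__("time").time())))
```

The `TotpVerifier` state is the part that matters for the security comparison in the thread: if the verifier does not remember the last accepted time step, a code observed over the shoulder is valid for the whole window, so an enrolment front end that only mints secrets still needs the verifier behind it to keep per-user state.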

Author Comment

by:SeeDk
Thanks Arne, that essentially solves this question. I would not want users having SSH access to the server.
A web app, while possible, may be more trouble than it's worth.
LVL 36

Expert Comment

by:ArneLovius
And somebody has written a web front end for AD-authenticated user self-enrolment of Google Authenticator to use with FreeRADIUS:

https://www.privacyidea.org/

It's not "perfect", but it's a lot easier than getting users to SSH to a Linux box and run a command...

Expert Comment

by:Cornelius Kölbel
I would like to add some more information on privacyIDEA, which was mentioned by @ArneLovius (as I am the core developer of privacyIDEA).
The idea here is not to be a web front end but a full-featured authentication server with a mighty policy framework and even an event handler framework.

http://privacyidea.readthedocs.io/en/latest/policies/index.html
http://privacyidea.readthedocs.io/en/latest/eventhandler/index.html

You can connect your servers to privacyIDEA either via the privacyIDEA PAM module or a RADIUS PAM module.
All OTP (Google) tokens are managed in privacyIDEA.
The user can self-enroll the token (or the admin can). The user can even get a simple enrollment wizard.

https://www.youtube.com/watch?v=diAGbsiG8_A

Kind regards
Cornelius

PS: Of course you are not restricted to using Google Authenticator. You can use any key fob token, SMS, email, Yubikey... ;-)
