ASA SSL VPN

1. WebADM/OpenOTP/Radius Bridge

For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual to do it. You have also to install our Radius Bridge product on your WebADM server(s).

2. Register your ASA SSL VPN in RadiusBridge

On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server.

Ex:

client ASA-SSL {
    ipaddr          = <VPN Server IP>
    secret          = testing123
}

3. Configuring new RADIUS AAA Server to Cisco

Configuring OTP authentication on the ASA means adding a RADIUS AAA Server configuration to a new or an existing Connection Profile. To add both a new RADIUS AAA Server and a Connection Profile:

  1. Log in to your Cisco ASA Device Manager administration UI.
  2. From the top menu, select Configuration and then from left menu Remote Access SSL VPN.
  3. Under AAA/Local Users select AAA Server Groups.
  4. In AAA Server Groups page that opens select Add.
  5. Set (see example picture below):
  • Name - OpenOTP_Servers
  • Protocol - select RADIUS
  • Leave rest as defaults and commit add.


6. In Servers in the Selected Group section select Add.

7. In Add AAA Server view set (see example picture below):

  • Interface - the interface through which the Cisco ASA communicates with OpenOTP. This is normally the management or intranet-facing interface.
  • Server Name or IP Address - the OpenOTP (Radius Bridge) IP address or hostname.
  • Timeout - e.g. 10 seconds.
  • Server Secret Key - the same value you entered in clients.conf on the Radius Bridge (testing123 in the example above).
  • Leave other values as default and commit add.


8. Cisco ASA - OpenOTP RADIUS connectivity is now configured. The remaining step is to activate the new RADIUS server on one or more Cisco ASA Connection Profiles; here we create a test profile.

9. Select Clientless SSL VPN Access -> Connection Profiles.

10. Click Add in Connection Profiles section.

11. In Add Clientless SSL VPN Connection Profile set (see example picture below):

  • Name - OpenOTP_Test_Profile
  • AAA Server Group - select the previously created server group OpenOTP_Servers.
  • In the Clientless SSL VPN menu entry on the left:
  • In the Connection Aliases section select Add.
  • Enter the alias OpenOTP (the user will see a drop-down menu on login with OpenOTP as one entry).
  • Click OK


12. In Login Page Settings section check Allow users to select connection profile.

13. Cisco ASA is now configured and you can proceed to test your login.

Note

Don’t forget to allow traffic on UDP port 1812 (the default RADIUS authentication port) from your ASA system to your WebADM instance at the firewall level.
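The traffic you are allowing through on UDP/1812 is RADIUS (RFC 2865), and the secret entered in clients.conf and in the ASA server group is what ties the two ends together: it hides the user's PAP password inside the Access-Request and authenticates the Access-Accept/Reject coming back. The following is an added, stand-alone Python illustration of that exchange, not code from RCDevs or from the Radius Bridge; it reuses the page's example secret testing123, and the username, password, NAS address and the fixed Request Authenticator are constructed values (a real client uses 16 random bytes per request).

```python
"""RFC 2865 Access-Request / Access-Accept built by hand, to show what the
RADIUS shared secret protects between the ASA and the Radius Bridge.
Added example; not RCDevs or Cisco code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def decrypt_user_password(ciphertext: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = ciphertext[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    # Attribute TLV: type, total length (including these two bytes), value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth: bytes, nas_ip: str) -> bytes:
    """What the ASA sends to the Radius Bridge on UDP/1812."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def find_attribute(packet: bytes, atype: int):
    """Walk the attribute list; returns the value or None. Stops on a malformed length."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return None
        if t == atype:
            return packet[pos + 2:pos + l]
        pos += l
    return None


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept or Access-Reject as the Radius Bridge would return it."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: a reply that does not carry a valid Response
    Authenticator for our secret must be dropped, whatever its Code says."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, identifier, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"testing123"                  # from the page's clients.conf example
    req_auth = bytes(range(16))             # constructed; real clients use 16 random bytes
    req = build_access_request(7, "alice", "s3cret", secret, req_auth, "192.0.2.10")
    print("Access-Request bytes:", len(req))
    print("server decrypts:", decrypt_user_password(find_attribute(req, ATTR_USER_PASSWORD), secret, req_auth))
    print("wrong secret decrypts to:", decrypt_user_password(find_attribute(req, ATTR_USER_PASSWORD), b"other", req_auth))
    reply = build_response(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print("reply verifies with right secret:", verify_response(reply, req_auth, secret))
    print("reply verifies with wrong secret:", verify_response(reply, req_auth, b"other"))
```

Two things are worth noticing when you run it: a mismatched secret does not produce an error on either side, only an unreadable password (so a failed login with no clearer symptom usually means the secret in the ASA server group and in clients.conf differ), and a forged Access-Accept with the wrong secret fails `verify_response`, which is why the client must check the Response Authenticator rather than just the Code byte.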