How to secure remote access for VPN with Portnox

How to Secure Remote Access Through Cisco’s ASA VPN by Employing a Zero-Trust Approach

Long before COVID-19 had forced millions of people to stay at home and work remotely, many companies already had team members that telecommuted or connected remotely to company resources while away on business travel. In general, VPNs and cloud applications have become commonly used tools by all of us, as they allow remote employees convenient access to much-needed company data.

From a security standpoint, a VPN ensures that traffic to the network is encrypted (and may even add two-factor authentication), but it cannot report on the security posture of the endpoint. A VPN does not know whether a device complies with security standards and is oblivious to the risks connecting devices might pose to your company network. Nor does it provide a way to block a device from connecting based on its security posture. On its own, therefore, a VPN does not offer proper secure remote access.

Typically, there isn’t a built-in system monitoring the endpoint while it is connected to the VPN. As we previously discussed, you need to layer a zero-trust secure remote access solution on top of your corporate VPN so that at any given moment, endpoints can be denied access should their risk levels exceed a pre-determined threshold.

Layering Portnox’s Zero-Trust Secure Remote Access Over Cisco’s ASA VPN

Portnox CLEAR controls secure remote access to the network by verifying user identity credentials and allowing connections for devices that have a low risk-assessment score. It continuously monitors the “health” state of both corporate and personal (BYOD) devices as they attempt to connect to the network and for as long as they remain connected. It also includes the option of enabling two-factor authentication for VPN connections.


Let’s take a look at the steps required to configure your VPN security by using CLEAR to enable secure and trusted cloud-based RADIUS access with OTP, Push-To-Access or AgentP.

Preliminary Actions

Before configuring VPN authentication, you need to do the following:

  1. Verify your organization is registered on Portnox CLEAR Cloud Services (start your unlimited free account at any time or take advantage of our temporary offer of full Portnox CLEAR version free for three months).
  2. In the CLEAR portal, go to Settings > Services and expand CLEAR RADIUS Service.
  3. If the Enable Cloud RADIUS checkbox is not checked, click Edit and check the Enable Cloud RADIUS checkbox.
  4. Note the RADIUS server details required when configuring VPN access:
    • Cloud RADIUS IP – this is the IP address of the CLEAR RADIUS server
    • Authentication port
    • Accounting port
    • Shared Secret – this is the RADIUS client shared secret
  5. In the CLEAR portal, go to Settings > Services and expand VPN 2FA Service. Then, under Strong Authentication Factor, make sure that either One-Time-Password (OTP), Push-To-Access or Portnox AgentP is selected. You can download AgentP from here.


  6. In the CLEAR portal, go to Groups and create a group for VPN users, or record the name of an existing group. Enable VPN access.


Make sure the endpoints for which you wish to secure VPN authentication are enrolled with AgentP.

Configuring Cisco ASA VPN

In the following steps, performed in the Cisco ASA console, we configure VPN authentication to be secured and protected by RADIUS authentication against CLEAR.

Step 1 – Creating a RADIUS Authentication Server

Create a RADIUS server group by navigating to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups and clicking Add.

In the Add AAA Server Group window that appears:

    • Specify a name for the AAA Server Group.
    • In Protocol select RADIUS.
    • Enter a Realm-id.


Select the AAA Server Group you created, and in the Servers in the Selected Group section, click Add.

In the Edit AAA Server window that appears:

  1. Enter the following CLEAR RADIUS server details, which you noted in Preliminary Actions, step 4:
    • In Server Name or IP Address, enter the Cloud RADIUS IP.
    • In Server Authentication port, enter the Authentication port.
    • In Server Accounting port, enter the Accounting port.
    • In Server Secret Key, enter the Shared Secret.
  2. Update the Timeout to 30 seconds.
  3. Verify that the Microsoft CHAPv2 Capable checkbox is checked.
  4. Click OK.

Step 2 – Configuring the VPN Connection Profile

Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, and in the Connection Profiles section click Add.

In the Edit AnyConnect Connection Profile window that appears, in the Basic tab:

    • Specify a Name for the connection profile.
    • Specify Aliases for the connection profile.
    • Select the AAA server group (created in Step 1).
    • Select Client Address Pools.
    • Check the Enable SSL VPN client protocol checkbox.
    • Specify DNS servers.
    • Specify Domain Name.

In the Advanced tab:

Check the Enable password management checkbox.

Click Apply.
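For administrators who work from the ASA command line rather than ASDM, the following is the CLI equivalent of Steps 1 and 2, added here as an example and not taken from the original post or from Portnox. The group names, the outside interface, the address pool, the DNS server, the domain and the RADIUS address 198.51.100.10 are placeholders; the real Cloud RADIUS IP, ports and Shared Secret are the values noted in Preliminary Actions, step 4.

```cisco
! --- Step 1 equivalent: RADIUS server group that points at CLEAR ---
aaa-server PORTNOX-RADIUS protocol radius
 realm-id 1
! Placeholder address, ports and secret: substitute the Cloud RADIUS IP,
! Authentication port, Accounting port and Shared Secret from CLEAR.
aaa-server PORTNOX-RADIUS (outside) host 198.51.100.10
 key REPLACE_WITH_CLEAR_SHARED_SECRET
 authentication-port 1812
 accounting-port 1813
 timeout 30
 mschapv2-capable
!
! --- Step 2 equivalent: AnyConnect connection profile (tunnel-group) ---
ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
group-policy GP-PORTNOX-VPN internal
group-policy GP-PORTNOX-VPN attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 default-domain value corp.example.com
tunnel-group PORTNOX-VPN type remote-access
tunnel-group PORTNOX-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group PORTNOX-RADIUS
 default-group-policy GP-PORTNOX-VPN
 password-management
tunnel-group PORTNOX-VPN webvpn-attributes
 group-alias PortnoxVPN enable
!
! --- Checks before rolling out to users (run from privileged EXEC mode) ---
! Confirm the ASA reaches CLEAR and that the shared secret matches. A wrong
! secret usually surfaces as the server not responding (after the 30 s
! timeout) rather than as a rejected user, so do not mistake it for a bad
! password. The password prompt takes whatever your 2FA method requires.
!   test aaa-server authentication PORTNOX-RADIUS host 198.51.100.10 username testuser
! Confirm the server is marked ACTIVE rather than FAILED:
!   show aaa-server PORTNOX-RADIUS
```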

Instructions for Providing VPN Credentials

The VPN 2FA method you selected (see Step 5 in Preliminary Actions) determines what the users need to provide to connect securely via VPN.

Providing VPN Credentials for 2FA Using OTP

For successful VPN authentication when using Portnox CLEAR RADIUS with 2FA and OTP, users are required to provide the Token (OTP) generated by AgentP together with their username and password, in the following format:

[Figure: providing VPN credentials for 2FA using OTP]

Providing VPN Credentials for 2FA Using Push-To-Access

For successful VPN authentication using Portnox CLEAR RADIUS and 2FA with Push-To-Access, users are required to provide their username and password, and then accept the push notification that follows:

[Figure: providing VPN credentials for 2FA using Push-To-Access]

Providing VPN Credentials for 2FA Using Portnox AgentP

For successful VPN authentication using Portnox CLEAR RADIUS and 2FA with Portnox AgentP, users are required to provide their username and password. These are verified against the specific AgentP instance on the device requesting access, confirming that the device is the one it claims to be:

[Figure: providing VPN credentials for 2FA using Portnox AgentP]

Risk Assessment Policy

The last step is to add the security risk assessment policy for the VPN connection under CLEAR > Policies > Risk Assessment Policies, for Windows, Mac OS X, Linux, iOS and Android.


And now, you can try the full version of CLEAR free for three months. Start here. It’s easy and fast.