The Authentication Protocol is “PAP_ASCII”, so there is no password-management for An圜onnect-users on the MX. After increasing the RADIUS timeout (default 3 seconds) MFA with the DUO authentication proxy directly worked like a charm. There is no dedicated MFA-Config, but with RADIUS we can access any MFA server of our choice.
But you can also use double authentication (certificate and AAA) which I didn’t test yet. Having a default config (that can not be tuned) that gives a “B” is a little bit awkward nowadays. SSLLabs only rates the VPN-Server with a “B” which is not state of the art any more. But there are a lot of non-FS algorithms enabled. The MX also only uses TLS/DTLS 1.2 which is great. On all my ASA implementations, I only enable TLS 1.2 with next-generation encryption and disable everything that has no Forward Secrecy (FS). It’s also not possible to import your own certificate. I expected that they implement an automatic Let’s Encrypt enrolment, but at least at the moment that is not possible. The documentation says that it should auto-renew before it expires. It comes from the QuoVadis Root CA which should be trusted on all relevant systems and is valid for three months. The certificate is automatically deployed for the DDNS hostname of the MX. What is different to an An圜onnect implementation on the ASA Certificate Enrollment Thats all that has to be done and it is working.
My first try was with a Meraki Z3 which should be supported, but that device did not want to enroll a public certificate. It was first announced at Cisco Live 2015 (at least that is where I first heard of it) and after no more than six years the first public beta (v16.4) is available. The support for An圜onnect VPNs is probably one of the most wanted features for Meraki customers.
0 kommentar(er)
