This post describes the procedure to configure a Cisco ASA firewall with LDAP authentication for AnyConnect Remote Access VPN access. Refer to the previous posts for configuring AnyConnect Remote Access VPNs.
ASA AnyConnect IKEv2/IPSec VPN
ASA AnyConnect SSL-VPN
ASA Split Tunneling
Active Directory Pre-requisites
Queries Active Directory for samid id 'cisco' 'CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com' The debug ldap 255 command can help to troubleshoot authentication problems in this scenario. This command enables LDAP debugging and allows you to watch the process that the ASA uses to connect to the LDAP server. Debug - Successful authentication. Log in to ASDM, navigate to Configuration ASA FirePOWER Configuration Integration Identity Sources and clickthe User Agent option. After you click on the User Agent option and configure the IP address of User Agent system. Click on Add, as shown in the image: Click on Save button to save the changes. For a more direct integration of AAA and active directory, you can configure the devices to usr LDAP for AAA (see my previous message in this thread), because in fact active directory isldap. So search on cisco website for an example of integration of AAA and ldap. To configure the integration of Cisco Umbrella into Azure AD, you need to add Cisco Umbrella from the gallery to your list of managed SaaS apps. To add Cisco Umbrella from the gallery, perform the following steps: In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
The following pre-requisites for Active Directory are required.
- An LDAP Service Account
- The distinguished name of the Service Account
- The distinguished name of the Active Directory Domain
- The distinguished name of the 2 Active Directory Groups
The distinguished name can be located using the Active Directory Users and Computers MMC, navigate to the object and click the Attribute Editor tab.
- We have created a service account called svc_ldap
- A user called user1 is a member of the AD group called Customer1
- A user called user2 is a member of the AD group called Customer2
ASA Configuration
Define 2 VPN Pools, each pool will be referenced in the different group-policies to demonstrate the configuration working correctly.
Define a group policy called NOACCESS, this will be applied to the tunnel group. If a user attempts to authenticate and is not a member of either of the AD groups specified in the attribute-map, they will be denied access.
Define 2 Group Policies, these group policies will be assigned dynamically to the users if they are a member of the correct AD group as defined in the attribute-map. Ensure that vpn-simultaneous-logins is manually set, else they will inherit the limit of “0” as defined by the NOACCESS group policy, which will deny access.
An LDAP attribute map is required if you wish to permit only authenticated users in certain AD group. In this example we have 2 AD groups (Customer1 and Customer2), these will map the user to a different Group Policy in order to assign different attributes such as a VPN Pool. AD groups not defined in the attribute-map will be denied access. The distinguish name of the groups can be found in the “Attribute Editor” tab under the AD group in “Active Directory Users & Computers”.
Define the AAA Server using LDAP protocol, define the AD server IP address, base-dn, ldap scope, login dn, password and the attribute-map.
Ensure the Tunnel Group used by the AnyConnect VPN is referencing the NOACCESS default-group-policy and the LDAP authentication-server-group.
Enable WebVPN on the OUTSIDE interface.
Verification
Logging in as user1, the output confirms the user has been associated to the correct group-policy GP-1 and IP address of 192.168.14.10.
Logging in as a user2, the output confirms the user has been associated to the group-policy GP-2 and IP address of 192.168.15.10, which is from a different IP Pool.
Turn on LDAP debugging using the command debug ldap 255 and log in as a user that has permissions to authenticate to the Remote Access VPN.
From the output below we can determine that the user was successfully authenticated and mapped to the correct group-policy, confirming the LDAP attribute-map is working correctly.
Introduction
This document describes the configuration of Captive portal authentication (Active Authentication) and Single-Sign-On (Passive Authentication) on Firepower Module using ASDM (Adaptive Security Device Manager).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Knowledge of ASA (Adaptive Security Appliance) firewall and ASDM
- FirePOWER module Knowledge
- Light Weight Directory Service (LDAP)
- Firepower UserAgent
Components Used
The information in this document is based on these software and hardware versions:
- ASA FirePOWER modules (ASA 5506X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X ) running software version 5.4.1 and above.
- ASA FirePOWER module (ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) running software version 6.0.0 and above.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Captive Portal Authentication or Active Authentication prompts a login page and user credentials are required for a host to get the internet access.
Single-Sign-On or Passive Authentication provides seamless authentication to a user for network resources and internet access without entering user credential multiple times. The Single-Sign-on authentication can be achieved either by Firepower user agent or NTLM browser authentication.
Note:Captive Portal Authentication, ASA should be in routed mode.
Note: Captive portal command is available in ASA version 9.5(2) and late.
Configure
Step 1. Configure the Firepower User Agent for Single-Sign-On.
This article explains how to configure Firepower User Agent in Windows machine:
Installation and Uninstallation of Sourcefire User Agent
Step 2. Integrate the Firepower Module (ASDM) with User Agent.
Cisco Asa Active Directory Integration
Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Identity Sources and clickthe User Agent option. After you click on the User Agent option and configure the IP address of User Agent system. click on Add, as shown in the image:
Click on Save button to save the changes.
Step 3. Integrate Firepower with Active Directory.
Step 3.1 Create the Realm.
Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Realms. Click on Add a New Realm.
Name & Description: Give a name/description to uniquely identify the realm.
Type: AD
AD Primary Domain: Domain name of Active Directory (NETBIOS Name).
Directory Username: Specify the <username>.
Directory Password: Specify the <password>.
Base DN: Domain or Specific OU DN from where the system will start a search in LDAP database.
Group DN: Specify the group DN.
Group Attribute: Specify the option Member from the drop-down list.
Click on OK to save the configuration.
This article can help you to figure out the Base DN and Group DN values.
Step 3.2 Add the Directory Server IP address/hostname.
To specify AD Server IP/hostname, click on Add directory.
Hostname/IP Address: configure the IP address/hostname of the AD server.
Port: Specify the Active Directory LDAP port number ( Default 389 ).
Encryption/SSL Certificate: (optional) To encrypt the connection between FMC & AD server, refer this article:
Click Test in order to verify the connection of FMC with the AD server. Now click OK to save the configuration.
Step 3.3 Modify the Realm Configuration.
In order to modify and verify integration configuration of AD server, navigate to Realm Configuration.
Step 3.4 Download User database.
Navigate to User Download to fetch the user database from the AD server.
Enable the check box to download Download users and groups and define the time interval about how frequently Firepower module contacts AD server to download user database.
Select the group and add it to the Include option for which you want to configure the authentication. By default, all groups are selected if you do not choose to include the groups.
Click on Store ASA Firepower Changes to save the realm configuration.
Enable the realm state and click the download button to download the users and groups, as shown in the image.
Step 4. Configure the Identity Policy.
An identity policy performs user authentication. If the user does not authenticate, access to network resources is refused. This enforces Role-Based Access Control (RBAC) to your organization’s network and resources.
Step 4.1 Captive portal (Active Authentication).
Active Authentication asks for username and password at the browser to identify a user identity to allow any connection. Browser authenticates user either by presenting authentication page or authenticates silently with NTLM authentication. NTLM uses the web browser to send and receive authentication information. Active Authentication uses various types to verify the identity of the user. Different types of Authentication are:
- HTTP Basic: In this method, the browser prompts for user credentials.
- NTLM: NTLM uses windows workstation credentials and negotiates it with Active directory using a web browser. You need to enable the NTLM authentication in the browser. User Authentication happens transparently without prompting credentials. It provides a single sign-on experience for users.
- HTTP Negotiate:In this type, the system tries to authenticate using NTLM, if it fails then the sensor uses HTTP Basic authentication type as a fallback method and prompts a dialog box for user credentials.
- HTTP Response page: This is similar to HTTP basic type, however, here user is prompted to fill the authentication in an HTML form which can be customized.
Each browser has a specific way to enable the NTLM authentication and hence, you can follow browser guidelines in order to enable the NTLM authentication.
To securely share the credential with the routed sensor, you need to install either self-signed server certificate or publicly-signed server certificate in the identity policy.
Navigate to Configuration > ASA FirePOWER Configuration > Policies > Identity Policy. Now navigate to Active Authentication tab and in the Server Certificate option, click the icon (+) and upload the certificate and private key which you have generated in the previous step using openSSL, as shown in the image:
Now click on Add rule to give a name to the Rule and choose the action as Active Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.
Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step and select the Authentication Type from the drop-down list that best suits your network environment.
Step 4.2 ASA Configuration for Captive Portal.
Step 1. Define the interesting traffic that will be redirected to Sourcefire for inspection.
Step 2. Configure this command on the ASA in order to enable the captive portal.
Tip: captive-portal can be enabled globally or per interface basis.
Tip: Ensure that the server port, TCP 1025 is configured in the port option of Identity policy's Active Authentication tab.
Step 4.3 Single-Sign-On (Passive Authentication).
In passive authentication, when a domain user logins and is able to authenticate the AD, the Firepower User Agent polls the User-IP mapping details from the security logs of AD and shares this information with Firepower Module. Firepower module uses these details in order to enforce the access control.
To configure the passive authentication rule, click on Add rule to give a name to the rule and then choose the Action as Passive Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.
Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step.
Here you can choose fall back method as Active authentication if passive authentication cannot identify the user identity, as shown in the image:
Now click on Store ASA Firepower Changes to save the configuration of Identity policy.
Step 5. Configure the Access Control Policy.
Navigate to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.
Click the Identity Policy (left-hand side upper corner), select the Identify Policy that you have configured in the previous step from the drop-down list and click OK, as shown in this image.
Click on Add rule to add a new rule, navigate to Users and select the users for which access control rule will be enforced, as shown in this image and click Add.
Click on Store ASA Firepower Changes to save the configuration of Access Control policy.
Step 6. Deploy the Access Control Policy.
You must deploy the Access Control policy. Before you apply the policy, you will see an indication Access Control Policy out-of-date on the module. To deploy the changes to the sensor, Click on Deploy and choose Deploy FirePOWER Changes option then click on Deploy in the pop-up window.
Note: In version 5.4.x, to apply the access policy to the sensor, you need to click Apply ASA FirePOWER Changes
Asa Active Directory Integration Tutorial
Note: Navigate to Monitoring > ASA Firepower Monitoring > Task Status. Ensure that task must complete applying the configuration change.
Step 7. Monitor User events.
Navigate to Monitoring > ASA FirePOWER Monitoring > Real-Time Eventing, to monitor the type of traffic being used by the user.
Verify
Use this section in order to confirm that your configuration works properly.
Navigate to Analysis > Users in orderto verify the User authentication/Authentication type/User-IP mapping/access rule associated with the traffic flow.
Connectivity between Firepower Module and User Agent (Passive Authentication)
Firepower Module uses TCP port 3306, in order to receive user activity log data from the User Agent.
In order to verify the Firepower module's service status, use this command in the FMC.
Run packet capture on the FMC in order to verify connectivity with the User Agent.
Connectivity between FMC and Active Directory
Firepower module uses TCP port 389 in order to retrieve the User Database from the Active directory.
Run packet capture on the Firepower Module to verify connectivity with the Active Directory.
Ensure that the user credential used in Realm configuration has sufficient privilege to fetch the AD's User database.
Verify the Realm configuration, and ensure that the users/groups are downloaded and user session timeout is configured correctly.
Navigate to Monitoring ASA Firepower Monitoring Task Status and ensure that the task users/groups download completes successfully, as shown in this image.
Connectivity between ASA and End system (Active Authentication)
active authentication, ensure that the certificate and port are configured correctly in Firepower module Identity policy and ASA (captive-portal command). By default, ASA and Firepower module listen on TCP port 885 for active authentication.
In order to verify the active rules and their hit counts, run this command on the ASA.
Policy configuration & Policy Deployment
Ensure that the Realm, Authentication type, User agent and Action fields are configured correctly in Identity Policy.
Ensure that the Identity policy is correctly associated with the Access Control policy.
Navigate to Monitoring > ASA Firepower Monitoring > Task Status and ensure that the Policy Deployment completes successfully.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.