Cisco VPN Authentication Active Directory



First we will go through the steps to configure the RADIUS server on Windows so that we have access to Active Directory for authentication. You must first ensure the "Network Policy and Access Services" role is installed on the server. Once this role is installed, we will go into NPS (Local) > RADIUS Clients and Servers > RADIUS Clients. Cisco ASA – AnyConnect VPN with Active Directory Authentication Complete Setup Guide: this article discusses setting up Cisco AnyConnect with LDAP/domain authentication. I will be showing both the ASDM/GUI and CLI commands; I recommend the GUI method once, then use the CLI once you understand it. Replace the following with your own values: '10.0.1.10' with your AD/DNS server; 'DC=SDC,DC=LOCAL' with the base DN of your domain (my domain was SDC.LOCAL); 'CN=administrator,CN=Users,DC=SDC,DC.

User Authentication and Access Privilege Management

Effectively managing the VPN users and their access privileges is the core consideration in any remote access VPN design. There are mainly two aspects:

  • A scalable and secure solution to authenticate users
  • Decisions on what access privilege to grant to the users based on various user and security attributes

Many organizations migrate from the existing IPsec-based remote access VPN solutions to SSL VPN, whereas other organizations simply add SSL VPNs to their existing remote access VPN. The good news is that SSL VPNs fit well into the existing authentication infrastructure.

User Authentication

Although this section focuses on user authentication, first step back to have a quick look at the big picture. AAA stands for authentication (which defines who you are), authorization (which defines what you are allowed to do), and accounting (which provides a record of what you did). User authentication is a key step in an SSL VPN solution. Aside from validating users' credentials, user authentication allows an SSL VPN gateway to assign the user to a policy group. The assignment is made by using a user's organization group information, which is derived during the authentication phase, along with other attributes, such as endpoint security posture and time of day. The policy group defines the authorization privileges of the users.

Choice of Authentication Servers

You have a wide variety of identity technologies to choose from for authenticating users. The common choices are passwords, RADIUS, TACACS+, one-time password (OTP) systems, public-key infrastructure (PKI), smart cards, and so on. For remote access VPN authentication, a two-factor OTP system provides the strongest security and manageability combination. It is also common for small- to medium-sized companies to leverage existing user directory infrastructure such as Lightweight Directory Access Protocol (LDAP), Windows NTLM, or Windows XP/2000 Active Directory for VPN user authentication. To use this, you need to apply and enforce strong password policies because the strength of the security relies on those policies.

The design of the AAA system can vary depending on the size of your network and the disparity of access methods. For an SSL VPN device, the choices of authentication servers fall mainly into two categories:

  • A dedicated AAA server running RADIUS: The AAA server is the interface between the SSL VPN appliance and the identity servers, such as corporate LDAP servers or OTP systems. Cisco Secure ACS is an example of this type of AAA server. The SSL VPN appliance communicates with the AAA server using the RADIUS protocol. Typically, the AAA server queries the external identity databases to authenticate the user and returns the authentication result to the SSL VPN appliance. The AAA server can speak different protocols to the various identity databases, such as LDAP, SecurID, and Windows Active Directory. An advanced AAA server, such as Cisco Secure ACS, can also retrieve additional user attributes from the external identity servers, such as the users' roles in the organization or the users' password expiration information. All these user attributes can be used later in the authorization phase to determine the access privilege.
  • An SSL VPN appliance communicating directly with the identity server: In this case, the SSL VPN appliance needs to be able to communicate with various types of identity servers, such as LDAP, OTP systems, or Windows domain controllers. This is fairly common because most current SSL VPN vendors support multiple types of authentication servers. This mode is most common in small- to medium-sized companies that do not have disparate access methods, and hence have no need for a central AAA system.

When you choose to use this method, pay attention to what additional information the SSL VPN appliance can retrieve from the authentication servers, other than the results of the user authentication. For the later authorization phase, it is often useful for the SSL VPN appliance to also be able to get the users' organizational information. Enabling the SSL VPN appliance with this additional capability requires more integration between the SSL VPN appliance and the authentication server.
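As an added example (not from the original text or from any vendor's code), the following Python models the RADIUS exchange described above between an SSL VPN appliance and a dedicated AAA server: the appliance builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, the server recovers the credentials and answers with an Access-Accept that carries the user's group in a Filter-Id attribute, and the appliance verifies the Response Authenticator before trusting that attribute for the authorization phase. The shared secret, addresses, user name and group are constructed placeholders.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept, built and parsed by hand.

Added example modelling the exchange between an SSL VPN appliance (the RADIUS
client, or NAS) and a dedicated AAA server. The shared secret, addresses, user
name and group are constructed placeholders, not values from any deployment.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                                 # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11     # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption, which is
    why the appliance-to-AAA path is kept on a trusted network."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """AAA-server side of hide_password; the trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value list; Length counts the 2-byte header, so values are <= 253 bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes):
    """Parse TLVs defensively: a Length below 2 or past the buffer is rejected."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """NAS side. The Request Authenticator must be fresh random bytes per request."""
    auth = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_access_request(packet, secret):
    """AAA-server side: validate framing, recover the credentials and the NAS address."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    auth, fields = packet[4:20], {}
    for atype, value in decode_attrs(packet[20:length]):
        if atype == USER_NAME:
            fields["user"] = value.decode()
        elif atype == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, auth).decode()
        elif atype == NAS_IP_ADDRESS:
            fields["nas_ip"] = ".".join(str(b) for b in value)
    return ident, fields


def build_access_accept(request, secret, group):
    """AAA-server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    (RFC 2865 section 3). Filter-Id carries the user's group for the appliance to map to a role."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    attrs = encode_attrs([(FILTER_ID, group.encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_access_accept(response, request, secret):
    """NAS side: return the Filter-Id groups, or None when the reply does not belong to
    this request or its Response Authenticator fails (wrong secret or altered bytes)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[0] != ACCESS_ACCEPT or header[1] != request[1]:
        return None
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return [v.decode() for t, v in decode_attrs(attrs) if t == FILTER_ID]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request("bsimon", "Sup3rSecret", secret, "10.0.1.5", ident=7)
    print(parse_access_request(req, secret))
    accept = build_access_accept(req, secret, "Sales")
    print(verify_access_accept(accept, req, secret))
```

The group returned in Filter-Id is the kind of "additional user attribute" the text says an advanced AAA server can hand back for the authorization phase; the appliance should only act on it after the Response Authenticator check passes, which is what ties the reply to the request it sent and to the shared secret.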

AAA Server Scalability and High Availability

The scalability and availability of the AAA server directly affect the availability of your VPN network and the user experience.

For a small- to medium-sized VPN network, it is relatively easy to address this design issue. Because the number of VPN users is relatively small, the scalability of the AAA server is less of an issue. Also, because small to medium deployments normally do not have dispersed Internet VPN access, the AAA servers normally reside on a local network, and network delay and resiliency are not problematic. You should have a backup or secondary AAA server to provide local high availability. Most SSL VPN appliances support checking a secondary AAA server in case the primary server is not available.

For a medium to large enterprise network, the scalability and resiliency of the AAA systems are important and need to be carefully designed. For a remote access VPN deployment, you probably need to integrate your authentication requirements with the AAA infrastructure that is already in place to support other access methods.

Some good design guidelines for deploying a Cisco Secure Access Control Server (ACS) have been documented in the white paper 'Guidelines for Placing ACS in the Network,' which can be found at http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092567.shtml. In this white paper, the general design recommendations documented for scalability, resiliency, and device placement should apply to most AAA server deployments.

The following sections briefly highlight the important factors that need to be considered.

AAA Server Scalability

When you consider AAA server scalability, keep the following points in mind:

  • The maximum number of users supported by the AAA server.
  • The number of authentication requests per second the AAA server can handle.
  • The type of database. For an internal user database on the AAA server itself, check its scalability to find out how many local users can be defined.

AAA Server High Availability and Resiliency

When you consider AAA server high availability (HA) and resiliency, keep the following points in mind:

  • Consider a local secondary AAA server.
  • For dispersed network access and VPN geographic HA design, consider placing an AAA server at each location that has business-critical impact.
  • Incorporate a robust AAA server database synchronization mechanism.

Resource Access Privilege Management

After user authentication, the remote access VPN device should be able to authorize the user with resource access privileges based on the user's attributes. As described earlier, because of the ubiquity of the SSL VPN, its design needs to ensure the integrity of the endpoint. Hence the resource authorization also goes beyond the standard user attributes to include other security attributes. The following is a list of attributes that can be used to determine resource access privilege:

  • Sign-in URL: For an SSL VPN device that offers different sign-in URLs to different groups of users, the sign-in URL can be used to decide the type of resource this group of users is entitled to.
  • User's digital certificate: The organization information in the user's certificates can be used to map users to corresponding roles that allow different resource access.
  • The result of endpoint security assessment: This point is discussed in more detail within the context of the security considerations. In essence, the posture of the endpoint can be used as a dynamic factor to decide users' access privilege to sensitive corporate resources.
  • Time of day.
  • Browser types.
  • User attributes: These are the typical user attributes in the user identity database. For example, the marketing group in the LDAP database can be mapped to an internal marketing group in the SSL VPN.

Some of these attributes, such as endpoint security posture and users' IP addresses, are collected prior to user authentication. Some of the attributes, such as endpoint security posture, should be periodically reevaluated during the user session to dynamically determine the user's access privileges based on the most current situation.

To clarify these concepts, we give an example of how an SSL VPN system can use some of these attributes to perform dynamic access privilege management. In this case study, a salesperson attempts to access corporate resources using an SSL VPN. Depending on the result of the endpoint assessment, the salesperson is granted different levels of resource access.

Scenario 1: Salesperson Accesses the VPN from a Kiosk Computer at a Sales Conference

  • Step 1 The salesperson initiates the VPN request by entering https://vpn.companyxyz.com into the browser.
  • Step 2 Upon receiving the access request, the SSL VPN appliance collects some user attributes and performs the endpoint security checking. The results are as follows:
    • IP address = Outside
    • Client digital certificate = Not present
    • Proper antivirus client installed and enabled = No
  • Step 3 Based on the results in Step 2, the SSL VPN chooses an authentication method for the user and performs user authentication:
    • Authentication method = Strong, OTP
  • Step 4 After successful user authentication, the SSL VPN appliance also retrieves the user's organization information through a separate authorization step:
    • User's organization group = Sales
  • Step 5 Based on the user attributes so far, the SSL VPN appliance maps the user to a VPN group or role:
    • VPN role = sales_insecure
  • Step 6 The sales_insecure role decides the user access privilege:
    • User privilege = Web access only
    • Session timeout = 30 minutes
    • Periodic security checking = Yes
    • Require secure desktop = Yes
    • Note: The secure desktop can be launched much earlier at the preauthentication phase based on the IP address attribute. This way, the user password entered into the client browser can be protected from software such as keystroke loggers.
  • Step 7 The salesperson logs in and starts to access the bookmarked web applications, such as OWA. More granular application-level access control can be applied at this phase.

Scenario 2: The Same Salesperson Accesses the VPN from a Corporate-Owned Laptop at Home

  • Step 1 The salesperson initiates the VPN request by entering https://vpn.companyxyz.com into the browser.
  • Step 2 Upon receiving the access request, the SSL VPN appliance collects some user attributes and performs the endpoint security checking. The results are as follows:
    • IP address = Outside
    • Client digital certificate = Yes
    • Proper antivirus client installed and enabled = Yes
  • Step 3 Based on the results in Step 2, the SSL VPN chooses an authentication method for the user and performs user authentication:
    • Authentication method = Strong, OTP
  • Step 4 After successful user authentication, the SSL VPN appliance also retrieves the user's organization information through a separate authorization step:
    • User's organization group = Sales
  • Step 5 Based on the user attributes so far, the SSL VPN maps the user to a VPN group or role:
    • VPN role = sales_secure
  • Step 6 The sales_secure role decides the user access privilege:
    • User privilege = Tunnel client
    • Session timeout = 12 hours
    • Periodic security checking = Yes
    • Require secure desktop = No
  • Step 7 The salesperson logs in and starts to access the corporate network using the tunnel client mode. Additional granular IP-based access control can be applied at this phase.
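The following Python is an added example, not code from the text or from any SSL VPN product. It encodes the attribute list and the two scenarios above as data and decision functions so the attribute-to-role-to-privilege chain can be traced and exercised, and it goes one step further than the scenarios by re-running the posture check mid-session, as the periodic security checking calls for. Role names and privilege values are the ones in the scenarios; the quarantine fallback role, the Inside branch of the authentication choice and all class and function names are this example's own assumptions.

```python
"""Attribute-driven role mapping for an SSL VPN, as an added example.

Walks the two salesperson scenarios: pre-authentication attributes choose the
authentication method, the organization group plus endpoint posture choose the
role, the role fixes the session privileges, and periodic re-checks can lower
them mid-session. Role names and privilege values follow the text; the classes,
the quarantine role and the Inside branch are this example's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip_location: str    # "Outside" or "Inside" (Step 2)
    client_cert: bool   # client digital certificate present
    antivirus_ok: bool  # proper antivirus client installed and enabled


@dataclass(frozen=True)
class Privileges:
    access: str                 # "Web access only" or "Tunnel client"
    session_timeout_min: int
    periodic_check: bool
    secure_desktop: bool


# Step 6: the role decides the privileges. "quarantine" is an added fallback for
# users outside the Sales group; it is not one of the roles in the text.
ROLE_PRIVILEGES = {
    "sales_secure":   Privileges("Tunnel client", 12 * 60, True, False),
    "sales_insecure": Privileges("Web access only", 30, True, True),
    "quarantine":     Privileges("Web access only", 10, True, True),
}
ROLE_RANK = {"quarantine": 0, "sales_insecure": 1, "sales_secure": 2}


def choose_auth_method(ep: Endpoint) -> str:
    """Step 3. Both scenarios come from Outside and get strong OTP; the Inside
    branch is an example assumption, not from the text."""
    return "Strong, OTP" if ep.ip_location == "Outside" else "Password"


def requires_secure_desktop_preauth(ep: Endpoint) -> bool:
    """Step 6 note: the secure desktop can be launched at pre-authentication from
    the IP-address attribute alone, before any credential is typed. Whether it
    stays required for the session is decided later by the role."""
    return ep.ip_location == "Outside"


def map_role(org_group: str, ep: Endpoint) -> str:
    """Step 5: organization group (from the Step 4 authorization lookup) + posture -> role."""
    if org_group.lower() != "sales":
        return "quarantine"
    return "sales_secure" if (ep.client_cert and ep.antivirus_ok) else "sales_insecure"


@dataclass
class Session:
    user: str
    org_group: str
    endpoint: Endpoint
    auth_method: str
    role: str
    privileges: Privileges


def establish_session(user: str, org_group: str, ep: Endpoint) -> Session:
    """Steps 2 to 6 for a user whose authentication (Step 4) is assumed to have succeeded."""
    role = map_role(org_group, ep)
    return Session(user, org_group, ep, choose_auth_method(ep), role, ROLE_PRIVILEGES[role])


def reevaluate(session: Session, current: Endpoint) -> Session:
    """Periodic security checking: if the endpoint's posture has degraded, move the
    session to the lower role immediately. An improved posture does not raise the
    role; that decision belongs to a fresh login."""
    new_role = map_role(session.org_group, current)
    if ROLE_RANK[new_role] < ROLE_RANK[session.role]:
        session.role, session.privileges, session.endpoint = new_role, ROLE_PRIVILEGES[new_role], current
    return session


if __name__ == "__main__":
    kiosk = Endpoint("Outside", client_cert=False, antivirus_ok=False)   # Scenario 1
    laptop = Endpoint("Outside", client_cert=True, antivirus_ok=True)    # Scenario 2
    for ep in (kiosk, laptop):
        s = establish_session("salesperson", "Sales", ep)
        print(s.role, s.privileges)
```

Keeping the role-to-privilege table separate from the attribute-to-role mapping is what lets the periodic check be cheap: re-running `map_role` on the latest posture and comparing ranks is the whole decision, and the user's privileges can only move down while the session is live.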

In this tutorial, you'll learn how to integrate Cisco AnyConnect with Azure Active Directory (Azure AD). When you integrate Cisco AnyConnect with Azure AD, you can:

  • Control in Azure AD who has access to Cisco AnyConnect.
  • Enable your users to be automatically signed-in to Cisco AnyConnect with their Azure AD accounts.
  • Manage your accounts in one central location - the Azure portal.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • Cisco AnyConnect single sign-on (SSO) enabled subscription.

Scenario description

In this tutorial, you configure and test Azure AD SSO in a test environment.

  • Cisco AnyConnect supports IdP-initiated SSO.

Adding Cisco AnyConnect from the gallery

To configure the integration of Cisco AnyConnect into Azure AD, you need to add Cisco AnyConnect from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type Cisco AnyConnect in the search box.
  6. Select Cisco AnyConnect from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD SSO for Cisco AnyConnect

Configure and test Azure AD SSO with Cisco AnyConnect using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cisco AnyConnect.

To configure and test Azure AD SSO with Cisco AnyConnect, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.
    1. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
    2. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
  2. Configure Cisco AnyConnect SSO - to configure the single sign-on settings on the application side.
    1. Create Cisco AnyConnect test user - to have a counterpart of B.Simon in Cisco AnyConnect that is linked to the Azure AD representation of the user.
  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Cisco AnyConnect application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.

  4. On the Set up single sign-on with SAML page, enter the values for the following fields:

    a. In the Identifier text box, type a URL using the following pattern: <YOUR CISCO ANYCONNECT VPN VALUE>

    b. In the Reply URL text box, type a URL using the following pattern: <YOUR CISCO ANYCONNECT VPN VALUE>

    Note

    These values are not real. Update them with the actual Identifier and Reply URL. Contact the Cisco AnyConnect Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate file and save it on your computer.

  6. On the Set up Cisco AnyConnect section, copy the appropriate URL(s) based on your requirement.

Note

If you would like to onboard multiple TGTs of the server, you need to add multiple instances of the Cisco AnyConnect application from the gallery. You can also choose to upload your own certificate in Azure AD for all these application instances; that way you can use the same certificate for the applications but configure a different Identifier and Reply URL for every application.

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called B.Simon.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cisco AnyConnect.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Cisco AnyConnect.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see the 'Default Access' role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Cisco AnyConnect SSO

  1. You are going to do this on the CLI first; you might come back through and do an ASDM walk-through at another time.

  2. Connect to your VPN appliance. You are going to be using an ASA running the 9.8 code train, and your VPN clients will be 4.6+.

  3. First, create a trustpoint and import the SAML certificate.

  4. The following commands provision your SAML IdP.

  5. Now you can apply SAML authentication to a VPN tunnel configuration.

    Note

    There is a feature of the SAML IdP configuration to be aware of: if you make changes to the IdP config, you need to remove the saml identity-provider config from your tunnel group and re-apply it for the changes to become effective.
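As an added example (not part of the tutorial and not Cisco's implementation), the Python below performs the checks a SAML service provider such as the VPN appliance applies to an incoming SAML Response before it accepts the login: Status, Issuer against the configured IdP, Destination and Recipient against the Reply URL, Audience against the Identifier, and the validity window. It shows concretely why the Identifier and Reply URL entered in Azure AD must match the appliance's values exactly. The sample response, tenant id and URLs are constructed placeholders; signature verification with the downloaded IdP certificate is left out here, since on the appliance that is what the trustpoint provides.

```python
"""Relying-party checks on a SAML 2.0 Response, as an added example.

Models what the VPN appliance (the SAML service provider) verifies before it
accepts a login. Signature verification against the IdP certificate is out of
scope here; on the appliance that is the job of the trustpoint holding the
downloaded Base64 certificate. Response, tenant id and URLs are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass(frozen=True)
class SpConfig:
    entity_id: str       # the Identifier configured in Azure AD; must equal Audience
    acs_url: str         # the Reply URL configured in Azure AD; must equal Destination and Recipient
    idp_entity_id: str   # the IdP identifier configured on the appliance; must equal Issuer
    clock_skew: timedelta = timedelta(minutes=3)


# Constructed sample response (unsigned); tenant id and host names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://vpn.example.test/saml/acs">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>B.Simon@contoso.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://vpn.example.test/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://vpn.example.test/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

EXAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)   # constructed clock for the demo


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, cfg: SpConfig, now: datetime) -> list:
    """Return the list of failed checks; an empty list means the response is acceptable
    (apart from the signature check, which is out of scope here)."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != cfg.acs_url:
        problems.append("Destination does not match the Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion present"]
    for issuer in (root.findtext("saml:Issuer", namespaces=NS),
                   assertion.findtext("saml:Issuer", namespaces=NS)):
        if issuer != cfg.idp_entity_id:
            problems.append("Issuer does not match the configured IdP")
            break
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["no Conditions element"]
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + cfg.clock_skew < _ts(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - cfg.clock_skew >= _ts(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        problems.append("Audience does not match the Identifier")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        problems.append("Recipient does not match the Reply URL")
    elif scd.get("NotOnOrAfter") and now - cfg.clock_skew >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    return problems


def subject_name(xml_text: str) -> str:
    """The NameID the appliance will use as the VPN user name."""
    return ET.fromstring(xml_text).findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    cfg = SpConfig("https://vpn.example.test/saml/sp", "https://vpn.example.test/saml/acs",
                   "https://sts.windows.net/TENANT-ID-PLACEHOLDER/")
    print(subject_name(SAMPLE_RESPONSE), check_response(SAMPLE_RESPONSE, cfg, EXAMPLE_NOW))
```

Each failed check corresponds to a field mismatch between the two sides of the integration: a wrong Identifier shows up as an Audience failure, a wrong Reply URL as a Destination or Recipient failure, and a stale or wrong IdP setting as an Issuer failure, which is a useful way to read the appliance's SAML debug output when a login is rejected.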

Create Cisco AnyConnect test user

In this section, you create a user called Britta Simon in Cisco AnyConnect. Work with the Cisco AnyConnect support team to add the users in the Cisco AnyConnect platform. Users must be created and activated before you use single sign-on.

Test SSO

In this section, you test your Azure AD single sign-on configuration with the following options.

  • Click on Test this application in the Azure portal, and you should be automatically signed in to the Cisco AnyConnect for which you set up the SSO.
  • You can use the Microsoft Access Panel. When you click the Cisco AnyConnect tile in the Access Panel, you should be automatically signed in to the Cisco AnyConnect for which you set up the SSO. For more information about the Access Panel, see Introduction to the Access Panel.

Next Steps

Once you configure Cisco AnyConnect, you can enforce session control, which protects against exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.