
Configure Cisco AnyConnect VPN with 2FA (Active Directory and Certificate) through ASDM
- Tutorial
I want to note right away: I'm not going to start a holy war about which is better, ASDM or the console; tastes differ. I prefer ASDM and make settings of this kind through it, so the article will be full of pictures (screenshots).
So, let's get started. We begin by configuring the LDAP server (in our case an Active Directory domain controller). Go to Configuration > Device Management > Users/AAA > AAA Server Groups, create a group, name it OFFICE, and set Protocol to LDAP:

Configuration Cisco ASA AAA Server Groups
Before a server can be added to the new group, we first need to create an LDAP Attribute Map. Go to Configuration > Device Management > Users/AAA > LDAP Attribute Map and create a new map; in our case it is Map Name: AD, Mapping of Attribute Name > LDAP Attribute Name: memberOf, Cisco Attribute Name: IETF-Radius-Class:

LDAP Attribute Map
Now you can add the server (configure the connection to the domain controller): specify the interface through which we connect, the DC IP address, Server Type: Microsoft, Base DN, Naming Attribute: sAMAccountName, Login DN, Login Password, the just-created LDAP Attribute Map: AD, and Group Base DN:

AAA Server - Microsoft DC
Add AAA Server
After adding the server, verify it by testing authentication with an AD account:

Test AAA Server - Authentication
Now add the certificate issued by the certification authority (we use a Microsoft CA; setting it up is outside the scope of this article). The one thing to remember: Cisco ASA does not accept certificates with the RSASSA-PSS signature algorithm, which Microsoft suggests by default (we changed it to sha512RSA):

Identity Certificates Signature algorithm RSASSA-PSS - sha512
Go to Configuration > Device Management > Certificate Management > Identity Certificates and import it in PKCS12 format (*.pfx: certificate + private key):

Identity Certificates Signature algorithm sha512RSA (ECDSA 521 bits)
With the preparatory steps completed, we can proceed to the AnyConnect VPN profiles. As an example we will use two profiles with different IP Address Pools and, correspondingly, different ACLs, Dynamic Access Policies, Group Policies and two Active Directory groups. For VPN users we use the "Tunnel only the specified networks" policy, so-called Split Tunneling, so as not to push all user traffic through the VPN. That is a matter of taste; someone may need the opposite, and lately that has been very relevant ;)
Let's start with IP Address Pools: go to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools
and create an address pool (segment) for administrators (let's name it VPN_Admins, for example):

Address Assignment - Address Pools
Next, create a group policy. This is the main part of the profile settings: here you set the protocols used for tunnels, access hours, the number of simultaneous logins, restrict access to specific VLANs, set timeouts and DNS servers, configure Split Tunneling, the client firewall, and so on, so pay special attention to this setting! Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies, Add Internal Group Policy.
All the parameters are a matter of individual choice; ours are a little paranoid: the protocols allowed to build a tunnel (Tunneling Protocols), the time window for VPN access (Access Hours), the number of simultaneous connections with one account (Simultaneous Logins), the maximum session time, etc.:

Configuration> Remote Access VPN> Network (Client) Access> Group Policies> Add Internal Group Policy
The next useful setting is the Servers tab, where we specify internal DNS servers for AnyConnect VPN users so that they can reach internal resources by name:

Configuration> Remote Access VPN> Network (Client) Access> Group Policies> Edit Internal Group Policy - Servers
Now on to another interesting option: Split Tunneling. As I wrote earlier, we use the "tunnel only specified networks" policy (we don't wrap all user traffic in the tunnel and we allow access to local resources; the "Local LAN Access" option is discussed separately below):

Configuration> Remote Access VPN> Network (Client) Access> Group Policies> Edit Internal Group Policy> Advanced> Split Tunneling>
Earlier we specified which networks/hosts are reachable; now we restrict access to them by protocol/port (another ACL):

Configuration> Remote Access VPN> Network (Client) Access> Group Policies> Edit Internal Group Policy> Advanced> AnyConnect Client> Client Firewall> Private Network Rule
As a result, after connecting with the AnyConnect VPN client, you can see the routes into the tunnel and the firewall rules:

AnyConnect Client> Route Details

AnyConnect Client> Firewall
Now we can create the AnyConnect connection profile itself: go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, Add AnyConnect Connection Profile,
and specify: Name, Aliases, then Authentication Method (AAA and certificate), AAA Server Group, Client Address Pools, Group Policy, everything created earlier!

Configuration> Remote Access VPN> Network (Client) Access> AnyConnect Connection Profiles> Add AnyConnect Connection Profile> Basic
And now a little life hack: we extract the E-mail value from the user certificate, cut off the @domain.ru part with the regular expression (.*)@ (the E-mail value should be %AD username%@somedomain.ru) and substitute the result into the Username field when connecting:

Configuration> Remote Access VPN> Network (Client) Access> AnyConnect Connection Profiles> Add AnyConnect Connection Profile> Advanced> Authentication> Username Mapping from Certificate
Once the profiles are configured, we can already connect, because the default policy DfltAccessPolicy applies to all authenticated users (it has the highest priority). We want each Active Directory group to use its own profile and get its own group policy / access policy. So go to Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies and disable DfltAccessPolicy (in fact we do not prohibit, we set its action to Terminate with a message to the user, which gives a good diagnosis: the user is not in the Active Directory group):

Configuration> Remote Access VPN> Network (Client) Access> Dynamic Access Policies
Terminate connection from users who are not in the access group
After the default policy is disabled, create a new one:
Configuration> Remote Access VPN> Network (Client) Access> Dynamic Access Policies> Add Dynamic Access Policy

Configuration> Remote Access VPN> Network (Client) Access> Dynamic Access Policies> Add Dynamic Access Policy with AAA Attributes
where g_vpn_level_01 is the security group created in Active Directory, in which we include the admin accounts that should connect via AnyConnect VPN with the VPN-ADMINS profile:

Configuration> Remote Access VPN> Network (Client) Access> Dynamic Access Policies> Add Dynamic Access Policy with AAA Attributes> Get AD Groups
And the final touch: I recommend saving the created profile to a file (useful, for example, for synchronizing profiles to the standby unit in a Failover configuration):

Configuration> Remote Access VPN> Network (Client) Access> AnyConnect Client Profile
After the profile is saved it can be tuned a little: remember the "Local LAN Access" option I mentioned? It is configured right here. You can also configure the choice of certificate store; AnyConnect client auto-update; enabling/disabling the ability to connect to the computer via RDP while the VPN is connected; the protocol version (IPv4, IPv6 or both); certificate and server settings; mobile policies. In general, there is something to tweak to your needs!

Configuration> Remote Access VPN> Network (Client) Access> AnyConnect Client Profile> Edit
For the second group, "VPN-USERS", we do the same ...
PS: for console lovers, I'll post the configuration later
P.P.S.: don't take this as advertising, I just like it the most: Duo Security
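To make the whole decision chain concrete (certificate E-mail, username via (.*)@, AD memberOf via the attribute map, then Dynamic Access Policy or Terminate), here is an added Python model of the logic the article configures; it is not Cisco code and not from the article. The account names, DNs, the somedomain.ru domain check and the g_vpn_level_02 group are assumptions.

```python
import re

# Constructed stand-ins for the article's Microsoft CA e-mail field and the
# Active Directory memberOf values; all names and DNs are assumptions.
ALLOWED_DOMAIN = "somedomain.ru"
# The article's Username Mapping from Certificate rule: keep the local part
# of the certificate's E-mail field and drop "@domain".
USERNAME_RE = re.compile(r"(.*)@")
# sAMAccountName -> memberOf, as the LDAP attribute map (memberOf ->
# IETF-Radius-Class) hands it to the ASA for the DAP evaluation.
AD_DIRECTORY = {
    "admin1": ["CN=g_vpn_level_01,OU=VPN,DC=somedomain,DC=ru",
               "CN=Domain Admins,CN=Users,DC=somedomain,DC=ru"],
    "user1": ["CN=g_vpn_level_02,OU=VPN,DC=somedomain,DC=ru"],
    "guest1": ["CN=Domain Users,CN=Users,DC=somedomain,DC=ru"],
}
# DAPs in priority order, first match wins (g_vpn_level_02 is assumed).
DAP_RULES = [("VPN-ADMINS", "g_vpn_level_01"), ("VPN-USERS", "g_vpn_level_02")]
TERMINATE_MSG = "Access denied: account is not a member of a VPN access group"


def username_from_cert_email(email):
    """Apply '(.*)@' to the E-mail field. The domain check is an added
    safeguard so that a certificate issued for another domain whose local
    part happens to look like an AD account name is never mapped."""
    if not email.lower().endswith("@" + ALLOWED_DOMAIN):
        return None
    m = USERNAME_RE.match(email)
    return m.group(1) if m else None


def group_cn(dn):
    """Return the CN of a memberOf DN, e.g. 'g_vpn_level_01'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def evaluate_dap(member_of):
    """First DAP whose AAA attribute matches wins; no match falls through to
    DfltAccessPolicy, which the article sets to Terminate with a message."""
    groups = {group_cn(dn) for dn in member_of}
    for policy, required_group in DAP_RULES:
        if required_group in groups:
            return ("continue", policy)
    return ("terminate", TERMINATE_MSG)


def vpn_login(cert_email):
    """One connection attempt: certificate e-mail -> username -> AD groups ->
    DAP. The AD password check that AAA adds on top is not modelled."""
    user = username_from_cert_email(cert_email)
    if user is None or user not in AD_DIRECTORY:
        return ("terminate", "certificate e-mail does not map to an AD account")
    return evaluate_dap(AD_DIRECTORY[user])
```

The terminate branches are the ones worth watching in the ASA logs: a user who authenticates fine but lands in DfltAccessPolicy is almost always a missing AD group membership.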