Anyconnect 4.9 SAML authentication with FTD 6.7 and Okta IDP

Captions
Hi, this is a demonstration of AnyConnect connecting to the Okta IdP using SAML. So here I have my AnyConnect client, and I'm running version 4.9 5042. If you're running lower, I suggest you upgrade, but it's not required to run 4.9; it's just that 4.9 has a lot of fixes. But still, let's see. We can go through the connection profile right here, so you can use your AnyConnect profile, or, for a demonstration, I'm just going to type the actual URL to connect to right into here. So I have one called Okta, so it's my Irvine DMZ 4115 cisco.com Okta URL. I'm going to hit Connect, and now I'm going to get prompted for Okta authentication, so I'm being redirected to the Okta authentication portal within the AnyConnect framework here. That's my name and password, and at the same time I have Duo multi-factor authentication enabled, integrated into this Okta SAML authentication process. It's not required, it's just optional; I just happen to have it, so I use it. I send myself a push, and on my phone I get a pop-up from Duo saying "authentication request". I'm going to hit Approve. All right, then my VPN session is established. I'm done.

So I'm going to go ahead and bring up just some information. Ignore all the other miscellaneous modules; it's really just the VPN that we're interested in. So you can see that my VPN session is connected, doing split tunneling (include). That's my IP address, 10.11.41, and so I've got bits and bytes transmitted and received, so it's all good, so I'm connected. Let me go ahead and get into the Firepower Management side for FTD 6.7. So this is running 6.7. I can see that under Analysis, Active Sessions: I have je lynn, my active session, that's been logged, 10.11.40. Okay.

Now on the VPN side, I'm going to go into Devices, RA VPN, and here's that RA VPN policy that I created, and within this RA VPN policy I have multiple connection profiles: Okta, Azure, regular username and password. So let's go and take a look at Okta. My connection profile is called Okta, with a group policy called group-policy-okta, and then here's just a client address, a regular AnyConnect configuration: that's maybe an IP pool or DHCP server (I have one, I don't). My authentication here: now I'm picking SAML. Usually we're used to picking, you know, AAA, certificate, etc., but in this case I'm just doing SAML. Then my authentication server, the field below, is my okta-sso server, and I'll show you how that's created in a few seconds here. Then my authorization I'm still pointing over to ISE, because I have it in case I need to do a posture or some sort of CoA, as well as accounting. Okay, but you can leave these blank if you wanted to. And then the alias is just, this is my alias name for the connection, and then this is the group URL that I connected to right here, Irvine DMZ 4115 cisco.com Okta again, but you can embed all this information in the AnyConnect XML profile for the client.

Group policy: I pretty much left everything as almost default here. I have a VPN protocol; I'm simply using SSL. There's an IP address pool you can specify here. Banner, nothing. DNS, this is my DNS information. I enable split tunneling in here with the ACL that I'm matching. And then AnyConnect, again I'm not pushing down any profiles, but if you wanted to, you can upload the AnyConnect connection profiles into here and they will get downloaded to the client. Same thing for the management profile, the management tunnel profile, same thing. And then the modules, SSL, all that I just left default, because it's just sort of simple and clean here.

Okay, so back to this okta-sso server: where do I configure that? I go into Objects (I just create another new tab), okay, I go into the AAA Single Sign-on Server, and you see here there's an okta-sso that I created by using the Add Single Sign-on button here, and here is where I fill that in. So this is the okta-sso single sign-on server that I picked within my device profile you saw earlier. Okay, then now this is the SAML configuration that I need to get from Okta. So this is pointing to my Okta, so I have my Okta portal running. I'm logged into the Okta portal in the background, and if you go into Applications you can see the list of my applications that I have configured, and the one I'm using now is VPN, FTD VPN 6.7. So I go into that one, and then I'll look at the single sign-on configurations. Okay, and you can pretty much just leave most of this blank; well, you don't have to configure anything. Go and look at the View Setup Instructions right here. Okta does a pretty good job of telling you how to configure it, so they actually pre-populate it. You have the certificate here that you'll need to download in a second, but, for example, for ASA you can use the CLI; but here, for example, on step number seven, here we go, starting with six, right: this is the entity ID that you need to copy and paste into FMC, Firepower Management Center. So this is the entity ID, which is called the SAML IdP, so go into here and copy it into the Identity Provider, because that's Okta. Then there's a single sign-on URL and a logout URL; grab the information from here. This is the sign-out URL, or SSL, sorry, SSO SAML, so cut and paste that into here, that's the SSO SAML, and then there's a logout URL that you'll grab down here; this is the logout. Okay, so go and cut and paste this long string into your FMC in here. That's it, so those are three values. Then you have your base URL; that's basically the fully qualified domain name of my appliance. And then the identity certificate, which you'll need to import: so you need to grab the certificate from here, cut and paste this, save it and import it. So we're done here, and leave the rest of it blank.

Import it (I'm going to hit Cancel): import it into the category called PKI, Certificate Enrollment, and here's the Okta SAML. So paste that certificate from the Okta portal into here, configure your enrollment type to be Manual, check the CA Only (so make sure you check this, because you're not generating additional identity certificates from Okta), and then do make sure you check the Skip CA Check, so basically now doing a validation of the certificate, you're trusting it, because you're importing it directly from the Okta SAML provider there. Okay, so this step must be done here. So that's your Okta SAML. So once that is done, again it goes back to here: that's your Okta SAML you're pointing to right here, that's the Identity Provider Certificate, and then the Service Provider here is basically your identity, sort of your Firepower or ASA appliance, but it's not really required, because there's no asterisk behind the title here, like this other one; this one has an asterisk, so it needs to have a certificate. So just leave the rest of it blank, check this re-authentication on login, and hit Save. Okay, so that's pretty much done.

Then the last step you have to do is go into Devices, go into Certificates. Okay, let's go back to our VPN real quick, and then we'll jump to Certificates. More certificates I want to review, since I'm doing Okta: look, take a look at the Access Interface. My FTD appliance, I have it configured so the, I guess, global certificate points to my local lab CA. So I have a Windows 2016 CA that's managing certificates for all my devices, so that's my global certificate that I trust. And then see here, Advanced: really not much to do in the Advanced screen, except I just uploaded my AnyConnect images for Mac and Windows. Okay, and then one last step you need to do is the certificates here. Go into Devices, Certificates, because you've got to get these certificates deployed to the appliance. So what you would do is hit the Add button, pick the device (in my case it's the Firepower 4115) and the certificate enrollment; I want to enroll in whichever IdP, so I have three listed here, and I've already done so earlier. You can see here I have a Windows 2016 CA; so when I added the Windows 2016 CA, it downloaded the Windows 2016 CA certificate. Well, actually, I added that earlier as well in the PKI section. But here there will be a little icon here for Identity, a certificate of my device, of my Firepower appliance, and if you click on this, this is showing you my signed certificate; but before you do this, when you click on this it'll actually generate a CSR for you, a certificate signing request for your appliance, and you cut and paste that CSR into your, in my case it's my Windows 2016 CA, I cut and paste it into there, have it signed, and then I downloaded that signed certificate back into here. Okay, so you can see this is the result of it: I have the issuer, which is the 2016 root CA, and my site, and my device is the 4115 appliance. So that'll get done here. But you've also got to do the same thing for Okta, so it'll just trust that Okta certificate, the SAML certificate that we installed earlier, so it'll be placed here. We're not generating an identity certificate from Okta; that's why we had checked one of those check boxes. And then after, when this is done, and you do the same thing for Azure if you're adding Azure, then you just simply hit Deploy. That's it, and then you're done.

Now one last final step to do is in the Okta portal. So we've taken metadata from the Okta IdP and configured it into my Firepower appliance, but now we need to take some Firepower information and configure it into the Okta IdP here. So these are the Assertion Consumer Service URL, Entity ID and the Logout Service. So here you would grab this from your FTD or ASA appliance. So you can simply SSH into your appliance, and then once you get into your appliance, or my FTD appliance, I go into the, I'll show you right here: I logged in and then I went into, see here, yeah, so log into the Linux, log into FTD; you're actually on the Firepower side, and you just need to type in system support diagnostic-cli to get you into this screen. Here we go, system support diagnostic-cli, and that logs you in from the Firepower side into the ASA portion of the code, where you can get the metadata for SAML authentication. So you issue a command called show saml metadata and then your connection profile; for me, I call it okta. Now once you do that show command, this is where you grab the entity ID right there, and you copy this into Okta right here, Entity ID, so you copy it into here. Same thing with the Assertion Consumer Service URL: I take the Assertion Consumer Service and I cut and paste this URL, it finishes with okta inside the quotation marks here, and copy that into right there. And then the sign-out URL would be the Single Logout Service, and that's the actual URL; just cut and paste from here and put it into here. Okay, and that's really it. It's pretty simple with Okta, and don't forget, once you configure the SAML settings, make sure you enable your assignment, because you have to allow users to use this specific application that you just created here. Okay, and that's it. Hopefully it's simple enough, and if you can get yours working, awesome. Send me a note if you have any thoughts or questions. Thanks for watching.
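As an added example that is not from the video, here is a small Python script that reads Okta's IdP metadata XML (a constructed sample; example.okta.com and the exkPLACEHOLDER entity ID are placeholders) and pulls out the entity ID, single sign-on URL, logout URL and signing certificate that go into the FMC single sign-on server object and the manual, CA-only certificate enrollment, so the pasted values can be checked against the metadata instead of being compared by eye.

```python
"""Extract the entity ID, SSO URL, logout URL and signing certificate from Okta
IdP SAML metadata for the FMC SSO object. Added example, not from the video."""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the SAML 2.0 metadata layout Okta publishes; the entity
# ID, hostname and certificate body are placeholders (not a real certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/ftdvpn/exkPLACEHOLDER/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/ftdvpn/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/ftdvpn/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return entity ID, HTTP-POST SSO/logout URLs and the bare-base64 signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    def post_location(tag):  # Okta lists each endpoint under two bindings
        return next((s.get("Location") for s in idp.findall(tag, NS)
                     if s.get("Binding") == POST), None)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": post_location("md:SingleSignOnService"),
            "logout_url": post_location("md:SingleLogoutService"),
            "cert_b64": "".join(cert.text.split())}

def to_pem(cert_b64):
    """Wrap bare base64 as the PEM block FMC's manual, CA-only enrollment takes."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sso_object_mismatches(metadata, configured):
    """Names of the three FMC SSO-object fields that differ from the metadata."""
    return [k for k in ("entity_id", "sso_url", "logout_url")
            if configured.get(k) != metadata[k]]
```

With real Okta metadata, feed the downloaded XML to parse_idp_metadata and pass the values typed into FMC as the configured dict; an empty mismatch list means the three fields agree with what Okta published.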
Info
Channel: Ciscolive Security Fan
Views: 554
Keywords: Anyconnect, FTD 6.7 SAML authentication with Okta
Id: LpFIr9swEWM
Length: 15min 23sec (923 seconds)
Published: Fri Feb 12 2021