Anyconnect Management Tunnel + User Tunnel (Okta SAML+DuoMFA) demo

Captions
Hello, this is an AnyConnect management and user tunnel demonstration. Thanks to Ned's Olivar for helping me set this up so we can record a demo. So the use case is this: this is an AnyConnect user on their laptop, before they even log on to their machine. So the machine is powered up, but they're not logged into the machine itself. AnyConnect would initiate a management tunnel using machine certificate authentication, and that would build a tunnel back to the corporate ASA. OK, so the user is completely unaware of this and there is nothing for them to do, and with this tunnel up, this allows corporate administrators to go ahead and remotely patch PCs, push any updates when necessary, run after-hours update scripts, etc. So it gives them a maintenance opportunity there. Now, once the user wakes up in the morning and they're ready to go to work and they log into their machine, that management tunnel would drop and then the user tunnel would initiate, OK, using any of the configured authentication methods: AAA, SAML, or certificate authentication for the user. In this demonstration I'm going to show you the SAML authentication for the user tunnel, and this is done through Okta SAML plus the Duo multi-factor authentication.

So let's go ahead and take a look at my ASA here. Here's my ASDM, and I have a machine tunnel already up. It's Windows10VM-test, that's the name of the machine, and if I go to Details (hit refresh, we go to Details here) I can see that the authentication mode is certificate. So they're showing me that it is a machine certificate being used for the specific machine. OK, so now let's go ahead and jump over to my client machine and I'm gonna log into the machine here. OK, you can see that the AnyConnect client has popped up as loaded and it's now prompting the user for authentication to initiate the user tunnel. So I'm going to go ahead and log in to the Okta portal, and now I am being prompted for the integrated Duo multi-factor authentication. I'm going to hit "Send me a push", and then in the background you can see my Duo request has popped up, and I hit Approve. OK, and there it is, I've successfully authenticated and I am logged into my Okta tunnel, and if I go ahead and take a look at the VPN it shows that the management connection has dropped, disconnected, and the user tunnel is up now, so the user is connected.

OK, now let's go back to ASDM. You can see here before it was Windows10VM; let me go ahead and do a refresh, and now the user shows "je Li n" at cisco.com, that is my Okta login name, so that was showing up as a user tunnel. And if I go to Details you can see here that the authentication mode is SAML, and that is done through SAML here. So let me go ahead and close this and jump out of here. And now just say I am done; I can disconnect here or I can log out, doesn't really matter. I'm just gonna go and sign out of my machine, simulating that I am off work. So I'm just gonna sign out. Now that I've signed out, my user tunnel should refresh itself. OK, let's do a refresh, give it a second here, and you can see here now it's no longer logged in as "je Linden" anymore; it's now logged in as Windows10VM-test again, right? It's the machine tunnel, or management tunnel, that has come up, and it is again back to certificate authentication from the machine. OK, hopefully you found this demo very useful, and thanks for watching.

Next we're going to show you what the configuration looks like for the machine management tunnel with certificates and also the user tunnel using Okta SAML authentication. So here I have two connection profiles, one for the machine or the management tunnel and one for the user tunnel, which I call Okta. So let's take a look at the machine one. If I edit this, the authentication method is certificate only, because I am only looking for certificates, and then the address is normal. My group policy: I have a group policy called machine tunnel. If I edit that, pretty much everything is default; just make sure banner is not turned on, because for machine certificate authentication you don't want the banner pop-up to stop the authentication process. Everything's pretty standard, and make sure your protocols are enabled for the right choices, and then the servers, DNS servers, that's all fairly standard. I have split tunnel turned on for "tunnel all networks", and then underneath AnyConnect client there's a client bypass protocol you have to enable, and then I have the client profiles associated with this specific group. I'll show you my client profiles in another screen later, OK, but they should be here if you attach it in the client profile section. Then, last but not least, there's also custom attributes. You need to configure a custom attribute called "management tunnel all allowed" and that value has to be true; this is part of the split tunnel configuration there. And now let's go back over to, OK, and then in my management tunnel I also have a group alias; it's got my ASA name as well as IP, and then the management tunnel name that I configured.

OK, and then in the Okta user profile here I configure a typical connection profile, but now my authentication method, I have it configured to point to my SAML server that I set up earlier, and this is the Okta single sign-on server in the cloud. These parameters were taken from my Okta portal and imported and put into here, so they would establish a secure communication with the ASA. OK, and then from a group alias perspective I also have a tunnel name for the group URL called Okta. OK, and if I go back to the group policy I have a group policy called Okta for the user, and then if I edit that policy, again everything is very generic, inherit default values, and no split tunnel needs to be configured here because I'm not doing any split tunneling. And then underneath AnyConnect I have a profile; everything is default. I have a profile associated with it, including the management tunnel, and then custom attributes, there's nothing configured because it's not needed.

OK, now on the client profile side I have two profiles, one for the management tunnel here, and make sure, if you configure your management tunnel profile, that the profile usage is "AnyConnect Management VPN Profile"; that's a new edit, so make sure you pick that. And if I edit this, the only thing I configured in here is the trusted network detection, because if I'm on the corporate network I want the client to be off, the VPN to be off, and then if I'm untrusted, not on the corporate network, then go ahead and initiate the VPN connection. Then the trusted DNS domain as well as a trusted DNS server within my lab, that's all been configured. And then, last but not least, is the VPN server list; you must enter one here because this is an entry that shows up in the actual AnyConnect client for them to connect to. OK, so I have one with my ASA name and the management VPN name that I configured. For the Okta user profile, it's here; the profile usage is "AnyConnect VPN Profile" and my configuration is pretty straightforward. This is all fairly default for Preferences part one and Preferences part two. Again I have the trusted network detection set up here to disconnect if I'm on the corporate network and then connect via VPN if I'm on the untrusted outside, outside the corporate network, and these are my trusted DNS server, an IP address in my network. And then the next piece you have to configure is the server list; this is a server list that shows up in the AnyConnect client itself. I call it Okta; that's the ASA name as well as Okta. OK, and last but not least, underneath the Advanced section I have an AnyConnect custom attribute, and this actually goes along with the management VPN tunnel. So I have a type called "management tunnel all allowed" and the description is the same name, "management tunnel all allowed", and then you also have to create one custom attribute name for the type "management tunnel all allowed", and the name has to be true and the value has to be true. All right, so you create this, and also make sure that these values show up in your management tunnel group policy. Here's the group policy again, under AnyConnect client and custom attributes, it shows up in here. OK, if all goes well, that's all it takes, and hopefully this is helpful in getting you set up in your lab. Thanks for watching.
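As an added illustration that is not from the video, here are the same management-tunnel and Okta user-tunnel objects the narrator clicks through in ASDM, written as ASA CLI. Object names, paths and URLs are made up, and the exact keyword spellings (the custom attribute commands, the `vpn-mgmt` profile type, the SAML identity-provider reference) are my assumptions to be checked against the command reference for your ASA release.

```text
! Custom attribute type, then its single allowed value: name "true", value "true"
! (assumed command spelling, see lead-in)
webvpn
 anyconnect profiles MGMT_PROFILE disk0:/mgmt-tunnel-profile.xml
 anyconnect profiles OKTA_PROFILE disk0:/okta-user-profile.xml
 anyconnect-custom-attr ManagementTunnelAllAllowed description "management tunnel all allowed"
anyconnect-custom-data ManagementTunnelAllAllowed true true
!
! Group policy for the machine (management) tunnel:
! no banner (a banner prompt would stall certificate auth), tunnel-all,
! client bypass protocol on, management profile attached, attribute set to true
group-policy GP_MACHINE_TUNNEL internal
group-policy GP_MACHINE_TUNNEL attributes
 banner none
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
 webvpn
  anyconnect profiles value MGMT_PROFILE type vpn-mgmt
  client-bypass-protocol enable
  anyconnect-custom-attr ManagementTunnelAllAllowed value true
!
! Connection profile for the machine tunnel: certificate-only authentication,
! group URL matches the server-list entry in the management client profile
tunnel-group TG_MACHINE_TUNNEL type remote-access
tunnel-group TG_MACHINE_TUNNEL general-attributes
 default-group-policy GP_MACHINE_TUNNEL
tunnel-group TG_MACHINE_TUNNEL webvpn-attributes
 authentication certificate
 group-alias machinetunnel enable
 group-url https://asa.example.com/machinetunnel enable
!
! Group policy for the Okta user tunnel: defaults, no custom attribute needed
group-policy GP_OKTA internal
group-policy GP_OKTA attributes
 vpn-tunnel-protocol ssl-client ikev2
 webvpn
  anyconnect profiles value OKTA_PROFILE type user
!
! Connection profile for the user tunnel: SAML against the Okta IdP object
! (that object holds the sign-in/sign-out URLs and IdP certificate imported
! from the Okta portal; it is not shown here)
tunnel-group TG_OKTA type remote-access
tunnel-group TG_OKTA general-attributes
 default-group-policy GP_OKTA
tunnel-group TG_OKTA webvpn-attributes
 authentication saml
 saml identity-provider https://www.okta.com/IDP-ENTITY-ID-PLACEHOLDER
 group-url https://asa.example.com/okta enable
```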
Info
Channel: Ciscolive Security Fan
Views: 680
Keywords: Anyconnect Management Tunnel and Okta SAML
Id: KxvX150P33c
Length: 11min 5sec (665 seconds)
Published: Fri Apr 24 2020