AnyConnect VPN on FTD with DUO MFA and ISE Posture Validation - Workflow 2

Captions
Hello. Remote access VPN with multi-factor authentication and ISE posture, workflow 2. My name is Sandeep Yadav, welcome to this tutorial. In this tutorial I am going to cover a combination of AnyConnect, Duo and ISE for MFA and posture validation for remote access users. I have already covered the Duo workflow 1 and the related demo. As promised, in this tutorial I am going to focus on workflow 2, so let's go ahead and look at the second workflow.

In workflow 2 we have a user on the user laptop who has the AnyConnect Secure Mobility Client already installed. This is the same user who is already enrolled in Duo, so he has the Duo Mobile app installed on his phone. Now the user tries to make a remote access VPN connection to the VPN headend, and that is when he would be prompted for username and password. The VPN gateway in this scenario is Firepower Threat Defense. From here on is where the workflow changes compared to workflow 1. In this workflow we configure ISE as the RADIUS authentication server on the FTD. In turn, we configure ISE to point to an external RADIUS server, which in this case is the Duo Authentication Proxy, which in turn points to Active Directory, the AD client, as the primary authentication source. So the username and password submitted in step 1 are given to the Duo Auth Proxy and evaluated against Active Directory. If they are found to be valid, the Auth Proxy makes an API request to the Duo cloud for the application policy evaluation. For this, one must ensure that there is outbound access from the Duo Auth Proxy to the Duo cloud on TCP 443; it is purely outbound connectivity. The Duo Auth Proxy will do the policy evaluation, and as part of the application policy it ensures that a Duo push is sent to the end user. The user then has to confirm that it is a genuine request and accept the Duo push notification received on his mobile phone. After accepting the Duo push, an Access-Accept message will be returned.

At this point we are going to make one more change in ISE as part of this workflow. Whenever we receive an Access-Accept message from the Auth Proxy, ISE needs to continue to the authorization policy evaluation. This is where we do the posture check, where we check whether the user is compliant or non-compliant, and accordingly we do a Change of Authorization to revise the permissions for this same user. If the user is found to be compliant, the user will be able to connect successfully.

So let's jump to the demo and look at these settings, and where we do this. To start with, let's look at the first configuration, where the ASA, or sorry, FTD is configured to point to ISE as the RADIUS server. We are back in the pod, and this is where I have configured ISE as a RADIUS server. Let's go and look at the ISE side. On ISE I have added FTD as a RADIUS client, and on FTD, ISE is added as a RADIUS server. So this is change number one. Let's get to change number two. As part of change two, ISE is supposed to point to the Duo Auth Proxy, and the Duo Auth Proxy is eventually configured with AD as the primary authentication source. Let's get back and look at this change now. Here is the Duo Auth Proxy service running on this server. Let's go and look at the Auth Proxy configuration file. Here is the Duo Auth Proxy configuration file. As mentioned, ISE points to the Duo Auth Proxy, and is configured here as a RADIUS client; here is the IP, ending in .8, and if I show you the nslookup, my ISE server is 20.60.8, so 20.60.8 happens to be my ISE. Now, as I mentioned, the Duo Auth Proxy is further down the line pointing to AD as the primary authentication source, which is configured in here. In this segment I am configuring that my AD server is my primary authentication source and I am going to read all the users of this particular group. So this is also taken care of.

Following this, the next change is on the ISE side. On ISE we are going to configure the Auth Proxy as an external RADIUS server. If you check here, here is the Auth Proxy, 20.6 3.10, and if you check in the Auth Proxy, this is where the RADIUS peering happens; sorry, not this one, it's this one, this is where the RADIUS peering happens between the Auth Proxy and the ISE server. Once this is done, please make note of the server timeout: keep it at 90 seconds, and the connection attempts at around 3. Next you need to configure a RADIUS server sequence, where I am going to point to the Auth Proxy which I defined under External RADIUS Servers. One of the important settings is right here under Advanced Attribute Settings: once you receive an Access-Accept message from the Auth Proxy, ISE should locally continue with the authorization policy evaluation. Once you have done this, the last change you need to do is in the policy set. You go to Policy Sets, and in the policy set defined for FTD you need to make sure that you change your proxy sequence to the one that was defined here. So this sequence points to the Duo Auth Proxy which is defined here.

With this setting, let's now go ahead and test this out. I already have a user connected; what we can do is disconnect this user. This happens to be one user, and this happens to be another test machine, another user. Let's use Alex as the user over here. You see the user is connected. This is where it is saying that it is connecting to ISE as part of the system scan of the posture module; I say "connect anyway", and this is where the posture evaluation happens. The posture check completes, the user machine is found to be compliant, and you will see the user machine has access, and this is where we expect the user to be able to browse the Internet as usual while on VPN. So this happens to be the first user. If you look at the statistics, the VPN is connected, connecting from this public IP right here, and the roaming client goes into a disabled state because the user is on VPN; this is due to the detection setting defined in the AnyConnect profile. The system scan will show that the posturing happened, the endpoint was compliant, the posturing was done by this server, and these were the products evaluated as part of the scan summary. So this happens to be one user.

We did Alex; let's quickly do another user, Eric. Here I will deliberately deny this and say it was a mistake, and the user is denied access. Let's try re-authenticating the same user but with a passcode. I am going to just key in the passcode and click OK, and the passcode was accepted, so we should expect user Eric to be shown again here, this is for the posture, and we should expect user Eric to be connected, and the Duo console should show that he was allowed on the basis of a passcode.

So the very first thing, let's jump to the Duo console and look at the authentications for Alex and Eric; one of them was through passcode. For Alex, I had approved it through Duo push, that's good, and he was connecting from 12.10. For Eric, the first time I did a Duo push, as you can see here, but I denied it saying it was a mistake, and then I made the second attempt using the passcode. As explained, a passcode will not give you the end user location. So this is one. Now let's get back to Identity Services Engine and see what happened. Let me just try to get some more results. We see that the posture status has completed for the two users, Eric and Alex, and their endpoints are marked as compliant. They both were connected on the FTD firewall, which is hosted at 60.1.

Eventually, we can go back to the firewall and look at the VPN and the latest results. So you see Eric and Alex, those are our two users. This is the second workflow, where we are configuring an external RADIUS server which points to the Duo Auth Proxy, and then finally making changes in the RADIUS server sequence and making sure that once this completes, we go through the authorization. Just to review what we did: right here we take a prompt, we use both the push and the passcode method, and then we did the authorization policy evaluation, on the basis of which we allowed the end user to connect on this VPN because the user was compliant. That's all I had for this video. I hope you enjoyed it. Thank you and have a nice day.
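As an added example that is not the presenter's configuration file, this is what the two Duo Authentication Proxy sections the video walks through look like in authproxy.cfg: an ad_client section for the primary authentication against Active Directory (including the group restriction), and a radius_server_auto section in which ISE is the proxy's RADIUS client. The domain controller names, DNs, service account, shared secret and Duo integration values are placeholders; the ISE address 20.60.8 is the one shown in the video.

```ini
; Added example authproxy.cfg, not the presenter's file. All hostnames, DNs,
; secrets and Duo integration values are placeholders to be replaced.

[ad_client]
host=dc1.example.local                       ; primary domain controller (placeholder)
host_2=dc2.example.local                     ; optional backup DC (placeholder)
service_account_username=svc_duo_proxy       ; read-only AD bind account (placeholder)
service_account_password=<service-account-password>
search_dn=DC=example,DC=local
; Only members of this group may authenticate; this is the "read all the
; users of this particular group" setting from the video (placeholder DN).
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=local

[radius_server_auto]
; Integration values come from the RADIUS application in the Duo Admin Panel.
ikey=<integration key>
skey=<secret key>
api_host=api-XXXXXXXX.duosecurity.com
; ISE is the proxy's RADIUS client (20.60.8 is the ISE node in the video).
; The shared secret must match the External RADIUS Server entry on ISE.
radius_ip_1=20.60.8
radius_secret_1=<shared-secret-matching-ISE>
; Hand primary authentication to the [ad_client] section above.
client=ad_client
port=1812
; failmode=safe (the default) lets logins through without MFA if the proxy
; cannot reach the Duo cloud over outbound TCP 443; secure fails closed.
failmode=secure
```

With this file in place, the External RADIUS Server entry on ISE points at the proxy's address with the same shared secret, and the 90 second timeout the video recommends gives the user time to accept the push before ISE retries.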
Info
Channel: CCIE NextWave
Views: 1,870
Keywords: DUO MFA, DUO and ISE, DUO and Anyconnect, Cisco DUO and ISE Integration, DUO and ISE Integration, ISE and DUO MFA Integration, DUO with ISE Posture, DUO and ISE Posture
Id: LAyBZAv0vP0
Length: 14min 59sec (899 seconds)
Published: Mon Apr 13 2020