AnyConnect VPN on FTD with DUO MFA and ISE Posture Validation

Captions
Welcome to Duo Security remote access VPN with multi-factor authentication and ISE posture workflow. My name is Sandy Piano. In this video tutorial I am going to cover AnyConnect, Duo and ISE: how to use these three components together to perform MFA and posture validation for remote access users. I intend to cover two workflows in this video tutorial and cover a demo for each of these workflows in subsequent video tutorials, so let me just introduce the two workflows here.

The first workflow is as follows. We have got a user who already has the AnyConnect roaming client, or AnyConnect Secure Mobility Client, installed on his laptop. It's the same user who is already enrolled in Duo, so he has the Duo Mobile app installed on his mobile. This user now tries to connect to the VPN gateway and is prompted for username and password. The VPN gateway here in this example, and in my demos, is going to be ASA or Firepower Threat Defense. The VPN gateway is further configured with a RADIUS authentication server, which in this case happens to be the Duo Authentication Proxy. I have installed this Duo Authentication Proxy on one of the servers. The Duo Authentication Proxy in turn is configured with the primary authentication server as an ad_client in the configuration and uses AD as the primary authentication source. Once the username and password are verified, the Duo proxy sends the request to the Duo cloud. For this request to be successful you need to allow outbound access for the source, the Duo Authentication Proxy, towards the Duo cloud on TCP port 443; it's an outbound request. When the request reaches the Duo cloud for policy evaluation, based on the policy the Duo cloud sends a push notification to the user. The user has to accept the push notification received on his mobile. Once it's accepted, the Access-Accept message is returned by the Duo proxy back to the VPN gateway, which is step six here.

And this is where we do a small tweak and change: the same firewall is now configured with another RADIUS server, or RADIUS authorization server, which happens to be Cisco Identity Services Engine. Identity Services Engine in turn points to AD as the authentication source, okay, and it's the same username and password which is forwarded to ISE. ISE checks the existence of the same user in AD, and after that ISE performs the posture validation. So there are three authorization rules defined: for unknown posture, non-compliant posture and compliant posture, okay. And as part of this, the catch is, and I'll show you in the configuration, I have two separate AAA servers defined on this same Firepower Threat Defense device: for authentication I am using the Duo proxy, but for authorization I am using Identity Services Engine, and that makes me achieve the end goal of posturing the incoming user right here, okay. Once the posture is successful the user is marked as compliant and the user is able to successfully connect. So this is flow one, which I will be demonstrating. Before going to flow two, let me just show you the configuration for this workflow and how this works.

So very first, let me just show you where my FTD is. I'm using FMC, and if I show you my devices and then go to Remote Access VPN, I already have a VPN configured here. If I go inside, here is my connection profile as I had explained, and if you look here I have my authentication source, which is Duo, and for authorization and accounting I am using Identity Services Engine. Where are these defined? These are defined here. I have defined two RADIUS server groups. The first one happens to be Duo; here is the IP defined, 10.20.60.10, which for me happens to be right here. So this server, 10.20.60.10, is the server where I have the Duo Auth Proxy service running, and as part of the configuration I have kept the secret keys hidden, but as you can see here, in this configuration specifically I am pointing to, or have configured, the FTD address. So 10.20.60.1 is the management interface IP of FTD, and the shared secret. As I explained in the workflow, the Duo proxy is pointing to AD as the primary authentication source, which I have defined in a separate section right here. So this is where my primary authentication source is defined, which is AD, and my details are defined over here: the base DN and the group to search, okay. So this is where the configuration exists. We'll come back and look at the logs here once we test out the authentication.

So going back to the configuration: this is the first one, which is the Duo Auth Proxy. Second, what I've done is I have configured the ISE RADIUS server, so 10.20.60.8, and if I do an nslookup on ISE, that's my ISE server; you see it's 10.20.60.8. So 10.20.60.8 is my ISE server. What I am pointing out here, as I explained, the catch is you need to select Enable Authorize Only; make sure you turn on interim accounting updates and dynamic authorization, or CoA, because the user profile will move from unknown to probably non-compliant or compliant, right, so you need CoA. So that's my second server right here. So two servers are configured, which are called in this order: authentication is Duo, but for authorization I am relying on ISE.

Then let me just show you what I have configured in ISE. So I just jumped to my policy sets. As I mentioned, the firewall is configured to point towards ISE as a RADIUS server, so first of all the firewall is configured as a RADIUS client here on ISE, and then what I have done is I have configured a policy set for FTD, which is done here. In this I am regularly pointing to my AD server, so let's get inside this policy set. My authentication policy still points to my internal AD server, and once this is successful I expect the profiles to hit one of these, to start with Posture Unknown, and I expect this authorization profile to be given: Authorization PrePosture VPN Duo, that's my authorization profile. And let me just show you what is there in that pre-posture VPN Duo authorization profile. So it's right here: I have Access-Accept, there is an ACL, web redirect and the portal, and I have done one more thing. This is specifically done for DoT compliance here in India, where as part of the Directorate of Telecommunication compliance letter it's important that all the teleworkers who are working from home, every time they connect to the VPN gateway, the same user should be allocated the same IP every time, and they have to submit the user, the IP and the work location details to the DoT. So I have defined the msRADIUSFramedIPAddress attribute in the AD server for all these users, so every time they connect they always get that static IP defined in the AD server, and that value is passed as Framed-IP-Address as part of the RADIUS response packet.

So having said this, let's get back to the testing phase. We come back here; here is one of my users, he is not on VPN. Sorry, so let's get started. I'm going to say Connect. Eric is the user; here I am entering the primary password for primary authentication on the endpoint side. So we connect, we give the primary login, and this goes: the user is connected, you see the posturing is happening, we are connected, then I click on Connect Anyway and the user is marked as compliant. So this is user one, and now let's go back and look at the results. So we go to RADIUS Live Logs, and the user here was actually Eric. A couple of things to note: let's go and look at whether the MFA happened, so we can go to Reports and look at the authentication logs here. What you see is in India time, but there's a user, it's connecting to this application and from where this has happened; Duo Push was my method for MFA.

Now let's get back to the results. If you look at the results, here is Eric, he's connecting to VPN on FTD, it hits the authentication policy which we were looking at here, VPN FTD, right, and then he has gone ahead and has hit the authorization rule called Posture Check, the policy is for a posture check, and the authorization profile given was PrePosture VPN Duo, which we checked, okay. And during this time it was saying it is pending the posture data, so pending, and this is when it is saying the posture status is marked as compliant. Was it this machine? Yeah, so this is the machine. You see the VPN is already marked as connected, the roaming client which was earlier active has gone into the disabled state, and there was a last posture scan status, so we can go to System Scan and look at the statistics. It shows as compliant, the posture was validated against ISE, my ISE device which is right here, and these were the products which were evaluated, and yeah, so it's marked as compliant. So this is one of the users already connected and up and running on VPN. We can evaluate if the mails are working fine; you should be able to go and access the email, it's working perfectly right here. The internal web page, the proxy, the FTP, all the sites are working fine here.

And this is where we come back and look at the logs. So going back here and going to the logs, the user we recently tested out was Eric, and you can see the code is Access-Accept, he was allowed. So this is where the MFA code shows up, that MFA happened; doesn't change. We can give it a try with another user; in this case it will be Eric again. The MFA comes, you log in, okay, posture, it's connecting, we wait for posture validation and it's valid, it's compliant, it's accessible, and then our user is able to access the Internet, and as expected everything is working fine. So this is anyway the new roaming client, this is AnyConnect version 4.8 MR3 release, and you don't get to see the Umbrella status right here except that it's protected, it's active or not, but you can go back and check here. So I am on VPN, and as you can see, because of Trusted Network Detection my roaming client is in the disabled state; compliance is fine, the endpoint is marked as compliant.

So where do you go and check this on FMC? You can actually go and check here under Analysis, User Activity; this is where you can check your VPN users, VPN authentication, in-between users. Another place to go and check this is the Overview dashboard. Let's get back and just give it a try, so we go to Overview and we click on Dashboards right here, and then you can click on Switch Dashboard, you can go to Access Controlled User Statistics, and that will show you the VPN users for the last six hours or so. This usually can take some time to load the events here, but this will give you your VPN related information; this dashboard already exists on FMC. So we just tested this out with two of the users, Alex and Eric; both are shown here, one connected eight minutes back and the other two minutes back, they are connected to this FTD. These are the users from the last couple of hours; all of them are using 4.8.03 which is the MR3 release, and all of them are pretty much connecting from the US location. So just to revise the workflow, this is the workflow and that's how you go and achieve this. So thank you for watching, please do watch the next video where I'm going to cover the second workflow on this. Thank you and have a nice day.
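The Duo Authentication Proxy split described in the video, primary authentication against AD through an ad_client section and the FTD as a RADIUS client of a radius_server_auto section, looks like the following authproxy.cfg. This is an added example written for this page, not the author's configuration; the AD host, service account, DN, API host, keys and shared secret are placeholders, and the FTD address 10.20.60.1 is the one stated in the video.

```ini
; Added example authproxy.cfg for the workflow in this video (not the
; author's file). FTD sends RADIUS authentication to the proxy, the proxy
; verifies the password against AD, then asks Duo for push approval.
; Every credential and host below is a placeholder to be replaced.

[ad_client]
; Placeholder domain controller and service account used for the LDAP bind.
host=10.20.60.20
service_account_username=duo-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
; Base DN under which VPN users are searched (placeholder).
search_dn=DC=example,DC=local
; Constructed hardening: encrypt the bind with LDAPS and pin the AD CA.
transport=ldaps
ssl_ca_certs_file=/etc/duo/ad-ca.pem

[radius_server_auto]
; Values from the Duo Admin Panel for this RADIUS application (placeholders).
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
; Outbound TCP 443 from this host to the API hostname must be permitted.
api_host=api-XXXXXXXX.duosecurity.com
; Primary authentication source is the ad_client section above.
client=ad_client
; The FTD management IP named in the video, and the shared secret that
; must match the RADIUS server group defined on FMC.
radius_ip_1=10.20.60.1
radius_secret_1=REPLACE_WITH_SHARED_SECRET
port=1812
; secure: if the Duo cloud is unreachable, logins are denied rather than
; falling back to password-only access (the default, safe, allows them).
failmode=secure
```

The second RADIUS server group on FTD (ISE, with Authorize Only, interim accounting and CoA enabled) is configured in FMC rather than in this file, so it is not shown here.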
Info
Channel: CCIE NextWave
Views: 3,711
Keywords: DUO MFA with ISE, DUO MFA and ISE Posture, ISE and DUO MFA, Anyconnect VPN and DUO MFA, DUO MFA and FTD, FTD with DUO MFA
Id: jsE2YXIxCUM
Length: 21min 5sec (1265 seconds)
Published: Mon Apr 13 2020