Anyconnect with Okta SAML & ISE Posture thru Radius Authorization

Captions
Hi, this is a demo of the ASA integrating with Okta SAML for authentication and also doing ISE RADIUS authorization for ISE posture. So the workflow is that the AnyConnect client will initiate a VPN tunnel request to the ASA, and then the ASA will pass on the user request, or user credentials, over to Okta for SAML authentication, and on top of that we're adding Duo multi-factor authentication. Then once that is successful, the ASA will initiate a RADIUS authorization request over to ISE to start the posture process, to say "I want to start posture." ISE is going to issue a redirect to the ASA, to the client, to redirect over to ISE. ISE will start the provisioning process of the ISE posture module down to the AnyConnect client and also start the posture process in general, and if the client checks out to be compliant at the end, then ISE tells the ASA to go ahead and let the user through and let them connect.

All right, let's start by looking at the user experience, and we'll go through the flow here. Here I have an AnyConnect VPN client that's already been installed, and never mind the Roaming Security module, it's just extra here. So I'm just going to connect to my ERV lab ASA 1, and I'm landing in the Okta tunnel group that has been configured in my ASA. So I'll start by hitting Connect, and then the ASA redirects the user over to the Okta workflow for authentication here. This is my customized page in the Okta portal. I'm going to log in straight as jlin, and then user authentication, okay, I passed that, and then the second authentication is the Duo multi-factor authentication that I configured in the Okta portal, so it's going to issue a push to me. I'm going to hit "Send me a push" to my phone, and my phone just got a buzz and a request; I'm going to hit Approve in the Duo app. Now I've passed through authentication, and I've landed in the Okta group policy banner on the AnyConnect client, so that's a good sign, and now you can see that the VPN has connected.

I'm connected to VPN, the timers are going, so it looks great, but our goal is to start the ISE posture provisioning and posture process for this client, it being a new client. But let's take a look at what is happening in the ASA at this point. So I hit Refresh on my ASA, and I see that the jlin user has connected. If I click on the details and move down to get more detail on my flow, I see that ISE and the ASA worked together to start a redirect URL. So ISE pushed this down to the ASA saying there's a redirect URL to go to ISE at 10.2.2.100, and also a redirect ACL called posture redirect has been initiated in the ASA itself, right, ISE told it to call this. And if I go back to Configuration, you can see that in the ACL Manager there is a posture redirect URL ACL that's been configured. So my first line says deny traffic to ISE; deny in this manner just means don't redirect, so I just want it to go to ISE. Then also DNS: I want DNS to go through my ASA to the DNS server, so I don't want to redirect that either. And then I'm going to simply redirect everything else for HTTP and HTTPS; that basically says redirect all this type of traffic to ISE for the posture portal there.

All right, so let me go back to the client side. But actually, before that, let me show you on the ISE side that in the ISE authorization profile I created a posture redirect rule, and this is underneath Web Redirection in the common tasks, and this is where ISE calls the POS_REDIRECT ACL in the ASA. You can see down here these are the two RADIUS AV pairs of the transaction that are being sent to the ASA. Now the "Static IP/Host name/FQDN" checkbox here I've checked, and I put in the IP address of my ISE server. You don't need to do this if your client coming through the VPN tunnel can resolve the ISE hostname via the internal DNS server; it's just that in my lab I haven't quite set up the DNS infrastructure, so I just hard-coded the IP address of my server here, so it gets added to this URL redirect statement. But if you don't put this in here, you know, the client resolves the FQDN of your ISE device and it'll just work.

Okay, back to the client side. Now at this point I need to get the ISE posture module and go through the posture process. I'm going to go ahead and start the browser on the client, and I'm just going to access a resource in my lab, my internal network, and that redirect ACL is going to capture the traffic and then redirect me over to the ISE portal. So now you can see my 10.2.2.40 got redirected over to 10.2.2.100, and here's the ISE client provisioning portal. I'm going to hit Start, and it's getting ready, and it's going to start the provisioning process of what to do next to get this installed here. All right, so here's my first time here, so this gives me directions, and now basically I need to download the AnyConnect installer, and here it's downloading the AnyConnect ISE NSA. The NSA is just the Network Setup Assistant, to provision the modules that I need. It's two and a half megs here; it's downloading, and once this is done I will start it. Let's let it finish. Okay, now that module has been downloaded. I'm going to start it, yes, and it's the Network Setup Assistant. I'm going to trust it; well, it will not really trust the connection because my client is not trusting ISE, I don't have the right certificate set up, so we'll just have to manually go through this. Hit Connect, and now the download is executing and it's downloading the ISE posture module for 4.8, and that's three megabytes in size, so it's not really a large file for the posture module. Then after this is downloaded, it'll install, and at the same time it has to download the compliance module as well, and the compliance module is 4.3 as of today. As for the compliance module, basically, take a look at this website: there's an AnyConnect ISE posture support chart for the compliance module. The compliance module is basically just a definition from OPSWAT of all the anti-malware and anti-spyware companies, lots, hundreds of them out there, and the different versions that we support, so it's a database that we check against.

Okay, go back to the client side. All right, we're about thirty seconds away; it looks like a little bit shy of halfway through. So once this is downloaded and installed, we'll complete the posture process. Okay, now the downloader is installing both modules, and it says installation is complete, and I'm done. So at this point, you can see here, I'm going to close the browser in the back because I don't need that anymore. You can see here that it's still connected to VPN, and the system scan is going to connect to my ISE device; it's connecting with a certificate. One of the checks that I configured ahead of time is to check for... you can see here, "Your PC is missing the corporate anti-malware installation, please install," but I made this optional, so it's not required. So let me hit Skip for now, and it basically bypasses that, and now the system scan is going to complete, and we are done. Now the client has been branded compliant to corporate policy. Okay, and if I check here underneath VPN, that's all the normal status; the tunnel is still working. And System Scan just means what did it check for: I checked for two requirements, one was a required component for a file check on my PC, and that was completed, and the second one was to check for anti-malware, and you saw that I skipped it because I made it optional. Okay, so that means I still passed.

All right, so if we go back to the ASA side, let's take a look at it now. The ASA session now shows my session that I showed you earlier; if I go to Details, now I don't have the redirect ACL anymore, it's now a new ACL that got pushed down, ASA_VPN_allow, so I am allowed to go through because I've gone through the compliance check. And if I take a look at ISE, let's go look at the authentication process. I started by refreshing. Okay, here we go. So I started with jlin@cisco.com as my identity, that's my MAC address, a Windows 10 device, and I landed in the ASA posture redirect policy that I showed you earlier, and then after I remediated, or I downloaded the ISE posture module and went through the posture check, I was deemed compliant; that's my new authorization policy, and now I got the ASA VPN allow-all. And if I want to look at the details here for the specific activity, I can see that that's the IP address of my client getting on the Cisco network, and I am compliant by policy, and this is the authorization profile; everything looks really good, CoA was pushed, and this is the final ACL that was pushed, the ASA VPN allow-all, by ISE.

Okay, now let's go ahead and change a few things. So this is the simple one: let's change a condition to see what happens when I don't pass posture. Well, actually, before that, let me show you what I configured in terms of a policy from a policy set perspective in ISE. Let's go down to my Default, because I'm not doing dot1x or MAB or wired or wireless. So I configured an authorization policy that shows three different states: one was AnyConnect compliant, so it means if I'm coming in via the ASA firewall and I am a compliant device, then I get the allow-all policy; if I am non-compliant, still checking on the ASA firewall, and I'm non-compliant, then I get a limited or remediation ACL that gets pushed; and if none of these two conditions are met, then I really will be stuck on the posture redirect portal. That's what we saw earlier when I first got on: I didn't have the posture module, I wasn't matching any of these two conditions, I was in the posture redirect state, and that's when I launched the browser and downloaded the posture module. Okay, and if I want to look at the authorization profiles again, I didn't make any changes; these are the ASA VPN allow-all or limited. Limited just means I'm pushing down a limited ACL, okay, and the limited ACL would have typical ACL permit/deny statements that I configure.

All right, so let's go back and take a look at a slightly different condition now, like what happens if I don't pass. I'm going to go ahead and hit Disconnect here, so I'm logging out of my client. And then at the same time I have configured a posture check to check for a specific file on my machine; it's in my C: directory, a file check, and it's called "test file," but I'm going to make it so it's non-compliant: I'm going to change it to "no test file," so it's not there, so it won't match. Okay, so now let's go ahead and start my authentication process again. Okay, so I'm here in the group again, but this time I'm connected to VPN and the system scan is checking my PC right now for compliance, and in this state it should fail compliance because I don't have the right file. So you can see here, my file requirement is missing, the one that I had configured, and if I had set up remediation or a remediation server, I could actually fix it, but this actually doesn't do anything; it says file requirement is missing because I don't have any remediation action set up. Okay, so basically I'm really stuck here, and my device will be deemed non-compliant: "Your device's posture is non-compliant." Okay, and I can't really fix it unless I change that file. So here's another interesting state.

So let's go back and take a look at the ASA now. Here's my user session again; I'll hit Refresh, and I look at Details, and you can see here the ASA got told to push down an ASA_VPN_limited ACL. Okay, so that's a different ACL than the allow-all, so this is working as advertised. And if I take a look at the ISE side, take a look at the live logs, there we go. So I started in the posture redirect right here, the jlin posture redirect process; I was stuck in the posture redirect, and then I went through the posture check, but I failed the posture check, so now I've landed in the ASA limited authorization profile with limited access.

Okay, now let's take a look at a few other things: what happened on the ASA side, how was this all configured on the ASA side. I configured, from the remote access VPN perspective, my Okta connection profile. Okay, you can see here it's doing SAML to Okta, and these are all the SAML configurations that I configured; I have another video that I recorded prior to show you how to set this up, so please refer to that. Then the normal VPN setup is all the same you would always do with remote access VPN for the ASA. But here, to initiate the authorization process on the ASA, this is where I set up the authorization server group pointed over to ISE. And if I manage this and look at what's in here within the ISE server group, I've set it up and I enabled dynamic authorization and also used authorization-only mode, meaning that there's no password being shared in the communication; it's really just focusing on authorization, talking to ISE and saying okay, pass back some attributes and take action here. Okay, and then down here is what else I've configured, so that's pretty much it here.

So really at this point, from the user perspective, they're stuck here, and the only way to fix themselves is to cancel and fix the file. Disconnect here, fix the file, so now it's "test file" again, and go through the authentication process one more time. Okay, now I've authenticated back to my group, and now you can see that the scanning module is going to work and it's doing a scan on my PC, and this time the file check should pass, and then I also should get an option to skip through. Here we go, yep, so my file check went through, and now it just basically says here's my anti-malware check again, which I'm skipping, since it's like a grace period I'm allowing, and posture is done, I am compliant. And if I go back to ISE and refresh here, I went through redirect initially, and then I am granted the allow-all policy. Okay, all right, we'll take a quick break, and the next section will be on how I configured the posture checks.

Okay, back from our demo here. From a posture check perspective it is quite a longer process, so let's start by taking a look at Policy > Results, and I'll show you how my two checks were configured. So we start by: when you configure a posture assessment, you've got to go to the client provisioning portal and download some modules from Cisco, so you can go to Agent Resources, okay, click here, and assuming your ISE instance has connectivity out to the internet, it should be able to reach cisco.com, and then there are some modules for network supplicant provisioning for Mac and Windows etc. that you want to configure. But one of the main things we're interested in is the compliance modules, right, that was the module that was pushed down to the AnyConnect client, so you want to grab the latest, probably the last two versions, of the AnyConnect compliance module for Windows or Mac. Okay, so just highlight those and then hit Save, and download to your ISE instance, as I've done here earlier. So that's the compliance module.

Now to set up AnyConnect modules: if you know the ASA VPN setup, you've got to create the XML profiles and then also push down the module. So first of all what we have to do is install, or upload, the AnyConnect client; it's a package, a PKG file, that needs to be added. So I would need to go to Add > Resources from Local Disk, and then I'm going to do a Cisco-provided package, and here I'm going to browse to my local AnyConnect PKG file that I downloaded from cisco.com, so in this case it's 4.8-045. So I'm going to pick the web deploy for the Windows version, okay, and I hit Open, and then you can see here that it uploaded this PKG file, which becomes the Windows package for 4.8, and then I can hit OK. But I've done this ahead of time, so I'm not going to do it this time here. So now my AnyConnect image, the PKG file, is uploaded to ISE.

I need to create an XML profile for AnyConnect posture. Okay, so what that means is I'm going to create an AnyConnect posture profile that will create the XML profile. Okay, so I can just put a name in here in the profile, and then you can pretty much leave all these parameters alone by default, because they should work unless you want to tune it for different timers, different prompts, later on, so I advise you to just start by leaving it at default. Really the only thing you need to configure down here is the server name rules, and this allows you to specify which PSN servers the clients can connect to. Okay, so by default you can just put a star, a wildcard, to allow connecting to any of your PSNs that are going to be in use; that's fine. And then everything else you can just leave as default and then hit Submit, so that creates an XML profile for you for AnyConnect posture. But I've done this ahead of time, so I'm going to cancel; I have one called AnyConnect posture, you can see here, that I created ahead of time, and I call it AC posture. Everything's pretty much default with the exception that I added a few extra words for descriptions and things like that, so it's not really important.

All right, so once we create the XML profile, now let's go ahead and create the AnyConnect final configuration here. So that means we need to go to Add and do AnyConnect Configuration. So when you do AnyConnect configuration, it basically creates a file; I created one here that I call "AnyConnect final," and I'll show you what it looks like. So within there, when you create an AnyConnect configuration file, you get to pick the AnyConnect package that you uploaded earlier, so 4.8 was the one I loaded, and then you also need to pick the compliance module that you downloaded from cisco.com, okay, that's the checks for AV, anti-spyware and things. And these are the different modules that you want to deploy down to the client, so in this case I don't need to deploy VPN because I already have it; I'm only interested in the ISE posture module, and by default it's always there, so the posture module is always on, and the only thing to get it working is that you need to associate the XML profile for AnyConnect posture, which we just created before, that's called AC posture. And then everything else you can just leave default and hit Save, and off you go. Okay, so that's it.

So now you've completed the AnyConnect side of it from a client provisioning perspective, and now we need to go over to Posture, and in turn we start by looking at the conditions: what are we going to check? So from a posture perspective in my demo I have two conditions that I check for. One was the file condition, okay, and a file condition just means... let me show you what I built: I created one called "file check test one by Jerry," and if I go into there, basically I'm checking for the existence of a file in a specific directory. Okay, and you can make this as in-depth as you want, to make sure that users don't go in and modify this, so it's just a piece of identity or a signature on the device to help you identify if that user device is a corporate PC or not, and I'm checking that the file exists. And the second one I'm checking for is antivirus or anti-malware; I call it "anti-malware check," and here I'm checking for BitDefender. Okay, and as you can see here, through the compliance module definitions there are tons and tons of companies: Kaspersky, Malwarebytes, Windows, etc., they're all there. So I just happened to pick one anti-malware vendor for now; I'm checking for the installation. So I have those two conditions that I've created; now I need to associate these to the requirements. Okay, so I didn't make any changes, it's fine for posture. I'm going to go into Requirements, and I've added those two conditions into the requirements, so let's take a look at the first one, it's a file check. So I created a requirement; if you click here and go Insert New Requirement, I created one called "file check," and I'm checking for Windows All using the compliance 4.x module, and then my condition is the one I just built to do a file check; it checks my C: drive for a specific file, and the remediation action is I'm prompting a message only. So if I go to here, in my message-only I'm just putting some wording letting the user know what they were missing here. So that's the first check, the first requirement.

And the second requirement comes down here, for the anti-malware: I also created another anti-malware check requirement for Windows All, compliance module 4.x, AnyConnect, and this is the condition that I created earlier, and then again I'm doing a message-only notification to the client. Okay, so those two have been built, and lastly, let's go to Posture, and now this is the posture policy, what you will be enabling to check on the client. So I enabled these two posture policies, one for Windows anti-malware check, one for Windows test file check, and then here I linked in those anti-malware requirements that I just told you about as well as the file check, so I associated it with those two. Now in these two policies, if I drill into them, so this is the anti-malware check 1, you can see that there's a little symbol in front of this check: a check mark shows mandatory, and a dashed line means optional. So I made my anti-malware check optional; it allows the user to bypass it. Okay, so that's something you can do. And then same thing with my file check: I made this a mandatory requirement, so if I drill into here there's a checkbox in front of the condition; if I click on it, it's mandatory, optional, or audit. Audit just means you're going to bypass it and just log it only, for auditing purposes. But I made it mandatory so that the user must comply, okay, and then done.

All right, next I'm going to go to Client Provisioning. This is the last step here, where I provision how the policy is going to be applied to different platforms. So by default there is the iOS platform, Android, Windows, Mac OS, Chromebook, etc., and so I created a unique one called "ASA VPN posture," and the identity group is just Any device, and I'm looking for the Windows 10 operating system, and I'm tying it to the ASA firewall as the other condition, so anything coming through the ASA firewall in terms of VPN will get this result. And you see here from the result there's "AnyConnect final," that's the AnyConnect configuration we configured earlier as part of the posture portion of it, and then the remaining two pieces aren't really being used in my use case. You know, I could have left this rule out and just used the Windows policy here, and this Windows policy would have captured it and applied the AnyConnect configuration as well, but this by default would have done Ethernet and wired or wireless etc., so I just created a unique one for the firewall VPN just for the sake of this lab setup and demonstration. Okay, hopefully you found this useful, and thanks for watching.
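As an added example (not the presenter's own configuration and not taken from the video), here is what the ASA side described in the demo looks like in ASA CLI: the RADIUS server group to ISE in authorize-only mode with dynamic authorization (CoA), the posture redirect ACL with its "deny means do not redirect" lines for ISE and DNS, and the tunnel group that uses SAML to Okta for authentication and ISE for authorization. The ISE address, the shared secret, the ACL, pool, group-policy and tunnel-group names, the Okta entity ID and the dACL names are assumptions; the `webvpn` / `saml idp` block the presenter covers in a separate video is omitted.

```cisco
! Added example, assumed names and addresses (not the presenter's lab values).

! 1. RADIUS group to ISE used for authorization and CoA only.
!    Authentication is done by SAML/Okta, so no password is sent to ISE.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.2.2.100
 key <RADIUS_SHARED_SECRET>
 authentication-port 1812
 accounting-port 1813

! 2. Redirect ACL that ISE names in its url-redirect-acl AV pair.
!    In a redirect ACL "deny" means "do not redirect": traffic to ISE itself
!    and DNS go straight through; HTTP/HTTPS is redirected to the ISE portal.
access-list POSTURE_REDIRECT extended deny ip any host 10.2.2.100
access-list POSTURE_REDIRECT extended deny udp any any eq domain
access-list POSTURE_REDIRECT extended permit tcp any any eq www
access-list POSTURE_REDIRECT extended permit tcp any any eq https

! 3. Tunnel group: SAML to Okta for authentication, ISE for authorization.
!    Accounting to ISE is what lets ISE track the session it later CoAs.
tunnel-group OKTA type remote-access
tunnel-group OKTA general-attributes
 address-pool VPN_POOL
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy OKTA_GP
tunnel-group OKTA webvpn-attributes
 authentication saml
 saml identity-provider https://www.okta.com/<IDP_ENTITY_ID>
 group-alias OKTA enable

! What ISE returns in the Access-Accept for the "posture redirect" state
! (Cisco AV pairs, roughly; the URL carries the IP because the
! "Static IP/Host name/FQDN" box was ticked in the authorization profile):
!   cisco-av-pair = url-redirect-acl=POSTURE_REDIRECT
!   cisco-av-pair = url-redirect=https://10.2.2.100:8443/portal/gateway?sessionId=...&action=cpp
! Once the client is compliant ISE sends a CoA and the session carries the
! ASA_VPN_allow dACL instead; a non-compliant client gets ASA_VPN_limited.
```

On the ASA, `show vpn-sessiondb detail anyconnect` is where the presenter's "Details" view comes from; the redirect URL, redirect ACL and, after CoA, the downloaded ACL name all appear there for the session.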
Info
Channel: Ciscolive Security Fan
Views: 2,939
Keywords: Anyconnect Okta Duo ISE Posture
Id: uUc-8XqWeII
Length: 30min 13sec (1813 seconds)
Published: Fri Mar 27 2020