Cisco Anyconnect client SAML Authentication with Duo Single Sign-On

Captions
Hi, this is a demo of the AnyConnect client doing RA VPN to the Duo cloud-hosted single sign-on service, and SAML authentication is being used. So let me give you an example here. This is an AnyConnect client connecting to the Firepower Threat Defense appliance using AnyConnect over SSL. The client connects, makes the initial request to Firepower Threat Defense, and then the Threat Defense, or FTD, redirects the user over to the Duo cloud to do a single sign-on service via SAML. In this case I have configured the Duo SSO service, and then Duo, acting as a SAML and IdP proxy, forwards that request over to either Okta or Azure Active Directory. In my example here I'm using Azure Active Directory, so it forwards it over to Azure. Azure checks the user against its database and, if OK, sends a request back to the Duo cloud saying go ahead and authorize that user because the user is valid. At that point it sends it back to the Firepower appliance, and then the user is granted access to the destination of the original intent. So that's the general overall flow, and now let me show you the configuration here.

All right, let me start by showing you the actual client experience. The user here, I'm going to have the user connect to my Firepower Threat Defense appliance, and I'm connecting to a group URL or destination: tunnel 1120 ftd.cisco.com duo sso. That's the URL that I configured. So I'm going to go and hit Connect, and now I'm being redirected over to Azure, because that is the IdP that the Duo SSO service is pointing to. So I'm being authenticated by Azure. Let me go and sign in, and here I'm being prompted for a Duo push, because I configured Duo multi-factor authentication as part of the authentication process. I'm going to send myself a push, and there's my pop-up asking me for approve or deny. I hit Approve, and there you go: now I've successfully landed in the Duo SSO tunnel welcome. I hit Accept, and now I am in the AnyConnect tunnel there. So that's how simple it is.

Okay, so now let me show you the actual configuration side. This is the Firepower Management Center here, so let me show you the configuration. First of all, I have to enroll or download this certificate from the Duo single sign-on service to the ASA, or to the FTD Firepower Threat Defense appliance, so it can trust it. So I went ahead: you go in here and configure an entry called Duo SSO, or cloud-hosted SSO entry, that's the name, and then here I configure CA only, because I'm not issuing certificates from the Duo cloud, and then I cut and pasted the certificate from the Duo cloud here. Okay, and from the Duo cloud: if you log into your Duo portal and go into Applications, what you need to do is initiate protecting an application. So when you click on Protect an Application, you're going to type in Cisco ASA, and this is the option that you want: it's the two-factor authentication with SSO hosted by Duo. So this is the one that you want, but I've already created one, so I'm not going to create one here. So I go back to my applications. Okay, so I go back to my applications, so I have one that I renamed Cisco FTD Duo Cloud Host SSO, and here this is the entity ID, sign-in URL, sign-out URL. These are all the SAML XML metadata that you need to cut and paste, or copy, and put into the single sign-on server here. But before that, let me get back here. So this is where you download the certificate: download your identity provider certificate, because Duo is the identity provider to the Firepower Threat Defense at this point. So download the certificate and open it, and then simply cut and paste into the CA certificate here. Okay, and hit Save, and you can leave everything else default. Okay, so now you have a certificate that you trust.

And then in the single sign-on server for my Duo hosted SSO here, let me go ahead and open this up. So I created one called Duo Cloud SSO, and this is the entity ID, sign-in URL, sign-out URL. This is where I cut and paste from the portal here; cut and paste these three values into my FTD, and then this is my base URL, where I am connecting to from a VPN perspective, and then this is the certificate that I downloaded just a minute ago here. And that's really it. Okay, and now once you've created this, you go into the RA VPN section, and if we go into my VPN policy, you'll see that I have multiple tunnel groups or connection profiles configured. I have one for Okta, I have one for Azure, and this is my Duo SSO one. So I basically created an AnyConnect VPN connection profile, and the authentication method is SAML authentication. Authentication method is SAML, right here, and then this is the authentication single sign-on server we just configured in the Objects page there, and then everything else, I'm just pointing out the RADIUS for now because I'm not really using it, and the rest of the configuration is pretty much default. And you also got to create a group policy. So it's very, very easy, very straightforward here.

Okay, now so that takes care of the connection, the SAML connection between the two, with Duo as the IdP. But in reality Duo is just an IdP proxy, or SAML proxy, so Duo actually has to point over to Azure, and that's what I have configured in this case, because Duo is not an IdP. So Duo in this case: now if I go into Single Sign-On service, I have to configure an authentication source, and that's where I hit Add, and I created one called SAML SSO, and this is for Azure. So now you have to get this information, give this information from Duo, from the entity ID, Assertion Consumer Service URL, etc. All of this is uploaded to my Azure SAML server, or Azure AD service for SAML. And so in my case I've logged into my Azure portal; I have an application that I configured called Duo Cloud Hosted SSO. Okay, so just create a new application as a SAML service, and then you have to assign the users that are allowed to use this application, and this is the SSO, single sign-on for SAML, portion of it here. And here you go: so you would take the Duo entity ID and this information, enter that into here for the Basic SAML Configuration, and then from part number three here, the SAML sign-on certificates and all that, actually three and four, the certificate here you have to download for the Duo portal, as well as this login URL, Azure AD identifier. This information you cut and paste into the Duo portal. Okay, and it basically is down here at the bottom, from when I configured a single sign-on service, my Azure SAML: that's the entity ID, sign-on URL, sign-out URL, and then the certificate that I trust, because we have to trust the Azure single sign-on service. Okay, and so that's really it; you just configure these two bits of information, and then you should be done. So hopefully this gives you a good overview, and good luck, give it a try. Okay, and give me comments if you have any questions. Thanks for watching.
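The entity ID, sign-in URL, sign-out URL and certificate that the video copies from the Duo portal into the FTD single sign-on server object are exactly the fields a SAML IdP's metadata carries. As an added example (not from the video, Cisco or Duo), here is a Python helper that parses IdP metadata into those fields and checks that the certificate pasted into the FTD trustpoint is the IdP's signing certificate, which is the one whose key must validate the assertions; the metadata, hostnames and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
FAKE_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERT"  # constructed stand-in, not a real X.509 DER cert

# Constructed sample IdP metadata in the shape an IdP such as Duo SSO exports;
# the hostname and paths are placeholders, not the values shown in the video.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso-EXAMPLE.example/saml2/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso-EXAMPLE.example/saml2/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso-EXAMPLE.example/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out what the SP side (FTD's single sign-on server object) needs: entity ID, sign-in URL, sign-out URL, signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    slo = idp.find("md:SingleLogoutService", NS)  # optional in metadata, hence the None check below
    cert_b64 = idp.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))  # tolerate line-wrapped base64
    return {"entity_id": root.get("entityID"),
            "sign_in_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "sign_out_url": slo.get("Location") if slo is not None else None,
            "fingerprint": cert_fingerprint(der)}

def der_to_pem(der: bytes) -> str:
    """Wrap DER as the PEM text that gets pasted into the FTD trustpoint's CA certificate field."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and decode the certificate body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def trustpoint_matches(pasted_pem: str, idp_metadata_xml: str) -> bool:
    """True when the cert pasted into the SP trustpoint is the signing cert the IdP metadata advertises."""
    return cert_fingerprint(pem_to_der(pasted_pem)) == parse_idp_metadata(idp_metadata_xml)["fingerprint"]
```

A mismatch here is the usual cause of a SAML login that is redirected correctly but rejected on return, because the SP cannot validate the assertion signature.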
Info
Channel: Ciscolive Security Fan
Views: 992
Keywords: Anyconnect SAML with DuoSSO
Id: cKpOruEkojY
Length: 9min 48sec (588 seconds)
Published: Fri Feb 19 2021