FTD 6.7.0-65 Anyconnect Integration with Azure SAML

Captions
Hello, this is a demo of how to set up your FTD AnyConnect deployment. This is using FTD 6.7.0-65 for RA VPN and integrating it with Azure SAML for authentication.

All right, to start off our configuration, let's take a look at this. There are a number of steps we have to configure. First we'll have to create some things ahead of time, like the AnyConnect user VPN profile. This is done by using the AnyConnect VPN Profile Editor. You can download this from CCO, and once you download it you can install it on your Windows machine. You'll see there are a bunch of different profile editors; pick the one that says VPN Profile Editor. So I launched it and I created a profile. I checked my settings; these are my settings, most of them are on default. Certificate override, I actually like to check that; make sure we can look in both certificate stores. Then from a VPN profile perspective, number two is just default, and the third piece, the most important, is the actual server list. This is what's going to get populated into the AnyConnect client drop-down menu where they select where they're going to connect to. So I created multiple ones; the one that we're going to work with today is called 1120-ftd-azure, that's my host name, and the user group is called azure. Okay, so that's the entry I have created in here. I saved it to a profile called anyconnectvpnprofile.xml on my PC.

All right, so let's go ahead and jump to my Firepower configuration. You can see in my Firepower VPN section, again this is Firepower 6.7.0-65, I uploaded my AnyConnect VPN profile here; I just added it into this menu. I've also added my AnyConnect 4.9 for Windows 4.9.3049 web deploy package ahead of time, so I have to upload it here as well. Okay, so those two packages; ignore this third one, this is for the management tunnel, for something else. Then a few more things you have to set up ahead of time: a group URL. So I created a group URL called irvdmz-1120ftd.cisco.com/azure; that's the actual group URL that the client is going to be connecting to. So that's just the name there.

All right, so let's start by taking a look at our PKI, because doing SAML there are a lot of certificates involved, or not a lot, some. So we need to go to PKI, go to Certificate Enrollment, and I added an Azure SAML entry here; I called it azure saml. So I just add a certificate enrollment called azure saml, and then I downloaded this certificate from my Azure portal. Just make sure you pick the enrollment type to be manual, check the CA only box because you're not issuing certificates from Azure, and then cut and paste the Base64 PEM file of your certificate from Azure so FMC can trust Azure. And then also make sure you check this box, skip check for CA flag in basic constraints of that certificate. Okay, now where do I get the certificate? I have it in the back here and I'll bring it up. When you first log into your Azure portal, into your account, there's an Azure Active Directory; I go in here, and it shows you my tenant information. Then I go to Enterprise Applications, and I created an application called Firepower Threat Defense FTD-AnyConnect. So I created that application for Azure to protect, then I assigned the user that I want to be allowed to use this application, and then I went to the Single Sign-On section. So the certificate I downloaded from step number three, the SAML certificate; for your portal, just go to the Certificate (Base64), download it to my PC, and then I upload that into FMC for it to trust it. Okay, so we'll come back to this. Now in my FMC, I download that certificate and open it up with a word file or editor, and then I just cut and paste the certificate file into here. So it's just a blob, BEGIN CERTIFICATE and END CERTIFICATE; cut and paste in there and you're good to go. You can leave the rest of them all default.

Okay, so once you've added that entry, now you have a SAML entry, azure saml, for the certificate; it's like a trust point here. Now we can go back up to AAA Server and create a Single Sign-On Server. You can see here I created the azure saml sso entry already by clicking on Add Single Sign-On Server, but I'll show you what it looks like in here. So it's called azure saml sso, and then there's the identity provider, which is my Azure account, and I'll show you that in a second. Then the base URL: this is the URL of my FTD appliance, it's irvdmz-1120ftd.cisco.com. And then this is the identity provider certificate, called azure saml, right, this is the one that we downloaded and I imported into the PKI section; I just did a drop-down and picked my azure saml certificate that I created earlier. Now where do I fill in the rest of the information on top, like the entity ID, the single sign-on URL and the logout URL? Well, they all came from Azure. So if you go into the Azure portal and go down to step number four, where you set up your Firepower FTD AnyConnect, just cut and paste the Login URL, Azure AD Identifier and Logout URL. Just cut and paste these three lines and paste them right into here: entity ID, SSO URL and logout URL. Okay, base URL, as I mentioned, that's the URL of the VPN connection profile. The certificate we got is the identity provider one; the service provider certificate, that's the identity certificate of the FTD SSL, but it's not really needed, so there's no asterisk here, it's not a required parameter. Request signature is none. Request timeout, by default it's not set, but I put it at 300 seconds, like five minutes. And then request IdP authentication to log in, so just check that box, and that's it. You're good to go there.

Okay, so now we have the single sign-on server created, we can go into our device RA VPN configuration. So here I have already created an overall VPN policy called "all any kind of VPN", so let me go and edit this. I had some other VPNs set up already, connection profiles, so I added one here called azure. If I go into my azure profile, it's called azure, and I have a group policy called group policy azure. If I just go through the rest of it: I assign an IP address pool locally, 10.11.11.something; I'm not doing a DHCP server, I'm just assigning it from the FTD box. Then for AAA, my authentication method is SAML, so make sure you pick SAML, not AAA or certificate; just pick SAML. Then my authentication server in this case is going to be my azure saml sso server that we created just two minutes ago. Pick that guy. Then your authorization and accounting are not really needed; I just have it pointing over to my ISE RADIUS server for now, but it's not really needed here unless you want to do some other authorization actions later. It's not required. Then for alias, I created an alias name called azure; hit the plus symbol here and you enable it. Same thing with the group URL; here I just hit the plus sign and I pick the URL, that's my base URL slash azure, that the user is going to be connecting to. I just picked that option in there because I created it earlier. So it's all done in here.

Now let's go look at group policy. My group policy is called group policy azure. VPN protocol I left as default; IP address pool, I picked my VPN pool; no banner; DNS server, this is my local DNS server in my Irvine lab, it's a Windows 2016 DNS server; the domain is there; and split tunneling, right now I'm just tunneling all traffic over VPN and sending all DNS requests over VPN, so this is sort of default here. For AnyConnect, again this is the AnyConnect profile that we created in the beginning with the profile editor, so I just hit the add symbol here, well actually the drop-down, and I picked the AnyConnect profile that I created earlier in the object page. A management tunnel is not needed for now. Client modules, you can add whatever additional modules you want; I left the default because I'm just working with VPN. SSL settings default. Then these are all default values for now. In Advanced, same thing; filter traffic, session ID, session settings are all default. Okay, so that's it, hit cancel and then hit save.

Now I've got to go check the access interface. I've also enrolled my FTD with my lab Windows 2016 CA, so this is the certificate of my Windows 2016 root CA. So my FTD is trusting Azure and FTD is also trusting my lab root CA. Okay, so that's the SSL global identity certificate; it's like a trust point here. Now where did I get this? If I go back to my Objects page, I actually open a new tab here; again, if I go to the PKI section, I created a certificate, a trust point. You hit Add Certificate Enrollment, but here I'm just editing, and I imported the certificate from my Windows 2016 CA into here. So BEGIN CERTIFICATE, this whole blob of Base64 code, paste it in here, and I hit this skip check as well. So this is a trust point for my Windows 2016 CA. And if you don't know how to get that, you can simply log into your Windows CA certsrv, authenticate, and I just downloaded a CA cert right here, Base64; you just download the certificate, open up what's inside that certificate and paste it into this Windows 2016 root CA here for that trust point. So that's where I got the lab CA there. And then for the Advanced section, I just picked the AnyConnect Windows package that I uploaded earlier and you can leave all other settings default. I'll just hit save; I haven't really made many changes.

Then the last thing to do is the certificate enrollment. You've got to go to the Devices certificate enrollment section, and here you have to add your Windows server, because I'm trusting my Windows server as well as trusting the Azure SAML site. So basically hit the Add button and pick your device; my device is the Firepower 1120. Then you select the certificate you want to enroll, so I have a Windows 2016 CA and an azure saml. In this case, for Azure, for SAML, just pick azure saml, and you can see this is just CA only, and you hit Add, and you'll get this outcome here: this CA certificate, and there's no identity certificate issued by Azure here. But I also did this for the Windows 2016 server; this is a CA certificate, and then I had to generate a CSR for my ASA/Firepower Threat Defense device, the Firepower 1120, to get signed by the Windows 2016 CA. That's outside the scope of this demo right now; mainly focusing on Azure here. So that's it. Make sure your FTD device is trusting both of them if you're going to be using both of them here, but Azure is definitely important here.

With that said, that's pretty much done here, so all the configurations have been done. Now let's go ahead and go to my client. Actually, I'm already connected; let me drop this connection here. Okay, so you can see here, here's my Windows client; my connection group URL is ftd-azure, so I'm going to hit connect. This was already imported because I connected to it earlier, but really you can type in the full URL, irvdmz-1120ftd.cisco.com/azure; that's the connection profile to connect to. But anyway, I'll hit connect here and I'm going to log on. At this point it's redirecting me to Azure SAML, so I'm going to log in here, and then type in my password with Azure, and I'm going to stay signed on, that's fine, and voila, there it is: the azure connection has been connected. Bring that window back up here and the user tunnel is up; I'm connected, I got an IP address of 10.11.11.13. Then if I log into my FTD box, let's see here, show vpn-sessiondb anyconnect. This shows me my VPN session right here: jerry@irvinesecurity.onmicrosoft.com, 10.11.11.13. So I am connected here.

Okay, now one thing I haven't mentioned is, in the Azure configuration, you also have to put in, at the top, step number one, Basic SAML Configuration. This is telling Azure SAML where to redirect the user back to after authentication. So you have to get some information and put it in here. There are three lines you have to configure in this; you just hit edit, you've got to enter it into here, and you can get the ASA information that you input into Azure from the CLI. So for example, you have to use the command show saml metadata azure; azure is my connection profile name. This is where you get the information. In the metadata there's the entity ID right there, so you can see that's https://irvdmz-1120ftd all the way to /azure; cut and paste that into here. Then you can also put in the Assertion Consumer Service URL, and that's also here, the assertion consumer URL. So grab the line over here that says https, down here, tunnel group name equals azure; cut and paste that into here. Then the last line is the logout URL; the logout URL is also down here, the last lines say logout, so here's the URL to paste into there. So you cut and paste that into here. The format is pretty much the same; you just have to specify the FQDN of your FTD device at the very beginning and then you add on the additional fields. So that's been populated, and you download the certificate, and that's pretty much it. Then you can give it a test.

So that is pretty much it for my demo on how to set up Azure with a Firepower 6.7 FTD. Hopefully this is helpful, and drop me a note if you have questions or suggestions. Thanks for watching.
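As an added example (not from the video, Cisco or Microsoft), a small Python helper that builds the three service-provider values the demo pastes into Azure's Basic SAML Configuration (entity ID, assertion consumer service URL, logout URL) from the FTD FQDN and tunnel-group name, and cross-checks the three identity-provider values copied back from Azure (Login URL, Azure AD Identifier, Logout URL) so that a mismatched tenant or a mistyped FQDN is caught before the first test login. The SP URL shapes are the documented ASA/FTD SAML ones that `show saml metadata <tunnel-group>` prints; confirm them against your own device output. The FQDN `ftd.example.com` and the tenant ID are constructed sample values.

```python
"""Consistency checks for the SAML values exchanged between an FTD
connection profile and an Azure AD enterprise application.
Sample host name and tenant id below are constructed, not from the demo."""
import re
from urllib.parse import parse_qs, urlparse


def ftd_sp_values(fqdn: str, tunnel_group: str) -> dict:
    """Service-provider values for Azure's Basic SAML Configuration (step 1).
    Documented ASA/FTD shapes; compare with `show saml metadata <tg>`."""
    base = f"https://{fqdn}"
    return {
        "entity_id": f"{base}/saml/sp/metadata/{tunnel_group}",
        "acs_url": f"{base}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}",
        "logout_url": f"{base}/+CSCOE+/saml/sp/logout",
    }


_GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"


def azure_tenant_id(idp: dict) -> str:
    """Return the tenant id shared by the three values copied from Azure
    (step 4: Login URL, Azure AD Identifier, Logout URL). Raises ValueError
    if any value is not https or the values name different tenants."""
    ids = set()
    for name in ("login_url", "identifier", "logout_url"):
        url = idp[name]
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} must be https: {url}")
        match = re.search(_GUID, url)
        if not match:
            raise ValueError(f"{name} carries no tenant id: {url}")
        ids.add(match.group(0))
    if len(ids) != 1:
        raise ValueError(f"tenant ids disagree: {sorted(ids)}")
    return ids.pop()


def check_sp_matches_profile(sp: dict, fqdn: str, tunnel_group: str) -> bool:
    """All three SP URLs must carry the FTD FQDN, and the ACS URL and entity
    id must name the tunnel group; otherwise Azure sends the user back to
    the wrong host or connection profile after authentication."""
    hosts = {urlparse(v).netloc for v in sp.values()}
    acs_tg = parse_qs(urlparse(sp["acs_url"]).query).get("tgname", [])
    return (hosts == {fqdn} and acs_tg == [tunnel_group]
            and sp["entity_id"].endswith("/" + tunnel_group))
```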
Info
Channel: Ciscolive Security Fan
Views: 3,886
Keywords: FTD 6.7.0-65 Anyconnect SAML with Azure
Id: wgttyx7UFMI
Length: 18min 13sec (1093 seconds)
Published: Mon Nov 23 2020