How to configure SAML authentication in AnyConnect using FMC | #saml authentication in AnyConnect

Captions
Hi there. Today we are going to see how to configure AnyConnect VPN using SAML authentication on version 6.7. Let's get into the session.

In the demo today we are going to see an FTD 2130 with the 6.7 FTD OS and an FMC Virtual with the same version, 6.7, and for the authentication we are going to use SAML using Okta cloud.

Before we get started we need to understand some background information. When we configure the AnyConnect configuration on FTD, whether it is configured directly on the FTD or on the FMC, there are some limitations when you use SAML for authentication. Some of the bullet points are already captured on the Cisco website: SAML, when you are configuring it on either ASA or FTD, is supported only for authentication and not for authorization. Also, when you configure SAML authentication, attributes will be available only in DAP evaluation. And the ASA supports SAML-enabled tunnel group policy; however, you cannot check the username attribute when you are using SAML. Why? The SAML authentication identity provider will mask the username information.

So before we get started with the SAML configuration we need to obtain some parameters from the SAML provider. In the lab scenario we are using Okta for the SAML configuration. The one you see here is called the metadata; it is something you will get from your identity provider or SAML provider. They will be able to provide the information we need to configure on the FMC, which is the identity provider entity ID, SSO URL, logout URL and identity provider certificate. These are very key things, the key parameters that we need to configure on the FMC side.

Now on the FMC console, under the Remote Access VPN policy wizard, we need to configure the name and the available device which is going to participate in the AnyConnect VPN wizard. On the next page we will have to specify a number of things like the AAA server and authentication profile. Under the AAA configuration we have to choose the authentication method as SAML, and for the authentication server we will have to configure the SAML configuration over here, naming it as a SAML server, for example with a name ending in _SAML. As I said before, we need to get all the necessary parameters with regards to the SAML configuration; based on that we will have to put the information over here, like entity ID, logout URL and then the certificate. For the certificate that was obtained from the SAML provider, copy that CA certificate in an encrypted format, select the enrollment type as manual, put that encrypted file or encrypted contents over here and click save.

Next is to configure the VPN IP pool for the specific group policy that we are going to create. Based on your company network VPN pool, you can go ahead and configure the range of the VPN pool that you need to be assigned, and then assign the created VPN pool to your group policy.

The next step is to create the group policy. Name the group policy whatever you want and then create the description, just for your sake of understanding. If you have a banner you can create it; I'm just going to pass on it. Then you want to create a primary and secondary DNS for your VPN connection to contact the DNS server, so you might want to create a primary as well as a secondary DNS over here. After you create the primary and secondary DNS you might want to create a WINS server also, based on your infrastructure setup. Over here I'm going to configure the same DNS server as my main server for both the primary and secondary.

Next we need to specify the list of networks which we only want to pass through the tunnel. So here I'm going to choose the standard access list policy and configure a specific network, for example, and inject it into the tunnel. Meaning, by default my default route will be pointed to my local internet circuit and only the production traffic, or my corporate traffic, will pass through the tunnel. This is called the split tunnel include configuration. So once you configure the required number of subnets, whatever you want to pass through the tunnel, you can just add those networks and call them out in the standard access policy for this.

Next, in the AnyConnect section we need to choose the profile that needs to be uploaded into the FTD box. When you say profile, a profile consists of a list of parameters or a sequence of items for when a user initiates an AnyConnect VPN connection. In my case the XML file has already been created.

Next, in the SSL settings we are going to keep SSL compression and the DTLS method both disabled. Based on your infrastructure, if you want to enable either one or both, you can go ahead and select it; in my case I'm going to disable it as I do not require that. On the connection settings I'm going to keep most of the settings at default; I'm not going to change anything specifically. Next, under session settings I'm going to allow simultaneous logins for us, the idle timeout as 60 minutes, and then the maximum time of a session would be 1200 minutes.

On the next page we need to add the AnyConnect file, based on the version that you want to select for your infrastructure. If you have Windows or Mac or both, based on that you need to select the image file and upload it into the FMC wizard. It will make sure to push the policy when you deploy the configuration; it will also push the latest uploaded image.

On the next page you want to allow the network interface where the VPN traffic should be incoming. In this case, for example, I'm selecting the inside interface, but usually it should be the outside interface where the traffic is actually coming from. On the next control you'll have to choose the certificate, the device certificate which was assigned. Since I have passed through that step already, I'm going to choose the device certificate which is applicable for the infrastructure.

At the final setup, or final stage, you just need to click finish and all the configuration will be saved locally on the FMC. You just need to select deploy and push the policy to the respective FTD. That's all. Thanks for watching this video, and don't forget to subscribe to my channel and please pass on your comments.
Info
Channel: SecGuru
Views: 374
Keywords: how to configure anyconnect authentication with saml on fmc, saml on fmc, saml authentication in Anyconnect, anyconnect authentication with saml on fmc, configure anyconnect authentication, How to configure SAML authentication, How to configure saml authentication palo alto, anyconnect vpn, remote access vpn, vpn concepts, fmc, saml authentication, saml vs oauth, saml, firepower threat defense, technology 2020, technology connections, remote access, cisco, secguru, cyber secguru
Id: -ByaWI6iGc4
Length: 11min 16sec (676 seconds)
Published: Mon Feb 01 2021