ISE Configuration for VPN

Captions
In this video we're going to be configuring ISE as the RADIUS server to be used with VPN access on the ASA. Before ISE will accept any RADIUS request from the ASA, we need to define the ASA as a network device in ISE. Usually, what I like to do when I'm configuring a new device type or access medium is to create a custom network device group for this type of device; that way I can use that network device group in policies later. To do so, I'll navigate to Administration > Network Resources > Network Device Groups. I'm going to click Add and add a new group named Firewalls, and put that under the parent group All Device Types.

After that's done, let's navigate over to Administration > Network Resources > Network Devices. Then I'm going to click Add to add a new network device. I'm going to name it ASAv, and the IP address is going to be the ASA's inside interface, and I'll go ahead and add it to the Firewalls network device group. After that, I'll check the box for RADIUS and enter my RADIUS shared secret. Now let's go ahead and save this new network access device.

Now we're going to go ahead and configure our authorization policy elements. First I'm going to navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs. ASAs support regular downloadable ACLs just like switches do, so we can create an ACL here and use it in our authorization profile, which we'll later use in our policy. I have a few of these ACLs built already, so I'm going to click into Employee Only, and you can see here that it allows everything except traffic to the 10.10.10.41 address. When writing downloadable ACLs we can also check the syntax underneath to make sure that it's correct. For this video I'm going to copy my Employee Only ACL and name it Domain Users.

Now I'll need to create an authorization profile to place this ACL in. An authorization profile is a collection of results that are granted after a successful authorization; these are used as part of the access policy. I'm going to navigate to Authorization Profiles on the left-hand pane and then click Add. I'm going to name this authorization profile VPN Users, and under Common Tasks I'll check the box for DACL and choose the Domain Users ACL that I just created. On the bottom of this authorization profile there are the Attribute Details, which are the raw AVPs that will be sent to the network access device. Now let's go ahead and click Submit.

Now that I've added the network device and created some of the policy elements, let's go ahead and create the policy. I'm going to navigate to Policy > Policy Sets to start creating that. I'm going to create a new policy set on top and I'll name it Acme-VPN. I have to create a top-level condition that must be matched for this policy set to be evaluated. For the condition, I have only one VPN connection profile, so I'll have this policy set evaluated whenever we see a RADIUS request from a network access device in the Firewalls network device group. For the allowed protocols I'm going to choose the Default Network Access list; this is just a built-in allowed protocols list in ISE. If you wanted to get more specific with the allowed protocols, you could create an allowed protocols list with just PAP/ASCII, and that would work for VPN. Now let's go ahead and save this policy set, and let's go ahead and expand it.

There's not much I need to change on the authentication policy if I don't want to. The default rule is to evaluate authentication requests against all the user identity stores, which basically means any Active Directory users or internal ISE users. If I wanted to, I could change it to just Active Directory and that would work too. I'll just leave it as it is right now, though. A successful authentication does not necessarily mean access; there has to be a corresponding authorization rule that grants access. Expanding my authorization policy, we can see that there's just one rule, the default rule, which is to deny access. I'm going to go ahead and create an authorization rule above that default rule, and I'm going to name it Domain User VPN. The condition I'll use for this rule is whether they are part of the Domain Users Active Directory group. If they are, the result, or the authorization profile that they will receive, is the VPN Users authorization profile that we created before. So let's go ahead and save this policy set.

Now we need to test it. Before we do, I'm just going to go to the RADIUS Live Logs and then minimize ISE, and let's go ahead and pull up our VPN endpoint and attempt to connect for the first time. Since this is a new user connecting to VPN for the first time, we're going to have to have AnyConnect installed. Let's navigate to the outside interface of the ASA using our browser. I'm going to log in with my AD credentials, and before we can proceed my banner pops up; I have to click Continue to move past it. Now we can go ahead and click the button to download the AnyConnect client for Windows. It should just take a moment, and let's go ahead and launch this install; I'll just click Next right through there.

So now that that's finished, let's go ahead and go to the Start menu and launch AnyConnect. The AnyConnect VPN client is already prefilled with the IP address of the ASA's outside interface. If we install a public or trusted identity certificate on the ASA that the endpoints trust, we won't get any certificate error. However, if the ASA is using the self-signed identity certificate, like it is right now, you might be blocked by a setting when initially trying to connect, and you will receive an untrusted certificate error no matter what. To ensure the connection isn't blocked for your lab, go into your settings on the AnyConnect client and make sure that the "Block connections to untrusted servers" option is unchecked. We'll still get an untrusted certificate error, but we can still connect to the VPN at that point. So let's go ahead and connect to the VPN using the AnyConnect client. I'll click through that expected certificate warning, and then I'll go ahead and enter my AD credentials to authenticate. Of course our banner pops up and we have to accept it, and it looks like we're now connected to the VPN.

So let's go ahead and test this out. My ISE server is behind the firewall, so I'm going to try to navigate to it using my browser; it's 10.10.10.21. Looks good; it looks like we're able to get in. Taking a look at AnyConnect, I can go ahead and pull up the settings again and look at the Route Details, seeing that the route to 10.10.10.0 is there. Since our DACL in our authorization profile is supposed to block 10.10.10.41, which is my wireless controller, I'm going to try to navigate to it in the browser. I shouldn't be able to connect to it, so let's see. It looks like it's just spinning there, so that's good; it's probably not going to connect. But I want to go ahead and dig into this a little deeper, so let me go ahead and pull up PuTTY and try to SSH to the ASA. Give me a moment. Oh, it looks like it failed in the background. So I'm going to go ahead and SSH into this and dig into this a little deeper from the CLI. I'm going to issue the show vpn-sessiondb anyconnect command, and this should show me my AnyConnect session. From the output we can see the protocol used during this session, the encryption algorithm, group policy, username associated with the session, assigned IP address, and so on. Now I'm going to issue the show access-list command, and we can see the per-user access list for the Domain Users DACL.

So now that I'm done with that, I'm going to go ahead and disconnect my VPN session, and let's go ahead and go back to the RADIUS Live Logs. After refreshing the RADIUS Live Logs, I see my authentications, so let me go ahead and click on More Details. Here we can see which authorization rule and authentication rule it hit, and we can see that it has a tunnel group name of Acme-VPN.

Now let's say you have several different tunnel groups on your ASA and you don't want to create a policy set that covers all of them, or maybe you want to get specific in that actual policy set. We can actually use the tunnel group as a condition, either in the authorization and authentication rules or in the top-level condition itself. Let's go ahead and navigate back to Policy > Policy Sets and I'll show you an example of this. I'll just modify the top-level condition to give you an example. We'll add a new condition, and the dictionary will be the Cisco VPN dictionary; I'm just going to do a search for Tunnel-Group-Name, and I'll change it to Contains, because it tends to be a little bit more accurate that way, and I'll go ahead and type out Acme-VPN and click Save. So if you want to specify specific tunnel groups, you could either add them to the top-level condition in the policy set, or you can actually have individual rules that break up the different tunnel groups in the actual policy set. And with that, that brings us to the end of our lesson. Thank you guys so much for watching.
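The video only shows the ISE side of the setup. The ASA-side configuration below is an added example, not from the video or its author, showing what the firewall needs so that its RADIUS requests match the network device defined in ISE and the Acme-VPN connection profile authenticates against it. The ISE address 10.10.10.21, the blocked host 10.10.10.41 and the tunnel group name Acme-VPN are taken from the video; the aaa-server tag ISE, the group-policy name Acme-VPN-GP, the DACL name Domain_Users and the shared secret are assumed placeholders.

```cisco
! Added example (not the video's own config). ISE at 10.10.10.21, tunnel group
! Acme-VPN and blocked host 10.10.10.41 come from the video; the server-group
! tag, group-policy name, DACL name and shared secret are assumed.
!
! 1) Body of the ISE downloadable ACL (Policy > Policy Elements > Results >
!    Authorization > Downloadable ACLs, assumed name Domain_Users). Source is
!    "any": the ASA applies the list to the one VPN session it was returned for.
!      deny   ip any host 10.10.10.41
!      permit ip any any
!
! 2) RADIUS server group pointing at ISE. "(inside)" makes the ASA source its
!    requests from the inside interface, which must be the IP entered for the
!    network device in ISE, and the key must equal the RADIUS shared secret there.
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 10.10.10.21
 key ChangeMe-SharedSecret
 authentication-port 1812
 accounting-port 1813
!
! 3) Group policy and connection profile. ISE sees the profile name in the
!    Tunnel-Group-Name AV-pair, which is what the top-level condition matches on.
group-policy Acme-VPN-GP internal
group-policy Acme-VPN-GP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group Acme-VPN type remote-access
tunnel-group Acme-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy Acme-VPN-GP
tunnel-group Acme-VPN webvpn-attributes
 group-alias Acme-VPN enable
!
! 4) Checks from the ASA CLI (the last two are the ones used in the video):
!      test aaa-server authentication ISE host 10.10.10.21 username jdoe password x
!      show vpn-sessiondb anyconnect
!      show access-list
```

Two things worth checking when the Live Logs show a failure: a "wrong shared secret" or "unknown NAD" result means the ASA is sourcing from a different interface than the one registered in ISE, and a session that authenticates but never gets the per-user entry in `show access-list` usually means the DACL syntax check in ISE was skipped, since the ASA fetches the ACL body in a separate RADIUS exchange after the Access-Accept and silently rejects a malformed one.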
Info
Channel: Katherine McNamara
Views: 9,739
Keywords: Cisco, ISE, Anyconnect, VPN
Id: SbzICd-kQoY
Length: 10min 41sec (641 seconds)
Published: Fri Mar 20 2020