LabMinutes# SEC0096 - Cisco ACS 5.4 AnyConnect VPN RADIUS Authentication and Authorization

Captions
Welcome to the LabMinutes.com lab video series on Cisco ACS. You can find a complete list of ACS videos on our website by clicking the link above, and sign up for our newsletter to receive the latest video updates. In this video we will configure RADIUS authentication on Cisco ACS for AnyConnect VPN, and we will also use ACS to push down the VPN group policy and a per-user ACL to the VPN users.

Here is our lab setup. We have Cisco ACS version 5.4 installed at the IP ending in .100 and a domain controller at .40. We have a VPN firewall with its inside interface connected to a switch on VLAN 10 and its outside interface connected to our test machine on VLAN 11. The test machine has the AnyConnect client installed. For our test users we have three users, two of which are located in AD. The first user, admin1, is part of the Network Admin user group and will be assigned the Class attribute OU=network admin, where "network admin" corresponds to the group policy name on the ASA, as well as a downloadable ACL that denies ICMP but allows everything else. The user support1 is part of Network Support and will be assigned the network support group policy, and all it has access to is ICMP only. local1 is a user on the ACS itself, part of the local group Local Admin; he will be assigned the network admin group policy and will also be denied ICMP but allowed everything else.

Just to give you a little background: when you configure WebVPN with multiple group policies, by default there is a possibility that a user will see all the different group policies in the drop-down on the web interface when they log in, and if you are not careful the user might be able to choose a group they do not belong to and get more access or privilege than they are supposed to. Another way you can address that is to come up with a unique group URL and assign it to each of your users, but those URLs can be exchanged among users or discovered by them, and even that way a user will be able to log in to a different group policy. By doing it this way, having ACS assign the group policy per user, you pretty much eliminate the need for the user to know which group they belong to, so you do not even see a drop-down, as shown in this picture here. All the user has to do is enter their credentials, and on the back end we use ACS to place that user into the appropriate group policy.

Our lab has been pre-configured with basic WebVPN on the ASA, so let's hop onto the firewall to show you what we have configured. If we do show run user, we have a single user named cisco created, and we also have an IP local pool for assigning IPs. We have a split-tunnel access list that allows the user to access the 192.168 subnet. We have a WebVPN configuration, and by default we have tunnel-group-list enable, so the user can choose between the VPN groups. If we do show run tunnel-group, you see here we have two tunnel groups created, network admin and network support, and these have corresponding group aliases that show up as part of the drop-down. We also have the corresponding group policies: network support, which does not allow split tunneling, so it tunnels everything, and network admin, which allows split tunneling.

Let's do a quick test to make sure our current configuration works with local authentication, which is what we have configured so far. Here on our Windows 7 test machine we connect to the VPN at 1.1.1.1, accept the certificate, and you can see right here the two tunnel groups that we created, network admin and network support. Let's first try to log in as network admin with the username cisco and password cisco; again, these are the local accounts on the ASA. Let's have a ping going to our domain controller. You can see it is trying to establish the VPN connection, and now we are connected. If we take a quick look at the stats, we got assigned the IP ending in 11.32, and since it is network admin we get split tunneling as well. You can see our ping is now going. Let's log out of that and reconnect using the second group: instead of network admin we switch over to network support, with cisco and cisco again. Now I am getting our ping, and if we look at the route detail for network support we do not have split tunneling, so it shows up as zero. This is exactly what I mean: if you do not lock this down, a single user can potentially log in to any one of the groups you have configured, just like we did right here with the user named cisco, who logged in to both network support and network admin. So let's disconnect.

Let's start our config on the ACS first. Since we are going to have the ASA authenticate against the ACS using RADIUS, we need to make sure the firewall is added as a RADIUS network device. Let me log back in, since my session timed out. Under Network Devices here we have the firewall, and so far it primarily has TACACS+ enabled; now we enable RADIUS with, again, a shared secret of cisco. Just to show you, we also have a local user local1, which is part of the Local Admin identity group that we will use as our third test user in this lab.

Moving down to Policy Elements, what we are going to do is create a device filter for our VPN firewall. We could easily use the device type Firewall that we created as part of the network device groups, but not every firewall will be a VPN firewall, so to pick out the particular firewalls that are VPN firewalls we create a device filter called LM VPN, pick our firewall based on device name, which is firewall1, click OK and then Submit. Now we create the downloadable ACLs as described in the diagram: one that denies ICMP and one that only allows ICMP. The first one is called LM No ICMP; we copy and paste to make sure there is no typo: first we deny icmp any any and then we permit ip any any, and submit. The next one is called LM ICMP Only, and this one is simply permit icmp any any. Check there is no typo, and submit.

Now we create the authorization profiles that will use the downloadable ACLs. Click Create; the first one is called LM VPN network admin. We select our downloadable ACL, which is No ICMP, and on top of that we push down OU=network admin, which goes under RADIUS Attributes: the attribute type is Class, click OK, and the value is OU=network admin. Just to reiterate, this corresponds to the group policy network admin right here, so you can actually copy that to make sure there are no typos. Don't forget to click Add, and Submit. We create another one for network support, called LM VPN network support, with the downloadable ACL ICMP Only, and this time the RADIUS attribute value is OU=network support. Add and Submit.

Next we move down to Access Policies. Since this is a new service we might as well create a new access service with the name LM VPN, of type Network Access. For VPN we are dealing with PAP, so that is all we need to allow; click Finish. Let's activate the service under Service Selection Rules: we create a rule called LM VPN, the protocol is RADIUS, we specify the device filter we already created called LM VPN, and we send that to the LM VPN service. Save to activate it. Now click on Identity under LM VPN; we have to specify the identity source we want to use to authenticate the users, and we can just use what we created in the previous video, the sequence covering both certificate-based and AD/local user-based authentication, although we are not dealing with certificate-based authentication here. Save, and then we do the Authorization policy. We have to customize our conditions: by default there is just a compound condition, which we are not going to use, so move it out of the way, and then we add Protocol, a condition based on AD user groups, as well as the local identity groups. Click OK. Our first rule is for the network admin user group; we call it LM VPN network admin, the protocol is RADIUS (kind of redundant, but it doesn't hurt), the AD external group is Network Admin, and if all those conditions are met we assign the authorization profile called LM VPN network admin. Next we do one for network support: duplicate below, name it network support, protocol RADIUS, the group name has to be changed to Network Support, and the authorization profile has to be changed to network support as well. Our last one is for our local user, LM VPN local admin, same protocol, but instead of the AD external group we use the local identity group, which is Local Admin, and we want the local admin to have the network admin authorization profile. Make sure the default is not Permit Access, because we do not want a user to accidentally be allowed access because they matched the default rule. Then Save Changes.

Now we move on to the configuration on the firewall. First we need to add a RADIUS server to the firewall with aaa-server: we give it the name RADIUS with protocol radius, and then the aaa-server host entry itself; by default it is on the inside interface, and we specify host 192.168.32.100, the IP of our ACS. Then some of the parameters you can set: the key, which is cisco; the retry-interval, 2 for example; and you can also modify the timeout before the server is marked unreachable, let's say timeout 5 seconds.

Now if you look back at our WebVPN configuration, we have tunnel-group-list enable. But now that we are going to use ACS to assign the group, we no longer want that option presented to the user, so we remove the tunnel-group-list. Also, we no longer need separate login pages or tunnel groups for users, since everybody is now going to come in through the default tunnel group. So we do show run all and look at what default tunnel group we are going to use; the one relevant to what we do is the WebVPN one right here. You can see that by default the DefaultWEBVPNGroup uses LOCAL authentication, so we need to change that to use our new RADIUS server, with authentication-server-group pointing to our RADIUS server. If we do show run tunnel-group, you see we still have the other tunnel groups configured, but we are not going to use them from now on; everybody will be coming in through the default tunnel group.

Now that we have the configuration in place we can start testing. The first thing is to try to log in using the local account on the ASA, to make sure we no longer use the ASA's local users. Connect; you can see we no longer see the drop-down to select the user group. We use the username cisco and password cisco, and you can see that we immediately fail authentication, although at the beginning of the lab we saw that we could use that account to log in successfully. That is because we are no longer pointing at the ASA's local users; instead we are making a RADIUS authentication to the ACS. So instead of cisco let's use the admin1 account and log in. You can see we are now authenticating; while we wait for that I switch over to Monitoring and Reports. In the background you can see the VPN is already connected. Let's check the authentication log: the first attempt with the username cisco got passed to the ACS for RADIUS authentication, and obviously cisco is not a valid user on the ACS or in AD. Now we have admin1 successfully logged in; let's take a quick look at the details. Here the authentication method for VPN is PAP, the Class attribute OU= got pushed down, as well as the per-user ACL LM No ICMP. In the authentication detail we got PAP_ASCII, the username, the authentication coming from the firewall, the NAS-Port-Type is Virtual, the authorization profile matched network admin, it authenticated against AD, the authorization rule is also network admin, and these are the AD groups. We have seen this multiple times already.

Now going to the firewall, show vpn-sessiondb anyconnect to look at the details of the connection: the IP being assigned, ending in 11.32, came from the IP pool; the user is coming from the address ending in 11.2; and the group policy, you can see, is network admin, while the tunnel group the user is coming in through is the default WebVPN group. Then we do show access-list to look at the contents of the downloadable ACL that was pushed down from the ACS, and you can see right here deny icmp any any and permit everything else. So now, although we are connected to the VPN, our ping is not going through because it is being denied; however, if you try to browse to, let's say, 192.168.32.100, which is the ACS itself, you can see that anything but ICMP traffic is working. That pretty much verifies our admin1 user. Next let's disconnect from here and log in using support1: change admin1 to support1, enter the password, and now we are connected.

Again, go back to the ACS and take a look at the authentication log: here we see the LM ICMP Only ACL was pushed down, and again it shows up as a Cisco AV pair, and now the OU= becomes network support. Everything else I am not going to go through since it looks pretty much identical to what we saw before. Now on the ASA, if we do show vpn-sessiondb anyconnect you see the group policy now shows up as network support, and the user is still coming through the default WebVPN tunnel group. On the test machine itself you can see the ping is now going through, since all we are allowing is ICMP, and if you try to browse the web to the ACS server at 192.168.32.100 you can see we are not connecting. Again we do show access-list on the firewall, and the user is allowed ICMP traffic only; there is a hit count of 67 already.

Now for our third test user, who is local to the ACS: connect with the user local1. Going to the ACS, you can see it is already coming through; this is the user local1, and the same things are being pushed: OU=network admin with No ICMP. You can see that this time the identity store being used is Internal Users instead of AD. Ping should stop right there in the background because we are not allowing ping; you can see the ACL denies ping. If we look at the VPN session again, we are back on network admin for the local1 user, still using the default tunnel group. The last verification step is to browse to the ACS, and you can see we can reach the ACS from this particular host.

Just to show you real quick, back on the authorization profile, pick one of these and look under the RADIUS attributes: there are a lot more RADIUS attributes you can use with Cisco, for either IPsec or AnyConnect VPN, that you can assign from ACS to the firewall and down to the user. You can look at things like the RADIUS Cisco VPN attributes right here and some of the things you can configure; as you can see there are a lot of options you can push down from ACS as part of the RADIUS reply, and most of these correspond to the configuration options you can set under the group policies, things like banner, client firewall, keepalive, DNS, and things like the UDP port. So as you can see, when you use the ACS to assign group policies to the VPN users, you essentially take away the user's ability to attempt to log in to or switch between the VPN groups. At the same time you reduce the configuration, since when you configure the tunnel groups, instead of having a separate tunnel group for each, you basically utilize the default tunnel group, and that can save a lot of configuration, especially if you have a lot of VPN user groups to deal with.

That wraps up my video on ACS 5.4 AnyConnect VPN with RADIUS authentication and authorization. You can visit our website to view an extensive list of our lab videos and sign up to get access to additional lab content. Thank you for watching LabMinutes.com, and I will see you in the next video.
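As an added example (not code from the Lab Minutes video or from Cisco), here is a small Python model of the two things ACS hands back in the Access-Accept in this lab: the RADIUS Class attribute OU=<group-policy>, which the ASA uses to pick the group policy, and the downloadable ACL that decides which of the user's traffic passes. The attribute bytes and the underscore spellings of the group-policy and ACL names are constructed for the example.

```python
"""Added example (not from the Lab Minutes video or Cisco): a model of what
the ASA does with the ACS Access-Accept in this lab. The RADIUS attribute
bytes and the underscore spellings of the names are constructed."""
import struct

CLASS = 25  # RFC 2865 "Class" attribute; the ASA reads OU=<group-policy> from it

# Group policies configured on the ASA (spelling assumed for the example).
GROUP_POLICIES = {"network_admin", "network_support"}

# The two downloadable ACLs from the lab, as (action, protocol) ACEs.
# First match wins; an ACL with no match ends in an implicit deny.
DACLS = {
    "LM_NO_ICMP": [("deny", "icmp"), ("permit", "ip")],
    "LM_ICMP_ONLY": [("permit", "icmp")],
}


def build_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(blob):
    """Decode RADIUS TLVs, refusing malformed lengths instead of reading
    past the end of the buffer on a bad server reply."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def group_policy_from_class(blob, configured=GROUP_POLICIES):
    """Mimic the ASA lookup: a Class value 'OU=<name>' selects the configured
    group policy of that name; an unknown or missing OU yields None, so the
    caller falls back to the tunnel group's default group policy."""
    for atype, value in parse_attrs(blob):
        if atype == CLASS and value.startswith(b"OU="):
            name = value[3:].rstrip(b";").decode(errors="replace")
            if name in configured:
                return name
    return None


def dacl_permits(acl_name, protocol):
    """Evaluate a flow's protocol ('icmp', 'tcp', ...) against a dACL."""
    for action, proto in DACLS[acl_name]:
        if proto in ("ip", protocol):
            return action == "permit"
    return False
```

With the admin1 reply (Class OU=network_admin plus LM_NO_ICMP) a ping to the domain controller is denied while HTTP to the ACS passes, which is the behaviour seen in the show access-list output above.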
Info
Channel: Lab Minutes
Views: 30,858
Keywords: acs, radius, vpn, anyconnect
Id: OmhWqi7vFEc
Length: 21min 22sec (1282 seconds)
Published: Mon Jul 29 2013