LabMinutes# SEC0111 - Cisco ISE 1.2 AnyConnect VPN RADIUS Authentication and Authorization (Part 1)

Captions
Welcome to the LabMinutes ISE video series on Cisco ISE 1.2. You can find the complete list of all ISE videos on our website by clicking on the link above, and sign up for our newsletter to receive the latest video updates.

In this video we will configure RADIUS authentication on Cisco ISE to work with AnyConnect VPN, and we are going to use ISE to push down VPN group policies and per-user ACLs to VPN users. So why would you want to do this? If you have dealt with IPsec client VPN, you know that you can somewhat restrict users to only connect to their own VPN user group by handing out a certain PCF file to them. But with AnyConnect VPN that concept is no longer there. Usually users are either prompted to select a group at the login page, just like how we show it on this diagram right here with a drop-down, if you choose to do the group list, or they need to know a specific login URL if you choose to do the group URL method. But nothing would stop a user from finding out about and choosing a different user group that they did not belong to, and ending up with additional access. So having ISE map users to group policies not only solves the problem of unauthorized access but also simplifies the user login process, now that they no longer need to have any knowledge of which group they need to choose at the login page.

I just want to mention that this video is basically a repeat of another video we already have, and that is SEC0096 ACS 5.4 AnyConnect VPN RADIUS Authentication and Authorization, but instead of using Cisco ACS, in this video we're going to be using Cisco ISE.

Now here on our network diagram we have a Cisco ISE 1.2 on VLAN 32, and on the same VLAN we have a domain controller and certificate authority server on a Windows 2008 machine with the IP of .40. Here we have a Cisco ASA that we configure for AnyConnect VPN, with the inside connected to VLAN 10 with the IP of .252, and the outside on VLAN 11 with the IP of 1.1.1.1. On the outside we have our test Windows 7 machine that we're going to be using to test our VPN from.

As far as the users, we have two users in Active Directory. The first user, admin1, is part of the Network Admin AD group and is going to be getting a group policy of NETWORK-ADMIN, as well as a downloadable ACL that denies ICMP but allows everything else. The second AD user is support1, who is part of the Network Support AD group, and is going to get a different group policy, NETWORK-SUPPORT, but this particular user will only be allowed to do ICMP. Now for those of you who still like to use a local user database on ISE, we are also going to have a local user called local1 that will be created on ISE. That user is going to be part of a local user group, or identity group, of Local Admins, and is going to be put in the NETWORK-ADMIN group policy just like admin1, so it's also going to get a downloadable ACL of deny ICMP and allow everything else.

OK, so let's start off by walking through some of the existing configuration on the firewall that we have, so you guys kind of get an idea of what we have right now. Let me bring up the console to the firewall right here. Let's do "show run username": currently we have a username local to the firewall, cisco, with the password cisco. Then we have an "ip local pool" for the IP addresses of the VPN users. Let's do "show run access-list": we have a split-tunnel access list for VPN that allows a connection to anything in 172.16.0.0/16. We have WebVPN, or AnyConnect VPN, enabled with an image for Windows, and currently we have the tunnel-group list enabled. Here we have the list of tunnel groups that we're going to use initially: the first one is NETWORK-ADMIN, and we also have the second group, NETWORK-SUPPORT. As you can see here, each maps to the corresponding group policy as well, and each of these has a group alias for our group list. If you look at our group policies, we have NETWORK-SUPPORT, which will be tunneling everything, and we also have the NETWORK-ADMIN group policy, which has a split tunnel with the ACL that we just saw. Both of these groups also have the AnyConnect client enabled as the default type of VPN.

OK, so next let's try to do a quick test from our test PC out here with what we have configured already. Let me bring up a web browser; the IP of the firewall is 1.1.1.1. Now you can see here, since we are doing a group list, the user has an option to pick either of the groups. Let's just use cisco/cisco. First I'm going to try NETWORK-ADMIN, and accept the certificate. Since we already have the AnyConnect client installed, although you initiate the connection from the web login, you can see it ends up establishing the VPN on the AnyConnect Secure Mobility Client itself, and now we are connected. So if we try to ping, let's say, the Windows 2008 server, which is .32.40... let's see, it doesn't look pingable. Let's see what IP we got; it's supposed to be a 172.16.11.x address. Let me make sure we have a route to that, and we do. Let's look at our route details; you can see we got our split tunnel. There you go, maybe I just didn't wait long enough; actually it went through on the last ping, so we know that's good. OK, I'm disconnecting. So that's for the NETWORK-ADMIN group policy.

Now let's try it again, this time initiating the connection from the AnyConnect client itself instead of the web page. One thing I haven't really shown you is that we also have the client profile configured as part of the Secure Mobility configuration in ASDM. As you can see here, even when you initiate the connection from the client itself, you still get that drop-down option. This time we're going to try to connect to NETWORK-SUPPORT using the exact same user account, cisco, and type in the password cisco. As you can see, the same user cisco currently can access both the NETWORK-ADMIN and the NETWORK-SUPPORT VPN groups. OK, so let's just verify our connectivity and try to ping one more time, and there you go, you can see the ping is going through. So we are good with both of the group policies that we have.

OK, next let's take a look at our AD users that we are going to be dealing with. Under Active Directory Users and Computers, right here we have our first AD user, admin1, who is a member of the Network Admin user group, as well as support1, who is part of the Network Support user group.

OK, now for our third user that's going to be local to ISE, let's see if we have that user already; if we don't, let's go ahead and create one. Under Administration (this is the ISE 1.2 web interface), under Users, you can see we currently have no users. Before we go ahead and create the user, I first want to create an identity group for the user, so let's go ahead and click Add. For the name I'm going to call it "Local Admins", and click Submit, just like how we have it right here on the diagram. Once we have the identity group, we can create the user. Under Users click Add; for the name we say it's going to be local1, for the password we're going to do Cisco123 with an uppercase C for the first C of Cisco, and then we assign the user to the group we just created, called Local Admins, and click Submit.

Since we will be utilizing the Active Directory user groups, we need to make sure first of all that ISE has good connectivity to our AD. Under External Identity Sources, click on our Active Directory, and ISE is currently connected to AD. Let's verify under Groups: we currently have no user groups, so we need to add those, at least for Network Admin and Network Support. We're going to retrieve the groups, then scroll down and find, right here, Network Admin and Network Support, click OK, that's added, and then save the configuration.

OK, next we need to add our VPN firewall, so when the RADIUS request comes in ISE knows how to process it. Under Administration again, similar to the user, we're first going to create a network device group so we can distinguish the request that comes in and know when it comes in from our VPN firewall. Under All Device Types I'm going to click Add, and we'll call it "VPN Firewall", and click Submit. Then we're going to jump over to Network Devices and add a new network device. Here we'll call it LM-FIREWALL1. The IP address will be the inside interface IP, which is 172.16.10.252. We'll leave the location default, and for the device type it will be VPN Firewall. For the authentication string, or RADIUS key or secret, we'll use just "cisco"; that's just a simple "cisco". We're not going to do the SNMP settings, so we're going to click Submit.

OK, going back to our diagram here, we see two types of downloadable ACL that we will be pushing down to the users: one is for deny ICMP and the other one is for ICMP only. So now we're going to create the policy elements, or downloadable ACLs, for that. That would be under Policy > Policy Elements > Results > Authorization > Downloadable ACLs. Click Add. The first one, let's do the deny ICMP, or block all ICMP. Let's give it a name, VPN-NO-ICMP, and for the dACL it will be "deny icmp any any" and then "permit ip any any". Make sure you click the Check DACL Syntax button, and as long as the syntax is valid, click Submit. Then we create one more for ICMP only, and that would be VPN-ICMP-ONLY; the ACL will be "permit icmp any any". OK, check, and then Submit.

Now we're going to have to create the authorization profiles that are going to utilize the downloadable ACLs, and there will be two separate authorization profiles we need to create for the two separate types of access for the VPN. The first one is going to be for the network admin, so we'll call it VPN-NETWORK-ADMIN. For the dACL it will be VPN-NO-ICMP, as we specified right here with deny ICMP for Network Admin. Then we need to add a RADIUS attribute that will allow the VPN firewall to place the particular VPN user into the correct group policy that we want, and that is the Class attribute. You might have heard of this particular attribute already. To do that, we go under Advanced Attributes Settings, and since it's going to be a RADIUS attribute we choose Radius, and now we're going to look for Class, right here, type 25. For the value it will be "OU=NETWORK-ADMIN", and this particular value right here has to match exactly the name of your group policy. So if you go back to the firewall, right here we have a group policy named NETWORK-ADMIN, all uppercase. OK, so Submit. Then we'll have to create one more for the VPN network support, so VPN-NETWORK-SUPPORT; the dACL maps to VPN-ICMP-ONLY, and for the RADIUS Class, OU= this time is going to have to be NETWORK-SUPPORT, so let me copy that, paste, and then Submit.

All right, now that we have our results, or authorization profiles, we can go ahead and configure our policies. Currently, if you look at the menu, we have Authentication and Authorization, which means we haven't really enabled Policy Sets. So let's go ahead and do that: under Administration > System > Settings > Policy Sets, click Enable. You don't have to do this, but with ISE 1.2 you have that particular support for policy sets; obviously if you're doing ISE 1.1, or anything before 1.2, then you wouldn't have that option. OK, so with that, just log back in. It just makes the policies look very similar to ACS version 5, where you have the service selection rules and all that.

OK, so under Policy now we click on Policy Set, and we're going to have to create a policy set that will match a RADIUS request coming from a VPN device. Here we'll click Edit. I'm just going to call it "VPN" for the name, and for the condition we need to match the RADIUS request. For the first condition, let's do an advanced condition: we can match based on the device type that we specified earlier for our firewall, and that would be under DEVICE > Device Type, and we said we have a VPN Firewall device type. To make sure that the RADIUS request coming in is for the VPN, we can also add another attribute value for RADIUS. It's something that I already know in advance: the RADIUS request coming in for the VPN is going to have an attribute called NAS-Port-Type, and that will be equal to Virtual for VPN. OK, so if those conditions are met, we're just going to continue down through this policy, beginning with the authentication policy. Since we're just going to be using the same identity source for all types of requests, there's no need to create a separate rule for that; we're just going to use the default rule, and for our identity source we're going to use the sequence that we created, which is going to look at the certificate first, then AD, then local, and then guest. OK, so it's basically a lazy way of specifying your identity source; it's going to try to match or look up users in that sequence, which is good enough for our testing here. We'll leave the default allowed protocols as Default Network Access. So that's it for the authentication.

Next, for the authorization, I'm going to have to create two rules for our two group policies for VPN. So let's create a new rule and call it VPN-NETWORK-ADMIN. Let's set our condition, and it's going to be very simple. Since we said it's going to be based on AD group membership, for our condition we'll go to the advanced option and select the attribute under AD1; here is the option for ExternalGroups, and we select from the two groups we added earlier under the external identity source for Active Directory, and here we have Network Admin. OK, so if you're part of Network Admin on AD you'll match this particular rule, and once that happens we want to return an authorization profile of VPN-NETWORK-ADMIN. OK, so let's duplicate below, and instead of network admin it's going to become network support, and the external AD group this time is going to be Network Support; make sure it's the correct one, Network Support. Then we're going to change the authorization profile to VPN-NETWORK-SUPPORT.

OK, now we're going to add one more rule for our third user, which is a local user that's part of a local identity group. This time let's add a new rule below; I'm going to call it VPN-LOCAL-ADMIN, and to match based on a user identity group you go under here and choose your identity group, which is Local Admins, and we said that we're going to give them the VPN-NETWORK-ADMIN access. OK, and then let's make sure that we don't have a catch-all permit; instead we deny by default, so here I change it to DenyAccess, click Done, and click Submit.
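The whole scheme in the video rests on one RADIUS reply: the Access-Accept that ISE returns for the VPN-NETWORK-ADMIN profile carries a Class attribute (type 25) of OU=NETWORK-ADMIN, which the ASA uses to pick the group policy, plus a cisco-av-pair that names the dACL. The only thing that stops someone on the path from injecting a reply with a more generous OU= value is the Response Authenticator, an MD5 over the packet and the shared secret, which is why the RADIUS key matters more than the lab's "cisco" suggests. The Python below is an added example, not code from the video or from Cisco: it builds that Access-Accept per RFC 2865, verifies it the way a NAS must, extracts the group policy and dACL name, and rejects a reply built without the real secret. The packet identifier, the Request Authenticator, and the trailing version hash on the dACL reference are constructed sample values; the ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash> format is the conventional one ISE uses, and the OU=<name> to group-policy rule is the ASA behaviour the video relies on.

```python
import hashlib
import hmac
import struct

# From the video's lab: LM-FIREWALL1's RADIUS key. Identifier and Request
# Authenticator are constructed (a real NAS picks a random authenticator per request).
SHARED_SECRET = b"cisco"
REQUEST_AUTHENTICATOR = bytes(range(16))
IDENTIFIER = 0x2A

CODE_ACCESS_ACCEPT = 2
ATTR_CLASS = 25             # RFC 2865 Class: the video sets it to OU=<group-policy>
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific, carries cisco-av-pair
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def cisco_avpair(value: bytes) -> bytes:
    """Encode one cisco-av-pair as the value of a Vendor-Specific attribute."""
    return struct.pack("!I", CISCO_VENDOR_ID) + struct.pack("BB", CISCO_AVPAIR, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes, attributes, secret: bytes) -> bytes:
    """RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_and_verify(packet: bytes, request_auth: bytes, secret: bytes):
    """Check the Response Authenticator (the NAS's only proof that the reply came from a
    server holding the shared secret) and return (code, identifier, [(type, value), ...]).
    Raises ValueError on a malformed, forged or tampered packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator")
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((t, attrs[i + 2:i + l]))
        i += l
    return code, identifier, out


def group_policy_from_class(attrs):
    """ASA rule the video relies on: Class = 'OU=<name>' selects group-policy <name>."""
    for t, v in attrs:
        if t == ATTR_CLASS and v.startswith(b"OU="):
            return v[3:].decode()
    return None


def cisco_avpairs(attrs):
    """Decode cisco-av-pair strings from Cisco Vendor-Specific attributes."""
    pairs = []
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6 or struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        i = 4
        while i + 2 <= len(v):
            sub_t, sub_l = v[i], v[i + 1]
            if sub_l < 2 or i + sub_l > len(v):
                break
            if sub_t == CISCO_AVPAIR:
                pairs.append(v[i + 2:i + sub_l].decode())
            i += sub_l
    return pairs


def dacl_name_from_avpairs(pairs):
    """ISE references the dACL by name (plus a version suffix) in a cisco-av-pair; the NAS
    then fetches the ACL body in a follow-up Access-Request. Returns the bare dACL name."""
    for p in pairs:
        if p.startswith("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-"):
            return p.split("#ACSACL#-IP-", 1)[1].rsplit("-", 1)[0]
    return None


# What ISE returns for the video's VPN-NETWORK-ADMIN profile (hash suffix is made up).
VPN_NETWORK_ADMIN_ATTRS = [
    (ATTR_CLASS, b"OU=NETWORK-ADMIN"),
    (ATTR_VENDOR_SPECIFIC, cisco_avpair(b"ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-VPN-NO-ICMP-52b0a1c3")),
]


def authorize(packet: bytes, request_auth: bytes, secret: bytes):
    """What the NAS should conclude: None if verification fails, else the policy to apply."""
    try:
        _, _, attrs = parse_and_verify(packet, request_auth, secret)
    except ValueError:
        return None
    return {"group_policy": group_policy_from_class(attrs),
            "dacl": dacl_name_from_avpairs(cisco_avpairs(attrs))}


if __name__ == "__main__":
    genuine = build_access_accept(IDENTIFIER, REQUEST_AUTHENTICATOR, VPN_NETWORK_ADMIN_ATTRS, SHARED_SECRET)
    print(authorize(genuine, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    # A reply built without the real shared secret must be dropped by the NAS.
    forged = build_access_accept(IDENTIFIER, REQUEST_AUTHENTICATOR, [(ATTR_CLASS, b"OU=NETWORK-ADMIN")], b"guessed")
    print(authorize(forged, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The group-policy lookup is only as strong as the secret behind the MD5: with a guessable key anyone who can see the Access-Request (and so the Request Authenticator) can mint an Access-Accept carrying whatever OU= value they like. In a lab "cisco" is fine; in production use a long random key per network device, and keep the ISE-to-ASA RADIUS path off untrusted segments.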
Info
Channel: Lab Minutes
Views: 28,651
Keywords: ise, radius, vpn, anyconnect
Id: HcMf3q_lmYo
Length: 16min 44sec (1004 seconds)
Published: Mon Oct 28 2013