2024-11-22
Introduction
This document describes how to configure Remote Access VPN with LDAP AA on a Firepower Threat Defense (FTD) managed by a Firepower Management Center.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document describes the configuration of Remote Access VPN (RA VPN) with Lightweight Directory Access Protocol (LDAP) authentication and authorization on a Firepower Threat Defense (FTD) managed by a Firepower Management Center (FMC).
LDAP is an open, vendor-neutral, industry-standard application protocol to access and maintain distributed directory information services.
An LDAP attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Then, when the AD or LDAP server returns authentication responses to the FTD device during a remote access VPN connection establishment, the FTD device can use the information to adjust how the AnyConnect client completes the connection.
RA VPN with LDAP authentication has been supported on the FMC since version 6.2.1. Prior to FMC version 6.7.0, LDAP authorization had to be configured via FlexConfig in order to define the LDAP Attribute Map and associate it with the Realm Server. With version 6.7.0, this feature has been integrated with the RA VPN configuration wizard on the FMC and does not require the use of FlexConfig anymore.
Note: This feature requires the FMC to be on version 6.7.0, whereas the managed FTD can be on any version higher than 6.3.0.
Requires AnyConnect Apex, AnyConnect Plus, or AnyConnect VPN Only license with export-controlled functionality enabled.
In order to check the license, navigate to System > Licenses > Smart Licenses.
Note: These steps are only required for the configuration of a new REALM/LDAP server. If you have a pre-configured server, which could be used for authentication in RA VPN, then navigate to RA VPN Configuration.
Step 1. Navigate to System > Other Integrations > Realms, as shown in this image.
Step 2. As shown in the image, click Add a new realm.
Step 3. Provide the details of the AD server and directory. Click OK.
For the purpose of this demonstration:
Name: LDAP
Type: AD
AD Primary Domain: test.com
Directory Username: CN=Administrator,CN=Users,DC=test,DC=com
Directory Password: <Hidden>
Base DN: DC=test,DC=com
Group DN: DC=test,DC=com
Step 4. Click Save to save the realm/directory changes, as shown in this image.
Step 5. Toggle the State button to change the state of the server to Enabled, as shown in this image.
These steps are needed to configure the Group Policy, which is assigned to Authorized VPN users. If the Group Policy is already defined, move to Step 5.
Step 1. Navigate to Objects > Object Management.
Step 2. In the left pane, navigate to VPN > Group Policy.
Step 3. Click Add Group Policy.
Step 4. Provide the Group Policy values.
For the purpose of this demonstration:
Name: RA-VPN
Banner: ! Welcome to VPN !
Simultaneous Login Per User: 3 (Default)
Step 5. Navigate to Devices > VPN > Remote Access.
Step 6. Click Add a new configuration.
Step 7. Provide a Name for the RA VPN Policy. Choose the VPN Protocol and choose the Targeted Devices. Click Next.
For the purpose of this demonstration:
Name: RA-VPN
VPN Protocol: SSL
Targeted Devices: FTD
Step 8. For the Authentication Method, choose AAA Only. Choose the REALM/LDAP server for the Authentication Server. Click Configure LDAP Attribute Map (to configure LDAP Authorization).
Step 9. Provide the LDAP Attribute Name and the Cisco Attribute Name. Click Add Value Map.
For the purpose of this demonstration:
LDAP Attribute Name: memberOf
Cisco Attribute Name: Group-Policy
Step 10. Provide the LDAP Attribute Value and the Cisco Attribute Value. Click OK.
For the purpose of this demonstration:
LDAP Attribute Value: DC=tlalocan,DC=sec
Cisco Attribute Value: RA-VPN
Note: You can add more Value Maps as per the requirement.
Step 11. Add the Address Pool for the local address assignment. Click OK.
Step 12. Provide the Connection Profile Name and the Group-Policy. Click Next.
For the purpose of this demonstration:
Connection Profile Name: RA-VPN
Authentication Method: AAA Only
Authentication Server: LDAP
IPv4 Address Pool: VPN-Pool
Group-Policy: No-Access
Note: The Authentication Method, Authentication Server, and the IPV4 Address Pool were configured in previous steps.
The No-Access group-policy has the Simultaneous Login Per User parameter set to 0, so that users who receive the default No-Access group-policy cannot log in.
Step 13. Click Add new AnyConnect Image in order to add an AnyConnect Client Image to the FTD.
Step 14. Provide a Name for the uploaded image and browse the local storage to upload the image. Click Save.
Step 15. Click the check box next to the image in order to enable it for use. Click Next.
Step 16. Choose the Interface group/Security Zone and the Device Certificate. Click Next.
For the purpose of this demonstration:
Interface group/Security Zone: Out-Zone
Device Certificate: Self-Signed
Note: You can choose to enable the Bypass Access Control policy option in order to bypass any access control check for encrypted (VPN) traffic (Disabled by default).
Step 17. View the summary of the RA VPN configuration. Click Finish to save, as shown in the image.
Step 18. Navigate to Deploy > Deployment. Choose the FTD to which the configuration needs to be deployed. Click Deploy.
After a successful deployment, the configuration is pushed to the FTD and can be seen in the FTD CLI:
!--- LDAP Server Configuration ---!
ldap attribute-map LDAP
 map-name memberOf Group-Policy
 map-value memberOf DC=tlalocan,DC=sec RA-VPN
aaa-server LDAP protocol ldap
 max-failed-attempts 4
 realm-id 2
aaa-server LDAP host 10.106.56.137
 server-port 389
 ldap-base-dn DC=tlalocan,DC=sec
 ldap-group-base-dn DC=tlalocan,DC=sec
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=test,DC=com
 server-type microsoft
 ldap-attribute-map LDAP
!--- RA VPN Configuration ---!
webvpn
 enable outside
 anyconnect image disk0:/csm/anyconnect-win-4.10.07061-webdeploy-k9.pkg 1 regex "Mac"
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
ssl trust-point Self-Signed
group-policy No-Access internal
group-policy No-Access attributes
 vpn-simultaneous-logins 0
 vpn-idle-timeout 30
!--- Output Omitted ---!
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
group-policy RA-VPN internal
group-policy RA-VPN attributes
 banner value ! Welcome to VPN !
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
!--- Output Omitted ---!
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
ip local pool VPN-Pool 10.72.1.1-10.72.1.150 mask 255.255.255.0
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP
 default-group-policy No-Access
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable
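To make the authorization logic of the deployed configuration concrete, the following Python model walks a user's memberOf values through the attribute map and the tunnel-group fallback. It is an added example, not Cisco code and not the FTD's implementation: the map-value entry, the group-policy names, the vpn-simultaneous-logins values and the memberOf DNs come from this document, while the matching rules (case-insensitive exact DN comparison, first value that names a configured group-policy wins, unmatched values pass through untranslated) are this model's assumptions.

```python
"""Model of how the deployed FTD configuration turns a user's LDAP memberOf
values into a group policy.  Added, hypothetical example, not Cisco code.
Values come from the document; the matching rules are assumptions."""

# ldap attribute-map LDAP
#   map-name  memberOf Group-Policy
#   map-value memberOf DC=tlalocan,DC=sec RA-VPN
MAP_NAME = {"memberOf": "Group-Policy"}
MAP_VALUE = {("memberOf", "dc=tlalocan,dc=sec"): "RA-VPN"}

# group-policy <name> attributes / vpn-simultaneous-logins <n>
GROUP_POLICIES = {"No-Access": 0, "RA-VPN": 3}

# tunnel-group RA-VPN general-attributes / default-group-policy No-Access
DEFAULT_GROUP_POLICY = "No-Access"


def apply_attribute_map(ldap_entry):
    """Translate each mapped LDAP attribute value into a Cisco attribute value.

    Returns (cisco_attribute, value) pairs in memberOf order.  A value with
    no map-value entry is passed through untranslated (assumption), which is
    what the 'mapped to Group-Policy: value = CN=Domain Admins,...' debug
    lines in the document show.
    """
    out = []
    for ldap_attr, values in ldap_entry.items():
        cisco_attr = MAP_NAME.get(ldap_attr)
        if cisco_attr is None:
            continue  # attribute not in the map: ignored
        for value in values:
            translated = MAP_VALUE.get((ldap_attr, value.lower()), value)
            out.append((cisco_attr, translated))
    return out


def resolve_group_policy(ldap_entry):
    """Pick the group policy the user lands in.

    Assumption: the first Group-Policy value that names a group-policy
    configured on the device wins; otherwise the tunnel-group's
    default-group-policy (No-Access) applies.
    """
    for cisco_attr, value in apply_attribute_map(ldap_entry):
        if cisco_attr == "Group-Policy" and value in GROUP_POLICIES:
            return value
    return DEFAULT_GROUP_POLICY


def login_decision(ldap_entry, current_sessions=0):
    """Return (group_policy, allowed).

    The session limit is vpn-simultaneous-logins of the resolved policy.
    No-Access carries 0, so an unmatched user is refused even though LDAP
    authentication itself succeeded (the %FTD-6-113013 syslog in the document).
    """
    policy = resolve_group_policy(ldap_entry)
    return policy, current_sessions < GROUP_POLICIES[policy]


# Constructed sample entries using the memberOf values shown in the
# document's debug output for the users 'test' and 'Administrator'.
TEST_USER = {"memberOf": ["DC=tlalocan,DC=sec"]}
ADMIN_USER = {
    "memberOf": [
        "CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec",
        "CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec",
        "CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec",
        "CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec",
        "CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec",
        "CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec",
    ]
}

if __name__ == "__main__":
    for name, entry in (("test", TEST_USER), ("Administrator", ADMIN_USER)):
        policy, allowed = login_decision(entry)
        print(f"{name}: group-policy {policy}, login {'allowed' if allowed else 'refused'}")
```

The point the model makes is that the No-Access default with vpn-simultaneous-logins 0 is what turns a missing attribute-map match into a refused login; without it, an authenticated user with no matching memberOf value would simply inherit whatever the default group policy permits.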
On the AnyConnect client, log in with valid VPN user group credentials, and you get the correct group policy assigned by the LDAP Attribute Map:
From the LDAP Debug Snippet (debug ldap 255) you can see there is a match on the LDAP Attribute Map:
Authentication successful for test to 10.106.56.137
memberOf: value = DC=tlalocan,DC=sec
mapped to Group-Policy: value = RA-VPN
mapped to LDAP-Class: value = RA-VPN
On the AnyConnect client, log in with an invalid VPN user group credential and you get the No-Access group policy.
%FTD-6-113004: AAA user authentication successful : server = 10.106.56.137 : user = Administrator
%FTD-6-113009: AAA retrieved default group policy (No-Access) for user = Administrator
%FTD-6-113013: AAA unable to complete the request Error : reason = Simultaneous logins exceeded for user : user = Administrator
From LDAP Debug Snippet (debug ldap 255), you can see there is no match on the LDAP Attribute Map:
Authentication successful for Administrator to 10.106.56.137
memberOf: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
memberOf: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
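When reading debug ldap 255 output by hand, the tell-tale of a non-matching attribute map is that the "mapped to Group-Policy" value is still a raw DN rather than the name of a group-policy on the device. The following Python helper automates that triage over the two snippets shown above. It is an added example, not Cisco code: the configured group-policy names and the sample snippets are taken from this document, and the line formats are assumed to be exactly those the snippets show.

```python
"""Triage helper for 'debug ldap 255' output: decide from the snippet alone
whether the LDAP attribute map produced a group policy that exists on the
device.  Added example, not Cisco code; group-policy names and sample
snippets come from the document, the line formats are assumed from them."""

import re

# group-policy names present in the deployed configuration
CONFIGURED_GROUP_POLICIES = {"No-Access", "RA-VPN"}

AUTH_RE = re.compile(r"^Authentication successful for (\S+) to (\S+)$", re.I)
MEMBER_RE = re.compile(r"^memberOf: value = (.+)$")
MAPPED_RE = re.compile(r"^mapped to Group-Policy: value = (.+)$")


def parse_ldap_debug(snippet):
    """Return {'user', 'server', 'mappings': [(memberOf, Group-Policy), ...]}."""
    parsed = {"user": None, "server": None, "mappings": []}
    pending = None  # memberOf value waiting for its 'mapped to' line
    for raw in snippet.splitlines():
        line = raw.strip()
        if (m := AUTH_RE.match(line)):
            parsed["user"], parsed["server"] = m.group(1), m.group(2)
        elif (m := MEMBER_RE.match(line)):
            pending = m.group(1)
        elif (m := MAPPED_RE.match(line)) and pending is not None:
            parsed["mappings"].append((pending, m.group(1)))
            pending = None
    return parsed


def attribute_map_verdict(snippet):
    """Return (group_policy or None, explanation).

    A mapped value that is still a raw DN means no map-value entry matched;
    the device then falls back to the tunnel-group default-group-policy.
    """
    parsed = parse_ldap_debug(snippet)
    for member_of, mapped in parsed["mappings"]:
        if mapped in CONFIGURED_GROUP_POLICIES:
            return mapped, f"{parsed['user']}: {member_of} matched the attribute map -> {mapped}"
    return None, (f"{parsed['user']}: none of {len(parsed['mappings'])} memberOf values "
                  "matched the attribute map; default-group-policy will apply")


# Constructed sample snippets reproducing the document's two debug outputs
# (the Administrator snippet is shortened to its first two memberOf values).
TEST_SNIPPET = """\
Authentication successful for test to 10.106.56.137
memberOf: value = DC=tlalocan,DC=sec
mapped to Group-Policy: value = RA-VPN
mapped to LDAP-Class: value = RA-VPN
"""

ADMIN_SNIPPET = """\
Authentication successful for Administrator to 10.106.56.137
memberOf: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
"""

if __name__ == "__main__":
    for snippet in (TEST_SNIPPET, ADMIN_SNIPPET):
        print(attribute_map_verdict(snippet)[1])
```

Feeding it a captured snippet gives the same answer the %FTD-6-113009 syslog would, without having to correlate the two outputs: the test user resolves to RA-VPN, the Administrator user to no configured policy and therefore to the No-Access default.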