2024-11-13

Introduction

This document describes how to configure Firepower Threat Defense (FTD) version 6.4.0 to posture VPN users against Identity Services Engine (ISE).
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
1. The remote user uses Cisco AnyConnect for VPN access to the FTD.
2. FTD sends a RADIUS Access-Request for the user to ISE.
3. That request hits the policy named FTD-VPN-Posture-Unknown on the ISE. The ISE sends a RADIUS Access-Accept with three attributes:
4. If DACL is sent, RADIUS Access-Request/Access-Accept is exchanged in order to download content of the DACL
5. When the traffic from the VPN user matches the locally-defined ACL, it is redirected to ISE Client Provisioning Portal. ISE provisions AnyConnect Posture Module and Compliance Module.
6. Once the agent is installed on the client machine, it automatically searches for ISE with probes. When ISE is detected successfully, the posture requirements are checked on the endpoint. In this example, the agent checks for installed anti-malware software. Then it sends the posture report to ISE.
7. When ISE receives the posture report from the agent, ISE changes Posture Status for this session and triggers RADIUS CoA type Push with new attributes. This time, the posture status is known and another rule is hit.
8. The FTD removes the redirection. FTD sends Access-Request in order to download DACL from the ISE. The specific DACL is attached to the VPN session.
Step 1. Create Network Object Group for ISE and Remediation Servers (if any). Navigate to Objects > Object Management > Network.
Step 2. Create Redirect ACL. Navigate to Objects > Object Management > Access List > Extended. Click Add Extended Access List and provide the name of the Redirect ACL. This name must be the same as in the ISE authorization result.
Step 3. Add Redirect ACL entries. Click the Add button. Block traffic to DNS, ISE and remediation servers in order to exclude it from redirection. Allow the rest of the traffic, which triggers the redirection (ACL entries can be more specific if needed).
Step 4. Add ISE PSN node/nodes. Navigate to Objects > Object Management > RADIUS Server Group. Click Add RADIUS Server Group, then provide the name, check all checkboxes and click the plus icon.
Step 5. In the opened window, provide the ISE PSN IP address and RADIUS Key, select Specific Interface and select the interface from which ISE is reachable (this interface is used as the source of RADIUS traffic), then select the Redirect ACL which was configured previously.
Step 6. Create Address Pool for VPN users. Navigate to Objects > Object Management > Address Pools > IPv4 Pools. Click Add IPv4 Pools and fill in the details.
Step 7. Create AnyConnect package. Navigate to Objects > Object Management > VPN > AnyConnect File. Click Add AnyConnect File, provide the package name, download the package from Cisco Software Download and select Anyconnect Client Image as File Type.
Step 8. Create Certificate. Navigate to Objects > Object Management > PKI > Cert Enrollment. Click Add Cert Enrollment, provide the name and choose Self Signed Certificate in Enrollment Type. Click the Certificate Parameters tab and provide CN.
Step 9. Launch Remote Access VPN wizard. Navigate to Devices > VPN > Remote Access and click Add.
Step 10. Provide the name, check SSL as VPN Protocol, choose FTD which is used as VPN concentrator and click Next.
Step 11. Provide Connection Profile name, select Authentication/Accounting Servers, select the address pool which was configured previously and click Next.
Note: Do not select the authorization server. It triggers two Access Requests for a single user (once with the user password and the second time with password cisco).
Step 12. Select the AnyConnect package that was configured previously and click Next.
Step 13. Select the interface from which VPN traffic is expected, select the Certificate Enrollment that was configured previously and click Next.
Step 14. Check the summary page and click Finish.
Step 15. Deploy the configuration to FTD. Click Deploy and select the FTD VPN concentrator.
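The redirect ACL logic from Step 3 (and step 5 of the flow) as an added example that is not part of the document: on a redirect ACL, deny means "not redirected" and permit means "redirected", so a missing deny line for ISE sends the portal traffic itself into the redirect. All addresses and the ACL entries are assumed placeholders.

```python
import ipaddress

# Constructed redirect ACL following Step 3 of the document. A redirect ACL
# inverts the usual reading: "deny" = flow is NOT redirected, "permit" = flow
# IS redirected to the ISE Client Provisioning Portal. Addresses are assumed.
ISE_PSN = "10.10.10.5"          # assumed ISE Policy Service Node
REMEDIATION = "10.10.10.20"     # assumed remediation server
DNS_SERVER = "10.10.10.53"      # assumed internal DNS server
PORTAL_PORT = 8443              # portal port as seen in the Redirect URL

# (action, protocol, destination network, destination port or None = any)
REDIRECT_ACL = [
    ("deny", "udp", "0.0.0.0/0", 53),            # DNS is excluded from redirection
    ("deny", "ip", f"{ISE_PSN}/32", None),       # ISE itself must never be redirected
    ("deny", "ip", f"{REMEDIATION}/32", None),   # remediation servers reachable directly
    ("permit", "ip", "0.0.0.0/0", None),         # everything else triggers redirection
]

def _matches(entry, proto, dst_ip, dst_port):
    action, e_proto, e_net, e_port = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(e_net):
        return False
    return e_port is None or e_port == dst_port

def is_redirected(acl, proto, dst_ip, dst_port):
    """First-match evaluation: permit -> redirected, deny -> passed through.
    No match behaves like an implicit deny, i.e. no redirection."""
    for entry in acl:
        if _matches(entry, proto, dst_ip, dst_port):
            return entry[0] == "permit"
    return False

def check_redirect_acl(acl, ise_psn=ISE_PSN, portal_port=PORTAL_PORT):
    """Return the misconfigurations that would break the posture flow."""
    problems = []
    if is_redirected(acl, "tcp", ise_psn, portal_port):
        problems.append("portal traffic to ISE would itself be redirected (loop)")
    if is_redirected(acl, "udp", DNS_SERVER, 53):
        problems.append("DNS would be redirected; the client cannot resolve the portal FQDN")
    if not is_redirected(acl, "tcp", "198.51.100.10", 80):   # arbitrary web destination
        problems.append("ordinary web traffic is not redirected; the portal is never shown")
    return problems

if __name__ == "__main__":
    print(check_redirect_acl(REDIRECT_ACL))                         # []
    broken = [e for e in REDIRECT_ACL if e[2] != f"{ISE_PSN}/32"]   # ISE deny line dropped
    print(check_redirect_acl(broken))
```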
Step 1. Run Posture Updates. Navigate to Administration > System > Settings > Posture > Updates.
Step 2. Upload Compliance Module. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources. Click Add and select Agent resources from Cisco site.
Step 3. Download AnyConnect from Cisco Software Download and upload it to ISE. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources.
Click Add and select Agent Resources from Local Disk. Choose Cisco Provided Packages under Category, select the AnyConnect package from local disk and click Submit.
Step 4. Create AnyConnect Posture Profile. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources.
Click Add and select AnyConnect Posture Profile. Fill in the name and Posture Protocol.
Under Server name rules, put * and put any dummy IP address under Discovery host.
Step 5. Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and create AnyConnect Configuration. Click Add and select AnyConnect Configuration. Select the AnyConnect Package, provide the Configuration Name, select the Compliance Module, check Diagnostic and Reporting Tool, select the Posture Profile and click Save.
Step 6. Navigate to Policy > Client Provisioning and create a Client Provisioning Policy. Click Edit and then select Insert Rule Above, provide the name, select the OS, and choose the AnyConnect Configuration created in the previous step.
Step 7. Create Posture Condition under Policy > Policy Elements > Conditions > Posture > Anti-Malware Condition. In this example, predefined “ANY_am_win_inst” is used.
Step 8. Navigate to Policy > Policy Elements > Results > Posture > Remediation Actions and create a Posture Remediation. In this example, it is skipped. Remediation Action can be a Text Message.
Step 9. Navigate to Policy > Policy Elements > Results > Posture > Requirements and create Posture Requirements. The predefined requirement Any_AM_Installation_Win is used.
Step 10. Create Posture Policies under Policy > Posture. The default posture policy for any AntiMalware Check for Windows OS is used.
Step 11. Navigate to Policy > Policy Elements > Results > Authorization > Downloadable ACLs and create DACLs for different posture statuses.
For example:
Step 12. Create Authorization Profiles for Posture Unknown, Posture NonCompliant and Posture Compliant statuses. In order to do so, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. In the Posture Unknown profile, select the Posture Unknown DACL, check Web Redirection, select Client Provisioning, provide the Redirect ACL name (that is configured on FTD) and select the portal.
In the Posture NonCompliant profile, select DACL in order to limit access to the network.
In the Posture Compliant profile, select DACL in order to allow full access to the network.
Step 13. Create Authorization Policies under Policy > Policy Sets > Default > Authorization Policy. Posture Status and the VPN Tunnel Group are used as conditions.
Use this section in order to confirm that your configuration works properly.
On ISE, the first verification step is RADIUS Live Log. Navigate to Operations > RADIUS Live Log. Here, user Alice is connected and the expected authorization policy is selected.
Authorization policy FTD-VPN-Posture-Unknown is matched and as a result, FTD-VPN-Profile is sent to FTD.
Posture Status is Pending.
The Result section shows which attributes are sent to FTD.
On FTD, in order to verify the VPN connection, SSH to the box, execute system support diagnostic-cli and then show vpn-sessiondb detail anyconnect. From the output, verify that the attributes sent from ISE are applied to the VPN session.
fyusifov-ftd-64# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : alice@training.example.com
Index        : 12
Assigned IP  : 172.16.1.10
Public IP    : 10.229.16.169
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 15326
Bytes Rx     : 13362
Pkts Tx      : 10
Pkts Rx      : 49
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy
Tunnel Group : EmployeeVPN
Login Time   : 07:13:30 UTC Mon Feb 3 2020
Duration     : 0h:06m:43s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : 000000000000c0005e37c81a
Security Grp : none
Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 12.1
  Public IP    : 10.229.16.169
  Encryption   : none
  Hashing      : none
  TCP Src Port : 56491
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 23 Minutes
  Client OS    : win
  Client OS Ver: 10.0.18363
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 7663
  Bytes Rx     : 0
  Pkts Tx      : 5
  Pkts Rx      : 0
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 12.2
  Assigned IP  : 172.16.1.10
  Public IP    : 10.229.16.169
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 56495
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 23 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 7663
  Bytes Rx     : 592
  Pkts Tx      : 5
  Pkts Rx      : 7
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PostureUnknown-5e37414d

DTLS-Tunnel:
  Tunnel ID    : 12.3
  Assigned IP  : 172.16.1.10
  Public IP    : 10.229.16.169
  Encryption   : AES256
  Hashing      : SHA1
  Ciphersuite  : DHE-RSA-AES256-SHA
  Encapsulation: DTLSv1.0
  UDP Src Port : 59396
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 0
  Bytes Rx     : 12770
  Pkts Tx      : 0
  Pkts Rx      : 42
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PostureUnknown-5e37414d

ISE Posture:
  Redirect URL : https://fyusifov-26-3.example.com:8443/portal/gateway?sessionId=000000000000c0005e37c81a&portal=27b1bc...
  Redirect ACL : fyusifovredirect
fyusifov-ftd-64#
Client Provisioning policies can be verified. Navigate to Operations > Reports > Endpoints and Users > Client Provisioning.
Posture Report sent from AnyConnect can be checked. Navigate to Operations > Reports > Endpoints and Users > Posture Assessment by Endpoint.
In order to see more details on the posture report, click Details.
After the report is received on ISE, posture status is updated. In this example, posture status is compliant and CoA Push is triggered with a new set of attributes.
Verify on FTD that the Redirect ACL and Redirect URL are removed from the VPN session and that the new PermitAll DACL is applied.
fyusifov-ftd-64# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : alice@training.example.com
Index        : 14
Assigned IP  : 172.16.1.10
Public IP    : 10.55.218.19
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 53990
Bytes Rx     : 23808
Pkts Tx      : 73
Pkts Rx      : 120
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy
Tunnel Group : EmployeeVPN
Login Time   : 16:58:26 UTC Mon Feb 3 2020
Duration     : 0h:02m:24s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : 000000000000e0005e385132
Security Grp : none
Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 14.1
  Public IP    : 10.55.218.19
  Encryption   : none
  Hashing      : none
  TCP Src Port : 51965
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 27 Minutes
  Client OS    : win
  Client OS Ver: 10.0.18363
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 7663
  Bytes Rx     : 0
  Pkts Tx      : 5
  Pkts Rx      : 0
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 14.2
  Assigned IP  : 172.16.1.10
  Public IP    : 10.55.218.19
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 51970
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 27 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 7715
  Bytes Rx     : 10157
  Pkts Tx      : 6
  Pkts Rx      : 33
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PermitAll-5e384dc0

DTLS-Tunnel:
  Tunnel ID    : 14.3
  Assigned IP  : 172.16.1.10
  Public IP    : 10.55.218.19
  Encryption   : AES256
  Hashing      : SHA1
  Ciphersuite  : DHE-RSA-AES256-SHA
  Encapsulation: DTLSv1.0
  UDP Src Port : 51536
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 28 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.7.01076
  Bytes Tx     : 38612
  Bytes Rx     : 13651
  Pkts Tx      : 62
  Pkts Rx      : 87
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PermitAll-5e384dc0
fyusifov-ftd-64#
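The two verification outputs above differ in exactly the fields that mark the posture stage: the Filter Name (DACL) on each tunnel and the presence of the ISE Posture redirect. The following added example (not from the document) parses a constructed excerpt in that format and classifies the session, so the check can be scripted across many sessions; the DACL name convention (PostureUnknown, PermitAll, NonCompliant) and the placeholder host and session ids are assumptions.

```python
import re

# Constructed excerpt in the shape of "show vpn-sessiondb detail anyconnect",
# not the document's capture; host names and session ids are placeholders.
SAMPLE_UNKNOWN = """\
Session Type: AnyConnect Detailed
Username     : alice@training.example.com   Index        : 12
SSL-Tunnel:
  Filter Name  : #ACSACL#-IP-PostureUnknown-5e37414d
DTLS-Tunnel:
  Filter Name  : #ACSACL#-IP-PostureUnknown-5e37414d
ISE Posture:
  Redirect URL : https://ise.example.com:8443/portal/gateway?sessionId=SESSION_ID_PLACEHOLDER&portal=PORTAL_ID
  Redirect ACL : fyusifovredirect
"""
SAMPLE_COMPLIANT = """\
Session Type: AnyConnect Detailed
Username     : alice@training.example.com   Index        : 14
SSL-Tunnel:
  Filter Name  : #ACSACL#-IP-PermitAll-5e384dc0
DTLS-Tunnel:
  Filter Name  : #ACSACL#-IP-PermitAll-5e384dc0
"""

FIELD = re.compile(r"^\s*(Username|Filter Name|Redirect URL|Redirect ACL)\s*:\s*(\S+)", re.M)

def parse_session(text):
    """Collect the posture-relevant fields; Filter Name repeats once per tunnel."""
    info = {"Filter Name": set()}
    for key, val in FIELD.findall(text):
        if key == "Filter Name":
            info[key].add(val)
        else:
            info[key] = val
    return info

def posture_stage(text):
    """Classify a session from the DACL name (page convention: PostureUnknown,
    PermitAll; NonCompliant is assumed) and the presence of a redirect."""
    info = parse_session(text)
    redirected = "Redirect URL" in info or "Redirect ACL" in info
    if len(info["Filter Name"]) != 1:
        return "inconsistent"           # SSL and DTLS tunnels carry different DACLs
    dacl = next(iter(info["Filter Name"]))
    if redirected and "PostureUnknown" in dacl:
        return "unknown"                # flow step 3: redirect to the portal is active
    if not redirected and "PermitAll" in dacl:
        return "compliant"              # flow step 8: redirect removed, full-access DACL
    if not redirected and "NonCompliant" in dacl:
        return "noncompliant"
    return "inconsistent"               # e.g. redirect still present after CoA
```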
This section provides information you can use in order to troubleshoot your configuration.
For detailed posture flow and to troubleshoot AnyConnect and ISE, check this link: ISE Posture Style Comparison for Pre and Post 2.2.
One of the common issues is when a split tunnel is configured. In this example, the default Group Policy is used, which tunnels all traffic. If only specific traffic is tunnelled, then the AnyConnect probes (enroll.cisco.com and the discovery host) must go through the tunnel in addition to traffic to ISE and other internal resources.
In order to check the tunnel policy on FMC, first check which Group Policy is used for the VPN connection. Navigate to Devices > VPN > Remote Access.
Then, navigate to Objects > Object Management > VPN > Group Policy and click the Group Policy configured for VPN.
Another common issue is when the VPN users' return traffic gets translated by an incorrect NAT entry. In order to fix this issue, Identity NAT must be created in the appropriate order.
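The split-tunnel check described above as an added example, not from the document: given the group policy's tunnel mode and network list, report which posture-related destinations (ISE PSN, discovery host, enroll.cisco.com, remediation server) would bypass the tunnel. It generalizes slightly to both include and exclude style split tunnelling; every address, including the resolved address used for enroll.cisco.com, is an assumed placeholder.

```python
import ipaddress

# Constructed destinations the posture flow depends on. Addresses are assumed
# placeholders; enroll.cisco.com in particular must be resolved in your own
# environment, the value below is not its real address.
REQUIRED = {
    "ISE PSN": "10.10.10.5",
    "discovery host (posture profile)": "10.10.10.1",
    "enroll.cisco.com (assumed resolved address)": "203.0.113.50",
    "remediation server": "10.10.10.20",
}

def tunneled(policy, ip):
    """True if a destination is carried inside the VPN tunnel under the policy.
    policy = {"mode": "tunnelall" | "include" | "exclude", "networks": [...]}."""
    addr = ipaddress.ip_address(ip)
    listed = any(addr in ipaddress.ip_network(n) for n in policy["networks"])
    if policy["mode"] == "tunnelall":
        return True                   # default Group Policy in the document
    if policy["mode"] == "include":
        return listed                 # only listed networks enter the tunnel
    return not listed                 # exclude: listed networks bypass the tunnel

def split_tunnel_gaps(policy, required=REQUIRED):
    """Names of required posture destinations that would bypass the tunnel."""
    return [name for name, ip in required.items() if not tunneled(policy, ip)]

if __name__ == "__main__":
    full = {"mode": "tunnelall", "networks": []}
    split = {"mode": "include", "networks": ["10.10.0.0/16"]}   # internal networks only
    print(split_tunnel_gaps(full))    # nothing missing
    print(split_tunnel_gaps(split))   # the enroll.cisco.com probe is left out of the tunnel
```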
First, check NAT rules for this device. Navigate to Devices > NAT and then click Add Rule to create a new rule.
In the opened window, under the Interface Objects tab, select Security Zones. In this example, NAT entry is created from ZONE-INSIDE to ZONE-OUTSIDE.
Under the Translation tab, select original and translated packet details. As it is Identity NAT, source and destination are kept unchanged:
Under the Advanced tab, check the checkboxes shown in the image: