Configure RA VPN with LDAP Authentication and Authorization for FTD

2024-11-22

Introduction

This document describes how to configure Remote Access VPN with LDAP Authentication and Authorization on a Firepower Threat Defense (FTD) managed by a Firepower Management Center (FMC).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of how Remote Access VPN (RA VPN) works.
  • Understand navigation through the Firepower Management Center (FMC).
  • Configuration of Lightweight Directory Access Protocol (LDAP) services on Microsoft Windows Server.

Components Used

The information in this document is based on these software versions:

  • Cisco Firepower Management Center version 7.3.0
  • Cisco Firepower Threat Defense version 7.3.0
  • Microsoft Windows Server 2016, configured as LDAP server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

This document describes the configuration of Remote Access VPN (RA VPN) with Lightweight Directory Access Protocol (LDAP) authentication and authorization on a Firepower Threat Defense (FTD) managed by a Firepower Management Center (FMC).

LDAP is an open, vendor-neutral, industry-standard application protocol to access and maintain distributed directory information services.

An LDAP attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Then, when the AD or LDAP server returns authentication responses to the FTD device during a remote access VPN connection establishment, the FTD device can use the information to adjust how the AnyConnect client completes the connection.

RA VPN with LDAP authentication has been supported on the FMC since version 6.2.1. Prior to FMC version 6.7.0, LDAP authorization had to be configured via FlexConfig in order to define the LDAP Attribute Map and associate it with the Realm Server. As of version 6.7.0, this feature is integrated into the RA VPN configuration wizard on the FMC and no longer requires FlexConfig.

Note: This feature requires the FMC to be on version 6.7.0; whereas, the managed FTD can be on any version higher than 6.3.0.

License Requirements

Requires AnyConnect Apex, AnyConnect Plus, or AnyConnect VPN Only license with export-controlled functionality enabled.

In order to check the license, navigate to System > Licenses > Smart Licenses.

Configuration Steps on FMC

REALM / LDAP Server Configuration

Note: These steps are only required if you configure a new REALM / LDAP server. If you have a pre-configured server that can be used for authentication in RA VPN, skip to RA VPN Configuration.

Step 1. Navigate to System > Other Integrations > Realms, as shown in this image.

Step 2. As shown in the image, click Add a new realm.

Step 3. Provide the details of the AD server and directory. Click OK.

For the purpose of this demonstration:

Name: LDAP

Type: AD

AD Primary Domain: test.com

Directory Username: CN=Administrator,CN=Users,DC=test,DC=com

Directory Password: <Hidden>

Base DN: DC=test,DC=com

Group DN: DC=test,DC=com

Step 4. Click Save to save the realm/directory changes, as shown in this image.

Step 5. Toggle the state button to change the state of the server to Enabled, as shown in this image.

RA VPN Configuration

These steps are needed to configure the Group Policy, which is assigned to Authorized VPN users. If the Group Policy is already defined, move to Step 5.

Step 1. Navigate to Objects > Object Management.

Step 2: In the left pane, navigate to VPN > Group Policy.

Step 3: Click Add Group Policy.

Step 4: Provide the Group Policy values.

For the purpose of this demonstration:

Name: RA-VPN

Banner: ! Welcome to VPN !

Simultaneous Login Per User: 3 (Default)

Step 5. Navigate to Devices > VPN > Remote Access.

Step 6. Click Add a new configuration.

Step 7. Provide a Name for the RA VPN Policy. Choose the VPN protocol and choose the Targeted Devices. Click Next.

For the purpose of this demonstration:

Name: RA-VPN

VPN protocol: SSL

Targeted Devices: FTD

Step 8. For the Authentication Method, choose AAA Only. Choose the REALM / LDAP server as the Authentication Server. Click Configure LDAP Attribute Map (to configure LDAP Authorization).

Step 9. Provide the LDAP Attribute Name and the Cisco Attribute Name. Click Add Value Map.

For the purpose of this demonstration:

LDAP Attribute Name: memberOf

Cisco Attribute Name: Group-Policy

Step 10. Provide the LDAP Attribute Value and the Cisco Attribute Value. Click OK.

For the purpose of this demonstration:

LDAP Attribute Value: DC=tlalocan,DC=sec

Cisco Attribute Value: RA-VPN

Note: You can add more Value Maps as required.

Step 11. Add the Address Pool for the local address assignment. Click OK.

Step 12. Provide the Connection Profile Name and the Group-Policy. Click Next.

For the purpose of this demonstration:

Connection Profile Name: RA-VPN

Authentication Method: AAA Only

Authentication Server: LDAP

IPv4 Address Pool: VPN-Pool

Group-Policy: No-Access

Note: The Authentication Method, Authentication Server, and the IPv4 Address Pool were configured in previous steps.

The No-Access group policy has the Simultaneous Login Per User parameter set to 0, so that users who receive the default No-Access group policy are not able to log in.

Step 13. Click Add new AnyConnect image in order to add an AnyConnect Client Image to the FTD.

Step 14. Provide a Name for the uploaded image and browse the local storage to upload the image. Click Save.

Step 15. Click the check box next to the image in order to enable it for use. Click Next.

Step 16. Choose the Interface group/Security Zone and the Device Certificate. Click Next.

For the purpose of this demonstration:

Interface group / Security Zone: Out-zone

Device Certificate: Self-Signed

Note: You can choose to enable the Bypass Access Control policy option in order to bypass any access control check for encrypted (VPN) traffic (disabled by default).

Step 17. View the summary of the RA VPN configuration. Click finish to save, as shown in the image.

Step 18. Navigate to Deploy > Deployment. Choose the FTD to which the configuration needs to be deployed. Click Deploy.

The following configuration is pushed to the FTD CLI after successful deployment:

!--- LDAP Server Configuration ---!

ldap attribute-map LDAP
  map-name memberOf Group-Policy
  map-value memberOf DC=tlalocan,DC=sec RA-VPN

aaa-server LDAP protocol ldap
 max-failed-attempts 4
 realm-id 2
aaa-server LDAP host 10.106.56.137
 server-port 389
 ldap-base-dn DC=tlalocan,DC=sec
 ldap-group-base-dn DC=tlalocan,DC=sec
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=test,DC=com
 server-type microsoft
 ldap-attribute-map LDAP

!--- RA VPN Configuration ---!

webvpn
 enable outside
 anyconnect image disk0:/csm/anyconnect-win-4.10.07061-webdeploy-k9.pkg 1 regex "Mac"
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable

ssl trust-point Self-Signed

group-policy No-Access internal
group-policy No-Access attributes
 vpn-simultaneous-logins 0
 vpn-idle-timeout 30

!--- Output Omitted ---!

 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none

group-policy RA-VPN internal
group-policy RA-VPN attributes
 banner value ! Welcome to VPN !
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30

!--- Output Omitted ---!

 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none

ip local pool VPN-Pool 10.72.1.1-10.72.1.150 mask 255.255.255.0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP
 default-group-policy No-Access
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable

Verify

On the AnyConnect client, log in with credentials of a valid VPN user group member, and you get the correct group policy assigned by the LDAP Attribute Map:

From the LDAP debug snippet (debug ldap 255), you can see that there is a match on the LDAP Attribute Map:

Authentication successful for test to 10.106.56.137

memberOf: value = DC=tlalocan,DC=sec
mapped to Group-Policy: value = RA-VPN
mapped to LDAP-Class: value = RA-VPN

On the AnyConnect client, log in with credentials of a user who is not a member of the mapped VPN user group, and you get the No-Access group policy.

%FTD-6-113004: AAA user authentication Successful : server = 10.106.56.137 : user = Administrator
%FTD-6-113009: AAA retrieved default group policy (No-Access) for user = Administrator
%FTD-6-113013: AAA unable to complete the request Error : reason = Simultaneous logins exceeded for user : user = Administrator

From the LDAP debug snippet (debug ldap 255), you can see that there is no match on the LDAP Attribute Map:

Authentication successful for Administrator to 10.106.56.137

memberOf: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Group Policy Creator Owners,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=tlalocan,DC=sec
memberOf: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=IIS_IUSRS,CN=Builtin,DC=tlalocan,DC=sec
memberOf: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
mapped to Group-Policy: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
mapped to LDAP-Class: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec
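As an added example that is not part of the Cisco document, the Python model below replays the authorization decision shown in the two debug snippets above: the attribute map, the group policies and the memberOf lines are constructed from the values in this article, and the matching logic is a simplified model of the FTD behaviour described here, not Cisco code.

```python
# Added example, not from the Cisco document: an offline model of how the FTD
# applies this article's LDAP attribute map to a user's memberOf values and
# enforces the resulting group policy. All values are constructed from the text.
import re
from typing import Dict, List, Tuple

# ldap attribute-map LDAP / map-value memberOf <LDAP value> <Cisco value>
ATTRIBUTE_MAP: Dict[str, Dict[str, str]] = {"memberOf": {"DC=tlalocan,DC=sec": "RA-VPN"}}
# group-policy <name> attributes / vpn-simultaneous-logins <n>
GROUP_POLICIES: Dict[str, int] = {"RA-VPN": 3, "No-Access": 0}
DEFAULT_GROUP_POLICY = "No-Access"  # default-group-policy on tunnel-group RA-VPN
_DEBUG_RE = re.compile(r"^\s*memberOf:\s*value\s*=\s*(.+?)\s*$", re.MULTILINE)

def memberof_from_debug(debug_text: str) -> List[str]:
    """Pull the memberOf values out of a 'debug ldap 255' snippet."""
    return _DEBUG_RE.findall(debug_text)

def map_group_policy(memberof: List[str]) -> List[str]:
    """Mirror the 'mapped to Group-Policy' debug lines: a configured LDAP value
    becomes its Cisco value, any other value passes through unchanged."""
    table = ATTRIBUTE_MAP["memberOf"]
    return [table.get(value, value) for value in memberof]

def select_group_policy(memberof: List[str]) -> str:
    """First mapped value that names an existing group policy wins; otherwise
    the tunnel-group default applies (syslog 113009 in the article)."""
    for candidate in map_group_policy(memberof):
        if candidate in GROUP_POLICIES:
            return candidate
    return DEFAULT_GROUP_POLICY

def authorize(memberof: List[str], active_sessions: int = 0) -> Tuple[str, bool]:
    """Return (group policy, allowed). No-Access permits 0 simultaneous logins,
    so an unmatched user is refused (syslog 113013): the default is a deny."""
    policy = select_group_policy(memberof)
    return policy, active_sessions + 1 <= GROUP_POLICIES[policy]

# Constructed snippets modelled on the two debug outputs in the article.
VALID_USER_DEBUG = "memberOf: value = DC=tlalocan,DC=sec\n"
ADMIN_USER_DEBUG = ("memberOf: value = CN=Domain Admins,CN=Users,DC=tlalocan,DC=sec\n"
                    "memberOf: value = CN=Administrators,CN=Builtin,DC=tlalocan,DC=sec\n")

if __name__ == "__main__":
    for user, snippet in (("test", VALID_USER_DEBUG), ("Administrator", ADMIN_USER_DEBUG)):
        policy, allowed = authorize(memberof_from_debug(snippet))
        print(f"{user}: {policy} -> {'allowed' if allowed else 'denied'}")
```

Pasting a real debug ldap 255 snippet into memberof_from_debug shows which group policy the map would yield before the change is deployed.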