What special enterprise VPN supported by Cisco devices creates VPN tunnels?
How does a virtual private network (VPN) work?
A VPN extends a corporate network through encrypted connections made over the Internet. Because the traffic is encrypted between the device and the network, traffic remains private as it travels. An employee can work outside the office and still securely connect to the corporate network. Even smartphones and tablets can connect through a VPN.
What is secure remote access?
Secure remote access provides a safe, secure way to connect users and devices remotely to a corporate network. It includes VPN technology that uses strong ways to authenticate the user or device. VPN technology is available to check whether a device meets certain requirements, also called a device's posture, before it is allowed to connect remotely.
Is VPN traffic encrypted?
Yes, traffic on the virtual network is sent securely by establishing an encrypted connection across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet, or smartphone is encrypted as it travels through this tunnel. Offsite employees can then use the virtual network to access the corporate network.
Remote Access VPN
Secure Firewall Threat Defense Remote Access VPN Overview
Secure Firewall Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-IKEv2 VPNs. The full tunnel client, AnyConnect Secure Mobility Client, provides secure SSL and IPsec-IKEv2 connections to the security gateway for remote users. AnyConnect is the only client supported on endpoint devices for remote VPN connectivity to Secure Firewall Threat Defense devices. The client gives remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators to install and configure clients on remote computers. The AnyConnect mobile client for Windows, Mac, and Linux is deployed from the secure gateway upon connectivity. The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store. Use the Remote Access VPN Policy wizard in the Secure Firewall Management Center to quickly and easily set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration if desired and deploy it to your Secure Firewall Threat Defense secure gateway devices. You can configure the following settings using the remote access VPN policy:
You can use the following examples to allocate limited bandwidth to VPN users and to use the VPN identity for user-ID-based access control rules:
Remote Access VPN Features
The following section describes the features of Secure Firewall Threat Defense remote access VPN:
AAA
VPN Tunneling
Monitoring
AnyConnect Components
AnyConnect Secure Mobility Client Deployment
Your remote access VPN policy can include the AnyConnect Client Image and an AnyConnect Client Profile for distribution to connecting endpoints. Or, the client software can be distributed using other methods. See the Deploy AnyConnect chapter in the appropriate version of the Cisco AnyConnect Secure Mobility Client Administrator Guide. Without a previously installed client, remote users enter in their browser the IP address of an interface configured to accept SSL or IPsec-IKEv2 VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, remote users must enter the URL in the form https://address. After the user enters the URL, the browser connects to that interface and displays the login screen. After a user logs in, if the secure gateway identifies the user as requiring the VPN client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection stops. In the case of a previously installed client, after login, the Secure Firewall Threat Defense security gateway examines the client version and upgrades it as necessary.
AnyConnect Secure Mobility Client Operation
When the client negotiates a connection with the security appliance, the client connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
When an IPsec-IKEv2 VPN client initiates a connection to the secure gateway, negotiation consists of authenticating the device through Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth). The group profile is pushed to the VPN client and an IPsec security association (SA) is created to complete the VPN.
AnyConnect Client Profile and Editor
An AnyConnect client profile is a group of configuration parameters, stored in an XML file, that the VPN client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features. You can configure a profile using the AnyConnect Profile Editor. This editor is a convenient GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the Secure Firewall Management Center.
Remote Access VPN Authentication
Remote Access VPN Server Authentication
Secure Firewall Threat Defense secure gateways always use certificates to identify and authenticate themselves to the VPN client endpoint. While setting up the remote access VPN configuration using the wizard, you can enroll the selected certificate on the targeted Secure Firewall Threat Defense device. In the wizard, in the Access & Certificate phase, select the "Enroll the selected certificate object on the target devices" option. The certificate enrollment is then initiated automatically on the specified devices. As you complete the Remote Access VPN configuration, you can view the status of the enrolled certificate on the device certificate page. The status shows whether the certificate enrollment was successful or not. Your Remote Access VPN configuration is then fully completed and ready for deployment. Obtaining a certificate for the secure gateway, also known as PKI enrollment, is explained in Certificates.
This chapter contains a full description of configuring, enrolling, and maintaining gateway certificates.
Remote Access VPN Client AAA
For both SSL and IPsec-IKEv2, remote user authentication is done using usernames and passwords only, certificates only, or both.
AAA servers enable managed devices acting as secure gateways to determine who a user is (authentication), what the user is permitted to do (authorization), and what the user did (accounting). Some examples of AAA servers are RADIUS, LDAP/AD, TACACS+, and Kerberos. For Remote Access VPN on Secure Firewall Threat Defense devices, AD, LDAP, and RADIUS AAA servers are supported for authentication. Refer to the section Understanding Policy Enforcement of Permissions and Attributes to understand more about remote access VPN authorization. Before you add or edit the Remote Access VPN policy, you must configure the Realm and RADIUS server groups you want to specify. For more information, see Create a Realm and Realm Directory and Add a RADIUS Server Group. Without DNS configured, the device cannot resolve AAA server names, named URLs, or CA servers specified by FQDN or hostname; it can only resolve IP addresses. The login information provided by a remote user is validated by an LDAP or AD realm or a RADIUS server group. These entities are integrated with the Secure Firewall Threat Defense secure gateway.
Once authenticated via a VPN connection, the remote user takes on a VPN Identity. This VPN Identity is used by identity policies on the Secure Firewall Threat Defense secure gateway to recognize and filter network traffic belonging to that remote user. Identity policies are associated with access control policies, which determine who has access to network resources. In this way, the remote user is blocked from or allowed to access your network resources. For more information, see the About Identity Policies and Access Control Policies sections.
Understanding Policy Enforcement of Permissions and Attributes
The Secure Firewall Threat Defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from an external authentication server and/or authorization AAA server (RADIUS) or from a group policy on the Secure Firewall Threat Defense device. If the Secure Firewall Threat Defense device receives attributes from the external AAA server that conflict with those configured on the group policy, then the attributes from the AAA server always take precedence. The Secure Firewall Threat Defense device applies attributes in the following order:
Understanding AAA Server Connectivity
LDAP, AD, and RADIUS AAA servers must be reachable from the Secure Firewall Threat Defense device for your intended purposes: user-identity handling only, VPN authentication only, or both activities. AAA servers are used in remote access VPN for the following activities:
For both activities on the same AAA servers, in addition to making the servers reachable over the Management interface for user-identity handling, do one of the following to provide VPN authentication access to the same AAA servers:
For more information about various interfaces, see Regular Firewall Interfaces. After deployment, use the following CLI commands to monitor and troubleshoot AAA server connectivity from the Secure Firewall Threat Defense device:
License Requirements for Remote Access VPN
Threat Defense License
Threat Defense remote access VPN requires Strong Encryption and one of the following licenses for AnyConnect:
Requirements and Prerequisites for Remote Access VPN
Model Support: Threat Defense
Supported Domains: Any
User Roles: Admin
Guidelines and Limitations for Remote Access VPNs
Remote Access VPN Policy Configuration
Concurrent VPN Sessions Capacity Planning (threat defense virtual Models)
The maximum concurrent VPN sessions are governed by the installed threat defense virtual smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.
Concurrent VPN Sessions Capacity Planning (Hardware Models)
The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.
For capacity of other hardware models, contact your sales representative.
Controlling Cipher Usage for VPN
To prevent use of ciphers greater than DES, pre-deployment checks are available at the following locations in the Secure Firewall Management Center: For more information about SSL settings and IPsec, see Configure SSL Settings and Configure Remote Access VPN IPsec/IKEv2 Parameters.
Authentication, Authorization, and Accounting
Client Certificates
Unsupported Features of AnyConnect
The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser. The following AnyConnect features are not supported when connecting to a threat defense secure gateway:
Configuring a New Remote Access VPN Connection
This section provides instructions to configure a new remote access VPN policy with Secure Firewall Threat Defense devices as VPN gateways and Cisco AnyConnect as the VPN client.
Prerequisites for Configuring Remote Access VPN
Create a New Remote Access VPN Policy
You can add a new remote access VPN policy only by using the Remote Access VPN Policy wizard. The wizard guides you to quickly and easily set up remote access VPNs with basic capabilities. Further, you can enhance the policy configuration by specifying additional attributes as desired and deploy it to your Secure Firewall Threat Defense secure gateway devices.
Before you begin
Procedure
Update the Access Control Policy on the Secure Firewall Threat Defense Device
Before deploying the remote access VPN policy, you must update the access control policy on the targeted Secure Firewall Threat Defense device with a rule that allows VPN traffic. The rule must allow all traffic coming in from the outside interface, with source as the defined VPN pool networks and destination as the corporate network.
Before you begin
Complete the remote access VPN policy configuration using the Remote Access VPN Policy wizard.
Procedure
(Optional) Configure NAT Exemption
NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption enables you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT). Use static identity NAT to consider ports in the access list.
Before you begin
Check whether NAT is configured on the targeted devices where the remote access VPN policy is deployed. If NAT is enabled on the targeted devices, you must define a NAT policy to exempt VPN traffic.
Procedure
Configure DNS
Configure DNS on each Secure Firewall Threat Defense device in order to use remote access VPN. Without DNS, the devices cannot resolve AAA server names, named URLs, or CA servers specified by FQDN or hostname; they can only resolve IP addresses.
Procedure
Add an AnyConnect Client Profile XML File
An AnyConnect client profile is a group of configuration parameters stored in an XML file that the client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features. You can create an AnyConnect client profile using the AnyConnect Profile Editor. This editor is a GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the management center. For more information about the AnyConnect Profile Editor, see the Cisco AnyConnect Secure Mobility Client Administrator Guide.
Before you begin
Download the AnyConnect Profile Editor from the Cisco Software Download Center.
Procedure
(Optional) Configure Split Tunneling
Split tunneling allows VPN connectivity to a remote network across a secure tunnel, and it also allows connectivity to a network outside the VPN tunnel. You can configure split tunneling if you want to allow your VPN users to access an outside network while they are connected to a remote access VPN. To configure a split-tunnel list, you must create a Standard Access List or Extended Access List. For more information, see Configuring Group Policies.
Procedure
Verify the Configuration
Procedure
Create a Copy of an Existing Remote Access VPN Policy
You can copy an existing remote access VPN policy to create a new one with all the settings, including the connection profiles and access interfaces. You can then assign devices to the new policy and deploy the VPN on the assigned devices as required. Copying a policy is useful when you want to retain most of the settings or create a backup of a VPN policy.
Procedure
Setting Target Devices for a Remote Access VPN Policy
You can add targeted devices while you create a new remote access VPN policy, or change them later.
Procedure
What to do next
Associating a Local Realm with a Remote Access VPN Policy
When a local realm is created and local users are added, you can add it to a remote access VPN to enable local user authentication. For information about creating and managing realms, see Manage a Realm. For information about configuring local user authentication for remote access VPNs, see Configure AAA Settings for Remote Access VPN.
Procedure
What to do next
Additional Remote Access VPN Configurations
Configure Connection Profile Settings
A remote access VPN policy contains the connection profiles targeted for specific devices. These policies pertain to creating the tunnel itself, such as how AAA is accomplished and how addresses are assigned (DHCP or address pools) to VPN clients. They also include user attributes, which are identified in group policies configured on the threat defense device or obtained from a AAA server. A device also provides a default connection profile named DefaultWEBVPNGroup. The connection profile that is configured using the wizard appears in the list.
Procedure
Configure Multiple Connection Profiles
If you decide to grant different rights to different groups of VPN users, then you can configure specific connection profiles or group policies for each of the user groups. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely. You can configure only one connection profile when you create a VPN policy using the Remote Access Policy wizard. You can add more connection profiles later. A device also provides a default connection profile named DefaultWEBVPNGroup.
Before you begin
Ensure that you have configured remote access VPN using the Remote Access Policy wizard with a connection profile.
Procedure
Configure IP Addresses for VPN Clients
Client address assignment provides a means of assigning IP addresses to remote access VPN users. You can configure IP address assignment for remote VPN clients from local IP address pools, DHCP servers, and AAA servers. Addresses from AAA servers are assigned first, followed by the other sources. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pool(s) defined in this connection profile are used only if no IP pools are defined in the group policy associated with the connection profile or in the system default group policy DfltGrpPolicy. IPv4 Address Pools: SSL VPN clients receive new IP addresses when they connect to the Secure Firewall Threat Defense device. Address pools define a range of addresses that remote clients can receive. Select an existing IP address pool. You can add a maximum of six pools each for IPv4 and IPv6 addresses.
Procedure
Configure AAA Settings for Remote Access VPN
Before you begin
Procedure
RADIUS Server Attributes for Secure Firewall Threat Defense
The Secure Firewall Threat Defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from the external RADIUS server that is configured for authentication and/or authorization in the remote access VPN policy.
The following user authorization attributes are sent to the Secure Firewall Threat Defense device from the RADIUS server.
Create or Update Aliases for a Connection Profile
Aliases contain alternate names or URLs for a specific connection profile. Remote Access VPN administrators can enable or disable the alias names and alias URLs. VPN users can choose an alias name when they connect to the Secure Firewall Threat Defense device. Alias names for all connections configured on this device can be turned on or off for display. You can also configure the list of alias URLs, which your endpoints can select while initiating the Remote Access VPN connection. If users connect using an alias URL, the system automatically logs them in using the connection profile that matches the alias URL.
Procedure
Configure Access Interfaces for Remote Access VPN
The Access Interface table lists the interface groups and security zones that contain the device interfaces. These are configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security (DTLS) is enabled.
Procedure
Configuring Remote Access VPN Advanced Options
Cisco AnyConnect Secure Mobility Client Image
The Cisco AnyConnect Secure Mobility Client provides secure SSL or IPsec (IKEv2) connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. Without a previously installed client, remote users can enter in their browser the IP address of an interface configured to accept clientless VPN connections to download and install the AnyConnect client. The Secure Firewall Threat Defense device downloads the client that matches the operating system of the remote computer. After downloading, the client installs and establishes a secure connection. In the case of a previously installed client, when the user authenticates, the Secure Firewall Threat Defense device examines the version of the client and upgrades the client if necessary. The Remote Access VPN administrator associates any new or additional AnyConnect client images with the VPN policy. The administrator can unassociate unsupported or end-of-life client packages that are no longer required. The Secure Firewall Management Center determines the type of operating system by using the file package name. If the user renamed the file without indicating the operating system information, the valid operating system type must be selected from the list box. Download the AnyConnect client image file from the Cisco Software Download Center.
Adding a Cisco AnyConnect Mobility Client Image to the Secure Firewall Management Center
You can upload the Cisco AnyConnect Mobility Client image to the Secure Firewall Management Center by using the AnyConnect File object. For more information, see File Objects. For more information about the client image, see Cisco AnyConnect Secure Mobility Client Image. Click the Show re-order link to view a specific client image.
Procedure
Update AnyConnect Images for Remote Access VPN Clients
Instructions in this section help you deliver new AnyConnect client images to remote access VPN clients connecting to a Secure Firewall Threat Defense VPN gateway.
Before you begin
Ensure that the following configurations are complete before updating your AnyConnect images:
Procedure
Add a Cisco AnyConnect External Browser Package to the Secure Firewall Management Center
If you have an AnyConnect external browser package image on your local disk, use this procedure to upload it to the Secure Firewall Management Center. After you upload the external browser package, you can update the external browser package for your remote access VPN connections. You can upload the Cisco AnyConnect external browser package file to the Secure Firewall Management Center by using the AnyConnect File object. For more information, see File Objects.
Points to Remember
Procedure
Remote Access VPN Address Assignment Policy
The Secure Firewall Threat Defense device can use an IPv4 or IPv6 policy for assigning IP addresses to Remote Access VPN clients. If you configure more than one address assignment method, the Secure Firewall Threat Defense device tries each of the options until it finds an IP address. You can use the IPv4 or IPv6 policy to assign an IP address to Remote Access VPN clients. The IPv4 policy is tried first, followed by the IPv6 policy.
Configure Certificate Maps
Certificate maps let you define rules matching a user certificate to a connection profile based on the contents of the certificate fields. Certificate maps are used for certificate authentication on secure gateways. The rules, or certificate maps, are defined in Certificate Map Objects.
Procedure
Configuring Group Policies
A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience. For example, in the group policy object, you configure general attributes such as addresses, protocols, and connection settings. The group policy applied to a user is determined when the VPN tunnel is being established. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.
Procedure
Configuring LDAP Attribute Mapping
An LDAP attribute map maps an LDAP user or group attribute name to a name that the Cisco device understands. The attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Any standard LDAP attribute can be mapped to a well-known vendor-specific attribute (VSA). One or more LDAP attributes can be mapped to one or more Cisco LDAP attributes. When the AD or LDAP server returns an authentication response to the threat defense device during remote access VPN connection establishment, the threat defense device can use the information to adjust how the AnyConnect VPN client completes the connection. When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy sets to each user based on their credentials. You can achieve this in threat defense by configuring LDAP authorization with LDAP attribute maps. In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory (AD) attribute memberOf, to the VPN-Group attribute that is understood by the VPN headend. An LDAP attribute map consists of three components:
When a user connects to the remote access VPN, if the memberOf field matches the configured value, then the group policy VPN-Group is applied to the user's VPN session. The group policies used in an LDAP attribute map are added to the list of group policies in a remote access VPN configuration. When a group policy is removed from a remote access VPN configuration, the associated LDAP attribute mapping is also removed.
Procedure
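The three authorization rules this page states (an LDAP memberOf value selecting a group policy through an attribute map, AAA-returned attributes overriding conflicting group-policy attributes, and connection-profile address pools being used only when neither the group policy nor DfltGrpPolicy defines any) are modelled in the following added Python example. It is an illustrative model written for this page, not Cisco's implementation; all user entries, group names, attribute names other than memberOf and VPN-Group, and pool names are constructed.

```python
# Added illustrative model of the authorization rules described on this
# page. Not Cisco's code; every name and value below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_GROUP_POLICY = "DfltGrpPolicy"  # system default group policy named on the page


@dataclass
class GroupPolicy:
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)  # attribute/value pairs
    ipv4_pools: List[str] = field(default_factory=list)     # constructed pool names


@dataclass
class LdapAttributeMap:
    # Modelled with three parts: the LDAP attribute name, the Cisco attribute
    # it maps to, and the LDAP-value -> Cisco-value mappings.
    ldap_attr: str
    cisco_attr: str
    value_map: Dict[str, str]


# Constructed sample configuration (hypothetical group policies and DNs).
GROUP_POLICIES = {
    "DfltGrpPolicy": GroupPolicy("DfltGrpPolicy", {"split-tunnel": "tunnelall", "vlan": 10}),
    "GP-Finance": GroupPolicy("GP-Finance", {"split-tunnel": "tunnelall", "vlan": 100}, ["POOL-FIN"]),
    "GP-Support": GroupPolicy("GP-Support", {"split-tunnel": "tunnelspecified", "vlan": 200}),
}

MEMBEROF_MAP = LdapAttributeMap(
    ldap_attr="memberOf",
    cisco_attr="VPN-Group",
    value_map={
        "CN=Finance,OU=Groups,DC=example,DC=com": "GP-Finance",
        "CN=Support,OU=Groups,DC=example,DC=com": "GP-Support",
    },
)


def resolve_group_policy(ldap_entry: Dict[str, object], attr_map: LdapAttributeMap,
                         connection_profile_policy: str = DEFAULT_GROUP_POLICY) -> str:
    """Apply the LDAP attribute map: the first memberOf value that has a mapping
    selects the group policy; with no match, the connection profile's policy is used."""
    values = ldap_entry.get(attr_map.ldap_attr, [])
    if isinstance(values, str):          # LDAP may return a single value or a list
        values = [values]
    for value in values:
        mapped = attr_map.value_map.get(value)
        if mapped is not None:
            return mapped
    return connection_profile_policy


def effective_attributes(group_policy: GroupPolicy, aaa_attrs: Dict[str, object]) -> Dict[str, object]:
    """Merge group-policy attributes with attributes returned by the AAA server.
    On a conflict the AAA server's value always takes precedence."""
    merged = dict(group_policy.attrs)
    merged.update(aaa_attrs)
    return merged


def select_ipv4_pools(group_policy: GroupPolicy, connection_profile_pools: List[str]) -> List[str]:
    """Connection-profile pools are used only if neither the group policy nor
    DfltGrpPolicy defines any pools (the page's rule, read as group policy first)."""
    if group_policy.ipv4_pools:
        return list(group_policy.ipv4_pools)
    default_policy = GROUP_POLICIES[DEFAULT_GROUP_POLICY]
    if default_policy.ipv4_pools:
        return list(default_policy.ipv4_pools)
    return list(connection_profile_pools)


def authorize(ldap_entry: Dict[str, object], aaa_attrs: Dict[str, object],
              connection_profile_pools: List[str]) -> Dict[str, object]:
    """Run one constructed user through all three rules and return the outcome."""
    gp_name = resolve_group_policy(ldap_entry, MEMBEROF_MAP)
    gp = GROUP_POLICIES[gp_name]
    return {
        "group_policy": gp_name,
        "attributes": effective_attributes(gp, aaa_attrs),
        "ipv4_pools": select_ipv4_pools(gp, connection_profile_pools),
    }


if __name__ == "__main__":
    # Constructed user in the Support group; the RADIUS server returns vlan=250,
    # which overrides the group policy's vlan=200.
    user = {"memberOf": ["CN=Support,OU=Groups,DC=example,DC=com"]}
    print(authorize(user, {"vlan": 250}, ["POOL-CP"]))
```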
Configuring VPN Load Balancing
About VPN Load Balancing
VPN load balancing in threat defense allows you to group two or more devices logically and distribute remote access VPN sessions among the devices equally. VPN load balancing shares AnyConnect VPN sessions among the devices in a load balancing group. VPN load balancing is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of two or more threat defense devices. One device acts as the director, and the other devices are member devices. Devices in a group do not need to be of the exact same type, or have identical software versions or configurations. Any threat defense device that supports remote access VPN can participate in a load balancing group. Threat Defense supports VPN load balancing with AnyConnect SAML authentication. All active devices in a VPN load-balancing group carry session loads. VPN load balancing directs traffic to the least-loaded device in the group, distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Components of VPN Load Balancing
Following are the components of VPN load balancing:
Prerequisites for VPN Load Balancing
Guidelines and Limitations for VPN Load Balancing
Configure Group Settings for VPN Load Balancing
Procedure
Configure Additional Settings for Load Balancing
Procedure
Configure Settings for Participating Devices
The device participation settings determine how the devices share load in VPN load balancing. Configure a participating device by enabling VPN load balancing on the device and defining device-specific properties. These values vary from device to device. You can provide a priority number for the devices participating in load balancing; a higher priority number gives a device a better chance of becoming the director over other devices. But you cannot select a device to be the director of the group.
Procedure
Configuring IPsec Settings for Remote Access VPNs
The IPsec settings are applicable only if you selected IPsec as the VPN protocol while configuring your remote access VPN policy. If not, you can enable IKEv2 using the Edit Access Interface dialog box. See Configure Access Interfaces for Remote Access VPN for more information.
Procedure
Configure Remote Access VPN Crypto Maps
Crypto maps are automatically generated for the interfaces on which the IPsec-IKEv2 protocol has been enabled. You can add or remove interface groups for the selected VPN policy in Access Interface. See Configure Access Interfaces for Remote Access VPN for more information.
Procedure
IKE Policies in Remote Access VPNs
Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate a connection. An IKE proposal is a set of algorithms that two peers use to secure the negotiation between them. IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters are used to protect subsequent IKE negotiations.
Unlike IKEv1, an IKEv2 proposal lets you select multiple algorithms and modulus groups in one policy. Because the peers choose among the offered options during the Phase 1 negotiation, a single IKE proposal can be sufficient; still, consider configuring multiple, different proposals so that your most preferred options are given the highest priority. For IKEv2, the policy object does not specify authentication; other policies must define the authentication requirements. An IKE policy is required when you configure a remote access IPsec VPN.
Configuring Remote Access VPN IKE Policies
The IKE Policy table specifies all the IKE policy objects applicable for the selected VPN configuration when AnyConnect endpoints connect using the IPsec protocol. For more information, see IKE Policies in Remote Access VPNs.
Procedure
Configure Remote Access VPN IPsec/IKEv2 Parameters
Procedure
Configure AnyConnect Management VPN Tunnel
A management VPN tunnel provides connectivity to the corporate network whenever a client system is powered up, without the VPN users having to connect to the VPN. This helps organizations keep their endpoints up to date with software patches and updates. The management tunnel disconnects when the user-initiated VPN tunnel is established. This section provides information about configuring an AnyConnect management VPN tunnel on threat defense. Configuring an AnyConnect management tunnel on threat defense using the management center web interface requires the following settings:
For detailed instructions to configure an AnyConnect Management VPN tunnel, see Configuring AnyConnect Management VPN Tunnel on Threat Defense.
Requirements and Prerequisites for AnyConnect Management VPN Tunnel
Software and Configuration Requirements
Ensure that you have the following before you configure the AnyConnect Management tunnel on threat defense using the management center web interface:
Certificate Requirements
Limitations of AnyConnect Management VPN Tunnel
Configuring AnyConnect Management VPN Tunnel on Threat DefenseProcedure
Multiple Certificate Authentication

Multiple certificate-based authentication lets the threat defense validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user's identity certificate, before allowing VPN access with the AnyConnect client during the SSL or IKEv2 EAP phase. The multiple certificates option allows certificate authentication of both the machine and the user. Without this option, you could do certificate authentication of either the machine or the user, but not both.

Limitations of Multiple Certificate Authentication
Configuring Multiple Certificate Authentication

Before you begin

Before you configure multiple certificate authentication, ensure that you have configured the certificate enrollment object that is used to obtain the identity certificate for each Secure Firewall Threat Defense device. For more information, see Certificate Map Objects.

Procedure
Customizing Remote Access VPN AAA Settings

This section provides information about customizing your AAA preferences for remote access VPNs. For more information, see Configure AAA Settings for Remote Access VPN.

Authenticate VPN Users via Client Certificates

You can configure remote access VPN authentication using a client certificate when you create a new remote access VPN policy using the wizard, or by editing the policy later.

Before you begin

Configure the certificate enrollment object that is used to obtain the identity certificate for each Secure Firewall Threat Defense device that acts as a VPN gateway.

Procedure
Configure Remote Access VPN Login via Client Certificate and AAA ServerWhen remote access VPN authentication is configured to use both client certificate and authentication server, VPN client authentication is done using both the client certificate validation and AAA server. Before you begin
Procedure
Manage Password Changes over VPN Sessions

Password management lets a remote access VPN administrator configure how remote access VPN users are notified before their password expires, so they can change it over the VPN session. Password management is available in the AAA settings with the authentication methods AAA Only and Client Certificate & AAA. For more information, see Configure AAA Settings for Remote Access VPN.

Procedure
Send Accounting Records to the RADIUS Server

Accounting records in remote access VPN help the VPN administrator track the services that users access and the amount of network resources they consume. Accounting information includes when user sessions start and stop, usernames, the number of bytes that pass through the device for each session, the service used, and the duration of each session. This data can then be analyzed for network management, client billing, or auditing. You can use accounting alone or together with authentication and authorization. When you activate AAA accounting, the network access server (here, the Secure Firewall Threat Defense device that terminates the VPN) reports user activity to the configured accounting server. You can configure a RADIUS server as the accounting server so that the threat defense device sends all user activity information to it; the Management Center deploys this configuration but does not relay the records itself.

Before you begin

Configure a RADIUS group object with the RADIUS servers to which authentication requests or accounting records will be sent. See RADIUS Server Group Options. Ensure that the RADIUS servers are reachable from the Secure Firewall Threat Defense device. Configure routing for the device in Secure Firewall Management Center at Devices > Device Management > Edit Device > Routing to ensure connectivity to the RADIUS server.

Procedure
Delegating Group Policy Selection to Authorization Server

The group policy applied to a user is determined while the VPN tunnel is being established. You can select a group policy for a connection profile when you create a remote access VPN policy with the wizard, or update it for the connection profile later. Alternatively, you can configure the AAA (RADIUS) server to assign the group policy; otherwise it is taken from the current connection profile. If the threat defense device receives attributes from the external AAA server that conflict with those configured on the connection profile, the attributes from the AAA server always take precedence. You can configure ISE or the RADIUS server to set the authorization profile for a user or user group by sending IETF RADIUS attribute 25 (Class) whose value names the corresponding group policy. Through a group policy assigned to a user or user group you can push a downloadable ACL, set a banner, restrict the VLAN, and configure the advanced option of applying an SGT to the session; these attributes are applied to every user in that group when the VPN connection is established. For more information, see the Configure Standard Authorization Policies section of the Cisco Identity Services Engine Administrator Guide and RADIUS Server Attributes for Secure Firewall Threat Defense.

Override the Selection of Group Policy or Other Attributes by the Authorization Server

When a remote access VPN user connects to the VPN, the group policy and other attributes configured in the connection profile are assigned to the user. However, the remote access VPN administrator can delegate the selection of the group policy and other attributes to the authorization server by configuring ISE or the RADIUS server to set an authorization profile for a user or user group. Once users are authenticated, these authorization attributes are pushed to the Secure Firewall Threat Defense device.
Before you beginEnsure that you configure a remote access VPN policy with RADIUS as the authentication server. Procedure
Deny VPN Access to a User GroupBefore you beginEnsure that you have configured remote access VPN using the Remote Access Policy wizard and configured authentication settings for the remote access VPN policy. Procedure
Restrict Connection Profile Selection for a User Group

When you want to enforce a single connection profile on a user or user group, you can disable the other connection profiles so that their group aliases or URLs are not available for the users to select when they connect using the AnyConnect VPN client. For example, if your organization wants to use specific configurations for different VPN user groups such as mobile users, corporate-issued laptop users, or personal laptop users, you can configure a connection profile specific to each of these user groups and apply the appropriate connection profile when the user connects to the VPN. The AnyConnect client, by default, shows a list of the connection profiles (by connection profile name, alias, or alias URL) configured in Secure Firewall Management Center and deployed on Secure Firewall Threat Defense. If custom connection profiles are not configured, AnyConnect shows the DefaultWEBVPNGroup connection profile. Use the following procedure to enforce a single connection profile for a user group.

Before you begin
Procedure
Update the AnyConnect Client Profile for Remote Access VPN Clients

An AnyConnect Client Profile is an XML file that contains administrator-defined end-user requirements and authentication policies, deployed on a VPN client system as part of AnyConnect. It makes preconfigured network profiles available to end users. You can use the GUI-based AnyConnect Profile Editor, an independent configuration tool, to create an AnyConnect Client Profile. The standalone profile editor can be used to create a new AnyConnect profile or modify an existing one. You can download the profile editor from the Cisco Software Download Center. See the AnyConnect Profile Editor chapter in the appropriate release of the Cisco AnyConnect Secure Mobility Client Administrator Guide for details.

Before you begin
Procedure
RADIUS Dynamic Authorization

Secure Firewall Threat Defense can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic access control lists (ACLs) or ACL names per user. To implement dynamic ACLs for dynamic authorization or RADIUS Change of Authorization (RADIUS CoA), you must configure the RADIUS server to support them. When the user tries to authenticate, the RADIUS server sends a downloadable ACL or ACL name to the Secure Firewall Threat Defense. Access to a given service is either permitted or denied by the ACL. Secure Firewall Threat Defense deletes the ACL when the authentication session expires.

Configuring RADIUS Dynamic Authorization

Before you begin:
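The two RADIUS mechanisms described in Delegating Group Policy Selection to Authorization Server and in RADIUS Dynamic Authorization above, as one added example that is not part of the original page or of Cisco's threat defense code. It encodes and decodes RADIUS attributes (RFC 2865 type/length/value, with Cisco Vendor-Specific sub-attributes), then applies them to a modeled VPN session: the Class attribute (25) in the form OU=<group-policy> overrides the connection profile's group policy, and cisco-avpair values of the form ip:inacl#N=<ace> build the per-user ACL, which is replaced by a CoA-Request and discarded when the session ends. The session class, the constructed byte strings and the rule that a CoA ACL replaces the previous one are assumptions; the page does not specify the wire format, and a real gateway must also verify the Authenticator of Access-Accept and CoA packets against the shared secret (RFC 5176) and accept CoA only from configured dynamic-authorization servers, which this example does not do.

```python
import struct
from dataclasses import dataclass, field

# RADIUS packet codes and attribute numbers (RFC 2865, RFC 5176).
CODE_ACCESS_ACCEPT = 2
CODE_DISCONNECT_REQUEST = 40
CODE_COA_REQUEST = 43
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor sub-attribute carrying "cisco-avpair" strings


def encode_avp(attr_type, value):
    """Serialize one attribute as type, length, value (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific (26) attribute for vendor 9."""
    inner = encode_avp(CISCO_AVPAIR, text.encode())
    return encode_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def decode_avps(payload):
    """Parse an attribute list; Cisco VSAs come back as ("cisco-avpair", str), others are ignored."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) >= 6:
                vendor = struct.unpack("!I", value[:4])[0]
                vtype, vlen = value[4], value[5]
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                    avps.append(("cisco-avpair", value[6:4 + vlen].decode(errors="replace")))
        else:
            avps.append((atype, value))
        i += alen
    return avps


@dataclass
class VpnSession:
    username: str
    group_policy: str                 # starts as the connection profile's group policy
    acl: list = field(default_factory=list)
    active: bool = True


def apply_authorization(session, avps):
    """Apply Access-Accept or CoA attributes; AAA-supplied values override the profile."""
    new_acl = []
    for atype, value in avps:
        if atype == ATTR_CLASS and value.startswith(b"OU="):
            session.group_policy = value[3:].decode()
        elif atype == "cisco-avpair" and value.startswith("ip:inacl#"):
            seq, _, ace = value[len("ip:inacl#"):].partition("=")
            new_acl.append((int(seq), ace))
    if new_acl:                       # assumption: a downloaded ACL replaces the previous one
        session.acl = sorted(new_acl)
    return session


def end_session(session):
    """On disconnect or expiry the downloaded ACL is discarded together with the session."""
    session.active = False
    session.acl = []
    return session


def handle_radius(session, code, avps):
    """Dispatch an already-authenticated packet by RADIUS code."""
    if code in (CODE_ACCESS_ACCEPT, CODE_COA_REQUEST):
        return apply_authorization(session, avps)
    if code == CODE_DISCONNECT_REQUEST:
        return end_session(session)
    raise ValueError(f"unhandled RADIUS code {code}")


# Constructed Access-Accept attribute list: group policy plus a two-entry ACL sent out of order.
SAMPLE_ACCESS_ACCEPT = (
    encode_avp(ATTR_CLASS, b"OU=Finance-GP")
    + encode_cisco_avpair("ip:inacl#2=deny ip any any")
    + encode_cisco_avpair("ip:inacl#1=permit tcp any host 10.1.1.5 eq 443")
)

if __name__ == "__main__":
    s = handle_radius(VpnSession("alice", "DfltGrpPolicy"), CODE_ACCESS_ACCEPT, decode_avps(SAMPLE_ACCESS_ACCEPT))
    print(s)
```

The parser rejects attributes whose length field runs past the payload rather than reading whatever follows, which is the usual failure mode in hand-written RADIUS decoders; the authorization step shows the precedence rule from the text (the server's Class value wins over the profile default) and that the ACL lives no longer than the session.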
Two-Factor Authentication

You can configure two-factor authentication for the remote access VPN. With two-factor authentication, the user must supply a username and static password, plus an additional item such as an RSA token or a passcode. Two-factor authentication differs from using a second authentication source in that two-factor is configured on a single authentication source, with the relationship to the RSA server tied to the primary authentication source. Secure Firewall Threat Defense supports RSA tokens and Duo Push authentication requests to Duo Mobile for the second factor, in conjunction with any RADIUS or AD server as the first factor in the two-factor authentication process.

Configuring RSA Two-Factor Authentication

About this task:

You can configure the RADIUS or AD server as the authentication agent in the RSA server, and use that server in Secure Firewall Management Center as the primary authentication source in the remote access VPN. When using this approach, the user must authenticate using a username that is configured in the RADIUS or AD server, and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token. In this configuration, it is typical to use a separate RADIUS server (such as one supplied in Cisco ISE) to provide authorization services. You would configure the second RADIUS server as the authorization and, optionally, accounting server.

Before you begin:

Ensure that the following configurations are complete before configuring RADIUS two-factor authentication on Secure Firewall Threat Defense:

On the RSA Server
For more information, see the RSA SecurID Suite documentation.

On the ISE Server
Configuring Duo Two-Factor Authentication

About this task:

You can configure the Duo RADIUS server as the primary authentication source. This approach uses the Duo RADIUS Authentication Proxy. (You cannot use a direct connection with the Duo Cloud Service over LDAPS.) For the detailed steps to configure Duo, see https://duo.com/docs/cisco-firepower. You would then configure Duo to forward authentication requests directed to the proxy server to another RADIUS server, or an AD server, as the first authentication factor, with the Duo Cloud Service as the second factor. When using this approach, the user must authenticate using a username that is configured both in the Duo Cloud Service and in the associated RADIUS or AD server. The user must enter the password configured in the RADIUS server, followed by one of the following Duo codes:
For more information on login options with examples, see https://guide.duo.com/anyconnect. Before you begin:Before configuring two-factor authentication with Duo Authentication Proxy on Secure Firewall Threat Defense, ensure that you complete the following configurations:
Secondary AuthenticationSecondary authentication or double authentication in Secure Firewall Threat Defense adds an additional layer of security to remote access VPN connections by using two different authentication servers. With secondary authentication enabled, an AnyConnect VPN user must provide two sets of credentials to login to the VPN gateway. Secure Firewall Threat Defense remote access VPN supports secondary authentication in AAA Only and Client Certificate & AAA authentication methods. Configure Remote Access VPN Secondary AuthenticationBefore you begin
Procedure
Single Sign-on Authentication with SAML 2.0

About SAML Single Sign-on Authentication

Security Assertion Markup Language (SAML) is an open standard for logging users into applications based on their sessions in another context. Organizations already know the identity of users when the users are logged in to their Active Directory (AD) domain or the intranet. They use this identity information to log users in to other applications, such as web-based applications, by using SAML. Individual applications do not need to store credentials, and users do not have to remember and manage different sets of credentials for individual applications. SAML single sign-on (SSO) works by transferring the user's identity from one place (the identity provider) to another (the service provider).

SAML Single Sign-on with Secure Firewall Threat Defense

The Secure Firewall Threat Defense device supports SAML 2.0 single sign-on (SSO) authentication for remote access VPN connections using the AnyConnect Secure Mobility Client. You need the following to configure SAML 2.0 SSO on Secure Firewall Threat Defense:
Guidelines and Limitations for SAML 2.0
Configuring a SAML Single Sign-on AuthenticationBefore you beginEnsure that you have done the following before you configure SAML single sign-on with threat defense remote access VPN:
Procedure
Configuring SAML Authorization

About SAML Authorization

SAML authorization supports user attributes delivered in SAML assertions within the AAA and Dynamic Access Policy (DAP) frameworks. The SAML assertion attributes can be configured on the identity provider as name-value pairs, and they are parsed as strings. The received attributes are made available to DAP so that they can be used when defining selection criteria within a DAP record. The SAML assertion attribute cisco_group_policy determines the group policy applied to the VPN session.

Dynamic Access Policy Attribute Representation

In the DAP table, the DAP attributes are represented in the following format:

aaa.saml.name = "value"

Example: aaa.saml.department = "finance"

This attribute can be used in DAP selection as follows:

Multi-Valued Attributes

Multi-valued attributes are also supported in DAP; the DAP table is indexed:

aaa.saml.name.1 = "value"
aaa.saml.name.2 = "value"

Active Directory memberOf Attributes

The Active Directory (AD) memberOf attribute receives special processing that is consistent with the way it is handled through an LDAP query: group names are represented by the CN attribute of the DN.

Example attributes received from the authorization server:

memberOf = "CN=FTD-VPN-Group,OU=Users,OU=TechspotUsers,DC=techspot,DC=us"
memberOf = "CN=Domain Admins,OU=Users,DC=techspot,DC=us"

Dynamic Access Policy attributes:

aaa.saml.memberOf.1 = "FTD-VPN-Group"
aaa.saml.memberOf.2 = "Domain Admins"

Interpretation of the cisco_group_policy Attribute

A group policy can be specified by a SAML assertion attribute. When the threat defense receives an attribute named cisco_group_policy, the corresponding value is used to select the connection's group policy. Because this attribute decides which policy the session receives, it must be taken only from an assertion whose signature, audience and validity period the threat defense has verified.

Configure SAML Authorization

Ensure that you have configured a single sign-on server such as Duo and completed the required Identity Provider (IdP) and Service Provider (SP) settings. For more information, see Single Sign-on Authentication with SAML 2.0.
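The attribute mapping described above, as an added example that is not part of the original page or of Cisco's threat defense code. It reads the AttributeStatement of a constructed (and unsigned) SAML assertion, builds the aaa.saml.* DAP representation including the memberOf CN extraction and the 1-based index for multi-valued attributes, picks the group policy from cisco_group_policy, and evaluates a simple DAP selection criterion. The assertion text, the rule that a single-valued attribute is not indexed, the DAP criterion syntax and the handling of escaped commas in DNs are assumptions; only the attribute names and values quoted on the page are taken from it. Signature, audience and timestamp validation happen before this step in a real deployment and are omitted here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (no Signature element; never trust such input unverified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@techspot.us</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=FTD-VPN-Group,OU=Users,OU=TechspotUsers,DC=techspot,DC=us</saml:AttributeValue>
      <saml:AttributeValue>CN=Domain Admins,OU=Users,DC=techspot,DC=us</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cisco_group_policy">
      <saml:AttributeValue>FTD-VPN-GP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion_attributes(xml_text):
    """Return {attribute name: [string values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def cn_of_dn(dn):
    """Group name = CN of the DN, as for an LDAP memberOf lookup.
    Assumption: RDNs are comma-separated and values contain no escaped commas."""
    for rdn in dn.split(","):
        key, _, val = rdn.partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return dn  # not a DN: keep the value as received


def to_dap_attributes(attrs):
    """Build the DAP table: aaa.saml.name for one value, aaa.saml.name.N (1-based) for several."""
    dap = {}
    for name, values in attrs.items():
        if name == "memberOf":
            values = [cn_of_dn(v) for v in values]
        if len(values) == 1:
            dap[f"aaa.saml.{name}"] = values[0]
        else:
            for i, v in enumerate(values, start=1):
                dap[f"aaa.saml.{name}.{i}"] = v
    return dap


def select_group_policy(attrs, profile_default="DfltGrpPolicy"):
    """cisco_group_policy in the assertion overrides the connection profile's group policy."""
    values = attrs.get("cisco_group_policy", [])
    return values[0] if values else profile_default


def dap_record_matches(dap, criteria):
    """A record selects when every (attribute, value) criterion holds; for an indexed
    (multi-valued) attribute any of its values satisfies the criterion (assumed semantics)."""
    for attr, wanted in criteria:
        candidates = [v for k, v in dap.items()
                      if k == attr or (k.startswith(attr + ".") and k[len(attr) + 1:].isdigit())]
        if wanted not in candidates:
            return False
    return True


if __name__ == "__main__":
    attrs = parse_assertion_attributes(SAMPLE_ASSERTION)
    print(to_dap_attributes(attrs), select_group_policy(attrs))
```

The memberOf values in the constructed assertion are the two DNs quoted on the page, so the resulting DAP table reproduces the aaa.saml.memberOf.1 and aaa.saml.memberOf.2 entries shown above.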
Remote Access VPN Examples

How to Limit AnyConnect Bandwidth Per User

This section provides instructions to limit the maximum bandwidth consumed by VPN users when they connect with the Cisco AnyConnect VPN client to the Secure Firewall Threat Defense remote access VPN gateway. You can limit the maximum bandwidth with a Quality of Service (QoS) policy in Secure Firewall Threat Defense, to ensure that a single user or group of users does not take over the entire resource. This configuration lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bandwidth. When traffic exceeds the maximum rate, the Secure Firewall Threat Defense device drops the excess traffic rather than queuing it.
Create and Set up an Active Directory RealmThis section provides instructions to create a realm and specify the VPN users and user groups whose activity you want to monitor. Procedure
Create a QoS Policy and RuleQoS policies deployed to managed devices govern rate limiting. You can create a QoS policy by selecting a realm to limit the VPN bandwidth a user or user group can consume. Each QoS policy can target multiple devices; each device can have one deployed QoS policy at a time. Procedure
Create or Update a Remote Access VPN PolicyProcedure
How to Use VPN Identity for User-id Based Access Control Rules
Create and Set up an Active Directory RealmThis section provides instructions to create a realm and specify the VPN users and user groups whose activity you want to monitor. Procedure
Create an Identity Policy and an Identity RuleIdentity policies contain identity rules to perform user authentication based on the realm and authentication method associated with the traffic. Identity rules associate sets of traffic with a realm and an authentication method: passive authentication, active authentication, or no authentication. You must fully configure the realms and authentication methods you plan to use before you can invoke them in your identity rules. Procedure
Associate an Identity Policy with an Access Control PolicyYou must associate an identity policy with an access control policy that is deployed on the Secure Firewall Threat Defense device where the remote access VPN policy will be deployed. Procedure
Create or Update a Remote Access VPN PolicyProcedure
Configure Threat Defense Multiple Certificate Authentication

Multiple Certificate-based Authentication

Multiple certificate-based authentication allows the threat defense to validate the machine or device certificate. Multiple certificates can be enabled for certificate-based authentication in the remote access VPN connection profile, and this can be combined with AAA authentication. The multiple certificates option in the remote access VPN connection profile allows certificate authentication of both the machine and the user. This ensures that the device is a corporate-issued device, in addition to authenticating the user's identity certificate, before allowing RA VPN access. The administrator can choose whether the username for the session is taken from the machine certificate or the user certificate. When multiple certificate-based authentication is configured, two certificates are obtained from the VPN client:
For detailed information about threat defense certificates, see Managing Threat Defense Certificates. Limitations
Pre-fill Username from Certificate

The pre-fill username option allows a field from the certificate to be parsed and used for subsequent AAA authentication (primary and secondary). When two certificates are used for authentication, the administrator can choose the certificate from which the username is derived for the pre-fill functionality. By default, the username for pre-fill is retrieved from the user certificate (the second certificate received from AnyConnect). The pre-filled username is used as the VPN session username when the Certificate Only authentication method is enabled. When AAA and certificate authentication are both enabled, the VPN session username is based on the pre-fill option.

Configure Multiple Certificate Authentication for Remote Access VPN
For information about remote access VPN AAA settings, see Configure AAA Settings for Remote Access VPN. Certificate Configuration in DAPYou can also configure certificate criteria attributes in a DAP record. The user and machine certificate received from the VPN client during multiple-certificate authentication is loaded into dynamic access policy (DAP) to allow policies to be configured based on the field of the certificate. You can make policy decisions based on the fields of a certificate used to authenticate that connection attempt.
For more information about DAP, see Dynamic Access Policies. History for Remote Access VPNs
Which secured tunneling protocol might be able to cross firewalls where IPsec is blocked?
OpenVPN. It is an open-source VPN protocol that builds its tunnel on SSL/TLS (its cryptography comes from the OpenSSL library; OpenSSL is a library, not a protocol of its own) and runs over a single UDP or TCP port of the administrator's choosing, such as TCP 443. IPsec needs UDP 500 and 4500 or IP protocol 50 (ESP) to pass, so OpenVPN can often cross firewalls where IPsec is blocked.
What is OpenIKEv2? OpenIKEv2 is an open-source implementation of the IKEv2 key-exchange protocol that uses OpenSSL for its cryptography.
What is the nmap utility used for?
Nmap (Network Mapper) builds on earlier network auditing tools to provide fast, detailed scans of networks. It sends crafted IP packets to target addresses and analyzes the responses to identify which hosts are up, which ports and services are open on each host, and, with its OS detection, which operating systems they are likely running.
Which of the following virtualization products is an example of bare metal hypervisor?Examples of popular bare-metal hypervisors are Microsoft Hyper-V, Citrix XenServer and VMware ESXi.