Cisco ASA AnyConnect vpn configuration with radius authentication and dynamic acl

In this blog post, we will configure Cisco ASA firewall for AnyConnect VPN. Remote users will be authenticated against a radius server to get access to the VPN and traffic filtering/firewalling will be done using downloadable dynamic acl from the radius server.

Here we are using the exact same concepts from our previous blog post, just introducing radius authentication and downloadable acl from radius server.

Let's as usual introduce our topology -

01 - AnyConnect VPN Topology
01 - AnyConnect VPN Topology

The topology is straight forward. We have a inside network (192.168.6.0/24). Outside network is 192.168.199.0/24 where the ASA listens for anyconnect connections. And a management network 172.29.165.0/24 which is just a out-of-band management network for ASA.

We have a Win10-VPN-Client which will try to connect to inside network through anyconnect vpn. Debian-Client is just a client device in inside network to verify vpn connectivity. And Windows-NPS-Server is a radius server running NPS service. This NPS server is responsible for authenticating vpn users. And after successful authentication, the NPS server also sends a access control list, which the ASA receives and assigns to the vpn user.

Basic network connectivity configuration

Let's look at our interface and it's related IP configuration -

# show running-config interface 
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.0 
!
interface Management0/0
 no management-only
 nameif mgmt
 security-level 0
 ip address dhcp 

AnyConnect VPN configuration

We will activate a feature in the ASA so that our vpn traffic is not subjected to ASA's firewall inspection. Our vpn traffic will not be inspected by asa firewall. Instead it will be inspected by a vpn filter in ASA. Experienced ASA administrators knows about this feature; otherwise the readers can google about it to know more details.

!!! VPN traffic bypasses ASA firewall, instead will be inspected by a vpn filter
(config)# sysopt connection permit-vpn 

We will use a redirect from http to https so that VPN users see our anyconnect web page only in https.

(config)# http redirect outside 80

We will use strong security protocol suites on our vpn connection. We will only accept tlsv1.2 or dtlsv1.2 and use higher encryption cipher suite. This step is optional; but highly recommended.

!!! Activating only most secured options for creating tunnel over https/ssl protocol
ssl client-version tlsv1.2
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher dtlsv1.2 high
ssl cipher tlsv1.2 high

As our authentication and traffic filtering (downloadable dynamic acl) will be done by radius/nps server, we will define those first -

!!! Define a radius server group
aaa-server anyvpn-radius-server-group protocol radius

!!! Add the actual server to our defined group
aaa-server anyvpn-radius-server-group (inside) host 192.168.6.11
  key test123
  authentication-port 1812
  accounting-port 1813

Then we will enable anyconnect vpn on the outside interface -

webvpn
  !!! Users can download anyconnect client package, when they connect to VPN web page.
  anyconnect image disk0:/anyconnect-win-4.9.01095-webdeploy-k9.pkg
  !!! Outside interface will listen for anyconnect connection
  enable outside
  !!! Finally we enable anyconnect
  anyconnect enable
  !!! Optional command, when we want to allow users to select a user group alias when logging through web browser.
  tunnel-group-list enable

We need an IP pool from where our successful authenticated users will be assigned an IP adress.

!!! Anyconnect users will get an IP adress from the pool below
ip local pool anyvpn-pool 192.168.7.101-192.168.7.200 mask 255.255.255.0

We will use split tunneling for our vpn. Only required networks will be tunneled through the VPN. For example, a remote user internet access will be done still through his local ISP, will not be routed through the VPN. In our case, we will only tunnel network traffic to our inside network (192.168.6.0/24).

!!! Only traffic to 192.168.6.0/24 is routed through the VPN
access-list split-networks standard permit 192.168.6.0 255.255.255.0

Now we will define a group policy for the vpn -

group-policy anyvpn-radius-group-policy internal

group-policy anyvpn-radius-group-policy attributes 
  !!! We will just activate vpn with anyconnect client. Client-less access through web browser is not allowed.
  vpn-tunnel-protocol ssl-client 
  !!! We are doing split tunneling, only networks defined by split-networks will be tunneled through the vpn.
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-networks
  !!! Only one simultaneous login is allowed. 
  vpn-simultaneous-logins 1
  !!! No activity from the client within last 5 minutes, vpn will be terminated automatically.
  vpn-idle-timeout 5
  !!! Traffic through vpn will be subjected for inspection to a acl named anyvpn-filter.
  vpn-filter value anyvpn-filter
  !!! Define dns server and domain suffix for the vpn client.
  dns-server value 8.8.8.8
  default-domain value family.local
  webvpn
    anyconnect dpd-interval gateway 300
    anyconnect dpd-interval client 300
    !!! Setting mtu for anyconnect to avoid fragmentation
    anyconnect mtu 1400
    !!! When a user connects to the vpn adress from a web browser, it shows an option to download the vpn client.
    anyconnect ask enable default anyconnect
    !!! When a user disconnects from the vpn, the client remains installed.
    anyconnect keep-installer installed 

Now we will bind everything together with a tunnel group -

tunnel-group anyvpn-radius-tunnel-group type remote-access

tunnel-group anyvpn-radius-tunnel-group general-attributes
   !!! Authentication will be performed against radius/nps server
   authentication-server-group anyvpn-radius-server-group
   !!! Binding the group policy
   default-group-policy anyvpn-radius-group-policy
   !!! Binding the IP Pool
   address-pool anyvpn-pool

tunnel-group anyvpn-radius-tunnel-group webvpn-attributes
    !!! Authentication will be done using username/password
    authentication aaa
    !!! We will use url to select different groups. If we want to connect as a local authenticated user we will below url as our vpn connection string.
    group-url https://192.168.199.170/radius enable
    !!! This local authenticated group has a alias named "anyvpn-local-users" which is showed when we use web browser. 
    group-alias anyvpn-radius-users enable

If someone wants to do certificate based authentication, then we need to change "aaa" to "certificate" in the setting below. We are not using certificate based authentication.

tunnel-group anyvpn-radius-tunnel-group webvpn-attributes
    !!! Authentication will be done using certificate
    authentication certificate

NPS Server Configuration

Now we will configure Windows NPS (Radius) server. We start by adding our Cisco ASA firewall as a radius client.


02 - Add ASA as a radius client
02 - Add ASA as a radius client

Now we will define our policy which is straight forward, I am attaching pictures of how I have configured the policy - 

03-A - Network Policy For AnyConnect

03-A - Network Policy For AnyConnect 

03-B - Network Policy For AnyConnect
03-B - Network Policy For AnyConnect

03-C - Network Policy For AnyConnect
03-C - Network Policy For AnyConnect

This time instead of using vpn-filter; we are using downloadable access-list from the radius server to define what network access a user has. In our previous blog post; we have used below access list. I am using strike-though to indicate that this acl is not configured in the ASA firewall; but will be configured in the radius server. 

!!! Only icmp to inside network and ssh to Debian-Client is allowed. All other traffic is denied through anyconnect vpn.
access-list anyvpn-filter extended permit icmp any 192.168.6.0 255.255.255.0 
access-list anyvpn-filter extended permit tcp any host 192.168.6.5 eq ssh 
access-list anyvpn-filter extended deny ip any any log

This time this access-list will be defined in the radius/nps server and upon successful authentication; this acl will be sent from the radius server to the anyconnect vpn client. And this is called downloadable acl from radius server. 

03-D - Network Policy For AnyConnect (Downloadable ACL)
03-D - Network Policy For AnyConnect (Downloadable ACL)

Verification

Now we will try to connect to the VPN through the anyconnect client - 

04 - AnyConnect login with vpn client
04 - AnyConnect login with vpn client

Look at the connection string, it is same as the url defined in our tunnel group. After entering our credentials, we will be connected with the vpn.

Now we will have a look at the client's IP settings and routing table.

04 - AnyConnect client IP settings
04 - AnyConnect client IP settings

And the routing table - 

05 - AnyConnect client routing table
05 - AnyConnect client routing table

We can see from the routing table that dns address (8.8.8.8/32) and ASA's inside network (192.168.6.0/24) is routed through the tunnel.

Now we will try to do ssh to the Debian-Client (192.168.6.5) and we can login successfully  -

C:\Windows\system32>ssh root@192.168.6.5
root@192.168.6.5's password:
Linux deb10 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

Now verify from the ASA -

Below command has long output, I am showing only the interested part - 

# show vpn-sessiondb detail anyconnect 

Session Type: AnyConnect Detailed

Username     : testvpnradius          Index        : 18
Assigned IP  : 192.168.7.101          Public IP    : 192.168.199.140
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Group Policy : anyvpn-radius-group-policy
Tunnel Group : anyvpn-radius-tunnel-group
 
SSL-Tunnel:
  Tunnel ID    : 18.2
  Assigned IP  : 192.168.7.101          Public IP    : 192.168.199.140
  Encryption   : AES-GCM-256            Hashing      : SHA384                 
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384                     
  Encapsulation: TLSv1.2                TCP Src Port : 52558                  
  TCP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 5 Minutes              Idle TO Left : 3 Minutes              
  Client OS    : Windows                
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.01095
  Filter Name  : AAA-user-testvpnradius-9bf08b7

From above output we can see that, all the necessary settings are applied to client - group-policy, tunnel-group and dynamic filter from radius server.

Now we will look at this downloadable acl which was applied to the connected vpn user -

# show access-list AAA-user-testvpnradius-9bf08b7
access-list AAA-user-testvpnradius-9bf08b7; 3 elements; name hash: 0x3540ac43 (dynamic)
access-list AAA-user-testvpnradius-9bf08b7 line 1 extended permit icmp any4 192.168.6.0 255.255.255.0 (hitcnt=0) 0xfb00f16e 
access-list AAA-user-testvpnradius-9bf08b7 line 2 extended permit tcp any4 host 192.168.6.5 eq ssh (hitcnt=0) 0x2ae6a86b 
access-list AAA-user-testvpnradius-9bf08b7 line 3 extended deny ip any4 any4 log informational interval 300 (hitcnt=34) 0x21df03fa

That's about it - How to configure anyconnect vpn with with radius authentication and dynamic acl.
Location: Sundsvall, Sweden

Comments

Post a Comment

Popular posts from this blog

Fortigate firewall AAA Configuration for management with TACACS+ protocol and Cisco ISE

Image
In this blog I will write about how to implement AAA services in Fortigate firewalls using Cisco ISE as an authentication server with TACACS+ protocol. First good to know our limitations. AAA means - Authentication (supported by ISE TACACS+), Authorization (partially supported by ISE TACACS+; Fortigate implements Admin-Profiles; so what a user can/cannot do is defined locally in the firewall with "Admin Profiles"; ISE just instructs the firewall to allocate one of those profiles), Accounting (not supported; instead configure syslog to get accounting data, Fortigate firewalls generate syslog messages for configuration changes made by a user). Let's jump to our configuration. Our topology is very simple; one Fortigate firewall and Cisco ISE server connected with the same management network which looks like below -  01 - Network Topology We have a management network 192.168.199.0/24. The firewall is at  .230  and Cisco ISE is at  .49  IP address. We are running the lates
Read more

Stacking switches Part - VI (Dell OS10 VLT - Virtual Link Trunking)

Image
In this blog I will configure MLAG (multi chassis link aggregation) for Dell OS10 switches. As every other vendor choses a fancy name of their implementation of MLAG; Dell is no exception to this. Dell calls their implementation VLT - Virtual Link Trunking . Let's look at our network topology - Two Dell OS10 switches will run peering between them and will run VLT/MLAG between them. Two Debian 10 linux machine will be connected with LACP bonding with both switches. They will simulate the client connection. Our topology looks like below - 01 - Dell OS10 VLT Topology Let's look at some terminology before configuration - VLT peer – The two switches participating in VLT are peer to each other. In a VLT domain a maximum of two switches are allowed. VLT interconnect (VLTi) – VLTi synchronizes state information between VLT peers. It synchronizes layer 2 and layer 3 control-plane information. These state/control-plane information includes MAC table, ARP table, IPv6 neighbors etc. VLT
Read more

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)

Image
Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be TACACS . Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. Our topology looks like below - 01 - Network Topology We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0. Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator" . We will use those two roles. Every user after successful authentication from tacacs server (ISE), will be authorized as either "network-admin" or "network-operator" role. In turn these two roles will determine read-write or read-only access to the switch. N ote: With TACACS, we can also do individual cl
Read more