Deploying AnyConnect with ASA5500 - SafePlus Live Berlin 2017/BRKSEC-2501.pdf · Labrats Inc....
Deploying AnyConnect with ASA5500
Håkan Nohre, Consulting Systems Engineer, CISSP, GIAC Pen Tester
BRKSEC-2501
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Who Am I?
• Live in Sweden (Stockholm)
• Consulting Systems Engineer (EMEAR)
• With Cisco since 1997
• Focus on Cyber Security, GIAC Pen Tester #9666, CISSP#76731
• Other sessions here at Cisco Live
• It's Cats vs Rats in the Attack Kill Chain! - BRKSEC-2309
• Hacking in the Attack Kill Chain v2 - LTRSEC-3300
What We Won't Cover
• Clientless SSL VPN via Web Portal
• AnyConnect with IOS and IPSEC/IKEv2 : see BRKSEC-3054
• AnyConnect Web Security, NAM, NVM: see BRKSEC-2051
• Roadmaps
• Licensing
but may be covered in other Cisco Live sessions
More info in Mega Slide Deck!
• This breakout is based on my presentation from previous years: BRKSEC-3033
• ”Advanced AnyConnect Deployment and Troubleshooting with ASA5500”
• Now more focus on use cases and scenarios
• Moving some configuration, advanced stuff/troubleshooting to mega-slides
Mega-slide-deck: https://cisco.box.com/v/brksec2051-mega
This breakout is a subset of the mega-slide-deck.
The Scenario : Labrats
• Pharmaceutical Research Conglomerate run by Rats and Cats
Conglomerate: two or more corporations engaged in entirely different businesses that fall under one corporate group (Wikipedia definition)
Legal Disclaimer: Any similarities between Labrats and any other organization are (most likely) a coincidence
The Scenario : Labrats
• Using Corporate Devices
• Windows, MACs, iPADs
• Embracing BYOD
• Key Requirements :
• Security
• Easy to Use
• IPv6
Agenda
• Introduction
• AnyConnect Fundamentals
• AnyConnect Network Integration
• AAA Deep Dive: RADIUS & LDAP
• AAA Deep Dive: Client Certificates
• Provisioning Client Certificates
• Customizing the User Experience
• Posture Checking
• Securing the Client
Clientless SSL VPN or AnyConnect?
End User Experience: Clientless SSL VPN = Web Browser to access some applications*; AnyConnect = Just like in the Office
Access Control: Clientless SSL VPN = Granular at URL level; AnyConnect = Network ACL: IP, TCP/UDP port, SGT
Installation of client SW: Clientless SSL VPN = No, uses browser; AnyConnect = Yes, Thick Client
Maintenance: Clientless SSL VPN = New versions of browsers, java, applications…; AnyConnect = Once setup works fine
* Features may depend on OS, browser version, Java, Active-X, endpoint security settings.
Note: SSL VPN uses TLS, not SSL!
• SSL originally developed by Netscape Communications (1994).
• Used to secure the web – https://
• SSL has since been replaced by TLS (Transport Layer Security)
• Current version is TLS 1.2
The TLS Handshake
Client -> Server: ClientHello (Client Version, ClientNonce, SessionID, Ciphersuites)
Server -> Client: ServerHello (Server Version, ServerNonce, Selected Ciphersuite), ServerCertChain (CertificateChain), (Option: CertRequest), ServerHelloDone
Client -> Server: ClientKeyExchange (Encrypted pre_master_secret), ChangeCipherSpec, ClientFinished; client performs PRF computation
Server -> Client: ChangeCipherSpec, ServerFinished; server performs PRF computation
Both directions: Application Data
Datagram TLS (DTLS) - RFC 6347
• TLS uses TCP as the transport protocol
• Tunnelling over TLS means
• TCP applications use double layers of TCP! – (double layers of retransmissions etc)
• UDP applications still use TCP
• DTLS solves the problem: TLS uses UDP instead of TCP!
• Cisco’s implementation
• DTLS optional, fall-back to TLS if needed (e.g. if UDP/443 blocked by proxy or FW)
• TLS tunnel is maintained in parallel for keep-alives, and as backup
• Any firewall needs to allow both UDP 443 and TCP 443
AnyConnect also supports IPSec
• AnyConnect only supports IKEv2 (not IKEv1) for IPSec
• ASA IPSEC/IKEv2 for Remote Access is not compatible with 3rd party clients (e.g. Microsoft Windows 7 native L2TP/IPSec with IKEv2).
• Why would you prefer SSL over IPSec/IKEv2?
• It is more likely to work anywhere – through firewalls and proxies!
• Why would you want to use IPSec/IKEv2 instead of SSL?
• Usually the only reason is that it is mandated by compliance
See BRKSEC-3054: IOS FlexVPN Remote Access, IoT and Site-to-Site advanced Crypto VPN Designs
AnyConnect VPN Concentrator Platforms
• ASA 5500, ASA5500X
• Firepower 4100/9300 running ASA code
• ASAv
• ASAv in AWS and Azure
• ISR/ASR routers running IOS
• No feature parity with ASA
• Support for AnyConnect Terminating on platforms running Firepower Threat Defense (FTD) on near-time roadmap (6.2.1)
• Phased implementation
Labrats Inc. Participates in FTD 6.2.1 beta
• Slides on how to configure using Firepower Threat Defense (FTD) using Firepower Management Center (FMC) in mega slide deck
(Screenshot: FMC 6.2.1 beta)
Mega-slide-deck: https://cisco.box.com/v/brksec2051-mega
VPN Concentrator Management Option: ASA
• ASDM for easy management and troubleshooting
• 100% feature support – recommended management in most deployments
• Used in this breakout!
• CLI – beware that not all config is visible in “show running”
• will also require management of XML files
• Cisco Security Manager (CSM)
• For configuration of multiple ASAs
• Beware – does not support all features
AnyConnect Windows Version Reminder!
• Versions older than 3.1MR13 or 4.2MR1 will no longer run on Windows from 2/14/2017
• Due to Microsoft code signing enforcement
• http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
• http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_AA75AD8674C4409DBA57F2EBD9CAE3BB
Warning: I remembered my customers! I asked my wife to remind me I had something important to do on 2/14/2017!
AnyConnect - Installation
• Installation Options
• download from ASA or ISE (requires admin privileges)
• use Desktop Management System
• Appstore, Google Play ... (mobile devices)
• Optional modules to install
• DART
• Posture
• ISE Posture
• Start-Before-Login
• AMP Enabler
• Web security, Network Access Manager
• Feedback Module
• Network Visibility
• Umbrella Roaming Security
On the Client: AnyConnect Configuration Files
• AnyConnect Configuration Files are stored on the client in the following directories:
Files that apply to all users of the machine:
Windows 7 and Windows Vista: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
Windows XP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
MAC OS X and Linux: /opt/cisco/anyconnect/
Per-user preferences:
Windows 7 and Windows Vista: C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
Windows XP: C:\Documents and Settings\username\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
MAC OS X and Linux: /Users/username/.anyconnect
On the Client: AnyConnect Configuration Files
• Files that apply to all users logged onto the machine:
• AnyConnect Client Profiles (described later)
• AnyConnect Local Policy (security settings)
• Default User, Default Hosts etc.
AnyConnect Local Policy File
• Not downloaded from ASA (use your favorite desktop management system)
• XML file defining important aspects of AnyConnect behavior
• allowing user to accept untrusted ASA certificates
• allowing client software updates from ASA (and from which ASAs)
• allowing client profile updates from ASA (and from which ASAs)
• certificate stores, credentials caching etc.
AnyConnect Local Policy (excerpt, edited with the Standalone Profile Editor):
<FipsMode>true</FipsMode>
<BypassDownloader>true</BypassDownloader>
<RestrictWebLaunch>true</RestrictWebLaunch>
<StrictCertificateTrust>true</StrictCertificateTrust>
<EnableCRLCheck>false</EnableCRLCheck>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
Local Policy File Example
• If the server certificate is not trusted, do you want the user to be able to accept the certificate?
<StrictCertificateTrust>false</StrictCertificateTrust>
• .... or do you want AnyConnect to refuse to connect?
<StrictCertificateTrust>true</StrictCertificateTrust>
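Because the local policy is pushed by desktop management rather than by the ASA, it is worth auditing the copy that actually lands on the client. The following Python script is an added example (not from the deck and not Cisco's tooling): it parses a local policy of the kind shown above and reports every element that deviates from a baseline, then produces a hardened copy. The element names are the ones on the slide; the root element name AnyConnectLocalPolicy, the sample file and the baseline values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive local policy of the kind the slides describe.
# The element names are those on the slide; the root element name is an assumption,
# because the slide only shows the child elements.
WEAK_LOCAL_POLICY = """<AnyConnectLocalPolicy>
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <EnableCRLCheck>false</EnableCRLCheck>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
</AnyConnectLocalPolicy>
"""

# Baseline chosen for this example (an assumption, not a Cisco recommendation):
# element -> (required value, what a deviating value lets the client do).
BASELINE = {
    "StrictCertificateTrust": ("true", "user may accept an untrusted ASA certificate"),
    "EnableCRLCheck": ("true", "a revoked ASA certificate is not detected"),
    "RestrictPreferenceCaching": ("true", "credentials/preferences may be cached on the client"),
}


def audit_local_policy(xml_text, baseline=BASELINE):
    """Return a list of (element, actual, required, risk) for every baseline element
    that is missing or set to a value other than the required one."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, (required, risk) in baseline.items():
        node = root.find(name)
        actual = (node.text or "").strip().lower() if node is not None else "<missing>"
        if actual != required:
            findings.append((name, actual, required, risk))
    return findings


def harden_local_policy(xml_text, baseline=BASELINE):
    """Return a copy of the policy with every baseline element forced to its required
    value; elements the baseline does not mention are left untouched."""
    root = ET.fromstring(xml_text)
    for name, (required, _) in baseline.items():
        node = root.find(name)
        if node is None:
            node = ET.SubElement(root, name)
        node.text = required
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_local_policy(WEAK_LOCAL_POLICY):
        print("%s=%s (required %s): %s" % finding)
    print(harden_local_policy(WEAK_LOCAL_POLICY))
```

Run it against the file the desktop management system deploys; a non-empty result from audit_local_policy() means the client can still behave in one of the ways the slide warns about, such as accepting an untrusted ASA certificate.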
AnyConnect Troubleshooting Toolbox (Windows)
• MMC console with snap-ins: Event Viewer, Certificate (Current User), Certificate (Local Computer)
DART Tool (Windows and MAC)
• DART Tool can be installed with the client
• Similar to “show tech” on client
• Gathering of OS Data and log files in large zip file
GOT DART?
AnyConnect Troubleshooting Toolbox (iOS, Android)
• One click email of logs
• Possible to view Profiles and Certificates
AnyConnect Fundamentals : ASA Server Certificate
• ASA certificate should be trusted by clients
• Public (well-known) Certificate Authority (e.g. Verisign, Thawte)
• Enterprise Certificate Authority, e.g. Microsoft Active Directory
• Self-Signed (need to import certificate to all clients)
• AnyConnect 4.1: check of CRL is configurable (Local Policy File)
• FQDN in Subject
(Diagram: the ASA sits between the Internet and the Intranet; its certificate comes from a Public CA or an Enterprise CA)
Ensure Clients Trust the ASA Certificate
• AnyConnect uses OS to validate certificate
• Microsoft Windows: MS CAPI
• MAC OS: Keychain
• Linux: Varies with distribution
• Tip: Examine warnings with browser
• Untrusted CA chain
• Mismatch domain name
• Validity time (GOT NTP?)
AnyConnect Fundamentals : IPv4 and IPv6
• AnyConnect supports IPv6 tunneled inside IPv4 or IPv6
• management/control servers (CA, AD, RADIUS) IPv4 only
(Diagram: the AnyConnect virtual adapter is dual stack IPv4/IPv6, tunnelled over an IPv4 or IPv6 Internet to the ASA; intranet DNS, web and fileshare are IPv4/IPv6; CA, AD and RADIUS are IPv4 only)
Agenda: AnyConnect Network Integration
Don’t NAT/PAT VPN traffic
• If you need to NAT your outgoing IPv4 internet traffic, add an exception for VPN traffic
(Diagram: ASA between the Internet and the Intranet (web, fileshare), with a NAT exception for VPN traffic)
High Availability Design: Active/Standby Failover
• Easy: Leveraging ASA failover
• Appears as one ASA sharing IP, MAC addresses
• Configuration changes replicated (incl. certs)
• AnyConnect Images not replicated
• AnyConnect Profiles not replicated
• VPN sessions replicated: seamless failover
• Requires L2 adjacencies between ASAs
• Not possible in AWS or Azure
• ”workarounds” exist
(Diagram: two ASAs sharing the Outside IP/MAC and the Inside IP/MAC, connected by a failover link)
VPN Load Balancing
• Multiple ASAs in a VPN Cluster
• Not the same as ASA Clustering technology (which does not support remote access VPN)
• Each ASA has separate config and IPs
• ASA ”master” also owns the shared virtual IP
• AnyConnect Client connects to master and is redirected to “least loaded” ASA
• No configuration or state-synch
• Rarely used today!
• Complexity and lack of seamless failover
• …more common when AnyConnect licenses were per box, not shared across ASA deployment
(Diagram: the ASA master with the shared virtual IP in front of several ASAs with separate outside IPs)
AnyConnect with Multiple Contexts
• ASA 9.5(1) and 9.6(2)
• One physical ASA with multiple contexts
• …with unique configurations
• Certificates,
• AnyConnect images
• Policies
• …with separate management views
• …with separate ip address spaces
(Diagram: one ASA with a Cats context and a Rats context; both contexts can use the same IP address, 10.1.1.1)
AnyConnect in Global Networks – Let the user decide!
• Let the user choose gateway
• From dropdown
• Each gateway may have predefined backups
(Diagram: ASAs in New York, Berlin and Sydney connected over the Enterprise WAN (MPLS-VPN) and reachable from the Internet)
AnyConnect in Global Networks: Automatic Selection
• Optimal Gateway Selection (OGS)
• Automatically selects gateway based on Round-Trip-Time (RTT) using HTTP(S) requests
• Calculation takes place after coming back from VPN suspension
• Caches the result per client location (defined with domain name/DNS server)
• Not supported with Always-On
• If password based authentication is used, another login may be necessary
(Diagram: ASAs in New York, Berlin and Sydney connected over the Enterprise WAN (MPLS-VPN) and reachable from the Internet)
Configuring Optimal Gateway Selection
(Screenshot: Client Profile)
• OGS calculation will take place if VPN suspended for longer than X hours
• New Gateway selected if RTT performance increased by X%
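The OGS behaviour of the last two slides (lowest RTT wins, a switch only when RTT improves by more than a configured percentage, recalculation only after a long enough suspension, one cached result per DNS domain/DNS server location) as an added Python model. It is not Cisco's code and not the client's algorithm; the gateway hostnames and RTT values are constructed, and the percentage and the number of hours stand in for the profile's "X" values.

```python
# Constructed RTT samples (milliseconds) as the client might measure with HTTPS requests.
# labrats.se is the deck's domain; the gateway hostnames are invented for this example.
SAMPLE_RTT_MS = {
    "vpn-nyc.labrats.se": 95.0,
    "vpn-ber.labrats.se": 40.0,
    "vpn-syd.labrats.se": 250.0,
}


class OgsSelector:
    """Optimal Gateway Selection as described on the slides:
    - choose the gateway with the lowest RTT;
    - switch away from the current gateway only if the best candidate improves RTT
      by more than improvement_pct, so that small fluctuations do not cause a
      reconnect (and, with password authentication, another login);
    - after a VPN suspension shorter than recalc_after_hours, reuse the cached
      result for the client's location instead of measuring again;
    - the location is identified by DNS domain and DNS server.
    """

    def __init__(self, improvement_pct=20.0, recalc_after_hours=4.0):
        self.improvement_pct = improvement_pct
        self.recalc_after_seconds = recalc_after_hours * 3600
        self.cache = {}  # location key -> gateway chosen there

    @staticmethod
    def location_key(dns_domain, dns_server):
        return "%s|%s" % (dns_domain.lower(), dns_server)

    def choose(self, rtt_ms, current=None):
        """Pick a gateway from measured RTTs; an RTT of None means the probe failed."""
        reachable = {gw: rtt for gw, rtt in rtt_ms.items() if rtt is not None}
        if not reachable:
            return current  # nothing reachable: keep whatever we had
        best = min(reachable, key=reachable.get)
        if current is None or current not in reachable:
            return best
        improvement = (reachable[current] - reachable[best]) / reachable[current] * 100.0
        return best if improvement > self.improvement_pct else current

    def select(self, dns_domain, dns_server, rtt_ms, current=None, suspended_seconds=0):
        """Full decision: reuse the cached result for this location unless the suspension
        was long enough to trigger a recalculation (or nothing is cached yet)."""
        key = self.location_key(dns_domain, dns_server)
        if key in self.cache and suspended_seconds <= self.recalc_after_seconds:
            return self.cache[key]
        chosen = self.choose(rtt_ms, current)
        self.cache[key] = chosen
        return chosen


if __name__ == "__main__":
    selector = OgsSelector()
    print(selector.select("labrats.se", "10.1.41.10", SAMPLE_RTT_MS))
```

The hysteresis in choose() is what keeps a client from bouncing between two gateways with similar RTT; the cache in select() is why the next slide's objection matters: a cached choice made on Internet RTT alone is kept until the next long suspension, whatever the path to the application servers looks like.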
Is the RTT over the Internet the most Important Factor?
• Some server resources may be more important
• E.g. Exchange server at home office
• Many Enterprise WANs are slower than the Internet
• Optimal Gateway Selection may be sub-optimal!
(Diagram: ASAs in New York, Berlin and Sydney connected over the Enterprise WAN (MPLS-VPN); the Mail server sits behind one of them, so the gateway with the lowest Internet RTT is not necessarily the best path to the Mail server)
AnyConnect : Straight or on the Rocks? (with ISE)
Cisco Identity Services Engine (ISE)
See breakouts:
BRKSEC-3697 Advanced ISE Services, Tips and Tricks
TECSEC-2672 Intermediate - Network Access Control with ISE (Identity Services Engine)
AnyConnect to ASA without ISE integration
• ASA has interfaces to potentially multiple AAA servers including the Directory, e.g.
• RADIUS to OTP servers
• LDAP to Enterprise Directory
• ASA manages posture enforcement
• ASA authorizes user based on
• AAA information: authentication method
• AAA information: AD group membership
• Posture: e.g. Antivirus up-to-date
• Authorization typically implies applying a pre-defined ACL to user session
(Diagram: ASA with Internet and Inside interfaces, using RADIUS and LDAP servers on the inside)
AnyConnect to ASA with ISE Integration (1)
• Most control logic moved to ISE
• Allowing for a more consistent policy
• Remote Access VPN
• Wired Campus
• Wireless Campus
• …determining access to internal resources based on
• AAA information: authentication method
• AAA information: AD group membership
• Posture: e.g. Antivirus, Patch Management
• Authorization can use Security Group TAGs (SGTs)
(Diagram: ASA with Internet and Inside interfaces, using RADIUS to ISE on the inside)
Traditional Segmentation
• Based on VLAN
• Tied to IP addressing
Source      User   Dest           Application   ?
10.1.1.0           192.168.1.0    HTTPS
            HR     192.168.2.10   HTTPS
10.1.2.0           192.168.3.0    SIP
10.1.3.0           10.1.3.0       SCADA
Rules change with Network changes!
Expensive to maintain!
Segmentation based on Security Groups TAGs
• All clients associated with Security Group TAG
• Based on
• Identity
• Device type
• Posture requirements
• Access method (vpn… campus)
• Location…
Source     User   Dest          Application   ?
iPAD       HR     Citrix        HTTPS
IPphone           PhoneServer   SIP
Sensor            ICSserver     SCADA
Rule table independent of addressing!
Simple to maintain!
Increased granularity taking into account device type etc.
(Diagram: iPAD, IPphone and Sensor endpoints reaching their Citrix, Gateway and ICSserver destinations, with the same tags on both the VPN and the campus side)
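The two rule tables above, as an added Python example (not from the deck): the same flows are evaluated against the address-based rules and against the tag-based rules, before and after a server is moved to a new subnet, to show which rule set survives the change. The addresses and the IP-to-tag inventory (the mapping ISE would supply) are constructed; the tags, subnets and applications are those in the slides' tables.

```python
import ipaddress

# Constructed inventory: endpoint IP -> Security Group TAG (ISE would hold this).
# Tags are those in the slide's table; the addresses reuse the subnets of the
# traditional table and are invented for the example.
ENDPOINTS = {
    "10.1.1.5": "iPAD",
    "10.1.2.7": "IPphone",
    "10.1.3.9": "Sensor",
    "192.168.1.20": "Citrix",
    "192.168.3.30": "PhoneServer",
    "10.1.3.40": "ICSserver",
}

# Traditional rules: (source network, destination network, application)
IP_RULES = [
    ("10.1.1.0/24", "192.168.1.0/24", "HTTPS"),
    ("10.1.2.0/24", "192.168.3.0/24", "SIP"),
    ("10.1.3.0/24", "10.1.3.0/24", "SCADA"),
]

# SGT rules: (source tag, destination tag, application)
SGT_RULES = [
    ("iPAD", "Citrix", "HTTPS"),
    ("IPphone", "PhoneServer", "SIP"),
    ("Sensor", "ICSserver", "SCADA"),
]


def ip_permits(rules, src_ip, dst_ip, app):
    """Address-based evaluation: permit if a rule's subnets contain both addresses."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, rule_app in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_app == app):
            return True
    return False


def sgt_permits(rules, endpoints, src_ip, dst_ip, app):
    """Tag-based evaluation: resolve each address to its tag, then match on tags.
    An endpoint without a tag matches no rule."""
    src_tag, dst_tag = endpoints.get(src_ip), endpoints.get(dst_ip)
    return any(rule == (src_tag, dst_tag, app) for rule in rules)


def readdress(endpoints, old_ip, new_ip):
    """Move an endpoint to a new address; its tag follows the endpoint, not the address."""
    moved = dict(endpoints)
    moved[new_ip] = moved.pop(old_ip)
    return moved


def compare_after_move(old_ip, new_ip, src_ip, app):
    """Evaluate one flow before and after the destination moves, with both rule sets.
    Returns ((ip_before, ip_after), (sgt_before, sgt_after))."""
    after = readdress(ENDPOINTS, old_ip, new_ip)
    return (
        (ip_permits(IP_RULES, src_ip, old_ip, app),
         ip_permits(IP_RULES, src_ip, new_ip, app)),
        (sgt_permits(SGT_RULES, ENDPOINTS, src_ip, old_ip, app),
         sgt_permits(SGT_RULES, after, src_ip, new_ip, app)),
    )


if __name__ == "__main__":
    # The Citrix server is re-addressed: the IP rule breaks, the tag rule still holds.
    print(compare_after_move("192.168.1.20", "172.16.5.20", "10.1.1.5", "HTTPS"))
```

The second effect the slide mentions, granularity by device type, shows up in the reverse direction too: an endpoint that happens to land in the sensors' subnet is permitted to the ICS server by the address rule, but has no Sensor tag and is denied by the tag rule.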
ISE information sharing with pxGrid
• ISE has full knowledge of who/what connects to network (via VPN, Wired, Wireless)
• Shared with security components
• E.g. Firewall, IPS, Analytics, Single-Sign-On, etc.
• So they know who the user is behind a certain IP address
• So they can tell infrastructure to quarantine device (Rapid Threat Containment)
(Diagram: ISE tells the ASA over pxGrid that IP 10.99.1.1 is Itchy’s iPad)
Agenda: AAA Deep Dive, RADIUS & LDAP
AAA in ASA : Some Important Concepts
Connection Profile (tunnel-group): Proving Who you are
• Static Passwords (local to ASA, Active Directory, LDAP)
• OTP (One-Time-Passwords), typically RADIUS
• Certificates
Group Policy: Determining What You are and What You can do
• ACL
• Split Tunnelling
• Proxy settings
• Timeouts
• etc..
Client Profile: AnyConnect behaviour...
- Which ASA and Connection Profile to connect to
- "Always On"
- which certificate to use, etc...
Labrats Requirements
• Strong Authentication
• Corporate devices (laptops, iPADs) use certs
• BYOD use OTP sent as text to mobile
• Granular Authorization
• Depending on Active Directory group and device (corporate vs. BYOD)
• Access Rights differ with regards to ACL (Filter), IP address pool, Split Tunneling, Client Profile, Restrict to VLAN, ...
(Diagram: Cats and Rats connecting from BYOD or from a Corp Device; AD Groups Cats and Rats; Connection Profile Certs and Connection Profile SMS on the ASA; Group Policies CatsCorp, RatsCorp, CatsBYOD and RatsBYOD)
Avoid too many Group Policies
• You don’t have to create group policies to control where client is allowed to go!
• Pre-defined ACL can be applied to session
• Downloadable ACL applied to session
• Security Group TAG from ISE assigned to session
• Only add Group Policies when needed!
• … split tunnelling policy
• … certificate enrolment (covered later)
• ….don’t be too creative here!
(Diagram: the same Cats/Rats populations, AD Groups and Connection Profiles Certs and SMS as before, now with a single Group Policy and ISE supplying the per-session authorization)
Access Lists to Authorize User access
• ”Loose Hanging” Access Lists defined on ASA
• applied from different places in GUI, not from main Firewall Ruleset
• applied from RADIUS (Filter-ID)
(Diagram: the ACL catsCorp can be applied from DAP, from ISE via Filter-ID, or from Group Policy CatsCorp)
Security Groups in main Stateful Firewall Rule Table
• Unselect, to let VPN traffic go through Global/interface ACLs
• Mix and Match ACEs with and without SGTs
(Screenshot: firewall rule table with an ISE Security Group column)
Authentication and Authorization by RADIUS
• RADIUS attribute IETF 25 (Class) is used to assign the group policy
• RADIUS Filter-ID can define a pre-defined ACL on ASA
• RADIUS SGT can be sent from ISE
(Diagram: Connection Profile "SMS" using AAA Server Group RADIUS and Client Profile "BYOD"; RADIUS returns the Group Policy (Default Group Policy, RatsBYOD or CatsBYOD) and the Security Group)
Connection Profile : How to Authenticate
• AAA server group
• AAA, Cert or Both?
• Group-Policy used unless overwritten by Authorization Server
(Screenshot: Connection Profile referencing AAA Server Group RADIUS)
ASA configuration of ISE AAA Server Group
• Interim Accounting
• Authorization-Only
• Dynamic Authorization (CoA, Change of Authorization)
RADIUS Server Definition
• Double check port numbers on RADIUS server
• Shared Secret must match with RADIUS server
Connection Profile: Where to Send Accounting
• Possible to define AAA Server Group for RADIUS Accounting
(Screenshot: Connection Profile with the AAA server group used for Authorization and AAA Server Group RADIUS for accounting)
RADIUS: Keeping track of IP addresses
• Client physical ip address in RADIUS Calling-Station-ID
• Client virtual ip address in RADIUS Accounting Framed-IP-Address
• turn on RADIUS accounting for visibility
ASA -> ISE: ACCESS REQUEST, [email protected], Calling-Station-ID=85.12.17.22 (the client's physical address)
ASA -> ISE: ACCOUNTING START, [email protected], Framed-IP-Address=10.99.19.1 (the client's virtual address); ISE updates its Session Directory for this IP
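An added example, not from the deck: a small Python session directory that ingests RADIUS records and answers "which user is behind tunnel IP 10.99.19.1?", the question the slide (and later the pxGrid slide) is about. Real RADIUS is a binary protocol that correlates requests and replies by packet identifier; the one-line text format used here, the users, the addresses and the repeated User-Name are constructed for the example. The attribute names (Calling-Station-ID, Framed-IP-Address, Class) are the ones the slides discuss.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    physical_ip: str = None   # Calling-Station-ID from the Access-Request
    virtual_ip: str = None    # Framed-IP-Address from the Accounting-Start
    attrs: dict = field(default_factory=dict)


# Constructed log, written as "TYPE attr=value attr=value". The User-Name is repeated
# in every record so the example can correlate on it. Users and addresses are
# invented (labrats.se is the deck's domain).
SAMPLE_LOG = [
    "ACCESS-REQUEST User-Name=itchy@labrats.se Calling-Station-ID=85.12.17.22 connection-profile=SMS",
    "ACCESS-ACCEPT User-Name=itchy@labrats.se Class=RatsBYOD",
    "ACCOUNTING-START User-Name=itchy@labrats.se Framed-IP-Address=10.99.19.1 Acct-Session-Id=0x1001",
    "ACCESS-REQUEST User-Name=scratchy@labrats.se Calling-Station-ID=85.12.17.23 connection-profile=certs",
    "ACCESS-ACCEPT User-Name=scratchy@labrats.se Class=CatsCorp",
    "ACCOUNTING-START User-Name=scratchy@labrats.se Framed-IP-Address=10.99.19.2 Acct-Session-Id=0x1002",
    "ACCOUNTING-STOP User-Name=scratchy@labrats.se Framed-IP-Address=10.99.19.2 Acct-Session-Id=0x1002",
]


def parse_radius_line(line):
    """Split 'TYPE key=value ...' into (TYPE, {key: value}); values contain no spaces."""
    parts = line.split()
    attrs = {}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        attrs[key] = value
    return parts[0].upper(), attrs


class SessionDirectory:
    """Keeps the tunnel IP -> user mapping the way the slide describes ISE doing it:
    the physical address arrives in the Access-Request, the tunnel address only
    later in the Accounting-Start, and the mapping is dropped on Accounting-Stop.
    Without accounting turned on, who_is() would never learn a single address."""

    def __init__(self):
        self.pending = {}  # user -> Session authenticated but not yet accounted
        self.by_ip = {}    # virtual ip -> active Session

    def ingest(self, line):
        kind, attrs = parse_radius_line(line)
        user = attrs.get("User-Name")
        if kind == "ACCESS-REQUEST":
            self.pending[user] = Session(user, physical_ip=attrs.get("Calling-Station-ID"),
                                         attrs=dict(attrs))
        elif kind == "ACCESS-ACCEPT" and user in self.pending:
            self.pending[user].attrs.update(attrs)  # e.g. Class -> group policy
        elif kind == "ACCOUNTING-START":
            sess = self.pending.pop(user, None) or Session(user)
            sess.virtual_ip = attrs.get("Framed-IP-Address")
            self.by_ip[sess.virtual_ip] = sess
        elif kind == "ACCOUNTING-STOP":
            self.by_ip.pop(attrs.get("Framed-IP-Address"), None)

    def who_is(self, virtual_ip):
        """Answer 'who is behind this tunnel IP?' or None if no active session."""
        sess = self.by_ip.get(virtual_ip)
        return sess.user if sess else None


def build_directory(lines):
    directory = SessionDirectory()
    for line in lines:
        directory.ingest(line)
    return directory


if __name__ == "__main__":
    directory = build_directory(SAMPLE_LOG)
    print(directory.who_is("10.99.19.1"), directory.by_ip["10.99.19.1"].physical_ip)
```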
Authentication by RADIUS, Authorization by LDAP
• User authenticated by RADIUS (typically strong authentication, OTP)
• Username used for LDAP lookup
• LDAP attributes are mapped to a Group Policy
(Diagram: Connection Profile "SMS" with Client Profile BYOD authenticates against AAA Server Group RADIUS and then authorizes against AAA Server Group LDAP; the LDAP map selects Default Group Policy, RatsBYOD or CatsBYOD)
Connection Profile : How to Authorize
• Possible to define different AAA server group for authorization (if not specified, the same group is used for authentication and authorization).
(Screenshot: Connection Profile with AAA server group AD_SamAccount (LDAP) used for Authorization)
AAA Server Groups
• Using the same authentication protocol and characteristics
• Several Servers in a Group for redundancy
• Same Protocol but different Groups if different characteristics
(Screenshot: AAA Server Group LDAP and AAA Server Group RADIUS)
LDAP Server Definition (Active Directory)
• LDAP over SSL
• ASA Credentials
•  Domain is labrats.se
• Map LDAP attributes to ASA attributes (to be covered)
• Attribute for user lookup
A Good LDAP Browser is Useful
• To learn LDAP structure, and for troubleshooting : http://www.softerra.com
Example attributes of the user scratchy:
memberOf: CN=ITsupport,CN=Users,DC=labrats,DC=se
memberOf: CN=Cats,CN=Users,DC=labrats,DC=se
sAMAccountName: scratchy
Using Active Directory “memberOf”
• A user in Active Directory can be a member of many groups
• But can only belong to one Group Policy in ASA
• A group may be a member of another group in AD
• ASA will not do recursive lookup
(Diagram: nested AD groups Rats, ITsupport, Cats and Mammals)
Mapping “memberOf” to Group Policy
• Map “memberOf” to ASA Group Policy with an LDAP attribute map
• Beware: First match will apply (many memberOf, one Group Policy)
• Beware: No support for lookup of nested groups (“group in group”)
• Using Cisco ISE allows for better flexibility in assigning Group Policy
• DAP (covered later) allows for more flexibility in handling "many memberOf"
LDAP map example:
CN=Rats,CN=Users,DC=labrats,DC=se : RatsBYOD
CN=Cats,CN=Users,DC=labrats,DC=se : CatsBYOD
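The two "Beware" points as an added Python model (not the ASA's code). asa_group_policy() walks the user's own memberOf values in the order the directory returns them and takes the first one that has a map entry, which is how this example interprets "first match"; effective_groups() and nesting_aware_policy() compute what the ASA would need in order to honour group-in-group; review_mapping() lists the users for which the two disagree. The groups Cats, Rats, ITsupport, Mammals, the user scratchy and the map entries are from the slides; the users itchy and squeak, the group Rodents and all memberships are constructed.

```python
# Constructed directory: object DN -> its memberOf values.
DIRECTORY = {
    "CN=scratchy,CN=Users,DC=labrats,DC=se": [
        "CN=ITsupport,CN=Users,DC=labrats,DC=se",
        "CN=Cats,CN=Users,DC=labrats,DC=se",
    ],
    "CN=itchy,CN=Users,DC=labrats,DC=se": [          # member of both Cats and Rats
        "CN=Cats,CN=Users,DC=labrats,DC=se",
        "CN=Rats,CN=Users,DC=labrats,DC=se",
    ],
    "CN=squeak,CN=Users,DC=labrats,DC=se": [         # only in Rodents, which is nested in Rats
        "CN=Rodents,CN=Users,DC=labrats,DC=se",
    ],
    "CN=Rodents,CN=Users,DC=labrats,DC=se": ["CN=Rats,CN=Users,DC=labrats,DC=se"],
    "CN=Cats,CN=Users,DC=labrats,DC=se": ["CN=Mammals,CN=Users,DC=labrats,DC=se"],
    "CN=Rats,CN=Users,DC=labrats,DC=se": ["CN=Mammals,CN=Users,DC=labrats,DC=se"],
}
USERS = [
    "CN=scratchy,CN=Users,DC=labrats,DC=se",
    "CN=itchy,CN=Users,DC=labrats,DC=se",
    "CN=squeak,CN=Users,DC=labrats,DC=se",
]

# The LDAP attribute map from the slide: memberOf value -> ASA Group Policy.
LDAP_MAP = {
    "CN=Rats,CN=Users,DC=labrats,DC=se": "RatsBYOD",
    "CN=Cats,CN=Users,DC=labrats,DC=se": "CatsBYOD",
}


def asa_group_policy(user_dn, directory=DIRECTORY, ldap_map=LDAP_MAP, default="DfltGrpPolicy"):
    """Model of the ASA behaviour on the slide: look only at the user's own memberOf
    values, in the order the directory returns them, and take the first one that has
    a map entry. Nested groups are not followed."""
    for group_dn in directory.get(user_dn, []):
        if group_dn in ldap_map:
            return ldap_map[group_dn]
    return default


def effective_groups(object_dn, directory=DIRECTORY):
    """All groups the object belongs to, directly or through nesting."""
    seen, stack = set(), list(directory.get(object_dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(directory.get(group, []))
    return seen


def nesting_aware_policy(user_dn, directory=DIRECTORY, ldap_map=LDAP_MAP, default="DfltGrpPolicy"):
    """Same map, evaluated over the transitive group set; map order decides ties."""
    groups = effective_groups(user_dn, directory)
    for group_dn, policy in ldap_map.items():
        if group_dn in groups:
            return policy
    return default


def review_mapping(user_dns, directory=DIRECTORY, ldap_map=LDAP_MAP):
    """Users whose ASA result differs from the nesting-aware result: the accounts
    to check before relying on the memberOf map for authorization."""
    diffs = {}
    for dn in user_dns:
        asa = asa_group_policy(dn, directory, ldap_map)
        full = nesting_aware_policy(dn, directory, ldap_map)
        if asa != full:
            diffs[dn] = (asa, full)
    return diffs


if __name__ == "__main__":
    for dn, (asa, full) in review_mapping(USERS).items():
        print("%s: ASA gives %s, nesting-aware gives %s" % (dn, asa, full))
```

Two failure modes fall out of the model: squeak gets the default group policy because the ASA never sees Rats behind Rodents, and itchy's result depends purely on the order in which the directory lists Cats and Rats, which is exactly the "many memberOf" ambiguity the slide hands off to DAP or ISE.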
Troubleshooting AAA
• Checking that the right Group Policy has been assigned
Troubleshooting VPN on FTD with FMC
(Screenshot: FMC 6.2.1 beta showing the session's Connection Profile and Group Policy)
User Selection of Connection Profile (1)
• Drop-Down list allows user to select login method (Connection Profile)
AnyConnect Client Profiles
• XML file created by ASDM, downloaded to client from ASA or pre-deployed to client via desktop management system.
Client Profile (excerpt):
....
<AutomaticVPNPolicy>true
<TrustedDNSDomains>labrats.se</TrustedDNSDomains>
<TrustedDNSServers>10.1.41.10</TrustedDNSServers>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<AlwaysOn>true
....
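The AutomaticVPNPolicy excerpt above evaluated in Python, as an added example that is not Cisco's code: load_tnd() reads the trusted-network settings from the profile and tnd_action() returns the policy that applies on a given network. The slide shows a truncated excerpt, so the enclosing AnyConnectProfile/ClientInitialization elements and the closing tags are assumptions; the matching rule is also an assumption made for this example (when both a domain list and a server list are configured, one entry of each must match), chosen so that a spoofed DNS suffix alone cannot turn the VPN off.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed profile: the slide's values wrapped in assumed enclosing elements.
PROFILE_XML = """<AnyConnectProfile>
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>labrats.se</TrustedDNSDomains>
      <TrustedDNSServers>10.1.41.10</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true</AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def load_tnd(xml_text):
    """Extract the trusted network detection settings, or None if absent."""
    root = ET.fromstring(xml_text)
    policy = root.find("./ClientInitialization/AutomaticVPNPolicy")
    if policy is None:
        return None

    def text(tag):
        node = policy.find(tag)
        return (node.text or "").strip() if node is not None else ""

    def csv(tag):
        return [v.strip().lower() for v in text(tag).split(",") if v.strip()]

    return {
        "enabled": (policy.text or "").strip().lower() == "true",
        "trusted_domains": csv("TrustedDNSDomains"),
        "trusted_servers": csv("TrustedDNSServers"),
        "trusted_policy": text("TrustedNetworkPolicy"),
        "untrusted_policy": text("UntrustedNetworkPolicy"),
        "always_on": text("AlwaysOn").lower() == "true",
    }


def network_is_trusted(tnd, dns_suffixes, dns_servers):
    """Assumed rule: each configured list must have a match; an empty list is no
    constraint. Domain entries may use shell-style wildcards (e.g. *.labrats.se)."""
    domain_ok = not tnd["trusted_domains"] or any(
        fnmatch.fnmatch(suffix.lower(), pattern)
        for suffix in dns_suffixes for pattern in tnd["trusted_domains"])
    server_ok = not tnd["trusted_servers"] or any(
        server in tnd["trusted_servers"] for server in dns_servers)
    return domain_ok and server_ok


def tnd_action(tnd, dns_suffixes, dns_servers):
    """The policy AnyConnect applies on this network: TrustedNetworkPolicy,
    UntrustedNetworkPolicy, or DoNothing when the feature is off."""
    if not tnd or not tnd["enabled"]:
        return "DoNothing"
    if network_is_trusted(tnd, dns_suffixes, dns_servers):
        return tnd["trusted_policy"]
    return tnd["untrusted_policy"]


if __name__ == "__main__":
    settings = load_tnd(PROFILE_XML)
    print("office:", tnd_action(settings, ["labrats.se"], ["10.1.41.10"]))
    print("home:  ", tnd_action(settings, ["home.lan"], ["192.168.1.1"]))
```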
In the AnyConnect Client Profile : Server List
• Specify servers in the server list
• Do not specify Host Address
• May cause cert warnings
• Don’t have the user choose connection profile
• Save mouse clicks
(Screenshot: Client Profile server list entry "Connect to host roddy.labrats.se" with a blank Connection Profile, ...using the Connection Profile specified with this Group URL)
Agenda: AAA Deep Dive, Client Certificates
Authentication with Client Certificates
Client -> Server: ClientHello
Server -> Client: ServerHello, ServerCertChain, Client Certificate Request, ServerHelloDone
Client -> Server: Client Certificate, ClientKeyExchange (Encrypted Random byte string), ChangeCipherSpec, ClientFinished
Server -> Client: ChangeCipherSpec, ServerFinished
Both directions: Application Data
Authentication with Client Certificates
• Considered stronger authentication than passwords
• No need to manage passwords (password complexity, resetting passwords, expiring passwords...)
• Need to manage a PKI (Public Key Infrastructure) to enroll and revoke certificates
• Client Certificates may be tied to machine or user
• User certificates may be soft or hard (smart cards)
• We can make it difficult to move a certificate from one machine to another: Using client certificates allows us to distinguish corporate devices from other devices (employee iPADs etc)
ASA must trust the Issuer of Client Certificates
• Install Issuer CA Certificate
• from file
• paste PEM file
• SCEP
• Issuer of client certificates may be different to the issuer of the ASA certificate
(Screenshot: ASDM options Install From File, Install from SCEP, Paste PEM)
Authentication with Client Certificates
• Defined in Connection Profile
• Certificate authentication can be combined with passwords
• Added options for multiple certificates in ASA 9.7.1
Options: Certificate; Certificate + AAA; Multiple Certificates; Multiple Certificates + AAA
(Screenshot: Connection Profile ”Certs")
Authentication with Client Certificates, Authorization with RADIUS (ISE)
• User authenticated with client certificate
• Username (some field) of certificate used for RADIUS lookup
• RADIUS server returns Group Policy and/or SGT
(Diagram: Connection Profile "cert" with Client Profile "HighSec" uses AAA Server Group ISE for authorization; ISE returns Default Group Policy, CatsCorp or RatsCorp and a Security Group)
Using ISE for Authorization and Accounting
(Screenshot: Connection Profile "cert" configured for ISE authorization and accounting)
Client Certificate Authentication with ISE
• Authentication is between AnyConnect and ASA, ISE never sees or validates cert
• ASA does an authorize-only lookup (RFC 5176) with no password
Client logon to ASA with certificate, then:
ASA -> ISE: ACCESS REQUEST, [email protected], service-type=authorize-only
ISE -> ASA: ACCESS ACCEPT, class="CatsCorp"
Connection Profile Name sent to ISE
• ASA sends info about Connection Profile and Client Type to RADIUS server
• Can be used by RADIUS Server Policy
Client logon to ASA, then:
ASA -> ISE: ACCESS REQUEST, [email protected], service-type=authorize-only, "connection-profile"=certs
ISE policy: Certs used, set class = CatsCorp
ISE -> ASA: ACCESS ACCEPT, class="CatsCorp"
Authentication with Client Certificates, Authorization with LDAP (if no ISE)
• User authenticated with client certificate
• Username (some field) of certificate used for LDAP lookup
• LDAP attributes are mapped to a Group Policy
(Diagram: Connection Profile "cert" with Client Profile "HighSec" uses AAA Server Group LDAP; the LDAP map selects Default Group Policy, CatsCorp or RatsCorp)
A smart card is just another client certificate
• Same principles and configuration as for soft client certificates
Double Certificate Authentication
• ASA 9.7.1 with AnyConnect 4.4 now supports “double” cert authentication!
• First authenticate with computer certificate
• Second authenticate with user certificate/smart card
• Proves it is a “corporate machine” and adds strong user authentication
Client Profile Options to select the right certificate
• Certificate Store : User, Machine or All
• Certificate Store Override : check if non administrator needs access to machine certificate
• Uncheck for Automatic certificate Selection
(Screenshot: Client Profile)
Certificate Matching (for automatic cert selection)
• If client (or smartcard) contains many certificates, we can specify which one should be selected (used with automatic certificate selection)
(Screenshot: Client Profile, Certificate Matching)
Agenda
• Introduction
• AnyConnect Fundamentals
• AAA Deep Dive: RADIUS & LDAP
• AAA Deep Dive: Client Certificates
• Provisioning Client Certificates
• Posture Checking
• Securing the Client
• Customizing the User Experience
• AnyConnect Network Integration
Certificate Enrolment: Active Directory
• Microsoft Active Directory supports automatic certificate enrolment for user and machine certificates
• User and machine are members of the Active Directory domain: their certificates can be pushed by GPOs (Group Policy Objects)
• http://technet.microsoft.com/en-us/library/cc770546.aspx
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Certificate Enrolment : Active Directory (2)
• Microsoft CA also supports web enrolment
• Can be used by non-domain members, e.g. MACs
BRKSEC-2501 84
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Simple Certificate Enrolment Protocol (SCEP)
• http://tools.ietf.org/id/draft-nourse-scep-23.txt
• Protocol for enrolling certificates over HTTP (basically encapsulating PKCS#10 and PKCS#7 over HTTP)
• Originally developed by Verisign for Cisco
• Widely supported by network devices (including ASA and AnyConnect), clients and most Certificate Authorities (including Microsoft CA and Cisco ISE)
[Figure: client enrolling to a CA over SCEP]
AnyConnect SCEP Proxy Support
• ASA can be an SCEP proxy, enabling AnyConnect on the outside to enroll to a CA on the inside of the ASA without poking holes in the firewall
• Not to be confused with Legacy SCEP, where AnyConnect speaks directly to the CA over the VPN tunnel
• SCEP proxy requires AnyConnect 3.0 or later
[Figure: AnyConnect speaks SCEP to the ASA, which speaks SCEP to the CA (ISE in the figure) on the inside]
Case Study: Secure Enrolment of Certificates to Mobile Devices
• Mobile users (Windows, Mac, phone, Android) log on from anywhere (over the internet) to enroll
• Secure authentication via OTP sent by SMS to the mobile
• Certificate automatically enrolled with the correct subject name
• Note: to mitigate the risk of stolen phones, use certs + AAA for authentication
• Is phone PIN code protection of the certificate enough?
[Figure: mobile device connects to the ASA over VPN; the ASA talks to the OTP server and to the CA over SCEP]
1. User connects to ASA
2. User gets SMS with OTP
3. User logs on with OTP
4. AnyConnect gets certificate from ASA (proxy to CA); the cert can also be used for 802.1X*
[Figure: ASA with OTP server, CA and AD behind it; Client Profile "scepproxy"; SCEP from AnyConnect to the ASA and from the ASA to the CA]
What to Configure on ASA
• Configuration example on http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html#wp1591160
[Figure: Connection Profile "SCEPProxyEnroll" using AAA Server Group SMS (RADIUS) and AAA Server Group AD (LDAP), Group Policy "SCEPProxyEnroll" and Client Profile "scepproxy"]
Agenda (section divider)
AnyConnect Posture with ISE: Do the Clients Meet Requirements?
• Possible to check that the client meets posture requirements: OS, Anti-Virus, Personal Firewall, Registry Keys
• ... or compliance with patch management status
• Leverages the AnyConnect ISE Posture Module
• Posture control and decision defined in ISE
[Figure: VPN connection over the internet to the ASA; ISE reports "Not OK according to SCCM, and he is a RAT!!!!!"]
AnyConnect ISE Posture Module
• Windows and Mac
• Checks and remediates posture
• Works on campus (wired, wireless 802.1X)
• Works with AnyConnect VPN
• Posture checking with Patch Management (SCCM)
• Software and XML config file provisioned from ASA, from ISE, or via Desktop Management System
• Requires Compliance Module provisioned from ISE or via Desktop Management System
[Figure: Desktop Posture Checking and Remediation]
AnyConnect ISE Posture Flow
[Figure: message sequence between ASA and ISE]
1. Logon: ASA sends ACCESS REQUEST to ISE
2. ISE answers ACCESS ACCEPT with url-redirect-ACL = Quarantine, url-redirect = https://ise..., SGT = Quarantine
3. The client discovers ISE and receives the Posture Requirements
4. The client sends its Posture Report (Compliant)
5. ISE sends CoA REQUEST to the ASA with SGT = CleanCat and a DACL
6. ASA answers CoA ACK
What to Configure on ASA for ISE Posture
• Configure a standalone ACL
• permit means redirect traffic to ISE (default)
• deny means do not redirect: this is traffic to ISE itself, traffic to remediation servers...
• The name of the ACL must match the RADIUS attribute "url-redirect-acl" signalled by ISE
[Figure: the redirect ACL; permit means "Redirect to ISE", deny means "Do not Redirect"]
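The redirect ACL semantics from the slide, worked through as an added Python model that parses a small subset of ASA extended ACL syntax and evaluates sample flows against it. This is not Cisco code; the addresses, the ACL name and the url-redirect value are constructed, and only the `access-list NAME extended permit|deny PROTO any|host A.B.C.D any|host A.B.C.D [eq PORT]` form is understood. It also covers the misconfiguration the slide warns about: an ACL whose name does not match the RADIUS attribute.

```python
"""ISE posture redirect ACL semantics on the ASA, modelled in Python.
Added example, not Cisco code. It parses a small subset of ASA extended ACL
syntax (constructed sample lines below, addresses are placeholders) and
applies the two rules from the slide: a permit entry means "redirect this
flow to ISE", a deny entry means "let it through unredirected", and the ACL
name must equal the value ISE sends in url-redirect-acl. Evaluation is
first match, top to bottom; no match means no redirect.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return str(ipaddress.ip_address(tokens[i + 1])), i + 2
    raise ValueError("unsupported address form: " + tokens[i])


def parse_acl(config: str) -> Dict[str, List[Ace]]:
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, kind, action, proto = tokens[1], tokens[2], tokens[3], tokens[4]
        if kind != "extended" or action not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
    return acls


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or rule == addr


def redirect_decision(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """'redirect', 'pass' or 'no-match' (implicit deny = not redirected)."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return "redirect" if ace.action == "permit" else "pass"
    return "no-match"


def check_redirect(acls: Dict[str, List[Ace]], radius_attrs: Dict[str, str],
                   proto: str, src: str, dst: str, dport: int) -> str:
    """Looks up the ACL named in url-redirect-acl; a name that exists on ISE
    but not on the ASA means the redirect cannot be applied at all."""
    name = radius_attrs.get("url-redirect-acl", "")
    if name not in acls:
        return "acl-missing"
    return redirect_decision(acls[name], proto, src, dst, dport)


# Constructed sample configuration: ISE itself and a remediation server are
# excluded from the redirect, web traffic is redirected.
SAMPLE_CONFIG = """
access-list Quarantine extended deny ip any host 10.0.0.10
access-list Quarantine extended deny tcp any host 10.0.0.20 eq 80
access-list Quarantine extended permit tcp any any eq 80
access-list Quarantine extended permit tcp any any eq 443
"""
ISE_ATTRS = {"url-redirect-acl": "Quarantine",
             "url-redirect": "https://ise.labrats.se/portal"}

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    for dst, port in (("198.51.100.7", 80), ("10.0.0.10", 443), ("10.0.0.20", 80)):
        print(dst, port, check_redirect(acls, ISE_ATTRS, "tcp", "192.0.2.5", dst, port))
```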
AnyConnect Posture without ISE: Do the Clients Meet Requirements?
• AnyConnect Posture Module (Hostscan)
• Possible to check that the client meets posture requirements: OS, Anti-Virus, Personal Firewall, Registry Keys
• Used in combination with Dynamic Access Policies (DAP) to grant access to clients depending on their posture status
[Figure: VPN connection over the internet to the ASA; Hostscan reports "Microsoft Firewall ON, but no Antivirus... and he is a RAT!!!!!"]
The Host Scan Process
[Figure: Host Scan loads. Prelogin checks based on OS, IP, certificate, file and registry classify the endpoint as "Corp Windows", "Mac" or Other. In parallel, Endpoint Assessment gets info on FW, AV, AS, registry, processes, files..., and Advanced Endpoint Assessment remediates/fixes FW, AV, AS. Both feed the DAP policy]
Configuring Host Scan
• Endpoint Assessment must be checked to retrieve info on AV, AS and firewall settings that can be enforced by DAP
• Possible to create checks for processes, files and registry keys that can be enforced by DAP
Dynamic Access Policies (DAP)
• DAP allows granular access control to resources based on authentication method, AAA parameters and posture
• Very flexible, allowing Data Owners to set the policies for access to their data:
• "to access my data you must be a member of AD groups Cats and ProjectX, you must be logged in with strong authentication and you must have Antivirus on a corporate machine"
[Figure: the ASA permits a client with Microsoft Firewall ON, Antivirus ON and memberOf Cats AND ProjectX, and denies the others]
Configuring DAP
[Figure: DAP record editor. Conditions: if member of Cats and ProjectX, logged on with certificate..., and the policy is Corporate Windows, Registry Key is..., Antivirus updated... Authorization: IPv4/IPv6 ACL (don't mix permit and deny in the ACL)]
Default DAP (DfltAccessPolicy)
Condition                 | ACL
ITSupport w clean PC      | RDP to everything
Cats+ProjectX w clean PC  | ProjectX
Rats                      | Rats WebSite
DfltAccessPolicy          | Action = Terminate
• If no DAP matches then DfltAccessPolicy applies
DAP Grows On You! (DAP accumulates)
• Matching several conditions accumulates access rights
Condition                 | ACL
ITSupport w clean PC      | RDP to everything
Cats+Project X w clean PC | ProjectX
Rats                      | Rats WebSite
[Figure: a user matching both ITSupport and Rats gets "RDP to everything" plus "Rats Website"]
The Power of DAP
• Very flexible mapping to multiple "memberOf"
• Example: 4 groups in the directory, A, B, C and D
• A user may be a member of 0 to 4 groups: 16 combinations (2^n, here 2^4)
[Figure: the 16 combinations: none, A, B, C, D, AB, AC, AD, BC, BD, CD, ABC, ABD, ACD, BCD, ABCD]
• Quiz: how many DAP policies do you need to cover the 16 combinations?
Condition (memberOf)      | ACL
A                         | ACL-A
B                         | ACL-B
C                         | ACL-C
D                         | ACL-D
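DAP record matching, accumulation and the default policy from the slides above, worked through as an added Python model. This is not ASA code: group names, ACL entries, the posture field names and the "first-seen order" of merged ACL entries are constructed or assumed. The last function answers the quiz by brute force: with one record per group, every one of the 2^n membership combinations gets exactly the ACLs of the groups the user belongs to, because the matching records' ACLs accumulate.

```python
"""Dynamic Access Policy (DAP) evaluation with accumulation, modelled in
Python. Added example, not ASA code. Each DAP record carries conditions on
AAA attributes (memberOf), the authentication method and endpoint posture,
plus a network ACL. Every record whose conditions all hold contributes its
ACL entries; when no record matches, DfltAccessPolicy applies and, as on
the slide, terminates the session. records_needed_for_all_combinations()
answers the quiz: one record per group is enough.
Group names, ACL entries and posture fields are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Set


@dataclass
class Session:
    member_of: Set[str]
    auth_method: str                               # e.g. "certificate", "password"
    posture: Dict[str, bool] = field(default_factory=dict)


@dataclass
class DapRecord:
    name: str
    member_of_all: Set[str] = field(default_factory=set)     # every group required
    auth_method: str = ""                                     # "" = any method
    posture_required: Dict[str, bool] = field(default_factory=dict)
    acl: List[str] = field(default_factory=list)             # permit entries only


def record_matches(rec: DapRecord, s: Session) -> bool:
    if not rec.member_of_all <= s.member_of:
        return False
    if rec.auth_method and rec.auth_method != s.auth_method:
        return False
    return all(s.posture.get(k) == v for k, v in rec.posture_required.items())


def evaluate_dap(records: List[DapRecord], s: Session) -> Dict[str, object]:
    """Accumulated access rights, or the default policy's terminate action."""
    hits = [r for r in records if record_matches(r, s)]
    if not hits:
        return {"action": "terminate", "matched": [], "acl": []}
    acl: List[str] = []
    for r in hits:                         # accumulate, first-seen order
        for entry in r.acl:
            if entry not in acl:
                acl.append(entry)
    # The slide's advice not to mix permit and deny applies here: entries
    # merged from several records have no single author-intended order.
    return {"action": "continue", "matched": [r.name for r in hits], "acl": acl}


# Constructed records mirroring the slides' table.
CLEAN_PC = {"firewall_on": True, "av_updated": True}
RECORDS = [
    DapRecord("ITSupport-clean", {"ITSupport"}, "", CLEAN_PC, ["permit tcp any any eq 3389"]),
    DapRecord("Cats-ProjectX-clean", {"Cats", "ProjectX"}, "certificate", CLEAN_PC,
              ["permit ip any ProjectX-net"]),
    DapRecord("Rats", {"Rats"}, "", {}, ["permit tcp any Rats-Web eq 443"]),
]


def records_needed_for_all_combinations(groups: str) -> int:
    """Quiz check: with one record per group, every one of the 2^n group
    subsets yields exactly the ACLs of the groups the user is in."""
    recs = [DapRecord(g, {g}, "", {}, ["ACL-" + g]) for g in groups]
    for n in range(len(groups) + 1):
        for subset in combinations(groups, n):
            result = evaluate_dap(recs, Session(set(subset), "password"))
            expected = ["ACL-" + g for g in groups if g in subset]
            if sorted(result["acl"]) != expected:
                raise AssertionError("unexpected ACLs for %r: %r" % (subset, result))
    return len(recs)


if __name__ == "__main__":
    print(evaluate_dap(RECORDS, Session({"ITSupport", "Rats"}, "password", CLEAN_PC)))
    print(records_needed_for_all_combinations("ABCD"))
```

The terminate branch is the one to test first when rolling out DAP: a user who matches no record (here, Cats+ProjectX logging on with a password instead of a certificate) gets no session at all, which is the intended outcome but an easy one to overlook.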
Endpoint Visibility        | ASA Hostscan        | ISE Posture
Policy Framework           | DAP                 | ISE+VPN
Updates                    | Every 3 months      | Dynamically
IP, Hostname, MAC address  | Yes                 | Yes
Certificate Fields         | Yes                 | Yes
BIOS Serial Number         | Yes                 | No
Personal Firewall          | Yes                 | Roadmap
File CRC32 Check           | Yes                 | Yes
Disk Encryption            | Roadmap             | Yes
SHA256 File Check          | Roadmap             | Yes
USB Check                  | Roadmap             | Yes*
Application                | Roadmap             | Yes, ISE 2.2
Stealth Agent              | Roadmap             | Yes
OS Support                 | Windows, Mac, Linux | Windows, Mac
Agenda (section divider)
(No) Split Tunnelling Policy
• Defined in Group Policy: whether to allow traffic outside of the tunnel
[Figure: traffic to the internet outside the tunnel is DENIED; Split DNS, Split IPv4 and Split IPv6 settings on the ASA]
Note on Split Tunnelling Policy for Mobile Devices
• Even with no split tunnelling (Tunnel All Networks), certain traffic from mobile devices (e.g. iTunes) goes outside the tunnel
[Figure: mobile device connected to the ASA, with some traffic bypassing the tunnel]
Split Tunneling Example (IPv4 and IPv6)
• Extended ACL (extended ACLs are unified IPv4/IPv6)
• Add IPv4 and IPv6 networks in the Source
[Figure: split tunnel network list configured as an extended ACL]
No Split Tunneling but Allow Local LAN Access
• Group Policy: Exclude Network List containing 0.0.0.0/32 and ::/128
• Must also be allowed per client profile
[Figure: local LAN traffic stays outside the tunnel, all other traffic outside the tunnel is DENIED]
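The split tunnelling decisions from the last four slides, worked through as an added Python model that goes slightly beyond the slides by handling all three policy settings and both address families in one list. It is not AnyConnect or ASA code: the policy names reuse the ASA keywords tunnelall, tunnelspecified and excludespecified, the interface addresses and network lists are constructed, and the way the 0.0.0.0/32 and ::/128 markers are expanded into the client's connected subnets, gated by the client profile's local LAN permission, is this model's reading of the slide.

```python
"""Split tunnelling decision for a destination address, modelled in Python.
Added example, not AnyConnect or ASA code. It covers the three Group Policy
settings (the ASA keywords tunnelall, tunnelspecified and excludespecified
are used as policy names here), a unified IPv4/IPv6 network list, and the
local LAN case on the slide: 0.0.0.0/32 and ::/128 in the exclude list stand
for the client's own connected subnets, and they only take effect if the
client profile also allows local LAN access. Interface addresses and
network lists below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

LOCAL_LAN_MARKERS = {ipaddress.ip_network("0.0.0.0/32"), ipaddress.ip_network("::/128")}


def resolve_network_list(networks: Iterable[str], client_interfaces: Iterable[str],
                         local_lan_allowed_in_profile: bool) -> List[IPNet]:
    """Expand the ASA-side list into concrete networks as seen by the client.
    Marker entries become the connected subnets of the client's interfaces,
    or nothing when the client profile does not permit local LAN access."""
    ifaces = [ipaddress.ip_interface(i) for i in client_interfaces]
    out: List[IPNet] = []
    for n in networks:
        net = ipaddress.ip_network(n)
        if net in LOCAL_LAN_MARKERS:
            if local_lan_allowed_in_profile:
                out.extend(i.network for i in ifaces if i.version == net.version)
        else:
            out.append(net)
    return out


def tunnelled(dest: str, policy: str, networks: List[IPNet]) -> bool:
    """True if traffic to dest goes through the VPN tunnel."""
    d = ipaddress.ip_address(dest)
    in_list = any(d.version == n.version and d in n for n in networks)
    if policy == "tunnelall":
        return True                      # no split tunnelling at all
    if policy == "tunnelspecified":
        return in_list                   # only listed networks are tunnelled
    if policy == "excludespecified":
        return not in_list               # everything except listed networks
    raise ValueError("unknown split-tunnel policy: " + policy)


# Constructed client: one IPv4 and one IPv6 interface on a home LAN.
CLIENT_IFACES = ["192.168.1.20/24", "2001:db8:1::20/64"]
EXCLUDE_LIST = ["0.0.0.0/32", "::/128", "203.0.113.0/24"]

if __name__ == "__main__":
    nets = resolve_network_list(EXCLUDE_LIST, CLIENT_IFACES, True)
    for dst in ("192.168.1.99", "2001:db8:1::5", "203.0.113.9", "10.9.9.9"):
        print(dst, "tunnelled" if tunnelled(dst, "excludespecified", nets) else "local")
```

The security-relevant edge is the profile gate: with the markers in the Group Policy but local LAN access disabled in the client profile, the model resolves the list to nothing and the home LAN is tunnelled (that is, denied by the "no split tunnelling" policy), which is the behaviour the slide's "must also be allowed per client profile" note describes.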
Per App VPN
• Available for iOS 7.0+, Samsung Knox, generic Android 5.0+
• Allows for tunneling a specified subset of apps through one AnyConnect tunnel
• Save resources: don’t Netflix over the VPN tunnel
• Security: don’t allow non-enterprise apps on the enterprise network
• Configured via DAP
Seamless Security with Always-On
• Encourage/force (some) users to always be connected over VPN when off-premises
• Works on Windows, Mac
• Objective #1: seamless, simple user experience
• Automatic connection, "I am always at work"
• Objective #2: increased security if surfing out via Enterprise Proxy or NGFW
[Figure: client reaching the Labrats fileshare and the web through the ASA. Trusted Network Detection automatically establishes the tunnel if not on the enterprise network; Always On blocks traffic until the tunnel is established]
AnyConnect Client Profile with Always-On
• Define conditions for Trusted Network Detection: DNS servers and domain; AC 4.2: https:// reachability
• Define Always-On (must also define Server List)
• Connection Failure Policy: Open or Closed. Balance security requirements vs. the risk of no network...
• If Closed, specify if traffic will be allowed for X minutes if a Captive Portal is detected
• "Last VPN Local Resource Rules": last client firewall rules
[Figure: the settings in the AnyConnect Client Profile. Always On blocks traffic until the tunnel is established, except if a Captive Portal is detected; Trusted Network Detection automatically establishes the tunnel if not on the enterprise network]
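The Trusted Network Detection conditions and the Always-On connection failure policy from the two slides above, worked through as an added Python decision model. It is not AnyConnect code: the https reachability probe is a boolean input rather than a real request, the rule that either TND condition (DNS match or probe) is enough is this model's assumption, and the DNS servers, domain and URL are constructed. The states it distinguishes are the ones the slides describe: trusted network, tunnel up, connecting, connection failed with an open policy, and connection failed with a closed policy with or without a captive portal window.

```python
"""Trusted Network Detection (TND) and Always-On decisions, modelled in Python.
Added example, not AnyConnect code. Inputs follow the slide: TND is
configured with trusted DNS servers plus a DNS domain and, from AnyConnect
4.2, an https reachability check; Always-On has a connection failure policy
of open or closed and, when closed, an optional number of minutes during
which traffic is allowed after a captive portal is detected. The function
returns what happens to traffic that is not on the VPN. The https probe is
a boolean input rather than a real request, the rule that either TND
condition is enough is this model's assumption, and all servers, domains
and URLs are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class TndProfile:
    trusted_dns_servers: Set[str]
    trusted_dns_domain: str
    trusted_https_url: Optional[str] = None      # AC 4.2 reachability probe


@dataclass
class AlwaysOnProfile:
    enabled: bool = True
    connect_failure_policy: str = "closed"       # "open" or "closed"
    captive_portal_remediation_minutes: int = 0  # closed policy only; 0 = never


@dataclass
class NetworkState:
    dns_servers: Set[str]
    dns_domain: str
    https_probe_ok: Optional[bool] = None        # None = probe not run
    captive_portal_detected: bool = False
    minutes_since_captive_portal: int = 0
    vpn_established: bool = False
    vpn_connect_failed: bool = False


def on_trusted_network(p: TndProfile, n: NetworkState) -> bool:
    dns_match = (n.dns_domain == p.trusted_dns_domain
                 and bool(n.dns_servers & p.trusted_dns_servers))
    probe_match = p.trusted_https_url is not None and n.https_probe_ok is True
    return dns_match or probe_match


def traffic_decision(tnd: TndProfile, ao: AlwaysOnProfile, n: NetworkState) -> str:
    """'pass': traffic flows outside the tunnel; 'tunnel': through the VPN;
    'block': dropped until the tunnel is up."""
    if on_trusted_network(tnd, n):
        return "pass"                    # on the enterprise network, no tunnel needed
    if n.vpn_established:
        return "tunnel"                  # TND brought the tunnel up
    if not ao.enabled:
        return "pass"                    # TND alone never blocks
    if not n.vpn_connect_failed:
        return "block"                   # Always-On: nothing leaves while connecting
    if ao.connect_failure_policy == "open":
        return "pass"                    # fail open: availability over security
    if (n.captive_portal_detected
            and n.minutes_since_captive_portal < ao.captive_portal_remediation_minutes):
        return "pass"                    # closed, but a window to log in to the portal
    return "block"                       # fail closed


# Constructed profiles.
TND = TndProfile({"10.0.0.53"}, "labrats.se", "https://tnd.labrats.se/")
ALWAYS_ON_CLOSED = AlwaysOnProfile(True, "closed", 5)
ALWAYS_ON_OPEN = AlwaysOnProfile(True, "open", 0)

if __name__ == "__main__":
    hotel = NetworkState({"192.0.2.1"}, "hotel.example", https_probe_ok=False,
                         captive_portal_detected=True, minutes_since_captive_portal=2,
                         vpn_connect_failed=True)
    print("closed:", traffic_decision(TND, ALWAYS_ON_CLOSED, hotel))
    print("open:", traffic_decision(TND, ALWAYS_ON_OPEN, hotel))
```

Note what the DNS condition rests on: the DNS servers and domain are supplied by whatever network the client joins, so in this model a network that hands out the trusted values is treated as trusted. The https reachability check added in AC 4.2 gives TND a condition that an arbitrary network cannot satisfy by configuration alone, which is why the slide lists it separately.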
Always On Does Not Work for Mobile Devices
• Forcing Always-On not possible due to lack of OS APIs
• ... vendor considerations for battery life, security
• Trusted Network Detection (TND) for Android
• On Demand VPN for iOS
On Demand VPN for iOS - Configuration
• VPN automatically connected when traffic is directed to a predefined domain
• Requires client certificate
• Configured in Client Profile/Server List/Additional Mobile Only Settings
[Figure: AnyConnect Client Profile setting "Always connect when going to .labrats.se"]
On Demand VPN for iOS – User Experience
[Figure: iOS VPN indicator shown when the on-demand tunnel comes up]
Agenda (section divider)
Seamless Office Experience by Start-Before-Logon
• Allows (some) Windows users to connect VPN before logging into the computer
• Why? Allow domain logon, GPOs, logon scripts, changing passwords, etc.
• Can be used with or without Always-On
[Figure: 1. VPN connection to the ASA, 2. domain logon to AD, then access to the fileshare]
Configuring SBL in Client Profile
• May make it user controllable
• Note: client certificates in the User Store are typically not accessible before logon (no knowledge of who the user is). Client certificates on smart cards will work!
[Figure: SBL setting in the AnyConnect Client Profile]
SBL User Experience
[Figure: SBL login screen; mouse click needed!]
SBL User Experience with Smart Cards (2)
[Figure: SBL login with a smart card]
SBL User Experience with Smartcards (3)
• Smartcard can also be leveraged for domain logon, creating an “SSO experience”
Running Scripts after Connect and Disconnect
• Runs a predefined script when (some) users connect to (or disconnect from) the VPN
• Any native script language understood by the client (*.vbs, *.sh etc.)
• Script can be downloaded from the ASA, or distributed by some other means
• Why? Allow mapping of drives, GPO update when SBL is not possible (e.g. behind a captive portal)
• Also works on non-domain members, including Mac, Linux
[Figure: VPN connection to the ASA, then the script runs "net use q: ..." to map the fileshare]
Configuring Scripting
• Enable Scripting in the AnyConnect Client Profile
• Optionally: import the script to the ASA for download to all clients
• Alternatively, use other means of putting the script in the script directory for the desired clients
On the Client: The Scripts Folder
• AnyConnect executes the script in the scripts folder whose name starts with "OnConnect"/"OnDisconnect" after VPN connection/disconnection
• Only one script is executed, but that script can launch other scripts
• Troubleshooting: check that the script exists in the folder and that the AnyConnect Profile allows scripting; check that the script executes OK when invoked from the local machine (permissions etc.)
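The troubleshooting points from the last three slides (scripting enabled in the profile, one OnConnect/OnDisconnect script present in the scripts folder, script executable locally), turned into an added Python checker. It is not Cisco code: the profile element name <EnableScripting> is an assumption about the client profile XML, the scripts folder is whatever path the caller passes (the demo builds a throwaway one), and the script contents and profile fragment are constructed.

```python
"""Troubleshooting checklist for AnyConnect connect/disconnect scripts,
modelled in Python. Added example, not Cisco code. It mirrors the slide:
scripting must be enabled in the client profile, a script whose name starts
with OnConnect or OnDisconnect must exist in the scripts folder, only one
script per event is executed, and it must be executable on the local
machine. The profile element <EnableScripting> is an assumption about the
profile XML, and the scripts folder is whatever path the caller passes; the
demo builds a throwaway folder and a constructed profile fragment so the
check runs offline.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List


def scripting_enabled(profile_xml: str) -> bool:
    root = ET.fromstring(profile_xml)
    for el in root.iter():                    # ignore any xmlns prefix
        el.tag = el.tag.split("}", 1)[-1]
    el = root.find(".//EnableScripting")
    return el is not None and (el.text or "").strip().lower() == "true"


def find_event_scripts(folder: str, event: str) -> List[str]:
    """event is 'OnConnect' or 'OnDisconnect'."""
    return sorted(f for f in os.listdir(folder)
                  if f.startswith(event) and os.path.isfile(os.path.join(folder, f)))


def is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def check_scripts(folder: str, profile_xml: str, event: str) -> Dict[str, object]:
    findings: List[str] = []
    if not scripting_enabled(profile_xml):
        findings.append("scripting disabled in client profile")
    scripts = find_event_scripts(folder, event)
    if not scripts:
        findings.append("no %s* script in %s" % (event, folder))
    elif len(scripts) > 1:
        findings.append("more than one %s* script; only one is executed" % event)
    for s in scripts:
        if not is_executable(os.path.join(folder, s)):
            findings.append("%s is not executable" % s)
    return {"ok": not findings, "scripts": scripts, "findings": findings}


# Constructed profile fragment; the element name is an assumption.
SAMPLE_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""


def demo() -> Dict[str, Dict[str, object]]:
    """One good OnConnect script; two OnDisconnect scripts, one not executable."""
    folder = tempfile.mkdtemp(prefix="ac-scripts-")

    def write(name: str, executable: bool) -> None:
        path = os.path.join(folder, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder: map drives here\n")
        if executable:
            os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)

    write("OnConnect-mapdrives.sh", True)
    write("OnDisconnect-cleanup.sh", True)
    write("OnDisconnect-old.sh", False)
    return {"connect": check_scripts(folder, SAMPLE_PROFILE, "OnConnect"),
            "disconnect": check_scripts(folder, SAMPLE_PROFILE, "OnDisconnect")}


if __name__ == "__main__":
    for event, result in demo().items():
        print(event, result)
```

Because anything placed in this folder runs with the user's session on every connect, the same checker is a useful periodic control: a second, unexpected OnConnect script is a finding worth investigating, not just a reason the intended one did not run.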
Conclusion
• Secure client with a seamless user experience
• Strong authentication and granular access control with AAA and DAP
• Consider using ISE for Unified Access (VPN, wired, wireless)
• Find the balance between requirements and complexity (testing, maintenance)
• Good security and networking skills are essential, but also knowledge of adjacent technologies such as Active Directory, LDAP and PKI, ISE… as well as different client platforms
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Continue Your IPv6 Education
• Demos in the Cisco campus: SRv6, 6CN (DevNet Zone)
• Walk-in Self-Paced Labs: LABCRS-1000, LTRRST-2016
• Lunch & Learn: Tuesday, Wednesday
• Meet the Engineer 1:1 meetings
• Related sessions: BRKRST-2667, BRKRST-2616, BRKSEC-2003, BRKSEC-3033, BRKSEC-3771, BRKRST-3304, BRKRST-2044, BRKRST-2312, BRKRST-3045, BRKSEC-3003, BRKRST-2022, BRKSPG-2300, BRKSEC-3200
• World of Solutions: ask about IPv6 support ;-)
Security Joins the Customer Connection Program (Customer User Group Program)
19,000+ Members Strong
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco’s Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks
Join in World of Solutions: Security zone Customer Connection stand; learn about CCP and join; new member thank-you gift*; Customer Connection Member badge ribbon
Join online: www.cisco.com/go/ccp
Come to the Security zone to get your new member gift* and ribbon
* While supplies last
Call to Action: Learning More about IPv6
Lunch and Learn:
• IPv6 in the Enterprise: Tue 13:00
• All Things IPv6: Wed 13:00
Experiment with IPv6-only WiFi: SSID: CL-NAT64, WPA passphrase: cl-nat64, SLAAC + stateless DHCP, NAT64 included to access legacy
Ask all World of Solutions exhibitors for their IPv6 support
DevNet Zone: IPv6 Content Networking + ask other demos
LTRSEC-3004 Advanced IOS IPSec VPN with FlexVPN hands-on Lab Tue 09:00:00
BRKIP6-2616 Addressing Networking challenges with latest Innovations in IPv6 Tue 11:15:00
BRKRST-2337 OSPF Deployment in Modern Networks Tue 11:15:00
BRKEWN-2010 Design and Deployment of Enterprise WLANs Tue 14:15:00
BRKSEC-2501 Deploying AnyConnect SSL VPN with ASA5500 Tue 14:15:00
LTRRST-2005 Introductory - LISP Cloud extension, VPN and DC Mobility Tue 14:15:00
BRKRST-2116 Intermediate - IPv6 from Intro to Intermediate Tue 14:15:00
BRKRST-2022 IPv6 Routing Protocols Update Tue 16:45:00
BRKSPG-2061 IPv6 Deployment Best Practices for the Cable Access Network Wed 09:00:00
BRKRST-3045 LISP - A Next Generation Networking Architecture Wed 09:00:00
LABSPG-7122 Advanced IPv6 Routing and services lab Wed 09:00:00
BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation Wed 11:30:00
BRKIPM-2239 Multicast and Segment Routing Wed 14:30:00
BRKIP6-2002 IPv6 for the World of IoT Wed 16:30:00
LABIPM-2007 Intermediate - IPv6 Hands on Lab Thu 09:00:00
BRKSEC-3003 Advanced IPv6 Security in the LAN Thu 11:30:00
BRKRST-2336 EIGRP Deployment in Modern Networks Thu 11:30:00
LABSPG-7122 Advanced IPv6 Routing and services lab Thu 14:00:00
BRKRST-2045 BGP operational security best practices Thu 14:30:00
BRKCOL-2020 IPv6 in Enterprise Unified Communications Networks Thu 14:30:00
LABIPM-2007 Intermediate - IPv6 Hands on Lab Fri 09:00:00
BRKRST-2301 Intermediate - Enterprise IPv6 Deployment Fri 09:00:00
BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers Fri 11:30:00
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Q & A
Thank You