Saturday, June 28, 2014

AnyConnect Secure Mobility Client Installation

When installing the AnyConnect client software for use by remote users, you have two installation options:

* Web deployment

* Manual predeployment

The choice ultimately depends on the environment the AnyConnect remote-access VPN will be deployed in. For example, if users are seldom in the corporate office and spend most of their time on the road, web deployment may suit their needs: opening the URL of the SSL VPN service triggers the automatic download and installation of the client software.

When deploying your first full-tunnel AnyConnect SSL VPN on an ASA device, you must complete a number of steps before remote users can connect to the device and begin using the connection for access to internal resources:

* IP addressing: The ASA device requires an IP address for the external- and internal-facing interfaces (and any demilitarized zone [DMZ] or other internal networks that may be required). Therefore, you must know your organization's IP addressing policy to complete this step and assign the device-required addresses.

* Enable IPv6 access: This step is optional and should only need to be completed if your organization uses an internal IPv6 addressing scheme and you aim to extend the use of IPv6 to your VPN-connected clients. IPv6 is only supported with SSL connectivity and not IKEv2.

* Hostname, domain name, and Domain Name System (DNS): SSL requires the ASA to have a hostname and domain name combination configured before an RSA key pair can be generated to secure packets between the ASA and remote clients. Give your ASA a hostname and configure a domain name. In addition, configure the addresses of your organization's internal DNS servers to allow users access by fully qualified domain name (FQDN) to any internal or external resources they require through the SSL VPN tunnel after it has successfully established.

* Enroll with a CA and become a member of a PKI: The use of SSL on your ASA device also requires the ASA to have an identity certificate installed, which is used for the successful authentication of the ASA.

* Enable the relevant interfaces for SSL/DTLS and AnyConnect client access: Before SSL, DTLS, IKEv2, and AnyConnect client access can occur, you need to specify which interface these services will be available on.

* Create a connection profile: In this step, create a new connection profile and enable it for use with SSL VPN connections. A connection profile provides your AnyConnect users with prelogin settings such as authentication and authorization methods, DNS servers and domain name, IP address pool, and so on.
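As an added example (not from the original post), the following is a CLI equivalent of the preparation steps above for a full-tunnel AnyConnect profile, written in ASA 8.4-or-later syntax. The interface names, addresses, pool range, trustpoint name ROOT-CA, key label SSL-KEY, group policy name and the .pkg file name are assumptions; only the ANYCONNECT-PROF profile name comes from the post.

```cisco
! Constructed example, ASA 8.4+ syntax. All names and addresses are placeholders.
!
! Step 1: IP addressing on the internal- and external-facing interfaces
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Step 2 (optional): IPv6 for VPN clients is SSL-only. If needed, add "ipv6 enable"
! on the inside interface and an "ipv6-address-pool" under the tunnel-group below.
!
! Step 3: hostname, domain name and internal DNS servers
hostname ASA5505
domain-name example.com
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10
 domain-name example.com
!
! RSA key pair used by the SSL listener and for certificate enrollment
crypto key generate rsa label SSL-KEY modulus 2048
!
! Step 4: trustpoint that will hold the CA root and the ASA identity certificate.
! Authenticate and enroll against the CA before binding the trustpoint to the interface.
crypto ca trustpoint ROOT-CA
 enrollment terminal
 keypair SSL-KEY
ssl trust-point ROOT-CA outside
!
! Step 5: enable SSL/DTLS and AnyConnect client access on the outside interface
ip local pool ANYCONNECT-POOL 10.1.1.10-10.1.1.100 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-VERSION-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Step 6: connection profile with its prelogin settings (auth, DNS, pool, policy)
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.1.10
 default-domain value example.com
 split-tunnel-policy tunnelall
!
tunnel-group ANYCONNECT-PROF type remote-access
tunnel-group ANYCONNECT-PROF general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group LOCAL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-PROF webvpn-attributes
 group-alias ANYCONNECT-PROF enable
!
! Verification after a client connects:
! show vpn-sessiondb anyconnect
```

The group-alias is what appears in the portal's drop-down menu, so its spelling must match what users are told to select. Leaving the trustpoint un-enrolled means the ASA falls back to its self-signed certificate, which is the browser-warning situation the CA certificate post addresses.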

I'll be using the AnyConnect VPN wizard in ASDM and choose web deployment as an example.

Download the AnyConnect .pkg file from Cisco.com (CCO login required) and upload it from the PC's local drive.

We log in to the SSL VPN portal and choose the ANYCONNECT-PROF group from the drop-down menu. The portal automatically prompts to download and install the AnyConnect software.

I received the IP address 10.1.1.10/24 from the AnyConnect pool.

To verify, we go to Monitoring > VPN Statistics > Sessions > Filter by: AnyConnect (optionally click Details).

We could also view the same output via the CLI using the command show vpn-sessiondb anyconnect.

Saturday, June 14, 2014

Adding a CA Root Certificate on the ASA

By default, the ASA device creates a self-signed certificate for SSL authentication. This is fine for a test or lab environment. However, when you allow access to remote users outside your organization, you will usually purchase a valid certificate from a recognized certificate authority (CA) to prevent them from receiving browser warnings about your certificate being invalid.

The ASA has no default CA root certificate installed. So, before you add an identity certificate for the ASA, you first need to add the certificate of the issuing CA from which you purchased your certificate. These are downloaded from the CA's website. A few locations to download common CA certificates are listed here:

* https://www.entrust.net/downloads/root_index.cfm

* https://support.globalsign.com/customer/portal/articles/1219303-serversign-root-certificates---downloads

* https://www.symantec.com/page.jsp?id=roots

Otherwise, you could use an in-house CA. I've used my Cisco 871w router as the CA server for my PKI, which I posted about on my other blog.

Now that you have your CA's root certificate, in the ASDM navigate to Configuration > Device Management > Certificate Management > CA Certificates and click the Add button on the right side.

Within the Install Certificate window, you have the option to enter a trustpoint name for the CA certificate you are importing. A trustpoint is used by the ASA as a container for CA and certificate information. It is generally advisable to enter the name of the root CA, which will make life a bit easier for you when you come to install new certificates or troubleshoot existing ones. You have three options for how to install the certificate, depending on how you retrieved the root certificate (downloaded it from the CA's site in a zip file, copied a base64 output to your Clipboard, or used Simple Certificate Enrollment Protocol [SCEP] to retrieve the file).

To use the configured identity certificate for the inbound clientless SSL VPN connections, we go to Configuration > Clientless SSL VPN Access > Connection Profiles > Device Certificate and choose the identity certificate from the drop-down menu.
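As an added example (not from the original post), here is the same workflow done from the CLI with the "paste base64 at the terminal" option: create a trustpoint named after the CA, install the CA root certificate, generate the certificate request, import the issued identity certificate, and bind it to the outside interface. The names ROOT-CA and SSL-KEY, the FQDN vpn.example.com and the subject name are assumptions.

```cisco
! Constructed example, ASA 8.4+ syntax. Names and the FQDN are placeholders.
!
! Key pair that the identity certificate will be issued for
crypto key generate rsa label SSL-KEY modulus 2048
!
! Trustpoint named after the issuing CA (easier to find later when renewing)
crypto ca trustpoint ROOT-CA
 enrollment terminal
 keypair SSL-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
 crl configure
!
! 1. Install the CA root certificate: paste the base64 (PEM) block at the prompt
!    and finish with "quit". The ASA prints the certificate fingerprint and asks
!    for confirmation; compare it against the fingerprint the CA publishes
!    before answering "yes".
crypto ca authenticate ROOT-CA
!
! 2. Generate the CSR. It is printed to the terminal; submit it to the CA.
crypto ca enroll ROOT-CA
!
! 3. Paste the identity certificate the CA returns (base64, finish with "quit").
crypto ca import ROOT-CA certificate
!
! 4. Confirm both the CA certificate and the identity certificate are present
!    and that the identity certificate chains to the CA and is not yet expired.
show crypto ca certificates ROOT-CA
!
! 5. Use the identity certificate for inbound SSL VPN connections on outside
ssl trust-point ROOT-CA outside
```

If the CA's root is not installed first, step 3 fails because the ASA cannot validate the chain of the certificate being imported, which is the ordering the post describes.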

Saturday, June 7, 2014

CCNP Security SITCS (300-207)

I'm just one step closer to completing my CCNP Security track. I was able to take the VPN (642-648) exam right before Cisco updated its CCNP Security track in April 2014.

Upon completing the VPN exam (plus FIREWALL), I got both the Cisco VPN Security Specialist and Cisco ASA Specialist certifications. It's unfortunate that Cisco also redesigned and announced the retirement of these Security Specialist certs on the same date. My Security Specialist certs are still valid for 2 more years though.

Cisco also released a great migration path tool in order to know how to mix and match the old and new CCNP Security exams. Using this tool, I would need just the SITCS (300-207) in order to complete my CCNP Security.

I recently found out that Cisco Press hasn't yet released (at the time of this writing) the Official Certification Guide (OCG) for SITCS, and Keith Barker is doing a refresh of the CBT Nuggets videos for the CCNP Security track, starting with SENSS. So I need to wait a little bit longer before studying for the SITCS exam and finally completing my CCNP Security journey.

Sunday, June 1, 2014

Clientless SSL VPN Double Authentication

One of the most common deployment scenarios for an SSL VPN solution is the use of a double authentication scheme. Double authentication was introduced in ASA code 8.2 and can support up to three simultaneous authentication methods that must all succeed before a user is successfully authenticated.

It is more common for corporations to use only two authentication methods when accessing internal resources remotely. The three authentication methods available are as follows:

* AAA authentication server (primary authentication stage)

* AAA authentication server (secondary authentication stage)

* Client certificate authentication (can be used alongside either the primary or secondary authentication stages or on its own)

We configure both double AAA and certificate authentication by navigating to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. In the Basic pane of the Edit Clientless SSL VPN Connection Profile window, click the Both option.

You can also use the CLI to configure secondary authentication. To do so, first enter general-attributes configuration mode for your selected tunnel group (connection profile) by using the tunnel-group <name> general-attributes command. Then specify the secondary authentication AAA group.

For this example, I chose to use the LOCAL user database twice.

ASA5505(config)# tunnel-group ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group
ASA5505(config)# tunnel-group Engineering ?

configure mode commands/options:
  general-attributes  Enter the general-attributes sub command mode
  ipsec-attributes    Enter the ipsec-attributes sub command mode
  ppp-attributes      Enter the ppp-attributes sub command mode
  webvpn-attributes   Enter the webvpn-attributes sub command mode
ASA5505(config)# tunnel-group Engineering general-attributes
ASA5505(config-tunnel-general)# ?

tunnel-group configuration commands:
  accounting-server-group                Enter name of the accounting server
                                         group
  address-pool                           Enter a list of address pools to
                                         assign addresses from
  annotation                             Specify annotation text - to be used
                                         by ASDM only
  authenticated-session-username         Specify the authenticated username
                                         will be associated with the session
  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session
  authentication-server-group            Enter name of the authentication
                                         server group
  authorization-required                 Require users to authorize
                                         successfully in order to connect
  authorization-server-group             Enter name of the authorization server
                                         group
  default-group-policy                   Enter name of the default group policy
  dhcp-server                            Enter IP address or name of the DHCP
                                         server
  exit                                   Exit from tunnel-group general
                                         attribute configuration mode
  help                                   Help for tunnel group configuration
                                         commands
  ipv6-address-pool                      Enter a list of IPv6 address pools to
                                         assign addresses from
  nat-assigned-to-public-ip              NAT assigned IP to public IP
  no                                     Remove an attribute value pair
  override-account-disable               Override account disabled from AAA
                                         server
  password-management                    Enable password management
  scep-enrollment                        Enable SCEP proxy enrollment
  secondary-authentication-server-group  Enter name of the secondary
                                         authentication server group
  secondary-username-from-certificate    The DN of the peer certificate used as
                                         secondary username for authorization
  strip-group                            Enable strip-group processing
  strip-realm                            Enable strip-realm processing
  username-from-certificate              The DN of the peer certificate used as
                                         username for authorization and/or
                                         authentication
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?

tunnel-group-general mode commands/options:
  (               The interface where the tunnel terminates
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group LOCAL
INFO: This command applies only to SSL VPN - Clientless and AnyConnect.
ASA5505(config-tunnel-general)# secondary-authentication-server-group ?

tunnel-group-general mode commands/options:
  (               The interface where the tunnel terminates
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# secondary-authentication-server-group (outside) ?

tunnel-group-general mode commands/options:
  LOCAL           Predefined server tag for aaa protocol 'local'
  WORD < 17 char  Name of authentication server group
  none            Specify 'none' to indicate authentication is not required
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL ?

tunnel-group-general mode commands/options:
  use-primary-username  Use the primary username for the secondary
                        authentication
  <cr>
ASA5505(config-tunnel-general)# $rver-group (outside) LOCAL use-primary-username

Notice that the login page asks for a second password, hence the term "double" authentication.
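As an added example (not from the original post), the consolidated configuration behind the CLI session above, in ASA 8.4-or-later syntax. It goes one step beyond the post's LOCAL-twice demonstration: the secondary stage points at a separate RADIUS server group so that the second password is a different credential (for instance a one-time password) rather than the same LOCAL password checked twice, and the webvpn-attributes enable the "Both" (AAA plus certificate) option. The group policy name, the OTP-RADIUS server group and its address, the username and the secret are assumptions; the tunnel group Engineering and the use-primary-username keyword come from the post.

```cisco
! Constructed example, ASA 8.4+ syntax. Names, addresses and secrets are placeholders.
!
! Primary stage: LOCAL user database
username alice password PLACEHOLDER-PASSWORD privilege 0
!
! Secondary stage: a separate AAA server group (e.g. an OTP/RADIUS server), so the
! second password is a different factor. The post used LOCAL here for the demo.
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 192.168.1.20
 key PLACEHOLDER-SHARED-SECRET
!
group-policy ENGINEERING-GP internal
group-policy ENGINEERING-GP attributes
 vpn-tunnel-protocol ssl-clientless
!
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy ENGINEERING-GP
 authentication-server-group LOCAL
 ! use-primary-username: the second prompt only asks for a password,
 ! the username from the first stage is reused
 secondary-authentication-server-group OTP-RADIUS use-primary-username
tunnel-group Engineering webvpn-attributes
 ! "Both" in ASDM: AAA and a client certificate are both required
 authentication aaa certificate
 group-alias Engineering enable
!
webvpn
 enable outside
 tunnel-group-list enable
!
! Required so the outside listener requests a client certificate during the
! TLS handshake; the CA that issued the client certificates must already be
! installed as a trustpoint (crypto ca trustpoint / crypto ca authenticate).
ssl certificate-authentication interface outside port 443
!
! Verification: confirm which tunnel group and which authentication stages applied
! show vpn-sessiondb webvpn
! show running-config tunnel-group Engineering
```

Because all three stages must succeed, a failure in the secondary server group (unreachable RADIUS host, wrong shared secret) locks every user out of the profile, so test the secondary stage with "test aaa-server authentication OTP-RADIUS" before enabling it on a production tunnel group.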