This document describes a configuration example for AnyConnect Single Sign-On (SSO) with Duo and LDAP mapping for authorization on Secure Firewall.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
External authorization of the SAML user depends on the NameID value returned by the IdP. The Secure Firewall maps the NameID field to the username and this username can be used to query LDAP.
Note: The configuration used in this document is to allow users that belong to an AD group to establish a Remote Access (RA) VPN connection. Connection is prohibited for users from different AD groups not defined on the map.
Configure an AD or a SAML identity provider that can be used as your primary authentication source for Duo SSO.
You also need a Duo Authentication Proxy (three authentication proxy servers are recommended for high availability) that has reachability to your on-premises AD or SAML identity provider.
For more information, refer to Duo Single Sign-On.
Step 1. Configure the Cisco Secure FTD on the Duo Admin Portal.
Navigate to Applications > Protect an Application.
Locate the entry with protection type 2FA with SSO hosted by Duo and click Protect on the far right in order to configure the Cisco FTD VPN.
Step 2. Configure the Service Provider information on the Duo Admin Portal.
These attributes are used:
- Hostname: fj-ftdv.example.com
- Connection Profile Name: SSO-AD_Split-tunnel
- Mail attribute: <Email Address>
Note: The Mail attribute can be set to <Username>. If this is the case, the configuration for ldap-naming-attribute changes from userPrincipalName to sAMAccountName on the Cisco Secure FTD.
Step 3. Click the Save button at the end of the page in order to save the configuration.
Step 4. Navigate to Users > Add User, as shown in the image:
Step 5. Fill in the blank with all the necessary information for the new user.
Note: Username data and Email data must match the information provided in the Active Directory server.
Step 6. Add Phone in order to add the phone number of the user. This is needed for the user to authenticate via 2FA with Duo Push.
Step 7. Activate Duo Mobile for the particular user.
Note: Ensure that Duo Mobile is installed on the end-user device:
Step 8. Generate Duo Mobile Activation code.
Step 9. Send instructions by SMS.
Step 10. Click the link sent via SMS, and the Duo app gets linked to the user account in the Device info section.
Step 11. Repeat the process for all the users to be added.
Step 12. Retrieve the application metadata. Navigate to Applications and click the Service Provider application that was created in Step 1. Retrieve the Identity Provider Entity ID URL, SSO URL, and Logout URL from the metadata.
Step 13. Download the Identity Provider Certificate.
Step 1. Install and enroll the Identity Provider (IdP) certificate on the FMC.
Navigate to Devices > Certificates.
Click Add. Choose the FTD to enroll this certificate.
In the Add Cert Enrollment section, use any name as a label for the IdP certificate.
Choose Manual as the enrollment type.
Check the CA only and Skip Check for CA flag fields.
Step 2. Configure the SAML server settings:
Navigate to Objects > Object Management > AAA Servers > Single Sign-on Server.
Click Add Single Sign-on Server.
Note: Request Timeout is set to 300 because the Duo push is sent during the authentication process and user interaction is needed. Modify the Request Timeout value according to the network design.
Step 3. Configure the REALM/LDAP server.
Navigate to Integration > Other Integrations.
For the purpose of this demonstration:
- Realm name: ActiveDirectory_SSO
- Domain: example.com
- Directory username: administrator@example.com
- Directory password: <Hidden>
Note: LDAPS (LDAP over SSL) can be used. The port must be changed from 389 to 636.
Note: The AD server must contain the user data that was uploaded to Duo.
Step 4. Create Group Policies as needed.
Navigate to Objects > Object Management > VPN > Group Policy.
Click Add Group Policy.
For the purpose of this demonstration, three Group Policies have been configured:
1. The SSO_LDAP_ADMINS Group Policy is the group for users that belong to the AnyConnect Admins group.
2. The SSO_LDAP_USERS Group Policy is the group for users that belong to the AnyConnect Users group.
3. The NO_ACCESS Group Policy is the group for users that do not belong to any of the previous Group Policies. Its Simultaneous Login Per User parameter must be set to 0.
Step 5. Configure the LDAP Attribute Mapping.
Navigate to Devices > VPN > Remote Access.
Navigate to Advanced > LDAP Attribute Mapping.
Add a new LDAP Attribute Mapping. Provide the LDAP Attribute Name and the Cisco Attribute Name. Click Add Value Map.
For the purpose of this demonstration, the LDAP attribute map configuration is:
- LDAP Attribute Name: memberOf
- Cisco Attribute Name: Group-Policy
Provide the LDAP Attribute Value and the Cisco Attribute Value. Click OK.
For the purpose of this demonstration:
- LDAP Attribute Value: CN=AnyConnect Admins, CN=Users, DC=example, DC=com
- Cisco Attribute Value: SSO_LDAP_ADMINS
- LDAP Attribute Value: CN=AnyConnect Users, CN=Users, DC=example, DC=com
- Cisco Attribute Value: SSO_LDAP_USERS
Step 6. Configure the Connection Profile.
Navigate to Devices > Remote Access and then edit your current VPN Remote Access configuration.
Choose the NO_ACCESS Group Policy as the Group Policy for this connection profile.
Navigate to the AAA tab. Under the Authentication Method option, choose SAML, and for the Authorization Server option, choose the AD server that was created in Step 3.
Warning: VPN client embedded browser is chosen as the SAML Login Experience. If Default OS Browser is chosen, then look at the restrictions mentioned in Support for an AnyConnect VPN SAML External Browser.
Step 7. Configure the FlexConfig Policy in order to modify the LDAP naming attribute.
As the Service Provider Mail attribute is set to Email Address, the ldap-naming-attribute for the AD server must be changed from sAMAccountName to userPrincipalName.
Note: If the IdP sends the NameID value as sAMAccountName, this step is not needed.
Navigate to Devices > FlexConfig and then choose or create the FlexConfig Policy to modify.
Click Add FlexConfig Object in order to add a new object.
Change ldap-naming-attribute from sAMAccountName to userPrincipalName.
Step 8. Navigate to Deploy > Deployment and choose the proper FTD in order to apply the configuration.
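As an added illustration (not configuration from this document), the following Python model shows how the FTD turns the SAML NameID into a Group-Policy: the Duo Mail attribute decides the naming attribute, the NameID is escaped before it is placed in the LDAP filter, the memberOf values are matched against the map from Step 5, and a miss falls back to the NO_ACCESS default from Step 6. The directory entries and the simultaneous-login value of 3 for the two working policies are constructed assumptions.

```python
# The LDAP attribute map from Step 5: memberOf value -> Group-Policy name.
ATTRIBUTE_MAP = {
    "CN=AnyConnect Admins, CN=Users, DC=example, DC=com": "SSO_LDAP_ADMINS",
    "CN=AnyConnect Users, CN=Users, DC=example, DC=com": "SSO_LDAP_USERS",
}
DEFAULT_GROUP_POLICY = "NO_ACCESS"          # connection profile default from Step 6
# Simultaneous logins per policy: 0 for NO_ACCESS is from the page; 3 for the
# other two is a constructed value standing in for the policies' own setting.
SIMULTANEOUS_LOGINS = {"SSO_LDAP_ADMINS": 3, "SSO_LDAP_USERS": 3, "NO_ACCESS": 0}

# Constructed stand-in for the AD realm the FTD queries (not a real LDAP client).
DIRECTORY = [
    {"userPrincipalName": "admin_user@example.com", "sAMAccountName": "admin_user",
     "memberOf": ["CN=AnyConnect Admins,CN=Users,DC=example,DC=com"]},
    {"userPrincipalName": "test_user@example.com", "sAMAccountName": "test_user",
     "memberOf": ["CN=AnyConnect Users,CN=Users,DC=example,DC=com"]},
    {"userPrincipalName": "noaccess_user@example.com", "sAMAccountName": "noaccess_user",
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
]

def naming_attribute(duo_mail_attribute):
    """Duo Mail attribute <Email Address> needs userPrincipalName; <Username> needs sAMAccountName."""
    return "userPrincipalName" if duo_mail_attribute == "<Email Address>" else "sAMAccountName"

def ldap_filter_escape(value):
    """RFC 4515 escaping, so an IdP-supplied NameID cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def normalize_dn(dn):
    """Ignore case and the space after commas, so 'CN=A, CN=Users' matches 'CN=A,CN=Users'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def authorize(name_id, duo_mail_attribute="<Email Address>"):
    """Resolve the SAML NameID to a Group-Policy the way the FTD's LDAP map does."""
    attr = naming_attribute(duo_mail_attribute)
    ldap_filter = f"({attr}={ldap_filter_escape(name_id)})"
    # A real FTD sends ldap_filter to the realm; here the lookup is in-memory.
    entry = next((e for e in DIRECTORY if e[attr] == name_id), None)
    policy = DEFAULT_GROUP_POLICY
    if entry is not None:
        mapping = {normalize_dn(k): v for k, v in ATTRIBUTE_MAP.items()}
        # First memberOf value with a map entry wins; no hit keeps the default.
        policy = next((mapping[normalize_dn(g)] for g in entry["memberOf"]
                       if normalize_dn(g) in mapping), DEFAULT_GROUP_POLICY)
    return {"filter": ldap_filter, "group_policy": policy,
            "allowed": SIMULTANEOUS_LOGINS[policy] > 0}
```

A NameID that reaches the map only through an exact filter match on userPrincipalName cannot be redirected to a different Group-Policy by a user who merely controls the address part of an email-style NameID; the escaping keeps that exact match intact.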
From the LDAP debug snippet (debug ldap 255), it can be observed that there is a match on the LDAP Attribute Map for the Admin User:
```
[26] LDAP Search:
Base DN = [DC=example,DC=com]
Filter = [userPrincipalName=admin_user@example.com]
Scope = [SUBTREE]
<snipped>
[20] memberOf: value = CN=AnyConnect Admins,CN=Users,DC=example,DC=com
[20] mapped to Group-Policy: value = SSO_LDAP_ADMINS
[20] mapped to LDAP-Class: value = SSO_LDAP_ADMINS
```
Issue the show vpn-sessiondb anyconnect command in order to ensure that the user is in the defined group.
```
firepower# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : admin_user@example.com
Index : 6
Public IP : XX.XX.XX.XX
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 0 Bytes Rx : 0
Group Policy : SSO_LDAP_ADMINS Tunnel Group : SSO_AD_Split-tunnel
Login Time : 19:37:28 UTC Thu Jul 20 2023
Duration : 0h:01m:33s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a1f7c490000600064b98cf8
Security Grp : none Tunnel Zone : 0
```
From the LDAP debug snippet (debug ldap 255), it can be observed that there is a match on the LDAP Attribute Map for the Test User:
```
[29] LDAP Search:
Base DN = [DC=example,DC=com]
Filter = [userPrincipalName=test_user@example.com]
Scope = [SUBTREE]
<snipped>
[29] memberOf: value = CN=AnyConnect Users,CN=Users,DC=example,DC=com
[29] mapped to Group-Policy: value = SSO_LDAP_USERS
[29] mapped to LDAP-Class: value = SSO_LDAP_USERS
```
Issue the show vpn-sessiondb anyconnect command in order to ensure that the user is in the correct group.
```
firepower# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : test_user@example.com
Index : 6
Public IP : XX.XX.XX.XX
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 0 Bytes Rx : 0
Group Policy : SSO_LDAP_USERS Tunnel Group : SSO_AD_Split-tunnel
Login Time : 19:37:28 UTC Thu Jul 20 2023
Duration : 0h:08m:07s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a1f7c490000600064b98cf8
Security Grp : none Tunnel Zone : 0
```
From the LDAP debug snippet (debug ldap 255), it can be observed that there is no match on the LDAP Attribute Map for the NOACCESS User, and from debug webvpn that the NO_ACCESS Group Policy is chosen; therefore, the user is unable to authenticate.
```
[32] LDAP Search:
Base DN = [DC=example,DC=com]
Filter = [userPrincipalName=noaccess_user@example.com]
Scope = [SUBTREE]
<snipped>
User Policy Access-Lists:
user_acl[0] = NULL
user_acl[1] = NULL
tunnel policy attributes:
1 Filter-Id(11) 8 ""
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Simultaneous-Logins(4098) 4 0
5 Primary-DNS(4101) 4 IP: 0.0.0.0
6 Secondary-DNS(4102) 4 IP: 0.0.0.0
7 Primary-WINS(4103) 4 IP: 0.0.0.0
8 Secondary-WINS(4104) 4 IP: 0.0.0.0
9 Tunnelling-Protocol(4107) 4 96
10 Banner(4111) 0 0x000014e304401888 ** Unresolved Attribute **
11 Group-Policy(4121) 9 "NO_ACCESS"
```
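Added example, not from the document: a small Python parser that reads a debug ldap 255 / debug webvpn capture like the ones above and reports whether the attribute map matched or the session fell through to the NO_ACCESS default with Simultaneous-Logins 0. The two captures are constructed from the snippets on this page.

```python
import re

# Constructed debug captures modelled on the page's debug ldap 255 / debug webvpn
# snippets (the tunnel policy attributes come from the debug webvpn output).
ADMIN_DEBUG = """\
[26] LDAP Search:
Filter = [userPrincipalName=admin_user@example.com]
[20] memberOf: value = CN=AnyConnect Admins,CN=Users,DC=example,DC=com
[20] mapped to Group-Policy: value = SSO_LDAP_ADMINS
[20] mapped to LDAP-Class: value = SSO_LDAP_ADMINS
"""
NOACCESS_DEBUG = """\
[32] LDAP Search:
Filter = [userPrincipalName=noaccess_user@example.com]
[32] memberOf: value = CN=Domain Users,CN=Users,DC=example,DC=com
tunnel policy attributes:
4 Simultaneous-Logins(4098) 4 0
11 Group-Policy(4121) 9 "NO_ACCESS"
"""

FILTER_RE = re.compile(r"Filter = \[(\w+)=([^\]]+)\]")
MEMBEROF_RE = re.compile(r"memberOf: value = (.+)")
MAPPED_RE = re.compile(r"mapped to Group-Policy: value = (\S+)")
TUNNEL_GP_RE = re.compile(r'Group-Policy\(4121\) \d+ "([^"]+)"')
SIMLOGINS_RE = re.compile(r"Simultaneous-Logins\(4098\) \d+ (\d+)")

def analyze_debug(text):
    """Summarise what the LDAP attribute map did for one session in a debug capture."""
    flt = FILTER_RE.search(text)
    mapped = MAPPED_RE.search(text)
    tunnel_gp = TUNNEL_GP_RE.search(text)
    sim = SIMLOGINS_RE.search(text)
    result = {
        "naming_attribute": flt.group(1) if flt else None,
        "username": flt.group(2) if flt else None,
        "member_of": MEMBEROF_RE.findall(text),
        "mapped_group_policy": mapped.group(1) if mapped else None,
        "simultaneous_logins": int(sim.group(1)) if sim else None,
    }
    # No "mapped to Group-Policy" line means the map missed and the connection
    # profile default (NO_ACCESS here) applied; with 0 simultaneous logins the
    # user is refused even though SAML authentication itself succeeded.
    result["effective_group_policy"] = result["mapped_group_policy"] or (
        tunnel_gp.group(1) if tunnel_gp else None)
    result["verdict"] = ("authorized" if result["mapped_group_policy"]
                         else "denied" if result["simultaneous_logins"] == 0 else "default")
    return result
```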
Most SAML troubleshooting involves a misconfiguration, which can be found by checking the SAML configuration or these debugs:
```
debug webvpn saml 255
debug webvpn 255
debug webvpn anyconnect 255
debug webvpn session 255
debug webvpn request 255
```
For LDAP mapping authorization issues, the useful debugs are:
```
debug aaa common 255
debug ldap 255
```
Revision | Publish Date | Comments
---|---|---
1.0 | 28-Jul-2023 | Initial Release