Multi-factor Authentication using Duo (LDAP) for RA VPN through REST API on FDM

Contents
Introduction
Prerequisites
  Requirements
  Components Used
Background Information
Authentication Flow
  Authentication Flow Explained
Configure
  Configuration on Duo Administration Portal
  Configuration on POSTMAN
  Configure FDM
  Add Duo Certificate on FDM
  Create Local User for Primary Authentication
  Binding Duo object to RA VPN on FDM
Verify
Troubleshoot
Introduction
This document describes how to configure a Duo Lightweight Directory Access Protocol (LDAP) identity source object through the REST API and how to use this object in the Remote Access VPN (RA VPN) connection profile as a secondary authentication identity source on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
● Basic knowledge of RA VPN configuration on FDM.
● Basic knowledge of REST API and the FDM REST API Explorer.
● Cisco FTD running version 6.5.0 and above managed by Cisco Firepower Device Manager (FDM).
● FTD registered with the Smart Licensing portal with Export Controlled Features enabled (in order for the RA VPN configuration tab to be enabled).
● AnyConnect licenses enabled (APEX, Plus or VPN-Only).
Components Used
The information in this document is based on these software and hardware versions:
● Cisco FTD running version 6.5.0-115
● Cisco AnyConnect Secure Mobility Client version 4.7.01076
● Postman or any other API development tool
● Duo web account
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
From FTD version 6.5, you can use a Duo LDAP identity source object directly in the RA VPN profile for secondary authentication, with the help of the REST API.
Prior to this version, two-factor authentication was supported only via Duo Proxy and RADIUS.
Authentication Flow
Authentication Flow Explained
1. The user initiates a remote access VPN connection to the FTD and provides a username and password for primary authentication.
2. FTD sends the authentication request to the primary authentication server.
3. Once the primary authentication is successful, FTD sends a request for secondary authentication to the Duo LDAP server.
4. Duo then authenticates the user, depending on the input for secondary authentication (push, passcode, phone).
5. Duo responds to the FTD to indicate whether the user authenticated successfully.
6. If the secondary authentication was successful, the FTD establishes the remote access VPN connection.
Configure
In order to complete the configuration take into consideration these sections:
Configuration on Duo Administration Portal
Step 1. Login to your Duo account (https://admin.duosecurity.com).
Navigate to Applications > Protect an Application.
Step 2. Select your Authentication Application as Cisco ASA SSL VPN.
The Integration Key, Secret Key and API hostname are used when the Duo LDAP object is added through the REST API.
Note: Do not select Cisco Firepower Threat Defense, as that application is used to add Duo as a proxy server.
Step 3. Create a user and activate Duo Mobile on the end device.
Add the user in the Duo cloud administration portal: navigate to Users > Add Users.
Note: Ensure the end user has the Duo Mobile app installed on their device.
Manual installation of Duo application for iOS devices
Manual installation of Duo application for android devices
Step 4. Add your phone number for the automatic generation of the code.
Step 5. Select Activate Duo Mobile.
Step 6. Select Generate Duo Mobile Activation Code.
Step 7. Select Send Instructions by SMS.
Step 8. In order to enroll in the Duo app, click the link in the SMS. Your account details can be seen in the Device Info section, as shown in the image.
Configuration on POSTMAN
Step 1. Launch the API Explorer of the FTD in a browser window.
Navigate to https://<FTD Management IP>/api-explorer
For the configuration displayed, the following URL is used: https://10.197.224.99/api-explorer. This page lists every API available on the FTD.
It is divided by feature, with the GET/POST/PUT/DELETE requests that the FDM supports for each.
Note: In this example, POSTMAN is used as the API client.
Step 2. Add a Postman collection for Duo.
Give a name for the collection.
Edit the Authorization tab and update the type to OAuth 2.0.
Step 3. Add a new request, Auth, to create a login POST request to the FTD in order to get the token that authorizes any subsequent POST/GET requests.
The body of the POST request must contain these:
Type: raw - JSON (application/json)
grant_type: password
username: the admin username used to log in to the FTD
password: the password associated with the admin user account
POST Request: https://<FTD Management IP>/api/fdm/latest/fdm/token
The body of the response contains the access token, which is used to send any PUT/GET/POST requests to the FTD.
Step 4. Create a Get Interface information request to get the details of the interface through which Duo would be reachable.
The Authorization tab must contain the following for all subsequent GET/POST requests:
Type: Bearer Token
Token: the access token received by running the login POST request
GET Request: https://<FTD Management IP>/api/fdm/latest/devices/default/interfaces
The body of the response contains the interface information (version, name, id, type).
Step 5. Add CreateDuoLDAPIdentitySource request to create the Duo LDAP object.
The body of the POST request must contain these:
name: name for the Duo LDAP object
apiHostname: Duo API hostname received from the Duo admin portal
port: 636
timeout: 60 seconds
integrationKey: ikey received from the Duo admin portal
secretKey: skey received from the Duo admin portal
Note: Timeout is set to 60 seconds for the purpose of this document. Adjust the settings to your network environment.
The URL and a sample body for the POST request can be copied from the API Explorer.
POST Request: https://<FTD Management IP>/api/fdm/latest/object/duoldapidentitysources
The body of the response shows the Duo object as created; it is now a pending change ready to be deployed to the device.
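The three Postman requests above (login, interface lookup, object creation) chained in one script, as an added example that is not code from the Cisco document. It uses only the Python standard library. The URLs, the login body fields and the object fields name/apiHostname/port/timeout/integrationKey/secretKey are the ones the document lists; the access_token and items response keys, the interface reference and the type value in the object body follow the api-explorer sample body and are assumptions to check against your own API Explorer. The management IP is the document's; the admin credentials and Duo values are placeholders read from environment variables.

```python
"""Create a Duo LDAP identity source on an FDM-managed FTD through the REST API.

Added example; not from the Cisco document. Standard library only.
"""
import json
import os
import ssl
import urllib.request

FDM_BASE = "https://10.197.224.99"        # FTD management IP used in the document
API = "/api/fdm/latest"


def token_request_body(username, password):
    """Login POST body: grant_type/username/password as listed in the document."""
    return {"grant_type": "password", "username": username, "password": password}


def access_token_from(token_response):
    """Pull the bearer token out of the /fdm/token response (key assumed: access_token)."""
    token = token_response.get("access_token")
    if not token:
        raise ValueError("token response carries no access_token")
    return token


def pick_interface(interfaces_response, name):
    """Select the interface Duo is reached through from the GET .../interfaces list.

    Assumption: FDM list responses wrap the objects in an "items" array.
    """
    for item in interfaces_response.get("items", []):
        if item.get("name") == name:
            return item
    raise LookupError(f"interface {name!r} not found")


def duo_ldap_object(name, api_hostname, ikey, skey, interface, port=636, timeout=60):
    """Body for POST .../object/duoldapidentitysources.

    Field names follow the document; 'interface' and 'type' follow the api-explorer
    sample body (assumed). Anything that is not Duo's API domain on LDAPS port 636
    is refused: the secret key is the LDAP bind password and must not travel in clear.
    """
    if not api_hostname.endswith(".duosecurity.com"):
        raise ValueError(f"{api_hostname} is not a Duo API hostname")
    if port != 636:
        raise ValueError("Duo LDAP must use LDAP over SSL on port 636")
    return {
        "name": name,
        "apiHostname": api_hostname,
        "port": port,
        "timeout": timeout,
        "integrationKey": ikey,
        "secretKey": skey,
        "interface": {k: interface[k] for k in ("version", "name", "id", "type")},
        "type": "duoldapidentitysource",
    }


def fdm_call(path, token=None, body=None, ctx=None):
    """One JSON request to FDM: POST when a body is given, GET otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(FDM_BASE + path, data=data,
                                 method="POST" if body is not None else "GET")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def main():
    # FDM ships a self-signed certificate: trust that one file, not "verify nothing".
    ctx = ssl.create_default_context(cafile=os.environ.get("FDM_CA_FILE"))
    token = access_token_from(fdm_call(API + "/fdm/token", ctx=ctx, body=token_request_body(
        os.environ["FDM_USER"], os.environ["FDM_PASS"])))
    outside = pick_interface(fdm_call(API + "/devices/default/interfaces", token=token, ctx=ctx),
                             os.environ.get("DUO_INTERFACE", "outside"))
    created = fdm_call(API + "/object/duoldapidentitysources", token=token, ctx=ctx,
                       body=duo_ldap_object("Duo", os.environ["DUO_API_HOST"],
                                            os.environ["DUO_IKEY"], os.environ["DUO_SKEY"],
                                            outside))
    # The object is only staged; deploy it from FDM afterwards, as in the next section.
    print("created", created.get("id"))


if __name__ == "__main__":
    main()
```

The access token has a limited lifetime, so re-run the login request per session instead of saving the token. Keep the skey out of shell history and logs: it is the bind password the FTD will present to Duo, and anyone holding it together with the ikey can authenticate against that Duo application exactly as the FTD would.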
Configure FDM
Step 1. Verify Device is registered to Smart Licensing.
Step 2. Verify AnyConnect licenses are enabled on the device.
Step 3. Verify Export-controlled Features is enabled in the token.
Add Duo Certificate on FDM
You need to download the CA certificate from the Duo website and add it to FDM in order for LDAP over SSL to work.
Step 1. Log in to FDM and navigate to Objects > Certificates > Add Trusted CA Certificate.
Step 2. Provide a name for the certificate object and add the CA certificate downloaded from https://duo.com.
Step 3. Deploy the certificate to the device.
Create Local User for Primary Authentication
Step 1. Navigate to Objects > Users and click + to add a new user, as shown in the image.
Step 2. Add the username and password details and click OK, as shown in the image.
Note: This document assumes that the RA VPN is already configured. Refer to the document on how to configure RA VPN on FTD managed by FDM for more information.
Binding Duo object to RA VPN on FDM
Step 1. Bind the Duo object as the secondary authentication method in Remote Access VPN.
Navigate to Remote Access VPN and edit the concerned connection profile, as shown in the image.
Select LocalIdentitySource as the Primary Identity Source and Duo as the Secondary Identity Source. Click Next to close the Remote Access VPN wizard.
Note: Use Primary username for Secondary login is checked under Advanced options for the purpose of this document. If you need different usernames for primary and secondary authentication, uncheck it.
Step 2. Deploy the configuration to the device.
Pending changes show the local user, the Duo object and the secondary authentication settings ready to be pushed.
Verify
In order to test this configuration, provide the local credentials in Username and Password. For Second Password, type push or phone, or enter a Duo passcode, to determine the kind of second-factor check Duo performs. Here the push method is used.
You must get a Duo Push notification on your enrolled device for two-factor authentication (2FA). Once the push request is approved, the AnyConnect user is connected.
Open the AnyConnect GUI > Settings > Statistics and verify the connection.
Verify the user connection on the FTD CLI with the command show vpn-sessiondb anyconnect:
firepower# show vpn-sessiondb anyconnect
Username : tazkhan Index : 32
Assigned IP : 192.168.10.1 Public IP : 10.65.81.47
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 149500 Bytes Rx : 112471
Group Policy : DfltGrpPolicy Tunnel Group : SSLVPN
Login Time : 11:07:09 UTC Mon Oct 9 2019
Duration : 0h:27m:46s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000000200005d9b1c5d
Security Grp : none Tunnel Zone : 0
firepower#
Troubleshoot
Verify that the Duo object was pushed from the REST API by navigating to Objects > Identity Sources.
Verify the aaa-server configuration and the secondary authentication binding on the FTD CLI with show run aaa-server <name> and show run tunnel-group. In this output the Duo integration key appears in ldap-base-dn and ldap-login-dn, and the secret key is stored as the ldap-login-password (masked), so treat the output as sensitive.
firepower# show run aaa-server Duo
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
timeout 60
server-port 636
ldap-base-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
firepower# show run tunnel-group
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool anyconnect-pool
secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
firepower#
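A small audit of the two show run outputs above, as an added example that is not Cisco's code. It parses the aaa-server and tunnel-group blocks and flags a remote-access tunnel-group with no secondary-authentication-server-group (single factor), one whose secondary group has no matching aaa-server, and an LDAP secondary server without ldap-over-ssl enable or not on port 636 (the secret key is the LDAP bind password and would cross the wire in clear). The sample inputs are the document's own output, reproduced here as constructed strings; a real device indents the sub-commands, which the parser tolerates.

```python
"""Audit FTD running-config for a bound, TLS-protected Duo secondary authentication.

Added example; not from the Cisco document.
"""
import re

# Constructed from the document's show run output (indented as a real device prints it).
SAMPLE_AAA = """\
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
"""
SAMPLE_TG = """\
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool anyconnect-pool
 secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
"""


def parse_aaa_servers(text):
    """Map server-group name -> {"protocol", "hosts": [{host, interface, port, timeout, ldap_over_ssl}]}."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            servers.setdefault(m.group(1), {"protocol": None, "hosts": []})["protocol"] = m.group(2)
            current = None
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)$", line)
        if m:
            current = {"interface": m.group(2), "host": m.group(3),
                       "port": None, "timeout": None, "ldap_over_ssl": False}
            servers.setdefault(m.group(1), {"protocol": None, "hosts": []})["hosts"].append(current)
            continue
        if current is None:
            continue                      # not inside a host block
        if line.startswith("server-port "):
            current["port"] = int(line.split()[1])
        elif line.startswith("timeout "):
            current["timeout"] = int(line.split()[1])
        elif line == "ldap-over-ssl enable":
            current["ldap_over_ssl"] = True
    return servers


def parse_tunnel_groups(text):
    """Map tunnel-group name -> {"type", "secondary", "use_primary_username"}."""
    groups, current = {}, None
    blank = lambda: {"type": None, "secondary": None, "use_primary_username": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
        if m:
            groups.setdefault(m.group(1), blank())["type"] = m.group(2)
            current = None
            continue
        m = re.match(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)$", line)
        if m:
            current = groups.setdefault(m.group(1), blank())
            continue
        if current is not None and line.startswith("secondary-authentication-server-group "):
            parts = line.split()
            current["secondary"] = parts[1]
            current["use_primary_username"] = "use-primary-username" in parts
    return groups


def audit(servers, groups):
    """Return a list of findings; an empty list means every RA tunnel-group has a TLS-protected second factor."""
    findings = []
    for name, g in groups.items():
        if g["type"] != "remote-access":
            continue
        if not g["secondary"]:
            findings.append(f"{name}: no secondary-authentication-server-group (single factor)")
            continue
        srv = servers.get(g["secondary"])
        if srv is None:
            findings.append(f"{name}: secondary group {g['secondary']} has no aaa-server definition")
            continue
        for h in srv["hosts"]:
            if srv["protocol"] == "ldap" and not h["ldap_over_ssl"]:
                findings.append(f"{g['secondary']}: ldap-over-ssl not enabled for {h['host']} (bind password in clear)")
            if h["port"] != 636:
                findings.append(f"{g['secondary']}: server-port {h['port']} for {h['host']}, expected 636")
    return findings


if __name__ == "__main__":
    for f in audit(parse_aaa_servers(SAMPLE_AAA), parse_tunnel_groups(SAMPLE_TG)) or ["OK: no findings"]:
        print(f)
```

Feed it the real output of show run aaa-server and show run tunnel-group captured from the device; the check is worth repeating after every deployment, since the secondary identity source lives in the connection profile and is lost if the profile is recreated without it.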
Debug Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
You can set various debug levels. By default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.
These debugs on the FTD CLI help in troubleshooting the AnyConnect connection with Duo:
debug ldap 255
debug webvpn anyconnect 255