Post on 19-Jul-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Multi-factor Authentication using Duo (LDAP) for RA VPN through REST API on FDM (Cisco FTD running version 6.5.0-115, Cisco AnyConnect Secure Mobility Client version 4.7.01076, Postman or any other API development tool)

Multi-factor Authentication using Duo (LDAP) for RA VPN through REST API on FDM

Contents

Introduction
Prerequisites
Requirements
Components Used
Background Information
Authentication Flow
Authentication Flow Explained
Configure
Configuration on Duo Administration Portal
Configuration on POSTMAN
Configure FDM
Add Duo Certificate on FDM
Create Local User for Primary Authentication
Binding Duo object to RA VPN on FDM
Verify
Troubleshoot

Introduction

This document describes how to configure a Duo Lightweight Directory Access Protocol (LDAP) identity source object through REST API and how to use this object in the Remote Access VPN (RA VPN) connection profile as a secondary authentication identity source on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

● Basic knowledge of RA VPN configuration on FDM.

● Basic knowledge of REST API and FDM REST API Explorer.

● Cisco FTD running version 6.5.0 and above managed by Cisco Firepower Device Manager (FDM).

● FTD registered with the smart licensing portal with Export Controlled Features enabled (in order to allow the RA VPN configuration tab to be enabled).

● AnyConnect Licenses enabled (APEX, Plus or VPN-Only).

Components Used


The information in this document is based on these software and hardware versions:

● Cisco FTD running version 6.5.0-115

● Cisco AnyConnect Secure Mobility Client version 4.7.01076

● Postman or any other API development tool

● Duo web account

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

From FTD version 6.5, you can use the Duo LDAP Identity Source object directly in the RA VPN profile for secondary authentication with the help of the REST API.

Prior to this version, two-factor authentication was supported only via Duo Proxy and RADIUS.

Authentication Flow

Authentication Flow Explained


1. The user initiates a remote access VPN connection to the FTD and provides a username and password for Primary Authentication.

2. FTD sends the authentication request to the primary authentication server.

3. Once the primary authentication is successful, FTD sends a request for secondary authentication to the Duo LDAP server.

4. Duo then authenticates the user, depending on the input for secondary authentication (push, passcode, phone).

5. Duo responds to the FTD to indicate whether the user authenticated successfully.

6. If the secondary authentication was successful, the FTD establishes a remote access VPN connection.

Configure

In order to complete the configuration, work through these sections:

Configuration on Duo Administration Portal

Step 1. Login to your Duo account (https://admin.duosecurity.com).

Navigate to Applications > Protect an Application.

Step 2. Select your Authentication Application as Cisco ASA SSL VPN.

Integration Key, Secret Key, and API hostname are used when the Duo LDAP object is added through the REST API.

Note: Do not select Cisco Firepower Threat Defense as it is used to add Duo as a Proxy Server.

Step 3. Create a username and activate Duo Mobile on the end device.

Add yourself to the Duo cloud administration webpage. Navigate to Users > Add users.

Note: Ensure the end-user has the Duo app installed on the end device.

Manual installation of Duo application for iOS devices

Manual installation of Duo application for Android devices

Step 4. Add your phone number for the automatic generation of code.

Step 5. Select Activate Duo Mobile.

Step 6. Select Generate Duo Mobile Activation Code. 

Step 7. Select Send Instructions by SMS.

Step 8. In order to enroll in the Duo app, click on the link in the SMS. Your account details can be seen in the Device Info section, as shown in the image.

Configuration on POSTMAN

Step 1. Launch the API Explorer of the FTD on a Browser Window.

Navigate to https://<FTD Management IP>/api-explorer

For the configuration displayed, the following URL is used: https://10.197.224.99/api-explorer. This contains the entire list of APIs available on the FTD.

It is divided based on the main feature, with multiple GET/POST/PUT/DELETE requests supported by the FDM.

Note: In this example, POSTMAN is used as the API development tool.

Step 2. Add a Postman collection for Duo.

Give a name for the collection.

Edit the Authorization tab and update the type to OAuth 2.0.

Step 3. Add a new request Auth to create a login POST request to the FTD in order to get the token to authorize any POST/GET requests.

The Body of the POST request must contain these:

Type: raw - JSON (application/json)
grant_type: password
username: Admin Username in order to log in to the FTD
password: The password associated with the admin user account

POST Request: https://<FTD Management IP>/api/fdm/latest/fdm/token

The Body of the Response contains the access token which is used in order to send any PUT/GET/POST requests to the FTD.

Step 4. Create a Get Interface information request to get the details of the interface through which Duo would be reachable.

The Authorization tab must contain the following for all subsequent GET/POST requests:

Type: Bearer Token
Token: The access token received by running the login POST Request

GET Request: https://<FTD Management IP>/api/fdm/latest/devices/default/interfaces

The Body of the Response contains the interface information (version, name, id, type).

Step 5. Add CreateDuoLDAPIdentitySource request to create the Duo LDAP object. 

The body of the POST request must contain these:

name: Name for Duo LDAP object
apiHostname: Duo hostname received from Duo admin portal
port: 636
timeout: 60 seconds
integrationKey: ikey received from Duo admin portal
secretKey: skey received from Duo admin portal

Note: Timeout is added as 60 seconds for the purpose of this document. Please add the settings as per your network environment.

The URL and sample body for the POST request can be copied from the API explorer.

POST Request: https://<FTD Management IP>/api/fdm/latest/object/duoldapidentitysources

The Body of response shows Duo configuration ready to be pushed to the device.
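The three Postman requests above (login for a token, GET interfaces, POST the Duo LDAP object) as one script. This is an added example, not code from the Cisco document: the field names follow the tables above, while the "interface" reference, the "type" value and the {"items": [...]} shape of the interfaces response are assumptions to confirm against the sample body in the API explorer; the Duo API hostname is a placeholder and the management IP is the one used in the document.

```python
import json
import ssl
import urllib.request

API = "/api/fdm/latest"

def token_body(username, password):
    # Body of the login POST (grant_type password) described in the document.
    return {"grant_type": "password", "username": username, "password": password}

def find_interface(interfaces_response, wanted_name):
    # Pick the interface Duo is reachable through (by logical name, e.g. "outside")
    # out of the GET /devices/default/interfaces response (assumed {"items": [...]}).
    for item in interfaces_response.get("items", []):
        if item.get("name") == wanted_name:
            return {"id": item["id"], "type": item["type"], "name": item["name"]}
    raise LookupError(f"no interface named {wanted_name!r}")

def duo_body(name, api_hostname, ikey, skey, interface, port=636, timeout=60):
    # Body for POST /object/duoldapidentitysources. Field names follow the document;
    # the "interface" reference and the "type" value are assumed from the API
    # explorer sample body and should be checked there before use.
    return {"name": name, "apiHostname": api_hostname, "port": port,
            "timeout": timeout, "integrationKey": ikey, "secretKey": skey,
            "interface": interface, "type": "duoldapidentitysource"}

def call(host, path, body=None, token=None, cafile=None):
    # One JSON request to FDM. cafile pins the FDM certificate instead of turning
    # TLS verification off for the self-signed FDM certificate.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{API}{path}", data=data,
                                 method="POST" if body is not None else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    import getpass, os
    fdm = "10.197.224.99"  # FDM management IP used in the document
    tok = call(fdm, "/fdm/token", token_body("admin", getpass.getpass("FDM password: ")))
    iface = find_interface(call(fdm, "/devices/default/interfaces", token=tok["access_token"]), "outside")
    obj = duo_body("Duo", "api-XXXXXXXX.duosecurity.com",  # placeholder Duo API hostname
                   os.environ["DUO_IKEY"], os.environ["DUO_SKEY"], iface)
    print(call(fdm, "/object/duoldapidentitysources", obj, tok["access_token"]))
```

The skey is read from the environment rather than written into the script, and the object still has to be deployed from FDM afterwards, as the next section describes.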


Configure FDM

Step 1. Verify Device is registered to Smart Licensing.

Step 2. Verify AnyConnect licenses are enabled on the device.


Step 3. Verify Export-controlled Features is enabled in the token.

Add Duo Certificate on FDM 

You need to download the CA certificate from the Duo website and add it to FDM in order for LDAP over SSL to work.

Step 1. Login to FDM and then navigate to Objects > Certificates > Add Trusted CA Certificates.

Step 2. Provide a name for the certificate object and add the CA certificate downloaded from https://duo.com

Step 3. Deploy the certificate to the device.

Create Local User for Primary Authentication

Step 1. Navigate to Objects > Users and click on + to add a new user, as shown in the image.

Step 2. Add the username and password details and click on OK, as shown in the image.

Note: This document assumes that the RA VPN is already configured. Please refer to the following document for more information on how to configure RA VPN on FTD managed by FDM.

Binding Duo object to RA VPN on FDM 

Step 1. Bind the Duo object as the secondary authentication method in Remote Access VPN.

Navigate to Remote Access VPN and edit the concerned Connection Profile, as shown in the image.

Select LocalIdentitySource as Primary Identity Source and Duo as Secondary Identity Source. Click on Next to close the Remote Access VPN Wizard.

Note: Use Primary username for Secondary login is checked under Advanced option for the purpose of the document. If you need to use different usernames for Primary and Secondary authentication, you can uncheck it.

Step 2. Deploy the configuration to the device.

Pending changes show Local user, Duo object and Secondary Authentication Settings ready to be pushed.

Verify 

In order to test this configuration, provide the local credentials in Username and Password. For Second Password, type push, phone, or passcode to determine the kind of notification to be sent by Duo. Here the push method is used.

You must get a Duo PUSH notification on your enrolled device for Two Factor Authentication (2FA). Once the push request is approved, the AnyConnect user gets connected.

Open AnyConnect GUI > Settings > Statistics and verify the connection.

Verify the user connection on the FTD CLI using the show command show vpn-sessiondb anyconnect.

firepower# show vpn-sessiondb anyconnect

Username     : tazkhan                Index        : 32
Assigned IP  : 192.168.10.1           Public IP    : 10.65.81.47
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 149500                 Bytes Rx     : 112471
Group Policy : DfltGrpPolicy          Tunnel Group : SSLVPN
Login Time   : 11:07:09 UTC Mon Oct 9 2019
Duration     : 0h:27m:46s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 00000000000200005d9b1c5d
Security Grp : none                   Tunnel Zone  : 0
firepower#

Troubleshoot

Verify that the Duo object is pushed from the REST API by navigating to Objects > Identity Sources.

Verify the aaa-server configuration and secondary authentication on the FTD CLI using the show commands show run aaa-server <name> and show run tunnel-group.

firepower# show run aaa-server Duo

aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect

firepower# show run tunnel-group
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool anyconnect-pool
 secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
firepower#

Debug Commands

Note: Refer to Important Information on Debug Commands before you use debug commands.

You can set various debug levels. By default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.

These debugs on the FTD CLI would be helpful in troubleshooting the AnyConnect connection for Duo.

debug ldap 255

debug webvpn anyconnect 255
