Multi-factor Authentication using Duo (LDAP) for RA VPN through REST API on FDM

Contents

Introduction
Prerequisites
  Requirements
  Components Used
Background Information
Authentication Flow
  Authentication Flow Explained
Configure
  Configuration on Duo Administration Portal
  Configuration on POSTMAN
  Configure FDM
  Add Duo Certificate on FDM
  Create Local User for Primary Authentication
  Binding Duo object to RA VPN on FDM
Verify
Troubleshoot
Introduction
This document describes how to configure a Duo Lightweight Directory Access Protocol (LDAP) identity source object through the REST API and how to use this object in the Remote Access VPN (RA VPN) connection profile as a secondary authentication identity source on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
● Basic knowledge of RA VPN configuration on FDM.
● Basic knowledge of REST API and FDM REST API Explorer.
● Cisco FTD running version 6.5.0 and above managed by Cisco Firepower Device Manager (FDM).
● FTD registered with the smart licensing portal with Export Controlled Features enabled (in order to allow the RA VPN configuration tab to be enabled).
● AnyConnect Licenses enabled (APEX, Plus or VPN-Only).
Components Used
The information in this document is based on these software and hardware versions:
● Cisco FTD running version 6.5.0-115
● Cisco AnyConnect Secure Mobility Client version 4.7.01076
● Postman or any other API development tool
● Duo web account
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
From FTD version 6.5, you can use a Duo LDAP Identity Source object directly in the RA VPN profile for secondary authentication with the help of the REST API.
Prior to this version, two-factor authentication was supported only via Duo Proxy and RADIUS.
Authentication Flow
Authentication Flow Explained
1. The user initiates a remote access VPN connection to the FTD and provides a username and password for Primary Authentication.
2. FTD sends the authentication request to the primary authentication server.
3. Once the primary authentication is successful, FTD sends a request for secondary authentication to the Duo LDAP server.
4. Duo then authenticates the user, depending on the input for secondary authentication (push, passcode, phone).
5. Duo responds to the FTD to indicate whether the user authenticated successfully.
6. If the secondary authentication was successful, the FTD establishes a remote access VPN connection.
Configure
In order to complete the configuration, work through these sections:
Configuration on Duo Administration Portal
Step 1. Login to your Duo account (https://admin.duosecurity.com).
Navigate to Applications > Protect an Application.
Step 2. Select your Authentication Application as Cisco ASA SSL VPN.
The Integration Key, Secret Key, and API hostname are used when the Duo LDAP object is added through the REST API.
Note: Do not select Cisco Firepower Threat Defense, as that application type is used to add Duo as a Proxy Server.
Step 3. Create a username and activate Duo Mobile on the end device.
Add yourself to the Duo cloud administration webpage. Navigate to Users > Add users.
Note: Ensure the end user has the Duo app installed on the end device.
Manual installation of Duo application for iOS devices
Manual installation of Duo application for android devices
Step 4. Add your phone number for the automatic generation of code.
Step 5. Select Activate Duo Mobile.
Step 6. Select Generate Duo Mobile Activation Code.
Step 7. Select Send Instructions by SMS.
Step 8. In order to enroll in the Duo app, click on the link in the SMS. Your account details can be seen in the Device Info section, as shown in the image.
Configuration on POSTMAN
Step 1. Launch the API Explorer of the FTD on a Browser Window.
Navigate to https://<FTD Management IP>/api-explorer
For the configuration displayed, the following URL is used: https://10.197.224.99/api-explorer. This contains the entire list of APIs available on the FTD.
It is divided based on the main feature, with multiple GET/POST/PUT/DELETE requests which are supported by the FDM.
Note: In this example, we have used POSTMAN as the API development tool.
Step 2. Add a Postman collection for Duo.
Give a name for the collection.
Edit the Authorization tab and update the type to OAuth 2.0
Step 3. Add a new request Auth to create a login POST request to the FTD in order to get the token that authorizes any subsequent POST/GET requests.
The Body of the POST request must contain these:
Type: raw - JSON (application/json)
grant_type: password
username: Admin username used to log in to the FTD
password: The password associated with the admin user account
POST Request : https://<FTD Management IP>/api/fdm/latest/fdm/token
The Body of the Response contains the access token which is used in order to send any PUT/GET/POST requests to the FTD.
Step 4. Create a Get Interface information request to get the details of the interface through which Duo would be reachable.
The Authorization tab must contain the following for all subsequent GET/POST requests:
Type: Bearer Token
Token: The access token received by running the login POST Request
GET Request : https://<FTD Management IP>/api/fdm/latest/devices/default/interfaces
The Body of the Response contains the interface information (version, name, id, type).
Step 5. Add CreateDuoLDAPIdentitySource request to create the Duo LDAP object.
The body of the POST request must contain these:
name: Name for the Duo LDAP object
apiHostname: Duo hostname received from the Duo admin portal
port: 636
timeout: 60 seconds
integrationKey: ikey received from the Duo admin portal
secretKey: skey received from the Duo admin portal
Note: The timeout is set to 60 seconds for the purpose of this document. Please adjust the settings as per your network environment.
The URL and sample body for the POST request can be copied from the API explorer.
POST Request : https://<FTD Management IP>/api/fdm/latest/object/duoldapidentitysources
The Body of response shows Duo configuration ready to be pushed to the device.
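The three Postman requests above (login for a token, list interfaces, create the Duo LDAP identity source), as an added Python example using only the standard library. This is not code from the Cisco document. The endpoint paths and body fields are the ones the document gives; the `type` value of the Duo object and the response field names `access_token` and `items` are assumptions taken from the shape of the FDM API Explorer sample bodies. The hostname and key values in the usage block are placeholders.

```python
"""Added example: the FDM REST API steps from this section, driven from
Python's standard library instead of Postman. Assumptions are labelled."""
import json
import ssl
import urllib.request
from typing import Optional


def token_request_body(username: str, password: str) -> dict:
    """Body for POST /api/fdm/latest/fdm/token (Step 3)."""
    return {"grant_type": "password", "username": username, "password": password}


def extract_access_token(token_response: dict) -> str:
    """Pull the bearer token out of the login response (assumed key name)."""
    token = token_response.get("access_token")
    if not token:
        raise ValueError("login response carries no access_token")
    return token


def bearer_headers(token: str) -> dict:
    """Authorization header used by every later GET/POST (Step 4)."""
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json"}


def summarize_interfaces(list_response: dict) -> list:
    """Reduce GET /devices/default/interfaces to (name, id, type) tuples.
    The 'items' list key is assumed from the FDM paged list format."""
    return [(i.get("name"), i.get("id"), i.get("type"))
            for i in list_response.get("items", [])]


def duo_ldap_identity_source_body(name: str, api_hostname: str,
                                  integration_key: str, secret_key: str,
                                  port: int = 636, timeout: int = 60) -> dict:
    """Body for POST /object/duoldapidentitysources (Step 5 table).

    Two checks worth running before pushing the object: the hostname must be
    the Duo API hostname from the admin portal, and the port must be 636 so
    the bind runs over LDAPS rather than clear-text LDAP."""
    if not api_hostname.endswith(".duosecurity.com"):
        raise ValueError(f"{api_hostname!r} is not a Duo API hostname")
    if port != 636:
        raise ValueError("Duo LDAP must use port 636 (LDAPS)")
    return {"name": name,
            "apiHostname": api_hostname,
            "port": port,
            "timeout": timeout,
            "integrationKey": integration_key,
            "secretKey": secret_key,
            "type": "duoldapidentitysource"}  # assumed from the API Explorer sample


class FdmClient:
    """Minimal REST client that keeps TLS verification on."""

    def __init__(self, mgmt_ip: str, cafile: Optional[str] = None):
        self.base = f"https://{mgmt_ip}/api/fdm/latest"
        # Point cafile at the CA that issued the FDM management certificate
        # instead of disabling verification; None uses the system store.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = bearer_headers(self.token) if self.token else {
            "Content-Type": "application/json", "Accept": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def login(self, username: str, password: str) -> None:
        self.token = extract_access_token(
            self._call("POST", "/fdm/token", token_request_body(username, password)))

    def interfaces(self) -> list:
        return summarize_interfaces(self._call("GET", "/devices/default/interfaces"))

    def create_duo_ldap(self, body: dict) -> dict:
        return self._call("POST", "/object/duoldapidentitysources", body)


if __name__ == "__main__":
    # Placeholder values: replace with your FTD management IP and Duo keys.
    client = FdmClient("10.197.224.99", cafile="fdm-ca.pem")
    client.login("admin", "REPLACE_ME")
    print(client.interfaces())
    print(client.create_duo_ldap(duo_ldap_identity_source_body(
        "Duo", "api-XXXXXXXX.duosecurity.com", "IKEY_PLACEHOLDER", "SKEY_PLACEHOLDER")))
```

The secret key and the admin password are sent in request bodies only, never in the URL, and the TLS context verifies the FDM certificate so the bearer token cannot be captured by a man-in-the-middle on the management network.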
Configure FDM
Step 1. Verify Device is registered to Smart Licensing.
Step 2. Verify AnyConnect licenses are enabled on the device.
Step 3. Verify Export-controlled Features is enabled in the token.
Add Duo Certificate on FDM
You need to download the CA certificate from the Duo website and add it to FDM in order for LDAP over SSL to work.
Step 1. Login to FDM and then navigate to Objects > Certificates > Add Trusted CA Certificates.
Step 2. Provide a name for the certificate object and add the CA certificate downloaded from https://duo.com
Step 3. Deploy the certificate to the device.
Create Local User for Primary Authentication
Step 1. Navigate to Objects > Users and click on + to add a new user, as shown in the image.
Step 2. Add the username and password details and click on OK, as shown in the image.
Note: This document assumes that the RA VPN is already configured. Please refer to the following document for more information on how to configure RA VPN on FTD managed by FDM.
Binding Duo object to RA VPN on FDM
Step 1. Bind the Duo object as the secondary authentication method in Remote Access VPN.
Navigate to Remote Access VPN and edit the concerned Connection Profile, as shown in the image.
Select LocalIdentitySource as Primary Identity Source and Duo as Secondary Identity Source. Click on Next to close the Remote Access VPN Wizard.
Note: Use Primary username for Secondary login is checked under Advanced options for the purpose of this document. If you need to use different usernames for Primary and Secondary authentication, you can uncheck it.
Step 2. Deploy the configuration to the device.
Pending changes show the Local user, Duo object and Secondary Authentication Settings ready to be pushed.
Verify
In order to test this configuration, provide the local credentials in Username and Password. For Second Password, type push, phone, or passcode to determine the kind of notification to be sent by Duo. Here the push method is used.
You must get a Duo PUSH notification on your enrolled device for Two Factor Authentication (2FA). Once the push request is approved, the AnyConnect user gets connected.
Open the AnyConnect GUI > Settings > Statistics and verify the connection.
Verify the user connection on the FTD CLI using the show command show vpn-sessiondb anyconnect:
firepower# show vpn-sessiondb anyconnect
Username : tazkhan Index : 32
Assigned IP : 192.168.10.1 Public IP : 10.65.81.47
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 149500 Bytes Rx : 112471
Group Policy : DfltGrpPolicy Tunnel Group : SSLVPN
Login Time : 11:07:09 UTC Mon Oct 9 2019
Duration : 0h:27m:46s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000000200005d9b1c5d
Security Grp : none Tunnel Zone : 0
firepower#
Troubleshoot
Verify that the Duo object was pushed from the REST API by navigating to Objects > Identity Sources.
Verify the aaa-server configuration and secondary authentication on the FTD CLI using the show commands show run aaa-server <name> and show run tunnel-group:
firepower# show run aaa-server Duo
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
timeout 60
server-port 636
ldap-base-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
firepower# show run tunnel-group
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool anyconnect-pool
secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
firepower#
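The two show-run outputs above, parsed and checked by an added Python example (not from the Cisco document): it flattens the aaa-server block and the tunnel-group block and confirms that the Duo group is bound as the secondary authentication server over LDAPS. The sample text is constructed from the page's own output, reindented the way the FTD prints it; the checks it runs (LDAP protocol, ldap-over-ssl, port 636, Duo hostname, tunnel-group binding) are the ones this document's configuration relies on.

```python
"""Added example: verify the Duo secondary-authentication binding from
'show run aaa-server' and 'show run tunnel-group' output."""
import re

# Constructed from the document's "show run aaa-server Duo" output.
SAMPLE_AAA = """\
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DI518DFVL9NBTM06CTQQ,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
"""

# Constructed from the document's "show run tunnel-group" output.
SAMPLE_TG = """\
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool anyconnect-pool
 secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
"""


def parse_aaa_server(text: str) -> dict:
    """Flatten one aaa-server block into a dict of keyword -> value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("firepower#"):
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            cfg["name"], cfg["protocol"] = m.groups()
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)$", line)
        if m:
            cfg["interface"], cfg["host"] = m.group(2), m.group(3)
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value
    return cfg


def parse_tunnel_groups(text: str) -> dict:
    """Collect, per tunnel-group, the secondary authentication settings."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = {"type": m.group(2)}
            continue
        m = re.match(r"tunnel-group (\S+) \S+-attributes$", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, {})
            continue
        m = re.match(r"secondary-authentication-server-group (\S+)(.*)$", line)
        if m and current is not None:
            groups[current]["secondary_auth"] = m.group(1)
            groups[current]["use_primary_username"] = \
                "use-primary-username" in m.group(2)
    return groups


def check_duo_binding(aaa: dict, groups: dict, tunnel_group: str) -> list:
    """Return a list of findings; an empty list means the binding looks right."""
    findings = []
    if aaa.get("protocol") != "ldap":
        findings.append("aaa-server protocol is not ldap")
    if aaa.get("ldap-over-ssl") != "enable":
        findings.append("ldap-over-ssl is not enabled; the bind would run in clear text")
    if aaa.get("server-port") != "636":
        findings.append(f"server-port is {aaa.get('server-port')}, expected 636 (LDAPS)")
    if not aaa.get("host", "").endswith(".duosecurity.com"):
        findings.append(f"host {aaa.get('host')!r} is not a Duo API hostname")
    tg = groups.get(tunnel_group)
    if tg is None:
        findings.append(f"tunnel-group {tunnel_group} not found")
    elif tg.get("secondary_auth") != aaa.get("name"):
        findings.append(f"tunnel-group {tunnel_group} does not use "
                        f"{aaa.get('name')} for secondary authentication")
    return findings


if __name__ == "__main__":
    result = check_duo_binding(parse_aaa_server(SAMPLE_AAA),
                               parse_tunnel_groups(SAMPLE_TG), "SSLVPN")
    print("OK" if not result else "\n".join(result))
```

Paste your own show-run output in place of the two samples; a non-empty findings list points at the line that would leave the second factor either unencrypted on the wire or not applied to the connection profile at all.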
Debug Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
You can set various debug levels. By default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.
These debugs on the FTD CLI would be helpful in troubleshooting the AnyConnect connection for Duo.
debug ldap 255
debug webvpn anyconnect 255