Cisco Asa Ad Integration

This server will sync users from AD, talk to the Cisco ASA via RADIUS and handle any incoming authentication requests. I strongly suggest you allocate a separate VM for this instead of installing it directly on one of your DCs (I installed it on the VM that also performs Office 365 dirsync). The ldap-base-dn will be where the ASA starts looking for an authenticated user. I recommend setting this as the first level of your AD tree. The ldap-scope subtree tells LDAP to look for this user in any subtree. The other option is just a single subtree up. The next 3 commands are setting up the LDAP user that will be used to bind to LDAP. So once the ASA integrates with our on-prem AD, which is connected to Azure AD, I also want to enable those users coming through the ASA that are on AD to also be enabled for Azure MFA. Can someone point me to such a document please.


  1. CHANGE THE ENTRIES IN BOLD BELOW TO MATCH YOUR REQUIREMENTS

     Type help or '?' for a list of available commands.
     Petes-ASA> enable
     Password:
     Petes-ASA# configure terminal
     Petes-ASA(config)# aaa-server PNL-LDAP-SERVER protocol ldap
     Petes-ASA(config-aaa-server-group)# aaa-server PNL-LDAP-SERVER (inside) host 192.168.100.10
     Petes-ASA(config-aaa-server-host)# ldap-base-dn dc=pnl,dc=com
     Petes.
  2. AD is not LDAP (because LDAP is just the protocol), AD is an LDAP store that can answer LDAP queries, so to integrate AAA with AD (at least for the 'authentication'), you may use AD as an LDAP store for authentication directly without ACS, without ISE, without radius and without tacacs.
  • 1 Introduction
  • 2 Prerequisites
  • 5 Swivel Configuration
    • 5.1 Configuring the RADIUS server
  • 6 Cisco ASA Configuration
  • 8 Additional Configuration Options

This document describes steps to configure a Cisco ASA with Swivel as the authentication server. Swivel can provide Two Factor authentication with SMS, Token, Mobile Phone Client and strong Single Channel Authentication TURing, Pinpad or in the Taskbar using RADIUS. AnyConnect works with Swivel if started in the portal.

Swivel integration is made using the RADIUS authentication protocol, with an option to customise the login page. Depending on your needs, you can modify the default customization object or create a new customization object. There are many ways to configure it to work with Swivel, such as:

  • Username AD Password and Swivel Authentication (The most common method with AD authentication made against the LDAP server and OTC checked against Swivel using RADIUS)
  • Username AD Password and Swivel Authentication (AD authentication and OTC checked against Swivel using RADIUS)
  • Username and OTC (OTC checked against Swivel using RADIUS authentication)

And various other options including local password.


To use the Single Channel Image such as the TURing Image, the Swivel server must be made accessible. The client requests the images from the Swivel server, and is usually configured using a NAT (Network Address Translation), often with a proxy server. The Swivel virtual appliance or hardware appliance is configured with a proxy port to allow an additional layer of protection.

For the Cisco IPSEC client Swivel integration see Cisco IPSEC Client Integration


Configuration steps overview

  • Configuring the Swivel server
  • Create a customization object to hold the attached Javascript.
  • Create an authentication server group with RADIUS protocol.
  • Create a connection profile (tunnel group) to link login URL, authentication server and custom login page together.


  • Cisco ASA 8.03 or higher
  • Cisco documentation
  • Swivel 3.x, 3.5 or higher for RADIUS groups
  • NAT for Single channel access


Login Page customisation prerequisites

Cisco ASA 8 customisation Script. Note: beware of opening this in Wordpad or a similar editor, in case the text editor wraps the text onto a new line. This script can be used for TURing, SMS, Token or Mobile Phone Client. There is an alternative customisation for Pinpad, available from here.

For Single Channel TURing images some editing of the script is required.

The Swivel server must be accessible by the client when using Single Channel Images, such as the TURing Image or Pinpad, and the security string index number; for external access this is usually through a NAT.

Cisco ASA 8.03, Also tested with 8.21

Swivel 3.5, 3.6, 3.7, 3.8, 3.9


The Cisco ASA makes authentication requests against the Swivel server by RADIUS.

The client makes TURing requests against the Swivel server using HTTP/HTTPS


Configuring the RADIUS server

On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration


Enabling Session creation with username

To allow the TURing image, Pinpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.


Setting up Swivel Dual Channel Transports

Used for SMS, see Transport Configuration


Create a Radius Authentication Server Group

Authentication Server Group is used to hold necessary information about the Swivel server. Go to Remote Access VPN -> AAA/Local users -> AAA Server. Click on Add to add an AAA Server Group.



Enter a name for Server Group, select RADIUS for Protocol and click OK. With the newly created server group name selected, click on Add on the right bottom to add a Swivel server.



Enter Swivel server's IP, authentication port and server secret key as indicated. Click on OK then Apply to save the AAA server group.


Optional: Create a Secondary Authentication Server

The login page can be configured to display Swivel as a primary or secondary authentication server. To use multiple authentication servers, they must be configured under Remote Access VPN -> AAA/Local users -> AAA Server. This example shows an AD Server being added.

Go to Remote Access VPN -> AAA/Local users -> AAA Server. Click on Add to add an AAA Server Group.


Enter a name for the Server Group, select NT Domain or Kerberos for Protocol and click OK. With the newly created server group name selected, click on Add on the right bottom to add an NT Domain Server.



Enter the AD server's IP, Server port and Domain Controller hostname. Click on OK then Apply to save the AAA server group.



This secondary authentication server then needs to be linked to the Connection Profile (see below).


Create a Connection Profile (Tunnel Group)

Swivel can be defined as a Primary Authentication server or as a Secondary authentication server.

Connection Profile is used to link authentication server group, URL used to access the ASA, and login page customization together. Go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles. Click on Add to add a connection profile.



In Basic panel, enter a name, alias and select the AAA Server Group created. Swivel can be configured as the Primary authentication server or the secondary authentication server.



Click on Advanced then Clientless SSL VPN. Select the customization object created and add a Group URL used to access the ASA with Swivel authentication.



Click on OK then Apply to save the Connection Profile.

Integration


Optional: Create a Secondary Authentication for the Connection Profile (Tunnel Group)

This option has been configured using the Secondary Authentication server option available in ASA 8.21

Go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles, select the connection profile created above then select Edit. Expand the Advanced option list and select Secondary Authentication. Enter the Secondary server group required and if the username should be reused.

Ensure the box 'Use primary username (Hide secondary username on login page)' is ticked. Click on OK to save the settings. If AD is defined as the Primary authentication server then Swivel can be defined as the secondary authentication server.



Test the RADIUS authentication

At this stage it should be possible to authenticate by SMS, hardware Token, Mobile Phone Client and Taskbar to verify that the RADIUS authentication is working for users. Browse to the SSL VPN login page, and enter Username and if being used, the password. From the Swivel Administration console select User Administration and the required user then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.


Optional: Login Page Customisation

If the Swivel Single Channel Image is to be used, then the login page needs to be customised. If single channel authentication is not required, or other page modifications such as SMS on Demand buttons are not needed, then this section can be skipped. The login page customization is used to insert the Javascript needed to retrieve the Swivel TURing image. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Click on Add to add a new customization object.



Enter a name for the object, click on OK then Apply.



With the new object selected, click on Edit to enter the Customization Editor. Click on the Information Panel menu item. Note: If the information panel has been moved to a different location then the script can be added to the Copyright panel instead.




Change Mode to 'Enable'. Modify the pinsafeurl variable in the Cisco ASA 8 customisation Script to reflect your Swivel server's URL. (The scripts are located at the top of the page under prerequisites). Paste the modified content into the Text box. Click on Save on the top right corner of the Customization Editor to save the object.

WARNING: the Panel Position must be set to Right for the script to work. This is so that the customisation script is rendered after the logon form. If you particularly need the information panel to be on the left, put the Swivel customisation script in the Copyright Panel instead, as that is always rendered at the bottom.

The following elements need to be modified in the script:

Note that for the Pinpad version, SCImage will be replaced with SCPinPad.

The primary and standby should be modified. If a standby is not used then set var secondaryAuth = false

For a virtual or hardware appliance

var primary='https://demo.swivelsecure.com:8443/proxy/SCImage?username=';

For a software only install see Software Only Installation


To use multiple security strings in an SMS message, this can be modified to show the next security string which should be entered.

For a virtual or hardware appliance

var pinsafeurl='https://demo.swivelsecure.com:8443/proxy/DCIndexImage?username=';

For a software only install see Software Only Installation


The text can also be changed to reflect the request for a security string index number. See also Multiple Security Strings How To Guide

The Button to request the Security String Index can also be edited

The Logon Form can be edited to suit the language and secondary authentication password message. Select the Logon Form to display the fields available.


Swivel as the primary authentication server, AD as the secondary authentication server.


AD as the primary authentication server, Swivel as the secondary authentication server.

Now the configuration is complete. You can use the configured Group URL to access the ASA with Swivel authentication.



If configured, a Domain Password prompt will appear.



Before the user name is entered, the OTP (One Time Password) field is grayed out. Enter a user name and click on Get OTP.



OTP login with Domain Password



Use your PIN to extract the OTP and enter it in the OTP field. If everything is configured correctly, you will see the portal page after clicking on Login. Please note that the Javascript to retrieve the Turing image is executed at the user's browser. Therefore, the user's PC must have access to the Swivel URL. It is highly recommended that you configure your Swivel server to use SSL/https to protect the session. Also if you are using a Swivel virtual or hardware appliance, the image can be requested via the built-in image proxy.

The below screen shot shows the use of the Security String Index to tell the user which of their multiple security Strings to use.

The below security screen shows a login screen with Turing and SMS on Demand login options.


The Cisco server can be configured to use multiple authentication servers such as Active Directory.

Two Stage and Challenge/Response authentication can also be configured.

The integration uses Swivel as the primary authentication server and AD as the secondary authentication server. It would be possible to change this order.

If you need to reference the secondary password label or field, the IDs are 'secondary_password_field' and 'secondary_password_input' respectively.

For example, if you want to change the secondary password prompt from within the customised script, use the following:

Customisation for One Touch / Push

This section describes how to customise the Cisco ASA login page to support Push authentication (previously One Touch). In order to use One Touch with Cisco ASA, you must have the Swivel software version 3.11.5 or later.

Before applying this customisation, read the article on One Touch to ensure that the Swivel Secure Appliance is prepared.

Follow the instructions on customisation above up to the point where the information panel is enabled. Now insert the following in the information panel:

Check the Swivel logs for Turing images and RADIUS requests.


Login page modifications absent

This can be caused by the script having been altered, with line feeds inserted by a text editor that wraps long lines. View the login page source to check whether it contains the page modifications but they are not being displayed correctly.

TURing image doesn't change

If you are repeatedly shown the same TURing image for multiple logins, or after refreshing the page, this may be due to page caching settings in your browser. To avoid this problem, change one line in the customisation. Search for the string

and replace it with the following:

This results in a different URL every time the TURing image is displayed, thereby avoiding problems with caching.
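The cache-busting change described above, written out as an added example; this is not the Swivel KB's own customisation script. It assembles the image URL from base URLs in the same form as the 'primary' and 'pinsafeurl' variables on this page (SCImage, SCPinPad, DCIndexImage), percent-encodes the username before appending it, and adds a per-request query parameter so the browser never reuses a cached image. The parameter name 'random', the element ids used by refreshImage and the demo hostname are assumptions.

```javascript
// Added example (not from the Swivel KB page): build the Swivel single channel
// image URL with two additions a practitioner would want:
//  - the username is percent-encoded before being appended to the URL
//  - a cache-busting query parameter is appended so the browser fetches a
//    fresh image every time (the fix the troubleshooting section describes).
// The parameter name 'random' and the nonce format are assumptions, not taken
// from Swivel documentation.

// Base URLs in the form used by the customisation script's primary/pinsafeurl
// variables (virtual/hardware appliance proxy). The hostname is the demo value.
var IMAGE_BASES = {
  turing: 'https://demo.swivelsecure.com:8443/proxy/SCImage?username=',
  pinpad: 'https://demo.swivelsecure.com:8443/proxy/SCPinPad?username=',
  index:  'https://demo.swivelsecure.com:8443/proxy/DCIndexImage?username='
};

// Returns a token that differs for every request: the current time plus a
// random component, so two images requested in the same millisecond still differ.
function cacheBuster(now, rand) {
  now = (now === undefined) ? Date.now() : now;
  rand = (rand === undefined) ? Math.floor(Math.random() * 1e9) : rand;
  return now.toString(36) + '-' + rand.toString(36);
}

// Build the image URL for one of the three image kinds. A nonce may be passed
// explicitly (useful for tests); otherwise a fresh cache buster is generated.
function buildImageUrl(kind, username, nonce) {
  var base = IMAGE_BASES[kind];
  if (!base) {
    throw new Error('unknown image kind: ' + kind);
  }
  if (typeof username !== 'string' || username.length === 0) {
    throw new Error('username is required');
  }
  // encodeURIComponent stops characters such as '&' or '#' in the typed
  // username from being interpreted as extra query parameters or a fragment.
  var url = base + encodeURIComponent(username);
  url += '&random=' + encodeURIComponent(nonce === undefined ? cacheBuster() : nonce);
  return url;
}

// Parse the query string back into an object, to check what a URL carries.
function queryParams(url) {
  var out = {};
  var q = url.split('?')[1] || '';
  q.split('&').forEach(function (pair) {
    if (!pair) return;
    var idx = pair.indexOf('=');
    var k = idx === -1 ? pair : pair.slice(0, idx);
    var v = idx === -1 ? '' : pair.slice(idx + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  });
  return out;
}

// Browser hook: point an <img> element at a fresh image for the username
// currently typed into the logon form. The element ids are assumptions.
function refreshImage(kind, usernameInputId, imgId) {
  if (typeof document === 'undefined') return null;  // not running in a browser
  var user = document.getElementById(usernameInputId).value;
  var img = document.getElementById(imgId);
  img.src = buildImageUrl(kind, user);
  return img.src;
}
```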


None


We have a prototype customised AnyConnect VPN client available for testing. Please see here for more details.

For assistance in Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com

Retrieved from 'https://kb.swivelsecure.com/w/index.php?title=Cisco_ASA_Integration&oldid=1951'

Introduction

This document describes the configuration of Captive portal authentication (Active Authentication) and Single-Sign-On (Passive Authentication) on Firepower Module using ASDM (Adaptive Security Device Manager).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Knowledge of ASA (Adaptive Security Appliance) firewall and ASDM
  • FirePOWER module Knowledge
  • Light Weight Directory Service (LDAP)
  • Firepower UserAgent

Components Used

The information in this document is based on these software and hardware versions:

  • ASA FirePOWER modules (ASA 5506X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X) running software version 5.4.1 and above.
  • ASA FirePOWER module (ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) running software version 6.0.0 and above.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Captive Portal Authentication or Active Authentication prompts a login page and user credentials are required for a host to get the internet access.

Single-Sign-On or Passive Authentication provides seamless authentication to a user for network resources and internet access without entering user credential multiple times. The Single-Sign-on authentication can be achieved either by Firepower user agent or NTLM browser authentication.

Note: For Captive Portal Authentication, the ASA should be in routed mode.

Note: The captive-portal command is available in ASA version 9.5(2) and later.

Configure

Step 1. Configure the Firepower User Agent for Single-Sign-On.

This article explains how to configure Firepower User Agent in Windows machine:

Installation and Uninstallation of Sourcefire User Agent

Step 2. Integrate the Firepower Module (ASDM) with User Agent.

Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Identity Sources and click the User Agent option. Configure the IP address of the User Agent system and click on Add, as shown in the image:

Click on Save button to save the changes.

Step 3. Integrate Firepower with Active Directory.

Step 3.1 Create the Realm.

Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Realms. Click on Add a New Realm.

Name & Description: Give a name/description to uniquely identify the realm.

Type: AD

AD Primary Domain: Domain name of Active Directory (NETBIOS Name).

Directory Username: Specify the <username>.

Directory Password: Specify the <password>.

Base DN: Domain or Specific OU DN from where the system will start a search in LDAP database.


Group DN: Specify the group DN.

Group Attribute: Specify the option Member from the drop-down list.

Click on OK to save the configuration.

This article can help you to figure out the Base DN and Group DN values.

Step 3.2 Add the Directory Server IP address/hostname.

To specify AD Server IP/hostname, click on Add directory.

Hostname/IP Address: configure the IP address/hostname of the AD server.

Port: Specify the Active Directory LDAP port number ( Default 389 ).

Encryption/SSL Certificate: (optional) To encrypt the connection between the FMC and the AD server, refer to this article:

Click Test in order to verify the connection of FMC with the AD server. Now click OK to save the configuration.

Step 3.3 Modify the Realm Configuration.

In order to modify and verify integration configuration of AD server, navigate to Realm Configuration.

Step 3.4 Download User database.

Navigate to User Download to fetch the user database from the AD server.

Enable the Download users and groups check box and define the time interval for how frequently the Firepower module contacts the AD server to download the user database.

Select the group and add it to the Include option for which you want to configure the authentication. By default, all groups are selected if you do not choose to include the groups.

Click on Store ASA Firepower Changes to save the realm configuration.

Enable the realm state and click the download button to download the users and groups, as shown in the image.

Step 4. Configure the Identity Policy.

An identity policy performs user authentication. If the user does not authenticate, access to network resources is refused. This enforces Role-Based Access Control (RBAC) to your organization's network and resources.

Step 4.1 Captive portal (Active Authentication).


Active Authentication asks for username and password at the browser to identify a user identity to allow any connection. Browser authenticates user either by presenting authentication page or authenticates silently with NTLM authentication. NTLM uses the web browser to send and receive authentication information. Active Authentication uses various types to verify the identity of the user. Different types of Authentication are:

  1. HTTP Basic: In this method, the browser prompts for user credentials.
  2. NTLM: NTLM uses windows workstation credentials and negotiates it with Active directory using a web browser. You need to enable the NTLM authentication in the browser. User Authentication happens transparently without prompting credentials. It provides a single sign-on experience for users.
  3. HTTP Negotiate: In this type, the system tries to authenticate using NTLM; if it fails then the sensor uses the HTTP Basic authentication type as a fallback method and prompts a dialog box for user credentials.
  4. HTTP Response page: This is similar to HTTP basic type, however, here user is prompted to fill the authentication in an HTML form which can be customized.

Each browser has a specific way to enable the NTLM authentication and hence, you can follow browser guidelines in order to enable the NTLM authentication.

To securely share the credential with the routed sensor, you need to install either self-signed server certificate or publicly-signed server certificate in the identity policy.

Navigate to Configuration > ASA FirePOWER Configuration > Policies > Identity Policy. Now navigate to Active Authentication tab and in the Server Certificate option, click the icon (+) and upload the certificate and private key which you have generated in the previous step using openSSL, as shown in the image:

Now click on Add rule to give a name to the Rule and choose the action as Active Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.

Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step and select the Authentication Type from the drop-down list that best suits your network environment.

Step 4.2 ASA Configuration for Captive Portal.

Step 1. Define the interesting traffic that will be redirected to Sourcefire for inspection.

Step 2. Configure this command on the ASA in order to enable the captive portal.

Tip: captive-portal can be enabled globally or per interface basis.

Tip: Ensure that the server port, TCP 1025 is configured in the port option of Identity policy's Active Authentication tab.

Step 4.3 Single-Sign-On (Passive Authentication).

In passive authentication, when a domain user logs in and is able to authenticate to AD, the Firepower User Agent polls the User-IP mapping details from the security logs of AD and shares this information with the Firepower Module. The Firepower module uses these details in order to enforce the access control.

To configure the passive authentication rule, click on Add rule to give a name to the rule and then choose the Action as Passive Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.

Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step.

Here you can choose fall back method as Active authentication if passive authentication cannot identify the user identity, as shown in the image:

Now click on Store ASA Firepower Changes to save the configuration of Identity policy.

Step 5. Configure the Access Control Policy.

Navigate to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.

Click the Identity Policy (left-hand side upper corner), select the Identity Policy that you have configured in the previous step from the drop-down list and click OK, as shown in this image.

Click on Add rule to add a new rule, navigate to Users and select the users for which access control rule will be enforced, as shown in this image and click Add.

Click on Store ASA Firepower Changes to save the configuration of Access Control policy.

Step 6. Deploy the Access Control Policy.

You must deploy the Access Control policy. Before you apply the policy, you will see an Access Control Policy out-of-date indication on the module. To deploy the changes to the sensor, click on Deploy and choose the Deploy FirePOWER Changes option, then click on Deploy in the pop-up window.

Note: In version 5.4.x, to apply the access policy to the sensor, you need to click Apply ASA FirePOWER Changes.

Note: Navigate to Monitoring > ASA Firepower Monitoring > Task Status. Ensure that the task has completed applying the configuration change.

Step 7. Monitor User events.

Navigate to Monitoring > ASA FirePOWER Monitoring > Real-Time Eventing, to monitor the type of traffic being used by the user.

Verify

Use this section in order to confirm that your configuration works properly.

Navigate to Analysis > Users in order to verify the User authentication/Authentication type/User-IP mapping/access rule associated with the traffic flow.

Connectivity between Firepower Module and User Agent (Passive Authentication)

Firepower Module uses TCP port 3306, in order to receive user activity log data from the User Agent.

In order to verify the Firepower module's service status, use this command in the FMC.


Run packet capture on the FMC in order to verify connectivity with the User Agent.

Connectivity between FMC and Active Directory


Firepower module uses TCP port 389 in order to retrieve the User Database from the Active directory.

Cisco Asa Ad Integration


Optional: Create a Secondary Authentication for the Connection Profile (Tunnel Group)

This option has been configured using the Secondary Authentication server option available in ASA 8.21

Go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles, select the connection profile created above then select Edit. Expand the Advanced option list and select Secondary Authentication. Enter the Secondary server group required and if the username should be reused.

Ensure the box 'Use primary username (Hide secondary username on login page)' is ticked. Click on OK to save the settings. If AD is defined as the Primary authentication server then Swivel can be defined as the secondary AD server.



Test the RADIUS authentication

At this stage it should be possible to authenticate by SMS, hardware Token, Mobile Phone Client and Taskbar to verify that the RADIUS authentication is working for users. Browse to the SSL VPN login page, and enter Username and if being used, the password. From the Swivel Administration console select User Administration and the required user then View Strings, and select an appropriate authentication string or OTC for the user. At the SSL VPN login enter the required OTC. Check the Swivel logs for a RADIUS success or rejected message. If no RADIUS message is seen, check that the Swivel RADIUS server is started and that the correct ports are being used.


Optional: Login Page Customisation

If the Swivel Single Channel Image is to be used, then the login page needs to be customised. If single channel authentication is not required, or other page modifications such as for SMS on Demand buttons, then this section can be skipped. The login page customization is used to insert necessary Javascript to retrieve Swivel Turing image. In ASDM, go to Remote Access VPN ->Clientless SSL VPN Access -> Portal ->Customization. Click on Add to add a new customization object.



Enter a name for the object, click on OK then Apply.



With the new object selected, click on Edit to enter the Customization Editor. Click on the Information Panel menu item. Note: If the information panel has been moved to a different location then the script can be added to the Copyright panel instead.




Change Mode to 'Enable'. Modify the pinsafeurl variable in the Cisco ASA 8 customisation Script to reflect your Swivel server's URL. (The scripts are located at the top of the page under prerequisites). Paste the modified content into the Text box. Click on Save on the top right corner of the Customization Editor to save the object.

WARNING: the Panel Position must be set to Right for the script to work. This is so that the customisation script is rendered after the logon form. If you particularly need the information panel to be on the left, put the Swivel customisation script in the Copyright Panel instead, as that is always rendered at the bottom.

The following elements need to be modified in the script:

Note that for the Pinpad version, SCImage will be replaced with SCPinPad.

The primary and standby should be modified. If a standby is not used then set var secondaryAuth = false

For a virtual or hardware appliance

var primary='https://demo.swivelsecure.com:8443/proxy/SCImage?username=';

For a software only install see Software Only Installation


To use multiple security strings in an SMS message, this can be modified to show the next security string which should be entered.

For a virtual or hardware appliance

var pinsafeurl='https://demo.swivelsecure.com:8443/proxy/DCIndexImage?username=';

For a software only install see Software Only Installation


The text can also be changed to reflect the request for a security string index number. See also Multiple Security Strings How To Guide

The Button to request the Security String Index can also be edited

The Logon Form can be edited to suit the language and secondary authentication password message. Select the Logon Form to display the fields available.


Swivel as the primary authentication server, AD as the secondary authentication server.


AD as the primary authentication server, Swivel as the secondary authentication server.

Now the configuration is complete. You can use the configured Group URL to access the ASAwith Swivel authentication.



If configured, a Domain Password prompt will appear.



Before the user name is entered, the OTP (One Time Password) field is grayed out. Enter a user name and click on Get OTP.



OTP login with Domain Password



Use your PIN to extract the OTP and enter it in the OTP field. If everything is configured correctly, you will see the portal page after clicking on Login. Please note that the Javascript to retrieve the Turing image is executed at the user's browser. Therefore, the user's PC must have access to the Swivel URL. It is highly recommended that you configure your Swivel server to use SSL/https to protect the session. Also if you are using a Swivel virtual or hardware appliance, the image can be requested via the built-in image proxy.

The below screen shot shows the use of the Security String Index to tell the user which of their multiple security Strings to use.

The below security screen shows a login screen with Turing and SMS on Demand login options.


The Cisco server can be configured to use multiple authentication servers such as Active Directory.

Two Stage and Challenge/Response authentication can also be configured.

The integration uses Swivel as the primary authentication server and AD as the secondary authentication server. It would be possible to change this order.

If you need to reference the secondary password label or field, the IDs are 'secondary_password_field' and 'secondary_password_input' respectively.

For example, if you want to change the secondary password prompt from within the customised script, use the following:

Customisation for One Touch / Push

This section describes how to customise the Cisco ASA login page to support Push authentication (previously One Touch). In order to use One Touch with Cisco ASA, you must have the Swivel software version 3.11.5 or later.

Before applying this customisation, read the article on One Touch to ensure that the Swivel Secure Appliance is prepared.

Follow the instructions on customisation above up to the point where the information panel is enabled. Now insert the following in the information panel:

Check the Swivel logs for Turing images and RADIUS requests.


Login page modifications absent

This can be caused if the script has been altered with line feeds inserted in a text editor from wrap around text. View the login page source and see if it contains the page modifications, and are not being displayed correctly.

TURing image doesn't change

If you are repeatedly shown the same TURing image for multiple logins, or after refreshing the page, this may be due to page caching settings in your browser. To avoid this problem, change one line in the customisation. Search for the string

and replace it with the following:

This results in a different URL every time the TURing image is displayed, thereby avoiding problems with caching.




We have a prototype customised AnyConnect VPN client available for testing. Please see here for more details.

For assistance in Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com

Retrieved from 'https://kb.swivelsecure.com/w/index.php?title=Cisco_ASA_Integration&oldid=1951'

Introduction

This document describes the configuration of Captive portal authentication (Active Authentication) and Single-Sign-On (Passive Authentication) on Firepower Module using ASDM (Adaptive Security Device Manager).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Knowledge of the ASA (Adaptive Security Appliance) firewall and ASDM
  • Knowledge of the FirePOWER module
  • Lightweight Directory Access Protocol (LDAP)
  • Firepower User Agent

Components Used

The information in this document is based on these software and hardware versions:

  • ASA FirePOWER modules (ASA 5506X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X ) running software version 5.4.1 and above.
  • ASA FirePOWER module (ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) running software version 6.0.0 and above.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Captive Portal Authentication, or Active Authentication, presents a login page; a host must supply user credentials to get internet access.

Single-Sign-On, or Passive Authentication, provides seamless authentication to a user for network resources and internet access without entering user credentials multiple times. Single-Sign-On authentication can be achieved either by the Firepower User Agent or by NTLM browser authentication.

Note: For Captive Portal Authentication, the ASA must be in routed mode.

Note: The captive-portal command is available in ASA version 9.5(2) and later.

Configure

Step 1. Configure the Firepower User Agent for Single-Sign-On.

This article explains how to configure Firepower User Agent in Windows machine:

Installation and Uninstallation of Sourcefire User Agent

Step 2. Integrate the Firepower Module (ASDM) with User Agent.

Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Identity Sources and click the User Agent option. After you click the User Agent option, configure the IP address of the User Agent system and click Add, as shown in the image:

Click on Save button to save the changes.

Step 3. Integrate Firepower with Active Directory.

Step 3.1 Create the Realm.

Log in to ASDM, navigate to Configuration > ASA FirePOWER Configuration > Integration > Realms. Click on Add a New Realm.

Name & Description: Give a name/description to uniquely identify the realm.

Type: AD

AD Primary Domain: Domain name of Active Directory (NETBIOS Name).

Directory Username: Specify the <username>.

Directory Password: Specify the <password>.

Base DN: Domain or Specific OU DN from where the system will start a search in LDAP database.


Group DN: Specify the group DN.

Group Attribute: Specify the option Member from the drop-down list.

Click on OK to save the configuration.

This article can help you to figure out the Base DN and Group DN values.

Step 3.2 Add the Directory Server IP address/hostname.

To specify AD Server IP/hostname, click on Add directory.

Hostname/IP Address: configure the IP address/hostname of the AD server.

Port: Specify the Active Directory LDAP port number ( Default 389 ).

Encryption/SSL Certificate: (optional) To encrypt the connection between the FMC and the AD server, refer to this article:

Click Test in order to verify the connection of FMC with the AD server. Now click OK to save the configuration.

Step 3.3 Modify the Realm Configuration.

In order to modify and verify integration configuration of AD server, navigate to Realm Configuration.

Step 3.4 Download User database.

Navigate to User Download to fetch the user database from the AD server.

Enable the Download users and groups check box and define the time interval for how frequently the Firepower module contacts the AD server to download the user database.

Select the groups for which you want to configure authentication and add them to the Include option. By default, all groups are included if you do not choose specific groups.

Click on Store ASA Firepower Changes to save the realm configuration.

Enable the realm state and click the download button to download the users and groups, as shown in the image.

Step 4. Configure the Identity Policy.

An identity policy performs user authentication. If the user does not authenticate, access to network resources is refused. This enforces Role-Based Access Control (RBAC) to your organization's network and resources.

Step 4.1 Captive portal (Active Authentication).

Active Authentication asks for a username and password in the browser to establish the user's identity before allowing any connection. The browser authenticates the user either by presenting an authentication page or silently with NTLM authentication. NTLM uses the web browser to send and receive authentication information. Active Authentication can use several types of authentication to verify the identity of the user:

  1. HTTP Basic: In this method, the browser prompts for user credentials.
  2. NTLM: NTLM uses the Windows workstation credentials and negotiates them with Active Directory through the web browser. You need to enable NTLM authentication in the browser. User authentication happens transparently without prompting for credentials, which provides a single sign-on experience for users.
  3. HTTP Negotiate: In this type, the system first tries to authenticate using NTLM; if that fails, the sensor falls back to HTTP Basic authentication and prompts a dialog box for user credentials.
  4. HTTP Response Page: This is similar to HTTP Basic, but here the user is prompted to enter credentials in an HTML form which can be customized.

Each browser has its own way of enabling NTLM authentication, so follow the browser's guidelines in order to enable it.

To securely share the credentials with the routed sensor, you need to install either a self-signed or a publicly signed server certificate in the identity policy.

Navigate to Configuration > ASA FirePOWER Configuration > Policies > Identity Policy. Now navigate to the Active Authentication tab and, in the Server Certificate option, click the (+) icon and upload the certificate and private key that you generated in the previous step using OpenSSL, as shown in the image:

Now click on Add rule to give a name to the Rule and choose the action as Active Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.

Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step and select the Authentication Type from the drop-down list that best suits your network environment.

Step 4.2 ASA Configuration for Captive Portal.

Step 1. Define the interesting traffic that will be redirected to Sourcefire for inspection.

Step 2. Configure this command on the ASA in order to enable the captive portal.

Tip: captive-portal can be enabled globally or on a per-interface basis.

Tip: Ensure that the server port, TCP 1025 is configured in the port option of Identity policy's Active Authentication tab.

Step 4.3 Single-Sign-On (Passive Authentication).

In passive authentication, when a domain user logs in and authenticates to AD, the Firepower User Agent polls the user-to-IP mapping details from the AD security logs and shares this information with the Firepower module. The Firepower module uses these details in order to enforce access control.

To configure the passive authentication rule, click on Add rule to give a name to the rule and then choose the Action as Passive Authentication. Define the source/destination zone, source/destination network for which you want to enable the user authentication.

Navigate to the Realm & Settings tab. Select the Realm from the drop-down list which you have configured in the previous step.

Here you can choose Active Authentication as the fallback method if passive authentication cannot identify the user, as shown in the image:

Now click on Store ASA Firepower Changes to save the configuration of Identity policy.
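To make the passive-authentication flow above concrete, here is an added Python example (not Cisco's code) that models what the User Agent and the module do with the data described in this section: it builds a user-to-IP map from constructed AD logon events, expires entries after an assumed realm session timeout, falls back to active authentication for an unknown address, and applies hypothetical group-based access control rules. All users, addresses, times, groups and rules are made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of the user-to-IP records the User Agent derives from
# AD security (logon) events. All users, addresses and times are made up.
LOGON_EVENTS = [
    ("CORP\\alice", "10.1.1.10", "2024-01-10T09:00:00"),
    ("CORP\\bob",   "10.1.1.11", "2024-01-10T09:05:00"),
    ("CORP\\alice", "10.1.1.12", "2024-01-10T09:30:00"),  # alice logs on elsewhere
    ("CORP\\carol", "10.1.1.11", "2024-01-10T09:40:00"),  # bob's address reused
]
# Constructed group membership (as downloaded by the realm) and hypothetical
# access control rules keyed on group; the first matching rule wins.
USER_GROUPS = {"CORP\\alice": "Engineering", "CORP\\bob": "Engineering",
               "CORP\\carol": "Contractors"}
ACCESS_RULES = [("Engineering", "allow"), ("Contractors", "block")]
SESSION_TIMEOUT = timedelta(hours=1)  # assumed realm user session timeout


def build_user_ip_map(events, now_iso):
    """Return {ip: user} for logons still inside the session timeout.
    Events are applied in time order, so the newest logon on an address
    wins and a reused lease is no longer attributed to the previous user."""
    now = datetime.fromisoformat(now_iso)
    mapping = {}
    for user, ip, ts in sorted(events, key=lambda e: e[2]):
        if now - datetime.fromisoformat(ts) <= SESSION_TIMEOUT:
            mapping[ip] = user
    return mapping


def identify(mapping, src_ip):
    """Passive lookup; an unknown address triggers the active-auth fallback."""
    user = mapping.get(src_ip)
    return (user, "passive") if user else (None, "active-fallback")


def access_decision(mapping, groups, src_ip):
    """Identity policy first, then the access control rules."""
    user, method = identify(mapping, src_ip)
    if user is None:
        return "redirect-to-captive-portal", method
    for group, action in ACCESS_RULES:
        if groups.get(user) == group:
            return action, method
    return "block", method  # no rule matched: policy default action


if __name__ == "__main__":
    m = build_user_ip_map(LOGON_EVENTS, "2024-01-10T10:15:00")
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(ip, access_decision(m, USER_GROUPS, ip))
```

The expired entry for 10.1.1.10 is the case to watch in a real deployment: a stale mapping would attribute a new host's traffic to the previous user, which is why the realm's session timeout and the User Agent's polling interval matter.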

Step 5. Configure the Access Control Policy.

Navigate to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.

Click the Identity Policy link (upper left-hand corner), select the Identity Policy that you configured in the previous step from the drop-down list and click OK, as shown in this image.

Click on Add rule to add a new rule, navigate to Users and select the users for which access control rule will be enforced, as shown in this image and click Add.

Click on Store ASA Firepower Changes to save the configuration of Access Control policy.

Step 6. Deploy the Access Control Policy.

You must deploy the Access Control policy. Before you apply the policy, you will see the indication Access Control Policy out-of-date on the module. To deploy the changes to the sensor, click Deploy, choose the Deploy FirePOWER Changes option and then click Deploy in the pop-up window.

Note: In version 5.4.x, to apply the access policy to the sensor, you need to click Apply ASA FirePOWER Changes.

Note: Navigate to Monitoring > ASA Firepower Monitoring > Task Status and ensure that the task completes applying the configuration change.

Step 7. Monitor User events.

Navigate to Monitoring > ASA FirePOWER Monitoring > Real-Time Eventing, to monitor the type of traffic being used by the user.

Verify

Use this section in order to confirm that your configuration works properly.

Navigate to Analysis > Users in order to verify the user authentication, authentication type, user-to-IP mapping and access rule associated with the traffic flow.

Connectivity between Firepower Module and User Agent (Passive Authentication)

Firepower Module uses TCP port 3306, in order to receive user activity log data from the User Agent.

In order to verify the Firepower module's service status, use this command in the FMC.


Run packet capture on the FMC in order to verify connectivity with the User Agent.

Connectivity between FMC and Active Directory

Firepower module uses TCP port 389 in order to retrieve the User Database from the Active directory.


Run packet capture on the Firepower Module to verify connectivity with the Active Directory.

Ensure that the user credentials used in the Realm configuration have sufficient privilege to fetch the AD user database.

Verify the Realm configuration, and ensure that the users/groups are downloaded and the user session timeout is configured correctly.

Navigate to Monitoring > ASA Firepower Monitoring > Task Status and ensure that the users/groups download task completes successfully, as shown in this image.


Connectivity between ASA and End system (Active Authentication)

For active authentication, ensure that the certificate and port are configured correctly in the Firepower module Identity policy and on the ASA (captive-portal command). By default, the ASA and the Firepower module listen on TCP port 885 for active authentication.

In order to verify the active rules and their hit counts, run this command on the ASA.


Policy configuration & Policy Deployment

Ensure that the Realm, Authentication type, User agent and Action fields are configured correctly in Identity Policy.

Ensure that the Identity policy is correctly associated with the Access Control policy.

Navigate to Monitoring > ASA Firepower Monitoring > Task Status and ensure that the Policy Deployment completes successfully.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
