Advanced AnyConnect Deployment and Troubleshooting with ASA 5500

Source PDF: d2zmdbbm9feqrf.cloudfront.net/2012/eur/pdf/BRKSEC-3033.pdf

Transcript of the BRKSEC-3033 slides

  • BRKSEC-3033

    Advanced AnyConnect Deployment and Troubleshooting with ASA 5500

    Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

  • 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 2

    Housekeeping

    We value your feedback - don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday

    Visit the World of Solutions and Meet the Engineer

    Visit the Cisco Store to purchase your recommended readings

    Please switch off your mobile phones

    After the event don't forget to visit Cisco Live Virtual: http://www.ciscolivevirtual.com/

    Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

  • BRKSEC-3033 slide 3

    Agenda

    - Introduction
    - Some Theory: SSL and IPSEC, IKEv2
    - AnyConnect Fundamentals (v4/v6)
    - AAA Deep Dive: RADIUS and LDAP
    - AAA Deep Dive: Client Certificates
    - Provisioning Client Certificates
    - Posture Checking: Dynamic Access Policies (DAP)
    - Securing the Client
    - Customizing the User Experience

  • BRKSEC-3033 slide 4

    The Scenario : Cisco Islands

    New eCountry competing in its first Olympic games
    - Ambitious Synch Swimming Team

    eStrategy, eCoaching, eTraining

    IPv6

    Windows, MAC, iPADs, iPhones, Androids.....

    Security is Paramount

    Easy to Use

  • BRKSEC-3033 slide 5

    What We Won't Cover (but covered in other Cisco Live sessions)

    Clientless SSL VPN via WebPortal : see LABSEC-1186

    Integration with Cisco Web Security Appliance : see BRKSEC-2101

    Integration with Cisco Scansafe : see BRKSEC-2346

    AnyConnect Network Access Module : see BRKSEC-3005

    Licensing

    Roadmaps


  • BRKSEC-3033 slide 7

    The TLS Handshake (For Your Reference)

    Client -> Server: ClientHello
      (Client Version, ClientNonce, SessionID, Ciphersuites)

    Server -> Client: ServerHello, ServerCertChain, ServerHelloDone
      (Server Version, ServerNonce, Selected Ciphersuite, CertificateChain; option: CertRequest)

    Client -> Server: ClientKeyExchange, ChangeCipherSpec, ClientFinished
      (Encrypted pre_master_secret; PRF computation)

    Server -> Client: ChangeCipherSpec, ServerFinished
      (PRF computation)

    Client <-> Server: Application Data

  • BRKSEC-3033 slide 8

    Datagram TLS (DTLS) RFC 6347 (Obsoletes RFC 4347)

    Limitations of TLS with SSL VPN tunnels
    - TLS is used to tunnel TCP/IP over TCP
    - TCP requires retransmission of lost packets
    - Both application and TLS wind up retransmitting when packet loss is detected

    DTLS solves the TCP over TCP problem
    - DTLS replaces the underlying TCP transport with UDP

    Cisco's implementation
    - DTLS is optional and can fall back to TLS if required
    - TLS tunnel is maintained in parallel to DTLS for keepalives and backup (need to allow for both TCP 443 and UDP 443 for DTLS to work)

  • BRKSEC-3033 slide 9

    IPSEC : IKEv2 vs IKEv1

    The Motivation

  • BRKSEC-3033 slide 10

    IKEv2

    A Sample Protocol Run

    For Your Reference

  • BRKSEC-3033 slide 11

    Notes on IKEv2, ASA and AnyConnect

    AnyConnect only supports IKEv2 (not IKEv1) for IPsec

    ASA IPSEC/IKEv2 for Remote Access is not compatible with 3rd party clients (e.g. Microsoft Windows 7 native L2TP/IPsec with IKEv2).

    Why would you want to use IPsec/IKEv2 instead of SSL?


  • BRKSEC-3033 slide 13

    AnyConnect Fundamentals : ASA Server Certificate

    (Figure: clients on the IPv4 Internet reach the ASA in front of the IPv4/IPv6 Intranet with its web and fileshare servers; the ASA certificate is issued by a Public CA or by the Enterprise CA)

    ASA certificate should be trusted by clients
    - Public (well-known) Certificate Authority (e.g. Verisign, Thawte)
    - Enterprise Certificate Authority, e.g. Microsoft Active Directory (beware of CRL checking...)
    - Self-Signed (need to import certificate to all clients)

    FQDN in Subject Name : olympus.ciscoislands.cs

  • BRKSEC-3033 slide 14

    AnyConnect Fundamentals : IPv4 and IPv6

    (Figure: client with Virtual Adapter on the IPv4 Internet; IPv4/IPv6 Intranet 10.1.32.0/20 and FD00:1234:5678::/48 with web and fileshare servers; DNS, CA, AD and RADIUS reachable over IPv4 only)

    AnyConnect supports IPv6 tunneled (SSL) inside IPv4
    - IPv6 address has to be enabled on both outside and inside interfaces (in spite of not being connected to IPv6 internet)
    - management/control servers (CA, AD, RADIUS, DNS) IPv4 only
    - Roadmap : Native IPv6 over IPv6, DNS IPv6

  • BRKSEC-3033 slide 15

    Reminder : Do NOT NAT VPN Traffic

    NAT configuration has changed from ASA 8.3
    - ASA 8.2 : NAT Exempt
    - ASA 8.4 : NAT

  • BRKSEC-3033 slide 16

    AnyConnect - Installation

    Optional modules to install
    - DART
    - Posture
    - Start-Before-Login
    - Websecurity
    - Telemetry
    - Network Access Manager

    Web Deployment (Installed from browser)
    - Requires administrative privileges
    - For Windows with Internet Explorer, ASA should be in "Trusted Sites"
    - For Windows with Internet Explorer 8/9, use 32 bit version of browser for install

    Pre-Deployment
    - using favorite software management package (e.g. MSI installer)
    - from Appstore, Android Markets

  • BRKSEC-3033 slide 17

    On the Client: AnyConnect Configuration Files (For Your Reference)

    AnyConnect Configuration Files are stored on the client in the following directories:

    Windows 7 and Windows VISTA : C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
    Windows XP : C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
    MAC OS X and Linux : /opt/cisco/anyconnect/

    File for storing user specific preferences:

    Windows 7 and Windows VISTA : C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
    Windows XP : C:\Documents and Settings\username\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
    MAC OS X and Linux : /Users/username/.anyconnect

  • BRKSEC-3033 slide 18

    On the Client: AnyConnect Configuration Files

    AnyConnect Client Profiles (described later)

    AnyConnect Local Policy : Security Settings, Default User, Default Hosts etc. (apply to all Users)

  • BRKSEC-3033 slide 19

    AnyConnect Local Policy File

    Not downloaded from ASA (use your favorite desktop management system)

    XML file defining important aspects of AnyConnect behavior
    - allowing user to accept untrusted ASA certificates
    - allowing client software updates from ASA (and from which ASAs)
    - allowing client profile updates from ASA (and from which ASAs)
    - certificate stores, credentials caching etc.

    AnyConnect Local Policy (XML example; the element names did not survive extraction, only the values):
    false
    false
    false
    olympus.ciscoislands.cs
    poseidon.ciscoislands.cs

  • BRKSEC-3033 slide 20

    Local Policy File Example :

    If the server certificate is not trusted, do you want the user to be able to accept the certificate? .... or do you want AnyConnect to refuse to connect?

    (Element name did not survive extraction; the two values shown are:)
    false
    true
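A script to audit a local policy file for the settings these two slides describe (whether the user may accept an untrusted ASA certificate, and which ASAs may push software and profile updates); this is an added example, not code from the deck or from Cisco. Both policy files are constructed, and the element names (StrictCertificateTrust, UpdatePolicy, AuthorizedServerList and so on) are assumed to follow the AnyConnect 3.x AnyConnectLocalPolicy.xml schema, to be checked against your client version.

```python
"""Audit an AnyConnect local policy file (AnyConnectLocalPolicy.xml) for weak settings.

Assumption: element names as in the AnyConnect 3.x local policy schema; verify against
your client version. Both policy documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Weak variant: the user may click through an untrusted ASA certificate, and any headend
# the client connects to may push new client software or a new VPN profile.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.0">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
"""

# Hardened variant: refuse untrusted certificates, and accept updates only from the two
# headends named on the slides (olympus and poseidon).
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.0">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <StrictCertificateTrust>true</StrictCertificateTrust>
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>olympus.ciscoislands.cs</ServerName>
      <ServerName>poseidon.ciscoislands.cs</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
"""


def _local(tag):
    """Drop the namespace prefix ElementTree puts on tags ('{uri}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def flatten(xml_text):
    """Map each leaf element path to the list of its text values, namespace-free, e.g.
    {'StrictCertificateTrust': ['true'], 'UpdatePolicy/AuthorizedServerList/ServerName': [...]}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves.setdefault(path, []).append((elem.text or "").strip())
            return
        for child in children:
            name = _local(child.tag)
            walk(child, f"{path}/{name}" if path else name)

    walk(root, "")
    return leaves


def _setting(leaves, path):
    """Lower-cased text of a single-valued element, '' if absent."""
    return leaves.get(path, [""])[0].lower()


def audit_policy(xml_text):
    """Return a list of findings (empty means the checked settings are in their safe state)."""
    leaves = flatten(xml_text)
    findings = []
    if _setting(leaves, "StrictCertificateTrust") != "true":
        findings.append("StrictCertificateTrust is not true: the user can accept an untrusted "
                        "ASA certificate and connect anyway")
    servers = leaves.get("UpdatePolicy/AuthorizedServerList/ServerName", [])
    for key, what in (("AllowSoftwareUpdatesFromAnyServer", "client software updates"),
                      ("AllowVPNProfileUpdatesFromAnyServer", "VPN profile updates")):
        value = _setting(leaves, f"UpdatePolicy/{key}")
        if value == "true":
            findings.append(f"{key} is true: any ASA the user connects to can push {what}")
        elif value == "false" and not servers:
            findings.append(f"{key} is false but AuthorizedServerList is empty: "
                            f"no headend can deliver {what}")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_policy(policy) or ['no findings']}")
```

Run it against the file from the slide 17 paths to see which of the three settings the deck calls out are still open on a given client.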

  • BRKSEC-3033 slide 21

    AnyConnect Troubleshooting Toolbox (Windows)

    MMC console with snap-ins:
    - Event Viewer
    - Certificate (Current User)
    - Certificate (Local Computer)

  • BRKSEC-3033 slide 22

    AnyConnect Troubleshooting Toolbox (MAC)

    Utilities/Console

    Utilities/Keychain Access

  • BRKSEC-3033 slide 23

    DART Tool (Windows and MAC)

    DART Tool can be installed along with the Client

    Similar to "show tech" on the client

    Gathering of OS Data, App Data and logfiles into a single ZIP File

    GOT DART?

  • BRKSEC-3033 slide 24

    AnyConnect Troubleshooting Toolbox (iOS, Android)


  • BRKSEC-3033 slide 26

    Cisco Islands Requirements

    (Figure: SMS OTP server and Microsoft Active Directory behind the ASA; Corporate Devices (PCs, iPhones...) carrying a Certificate; Other Devices and Contractors)

    Access based on membership in AD and login method

  • BRKSEC-3033 slide 27

    AAA in ASA : Some Important Concepts

    Connection Profile (tunnel-group) - Proving Who you are
    - Static Passwords (local to ASA, Active Directory, LDAP)
    - OTP (One-Time-Passwords), typically RADIUS
    - Certificates

    Group Policy - Determining What You are and What You can do
    - IP address, DNS server
    - ACL, Split Tunnelling
    - Proxy settings, Timeouts
    - etc..

    Client Profile - AnyConnect behaviour...
    - "Always On"
    - which certificate to use
    - etc...

  • BRKSEC-3033 slide 28

    Connection Profile defines how to Authenticate

    (Screenshot of a Connection Profile, with callouts:)
    - Alias : shown as drop-down selection to user
    - AAA server group (here: AAA Server Group RADIUS)
    - AAA, Cert or Both?
    - Group-Policy used unless overwritten by Authorization Server

    You may have more than one Connection Profile

  • BRKSEC-3033 slide 29

    Connection Profile defines how to Authorize

    (Screenshot callout: AAA server group used for Authorization, here AAA Server Group LDAP)

    Possible to define different AAA server group for authorization (if not specified, the same group is used for authentication and authorization).

  • BRKSEC-3033 slide 30

    User Selection of Connection Profile

    (Screenshot callouts:)
    - Alias for drop-down at login page
    - URL to land on this connection profile

  • BRKSEC-3033 slide 31

    User Selection of Connection Profile (2)

    Drop-Down list allows user to select login method (Connection Profile)

  • BRKSEC-3033 slide 34

    AnyConnect Client Profiles

    XML file created by ASDM, downloaded to client

    Client Profile (XML example; the element names did not survive extraction, only the values):
    ....
    true
    ciscoislands.cs
    10.1.40.100
    Disconnect
    Connect
    true
    ....

  • BRKSEC-3033 slide 35

    In the AnyConnect Client Profile : Server List

    (Figure: server list entry in the Client Profile pointing at a Connection Profile on the ASA)
    - Connect to host olympus.ciscoislands.cs
    - ...using the Connection Profile specified with this Group URL

  • BRKSEC-3033 slide 36

    Multiple Client Profiles on ONE Client?

    ONE client typically only has ONE Client Profile..... but

    Old Client Profiles are not deleted, so multiple profiles may be accumulated
    - a consultant connecting to different ASAs
    - testing/piloting AnyConnect using different profile names

    Upon connection, the profile assigned by the chosen ASA headend is downloaded and applies for the VPN session

    If a profile with Always-On is downloaded, the other profiles are deleted

    (Figure: Client Profile A with Server List A, Client Profile B with Server List B, Client Profile X with Always On=True; the profile is assigned by the Group Policy)

  • BRKSEC-3033 slide 37

    Authentication and Authorization by RADIUS

    (Figure: Connection Profile "SMS" -> AAA Server Group RADIUS; Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers; Client Profile "HiSec")

    User can be authenticated and authorized by RADIUS.

    RADIUS attribute IETF 25 (Class) is used to assign the group policy.

  • BRKSEC-3033 slide 39

    Authentication by RADIUS, Authorization by LDAP

    (Figure: Connection Profile "SMS" -> AAA Server Group RADIUS for authentication and AAA Server Group LDAP with an LDAP map for authorization; Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers; Client Profile "HiSec")

    User authenticated by RADIUS (typically strong authentication, OTP)

    Username used for LDAP lookup

    LDAP attributes are mapped to a Group Policy

  • BRKSEC-3033 slide 40

    AAA Server Groups

    Using the same authentication protocol and characteristics
    - Several Servers in a Group for redundancy
    - Same Protocol but different Groups if different characteristics

    (Figure: AAA Server Group LDAP, AAA Server Group RADIUS)

  • BRKSEC-3033 slide 41

    RADIUS Server Definition

    (Screenshot callouts:)
    - Double check port numbers on RADIUS server
    - Shared Secret must match with RADIUS server

  • BRKSEC-3033 slide 42

    RADIUS Authorization

    RADIUS server tells ASA which Group Policy to apply

    (Screenshot: RADIUS Server (Cisco ISE) definition)

    Typically, RADIUS Server just needs to inform ASA about Group-Policy with IETF attribute 25 ("Class")

    Group Policy on ASA defines authorization (IP address, ACL, etc).

    Also possible to define other authorization attributes (such as ip address) on RADIUS server

  • BRKSEC-3033 slide 43

    LDAP Server Definition (Active Directory)

    (Screenshot callouts:)
    - Domain is ciscoislands.cs
    - Attribute for user lookup
    - ASA Credentials
    - Used to map LDAP attributes to ASA attributes (to be covered)
    - LDAP over SSL

  • BRKSEC-3033 slide 44

    A Good LDAP Browser is useful

    To learn LDAP structure, and for troubleshooting

    http://www.softerra.com or LDP.exe (Windows 2008)

  • BRKSEC-3033 slide 45

    Determining Group Policy from LDAP

    Any LDAP attribute can be mapped to a group policy

    (Screenshots: Active Directory User/Properties, ASA Configuration, Group Policy Coaches)

  • BRKSEC-3033 slide 46

    LDAP Attribute Maps

    LDAP map: maps any LDAP attribute to selected ASA attribute

    The content of the department attribute is matched to a Group Policy

  • BRKSEC-3033 slide 47

    Using Active Directory memberOf

    A user in Active Directory is typically a member of many groups

    A user can only be mapped to one ASA Group Policy

    Active Directory groups have names like:

    cn=Coaches, cn=Users, dc=CiscoIslands,dc=cs

    Nested Active Directory Groups: CSCso24147

  • BRKSEC-3033 slide 48

    Mapping memberOf to Group Policy

    Values of memberOf can be matched to ASA Group Policy with the LDAP attribute map

    Beware: First match will apply (many memberOf -> one Group Policy)

    DAP (covered later) allows for more flexibility in handling "many memberOf"

  • BRKSEC-3033 slide 49

    Troubleshooting AAA server

    Test that AAA server works

  • BRKSEC-3033 slide 50

    Troubleshooting AAA

    Checking that the right Group Policy has been assigned

  • BRKSEC-3033 slide 51

    Troubleshooting RADIUS

    debug radius

    asa# debug radius user hacke
    asa# radius mkreq: 0xba
    alloc_rip 0xcb207f4c
    new request 0xba --> 7 (0xcb207f4c)
    got user 'hacke'
    got password
    add_req 0xcb207f4c session 0xba id 7
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    rad_mkpkt: ip:source-ip=64.103.49.80
    RADIUS packet decode (authentication request)
    --------------------------------------
    Raw packet data (length = 138).....
    01 07 00 8a d3 10 09 0e 2f 3c c5 1a 4b 28 41 e6 | ......../

  • BRKSEC-3033 slide 52

    Troubleshooting RADIUS (2)

    RADIUS packet decode (response)
    .....
    ......
    Parsed packet data.....
    Radius: Code = 2 (0x02)
    Radius: Identifier = 7 (0x07)
    Radius: Length = 73 (0x0049)
    Radius: Vector: 9F7E831B16FD6E1802BE49E0643C41FE
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 7 (0x07)
    Radius: Value (String) =
    68 61 63 6b 65 | hacke
    Radius: Type = 25 (0x19) Class
    Radius: Length = 15 (0x0F)
    Radius: Value (String) =
    6f 75 3d 49 54 73 75 70 70 6f 72 74 3b | ou=ITadmins;
    Radius: Type = 25 (0x19) Class
    Radius: Length = 31 (0x1F)
    Radius: Value (String) =
    43 41 43 53 3a 41 43 53 2d 41 4e 49 4d 41 4c 53 | CACS:ACS-ANIMALS
    2f 38 30 30 35 35 39 39 30 2f 34 30 35 | /80055990/405
    rad_procpkt: ACCEPT
    RADIUS_ACCESS_ACCEPT: normal termination

    Callouts: RADIUS Response is ACCESS-ACCEPT or ACCESS-REJECT; Class attribute = Group Policy
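To make the Access-Accept decode above (and the "Class = Group Policy" rule from the RADIUS Authorization slide) concrete, here is an added example, not ASA or ISE code, that builds and parses a reply with the same attribute layout, checks the Response Authenticator against the shared secret, and extracts the Group Policy. The secret, request authenticator and packet are constructed, and the OU=<name>; form of the Class value is an assumption about the ASA convention.

```python
"""Parse a RADIUS Access-Accept as the ASA debug shows it, verify the Response
Authenticator against the shared secret, and pull the Group Policy out of the Class attribute.

Added example, not ASA code. The packet, request authenticator and secret are constructed;
the attribute values mirror the slide. Assumption: the ASA convention for the Class
attribute is OU=<group-policy>; (matched here case-insensitively).
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_CLASS = 25

SHARED_SECRET = b"constructed-shared-secret"
# The NAS (ASA) puts 16 random bytes in the Access-Request; fixed here so the example is repeatable.
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_attributes(attrs):
    """TLV-encode [(type, value-bytes), ...]; each attribute is type(1) len(1) value(<=253)."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_response(code, identifier, attrs, request_auth, secret):
    """Build a RADIUS response. Per RFC 2865 the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def response_is_authentic(data, request_auth, secret):
    """Recompute the Response Authenticator; a mismatch means a wrong shared secret or a
    forged/tampered reply (the 'Shared Secret must match' check on the server definition slide)."""
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def group_policy_from_class(attrs):
    """Return the Group Policy named by a Class attribute of the form OU=<name>; or None.
    Other Class values (such as the server's CACS:... session id) are left alone."""
    for atype, value in attrs:
        if atype == ATTR_CLASS:
            text = value.decode("utf-8", "replace")
            if text.lower().startswith("ou="):
                return text[3:].rstrip(";")
    return None


def decode_access_response(data, request_auth, secret):
    """Summarise a reply the way the debug output does: code, user, group policy, authenticity."""
    code, identifier, _, attrs = parse_packet(data)
    user = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), None)
    return {
        "identifier": identifier,
        "accept": code == CODE_ACCESS_ACCEPT,
        "user": user,
        "group_policy": group_policy_from_class(attrs),
        "authentic": response_is_authentic(data, request_auth, secret),
    }


# Constructed Access-Accept with the same attribute layout as the slide's decode.
ACCEPT_PACKET = build_response(
    CODE_ACCESS_ACCEPT, 7,
    [(ATTR_USER_NAME, b"hacke"),
     (ATTR_CLASS, b"ou=ITadmins;"),
     (ATTR_CLASS, b"CACS:ACS-ANIMALS/80055990/405")],
    REQUEST_AUTHENTICATOR, SHARED_SECRET)

if __name__ == "__main__":
    print(decode_access_response(ACCEPT_PACKET, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print("wrong secret:", decode_access_response(ACCEPT_PACKET, REQUEST_AUTHENTICATOR, b"typo")["authentic"])
```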

  • BRKSEC-3033 slide 53

    Troubleshooting RADIUS

    RADIUS server logs may be useful

    (Screenshot: Authentication logs from Cisco ISE)

  • BRKSEC-3033 slide 54

    Troubleshooting LDAP

    debug ldap

    asa# debug ldap 100
    debug ldap enabled at level 100
    asa#
    [80] Session Start
    [80] New request Session, context 0xcb196fa8, reqType = Other
    [80] Fiber started
    [80] Creating LDAP context with uri=ldap://10.1.40.100:389
    [80] Connect to LDAP server: ldap://10.1.41.90:389, status = Successful
    [80] supportedLDAPVersion: value = 3
    [80] supportedLDAPVersion: value = 2
    [80] Binding as asa
    [80] Performing Simple authentication for asa to 10.1.41.100
    [80] LDAP Search:
    Base DN = [dc=CiscoIslands,dc=cs]
    Filter = [[email protected]]
    Scope = [SUBTREE]
    [80] User DN = [CN=Hakan Nohre,CN=Users,DC=CiscoIslands,DC=cs]

    Callouts: Connect (layer 4); Bind (authentication); LDAP search

  • BRKSEC-3033 slide 55

    Troubleshooting LDAP (2)

    debug LDAP (2)

    [80] Retrieved User Attributes:
    [80] .....
    [80] cn: value = Hakan a
    [80] sn: value = Nohre
    [80] givenName: value = Hakan
    [80] distinguishedName: value = CN=Hakan Nohre,CN=Users,DC=CiscoIslands,DC=cs
    .......
    [80] displayName: value = Hakan Nohre
    [80] memberOf: value =CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs
    [80] memberOf: value = CN=Domain Admins,CN=Users,DC=CiscoIslands,DC=cs
    [80] memberOf: value = CN=Enterprise Admins,CN=Users,DC=CiscoIslands,DC=cs
    [80] memberOf: value = CN=Administrators,CN=Builtin,DC=CiscoIslands,DC=cs
    [80] uSNChanged: value = 13842
    [80] department: value = ITadmins
    [80] mapped to Group-Policy: value = ITadmins
    [80] mapped to LDAP-Class: value = ITadmins

    Callouts: Retrieved Attributes; Group-Policy mapping
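The "first match applies" rule from the memberOf slides, run against the attributes retrieved in the debug ldap output above; an added example, not ASA code. The attribute map, the second user and the case-insensitive, directory-order matching are constructed assumptions for the demonstration, to be checked against your ASA version.

```python
"""Model the ASA 'ldap attribute-map' first-match rule for memberOf -> Group Policy.

Added example, not ASA code. The attribute map mirrors the ASA syntax:
    map-name  memberOf Group-Policy
    map-value memberOf "CN=Coaches,CN=Users,DC=CiscoIslands,DC=cs" Coaches
Assumptions: values are scanned in the order the directory returned them and compared
case-insensitively; check both against your ASA version.
"""

# (ldap attribute, ldap value, ASA Group Policy): constructed map for the Cisco Islands scenario.
ATTRIBUTE_MAP = [
    ("memberOf", "CN=Coaches,CN=Users,DC=CiscoIslands,DC=cs", "Coaches"),
    ("memberOf", "CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs", "ITadmins"),
    ("memberOf", "CN=Swimmers,CN=Users,DC=CiscoIslands,DC=cs", "Swimmers"),
    ("department", "ITadmins", "ITadmins"),
]

# Attributes as retrieved in the debug ldap output on the slide (cn reproduced as printed).
HAKAN = {
    "cn": ["Hakan a"],
    "department": ["ITadmins"],
    "memberOf": [
        "CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs",
        "CN=Domain Admins,CN=Users,DC=CiscoIslands,DC=cs",
        "CN=Enterprise Admins,CN=Users,DC=CiscoIslands,DC=cs",
        "CN=Administrators,CN=Builtin,DC=CiscoIslands,DC=cs",
    ],
}

# Constructed user who is both a coach and in IT support: which policy wins depends only on
# the order in which the directory returns memberOf, which the administrator does not control.
DUAL_ROLE = {
    "memberOf": [
        "CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs",
        "CN=Coaches,CN=Users,DC=CiscoIslands,DC=cs",
    ],
}


def _rules(attr_map):
    """Index the map-value entries by (attribute, value), lower-cased."""
    return {(attr.lower(), value.lower()): policy for attr, value, policy in attr_map}


def all_matches(user_attrs, attr_map):
    """Every (attribute, value, policy) triple of the user that has a map-value entry,
    in the order the values were returned."""
    rules = _rules(attr_map)
    hits = []
    for attr, values in user_attrs.items():
        for value in values:
            policy = rules.get((attr.lower(), value.lower()))
            if policy is not None:
                hits.append((attr, value, policy))
    return hits


def map_group_policy(user_attrs, attr_map, default="DfltGrpPolicy"):
    """First match applies: the policy of the first matching value, else the connection
    profile's default group policy (named 'DfltGrpPolicy' here for the demo)."""
    hits = all_matches(user_attrs, attr_map)
    return hits[0][2] if hits else default


def ambiguous_users(users, attr_map):
    """Names of users whose attributes match more than one distinct Group Policy: the cases
    where 'many memberOf -> one Group Policy' silently picks one and DAP is the better tool."""
    ambiguous = []
    for name, attrs in users.items():
        policies = {policy for _, _, policy in all_matches(attrs, attr_map)}
        if len(policies) > 1:
            ambiguous.append(name)
    return ambiguous


if __name__ == "__main__":
    print("hakan ->", map_group_policy(HAKAN, ATTRIBUTE_MAP))
    print("dual-role ->", map_group_policy(DUAL_ROLE, ATTRIBUTE_MAP))
    reversed_order = {"memberOf": list(reversed(DUAL_ROLE["memberOf"]))}
    print("dual-role, reversed memberOf ->", map_group_policy(reversed_order, ATTRIBUTE_MAP))
    print("ambiguous:", ambiguous_users({"hakan": HAKAN, "dual": DUAL_ROLE}, ATTRIBUTE_MAP))
```

Running `ambiguous_users` over an export of your VPN users is a cheap way to find the accounts for which the attribute map alone gives an order-dependent result.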

  • BRKSEC-3033 slide 56

    Recommendations

    Use strong authentication that is easy to use and manage

    Determine your roles, how many different sets of Group Policies and Client Profiles do you really need?

    - also consider what you can do with DAP (covered later)

    Leverage the Enterprise Directory :

    - "outsource" the daily work of user adds/moves/changes to "somebody else"

  • BRKSEC-3033 slide 57

    Demo

    Authentication via RADIUS (OTP server from Mideye): the server reads the mobile number from AD, and an SMS with the OTP is sent to the user

    Authorization via AD

    (Figure: AD on the IPv4/IPv6 Intranet, client on the IPv4 Internet)


  • BRKSEC-3033 slide 59

    Authentication with Client Certificates

    Client -> Server: ClientHello

    Server -> Client: ServerHello, ServerCertChain, Client Certificate Request, ServerHelloDone

    Client -> Server: Client Certificate, ClientKeyExchange, Encrypted Random byte string, ChangeCipherSpec, ClientFinished

    Server -> Client: ChangeCipherSpec, ServerFinished

    Client <-> Server: Application Data

  • BRKSEC-3033 slide 60

    Authentication with Client Certificates

    Considered stronger authentication than passwords

    No need to manage passwords (password complexity, resetting passwords, expiring passwords...)

    Need to manage a PKI (Public Key Infrastructure) to enroll and revoke certificates

    Client Certificates may be tied to machine or user

    User certificates may be soft or hard (smart cards)

    We can make it difficult to move a certificate from one machine to another: Using client certificates allows us to distinguish corporate devices from other devices (employee iPADs etc)

  • BRKSEC-3033 slide 61

    ASA must trust the Issuer of Client Certificates

    Install Issuer CA Certificate

    - from file

    - paste PEM file

    - SCEP

    Issuer of client certificates may not be the same as the issuer of the ASA certificate

  • BRKSEC-3033 slide 62

    Checking for lost/stolen certificates

    CRL (Certificate Revocation List) downloads a list of revoked certificates (can be cached)

    OCSP (Online Certificate Status Protocol) checks status of individual certificates

    Do we trust the certificate if we cannot retrieve the CRL?

  • BRKSEC-3033 slide 63

    Authentication with Client Certificates, Authorization with LDAP

    (Figure: Connection Profile "certificate" -> AAA Server Group LDAP via LDAP map; Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers; Client Profile "HighSec")

    User authenticated with client certificate

    Username (some field) of certificate used for LDAP lookup

    LDAP attributes are mapped to a Group Policy

  • BRKSEC-3033 slide 64

    Authentication with Client Certificates

    Defined in Connection Profile

    Choosing "both" means that user first has to authenticate with certificate, then with username/password

    - Use case : Checking that user uses a corporate machine (with a soft certificate)

  • BRKSEC-3033 slide 65

    Authorization with Client Certificates

    Work out which fields in cert to use and how to map to LDAP

    Client Certificate : SAN (Principal Name) [email protected]
    LDAP : userPrincipalName [email protected]

  • BRKSEC-3033 slide 66

    Authorization with Client Certificates

    (Figure: Client Certificate <-> LDAP Database)
    - Connection Profile : User mapping from Cert = UPN (Users' Principal Name)
    - AAA Server : Naming Attribute = userPrincipalName


  • BRKSEC-3033 slide 68

    Certificate Enrollment : Active Directory

    Microsoft Active Directory supports automatic certificate enrollment for user and machine certificates

    User and machine are members of Active Directory Domain: Their certificates can be pushed by GPOs (Group Policy Objects)

    http://technet.microsoft.com/en-us/library/cc770546.aspx

  • BRKSEC-3033 slide 69

    Certificate Enrollment : Active Directory (2)

    Microsoft CA also supports web enrollment

    Can be used by non-domain members, e.g. MACs

  • BRKSEC-3033 slide 70

    Simple Certificate Enrollment Protocol (SCEP)

    http://tools.ietf.org/id/draft-nourse-scep-21.txt

    Protocol for enrolling certificates over HTTP (basically encapsulating PKCS#10, PKCS#7 over HTTP)

    Originally developed by Verisign for Cisco

    Widely supported by network devices (including ASA and AnyConnect), clients and most Certificate Authorities (including Microsoft CA)

    (Figure: client enrolling to the CA over SCEP)

  • BRKSEC-3033 slide 71

    AnyConnect SCEP Proxy Support

    ASA can be an SCEP proxy, enabling AnyConnect on the outside to enroll to a CA on the inside of ASA without poking holes in Firewall

    SCEP proxy requires AnyConnect 3.0 : Not supported by iOS or Android

    (Figure: AnyConnect -> SCEP -> ASA -> SCEP -> CA)

  • BRKSEC-3033 slide 72

    Case Study : Secure Enrolment of Certificates to Mobile Devices

    (Figure: OTP server and CA behind the ASA; SCEP and VPN from the mobile device)

    Mobile users (Windows, MAC, Phone, Android) logon from anywhere (over internet) to enroll

    Secure authentication via OTP sent by SMS to mobile

    Certificate automatically enrolled with correct CN=....

    Phone profile updated with a profile that uses the certificate
    - note: to mitigate risk of stolen phones, use certs + AAA for authentication

  • BRKSEC-3033 slides 73-77

    Case Study steps (figure on each slide: OTP server, CA and AD behind the ASA)

    1. User Connects to ASA
    2. User Gets SMS with OTP
    3. User logs on with OTP (Client Profile "SCEP-Enroll")
    4. AnyConnect Gets Certificate from CA over SCEP (Client Profile "SCEP-Enroll"); for iOS, cert can also be used for 802.1X
    5. AnyConnect On Demand (iOS only) : x.ciscoislands.cs

  • BRKSEC-3033 slide 78

    What to Configure on ASA

    - Connection Profile "CertEnroll"
    - AAA Server Group SMS (RADIUS)
    - AAA Server Group AD (LDAP)
    - Group Policy "CertEnroll"
    - Client Profile "SCEP-Enroll"

    Configuration example (using local authentication) on
    - http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml

  • BRKSEC-3033 slide 79

    Client Profile For Certificate Enrollment (1)

    (Screenshot callouts on the certificate enrollment settings:)
    - subject-name CN, can use %USER% %MACHINEID% *
    - Defaults to 512
    - Microsoft SCEP URL: http://.../certsrv/mscep/mscep.dll

    * Current versions of iOS and Android do not supply device ID

  • BRKSEC-3033 slide 80

    Client Profile for Certificate Enrollment (2)

    (Screenshot callouts:)
    - Tell Client to which Connection Profile to connect for certificate authentication
    - On Demand : Apple iOS only (Mobile Settings)

  • BRKSEC-3033 slide 81

    Configuration on Windows 2008 R2 Server (1) (For Your Reference)

    SCEP RA (Registration Authority)

    By default Microsoft requires user to enter challenge password to get certificate

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 82

    Configuration on Windows 2008 R2 Server (2)

    Microsoft registry setting to change the default Certificate Template used by SCEP

    Hint : the default template does not work for SSL VPN

    Good Microsoft document on

    - http://www.microsoft.com/download/en/details.aspx?id=1607

    For Your Reference

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 83

    Troubleshooting Tips

    If AnyConnect already has a certificate it will not try to get another one

    - ensure that AnyConnect fails to connect to a connection profile using certificate authentication

    Pay attention to the certificate templates used by Microsoft CA

    - certificate usage

    - security permissions

    - minimum key length

    Logs from Microsoft Server may be helpful

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 84

    Agenda: Introduction; Some Theory (SSL and IPSEC, IKEv2); AnyConnect Fundamentals (v4v6); AAA Deep Dive (RADIUS and LDAP); Client Certificates (Provisioning Client Certificates); Posture Checking (Dynamic Access Policies (DAP)); Securing the Client; Customizing the User Experience

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 85

    AnyConnect Posture : Do the Clients meet Requirements?

    (diagram: Coaches connect over the Internet to fileshare and web)

    Possible to check that client meets Posture Requirements : OS, Anti-Virus, Personal Firewall, Registry Keys, Open Ports etc

    Used in combination with Dynamic Access Policies (DAP) to grant access to clients depending on their posture status

    (diagram: 1. VPN Connection from a client with Microsoft Firewall ON, but no Antivirus...)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 86

    Posture/Host Scan Software Packages Options

    (diagram: three packages containing Host Scan: Standalone Host Scan; AnyConnect 3.0; CSD, which also holds Vault, Cache Cleaner, Keylogger Detection and Host Emulation Detection)

    Host Scan is packaged standalone, with AnyConnect 3.0 and with CSD

    Standalone Host Scan gives faster updates of AV database etc (no need to wait for AnyConnect or CSD updates)

    Also included: Cache Cleaner, Keylogger, Host Emulation Detection (used with Clientless SSL VPN)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 87

    Specifying Host Scan Image

    Choose standalone Host Scan, AnyConnect or CSD

    - Standalone Host Scan location on CCO

    For Your Reference

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 88

    The Host Scan Process

    1. Host Scan loads

    2. Prelogin Checks based on OS, ip, cert, file, registry; the endpoint is classified as "Corp Windows", "MAC" or "Other"

    3. Both in parallel:

    - Endpoint Assessment: get info on FW, AV, AS, Registry, Processes, Files...

    - Advanced Endpoint Assessment: Remediation/Fix of FW, AV, AS

    4. DAP Policy

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 89

    Configuring Host Scan

    Endpoint Assessment must be checked to retrieve info on AV, AS, Firewall settings that can be enforced by DAP

    Advanced Endpoint Assessment can remediate (turn on AV, AS, Firewall)

    Possible to create checks for Process, File and Registry keys that can be enforced by DAP

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 90

    Prelogin Policy

    Typical use case is to differentiate corporate devices from other devices

    Check client ip address, OS, that file exists, registry keys/values and certificate

    - note : the certificate check only checks that a certificate exists; it does not cryptographically verify that the private key is present

    Possible to deny login immediately, or pass Policy Name to DAP for policy enforcement

    Policy Classification can be used by DAP

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 91

    Agenda: Introduction; Some Theory (SSL and IPSEC, IKEv2); AnyConnect Fundamentals (v4v6); AAA Deep Dive (RADIUS and LDAP); Client Certificates (Provisioning Client Certificates); Posture Checking (Dynamic Access Policies (DAP)); Securing the Client; Customizing the User Experience

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 92

    Dynamic Access Policies (DAP) : Granular Access Control

    (diagram: Internet, shareB and webA)

    DAP allows granular access to resources based on authentication method, AAA parameters and Posture

    Very flexible, allowing policies set by Data Owners access to Data :

    - "to access my data you must be member of AD groups SynchSwim and Coaches, you must be logged in with strong authentication and you must have Antivirus with the latest updates"

    (diagram: a client with Microsoft Firewall ON, AntiVirus ON and memberOf SynchSwim, with per-resource PERMIT / DENIED decisions)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 93

    How DAP relates to AAA

    (diagram: Connection Profile "SMS" -> AAA Server Group SMS (RADIUS) and AAA Server Group AD (LDAP) -> LDAP map -> Group Policies: Default Group Policy, Coach, IT Support -> DAP-1, DAP-2 ... DAP-N, with conditions such as memberOf Coaches, memberOf Fans, Posture: .....)

    Dynamic Access Policies override certain attributes from Group Policy depending on AAA, Posture, Connection Profile...

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 94

    Configuring DAP

    Example conditions: if member of Coaches, logged on with certificate..., and Policy is Corporate Windows, Registry Key exists, Antivirus Updated...

    Authorization: IPv4 ACL

    - don't mix permit and deny in ACL

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 95

    Default DAP (DfltAccessPolicy)

    Condition                                          ACL
    SynchSwim                                          SwimSuit-Server
    ITadmins w Clean Machine, Strong Authentication    ITadmins
    Coaches w Clean PC                                 Tactics-Server
    DfltAccessPolicy                                   Action = Terminate

    If no DAP matches then DfltAccessPolicy applies (Action = Terminate)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 96

    DAP Grows On You! (DAP accumulates)

    Condition                                          ACL
    SynchSwim                                          SwimSuit-Server
    ITadmins w Clean Machine, Strong Authentication    ITadmins
    Coaches w Clean PC                                 Tactics-Server

    Matching several conditions accumulates access rights: a user matching both SynchSwim and Coaches w Clean PC gets SwimSuit-Server and Tactics-Server

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 97

    The Power of DAP

    Very flexible mapping to multiple "memberOf"

    - Example : 4 groups in Directory (A, B, C, D)

    - A user may be a member of 0 to 4 groups : 16 combinations

    (diagram: the 16 possible membership combinations of A, B, C and D)

    Quiz : How many DAP policies do you need to cover the 16 combinations?

    Condition (memberOf)    ACL
    A                       ACL-A
    B                       ACL-B
    C                       ACL-C
    D                       ACL-D

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 98

    DAP with Quarantine

    Possible to create a DAP (with ACL) that gives a user limited access to the network to remediate posture, after which he can "reconnect".

    Used together with "Advanced Endpoint Assessment"

    Remember that DAP accumulates ACL privileges (if other DAPs are matched user may still get full access to the network).
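    To make the accumulation rule, the quiz and the quarantine caveat concrete, here is an added Python model (not Cisco code and not from the session) that selects DAP records for a session, unions their ACLs, falls back to a terminating DfltAccessPolicy, evaluates four per-group DAPs against all 16 membership combinations, and reports which ACLs a quarantined user still receives from other matched records. DAP names, groups, ACL names and conditions are constructed.

```python
# Added example (not from the Cisco session): a model of how the ASA selects
# DAP records for a session and accumulates their ACLs. DAP names, AD groups,
# ACL names and the conditions are constructed to mirror the slides' tables.
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass
class Session:
    """What the ASA knows about a connection: AAA attributes plus posture."""
    member_of: Set[str]            # aaa.ldap.memberOf values
    strong_auth: bool = False      # e.g. certificate or OTP authentication
    clean_machine: bool = False    # Host Scan: firewall/AV/AS as required
    av_ok: bool = True             # antivirus present and updated


@dataclass
class Dap:
    name: str
    condition: Callable[[Session], bool]
    acls: Set[str]                 # network ACL(s) this record contributes


def select_daps(daps: List[Dap], s: Session) -> Dict[str, object]:
    """Select every DAP whose condition matches and union their ACLs.
    No match means DfltAccessPolicy applies; on the slide its action is
    Terminate, so the session is dropped rather than granted anything."""
    hits = [d for d in daps if d.condition(s)]
    if not hits:
        return {"daps": ["DfltAccessPolicy"], "acls": set(), "action": "terminate"}
    acls: Set[str] = set().union(*(d.acls for d in hits))
    return {"daps": [d.name for d in hits], "acls": acls, "action": "continue"}


# Records from the "DAP Grows On You" table (constructed conditions).
DAPS: List[Dap] = [
    Dap("Access-SwimSuit-Server", lambda s: "SynchSwim" in s.member_of,
        {"SwimSuit-Server"}),
    Dap("ITadmins", lambda s: "ITadmins" in s.member_of and s.clean_machine
        and s.strong_auth, {"ITadmins"}),
    Dap("Access-Tactics-Server", lambda s: "Coaches" in s.member_of
        and s.clean_machine, {"Tactics-Server"}),
]
# Remediation-only record for users failing posture ("DAP with Quarantine").
QUARANTINE = Dap("Quarantine", lambda s: not s.av_ok, {"Remediation-Only"})


def quarantine_leaks(daps: List[Dap], s: Session) -> Set[str]:
    """ACLs a quarantined user still receives from other matched records;
    non-empty means the quarantine does not isolate, because DAP accumulates."""
    result = select_daps(daps + [QUARANTINE], s)
    if "Quarantine" not in result["daps"]:
        return set()
    return set(result["acls"]) - QUARANTINE.acls


def per_group_daps(groups: List[str]) -> List[Dap]:
    """One DAP per directory group, as in the 'Power of DAP' quiz."""
    return [Dap(f"DAP-{g}", (lambda g: lambda s: g in s.member_of)(g),
                {f"ACL-{g}"}) for g in groups]


def acls_for_all_combinations(groups: List[str]) -> Dict[FrozenSet[str], Set[str]]:
    """Evaluate every subset of group memberships (2**n of them) against the n
    per-group DAPs: each subset receives exactly the ACLs of its own groups."""
    daps = per_group_daps(groups)
    out: Dict[FrozenSet[str], Set[str]] = {}
    for r in range(len(groups) + 1):
        for combo in combinations(groups, r):
            out[frozenset(combo)] = select_daps(daps, Session(set(combo)))["acls"]
    return out
```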

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 99

    DAP for Mobile Devices (iOS, Android)

    "Mobile Posture Assessment"

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 100

    DAP with LUA

    LUA (www.lua.org) is a scripting language that allows for advanced checks, e.g.

    - check for any AV

    - check for any AV, AS, Firewall

    - regexp matching of hotfixes, DN etc

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 101

    LUA examples

    Check for Any Antivirus:

    assert(function()
      for k,v in pairs(endpoint.av) do
        if (EVAL(v.exists, "EQ", "true", "string")) then
          return true
        end
      end
      return false
    end)()

    Check for Any Antivirus, Firewall or AntiSpyware:

    assert(function()
      function check(antix)
        if (type(antix) == "table") then
          for k,v in pairs(antix) do
            if (EVAL(v.exists, "EQ", "true", "string")) then
              return true
            end
          end
        end
        return false
      end
      return (check(endpoint.av) or check(endpoint.fw) or check(endpoint.as))
    end)()

    For Your Reference

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 102

    LUA check that User Connecting with the "right" device

    Problem : A user with admin privileges may move a cert (and the private keys) from an "approved" device to a non-approved one.

    LUA can detect this by comparing the device ID signalled by AnyConnect with

    - the name in the certificate (if the certificate contains the device ID)

    - an attribute from the LDAP lookup (requires device IDs to be stored in the LDAP server)

    EVAL(endpoint.anyconnect.deviceuniqueid,"EQ", aaa.ldap.mobileid,"caseless")

    - endpoint.anyconnect.deviceuniqueid : Device ID as signalled by AnyConnect "Mobile Posture"

    - aaa.ldap.mobileid : attribute read from LDAP (where the mobile ID is stored in attribute "mobileid")

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 103

    Troubleshooting DAP : debug dap trace

    DAP_TRACE: DAP_open: CD923B10
    DAP_TRACE: Username: [email protected], aaa.ldap.objectClass.1 = top
    ......

    LDAP info:

    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["1"]="Coaches"
    DAP_TRACE: name = aaa["ldap"]["memberOf"]["1"], value = "Coaches"
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["2"]="ITadmins"
    DAP_TRACE: name = aaa["ldap"]["memberOf"]["2"], value = "ITadmins"
    ......

    Posture (subset):

    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.os.version="Windows 7"
    DAP_TRACE: name = endpoint.os.version, value = "Windows 7"
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.os.servicepack="Service Pack 1"
    DAP_TRACE: name = endpoint.os.servicepack, value = "Service Pack 1"
    DAP_TRACE: name = endpoint.fw["MSWindowsFW"].version, value = "7"
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.fw["MSWindowsFW"].enabled="ok"
    DAP_TRACE: name = endpoint.fw["MSWindowsFW"].enabled, value = "ok"
    ......
    .....

    Result:

    DAP_TRACE: Username: [email protected], Selected DAPs: ,Access-Tactics-Server,ITadmins
    DAP_TRACE: dap_process_selected_daps: selected 2 records
    DAP_TRACE: Username: [email protected], DAP_close: CD923B10

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 104

    Troubleshooting DAP : Monitoring/Session Details/ACL

    Syslog %ASA-6-734001

    DAP: User [email protected], Addr 64.103.25.233, Connection AnyConnect: The following DAP records were selected for this connection: Access-Tactics-Server, ITadmins

    (screenshot: session details showing the User and the selected DAPs)
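    As an added example (not from the session), a small Python parser that turns the debug dap trace output and the %ASA-6-734001 syslog shown above into structured data, so the LDAP groups, the posture attributes and the selected DAP list can be compared and the reported record count cross-checked against the list. The sample lines are constructed after the slides, with "coach1" as a placeholder username.

```python
# Added example (not from the Cisco session): parse "debug dap trace" output
# and the %ASA-6-734001 syslog into structured data, so the LDAP groups, the
# posture values and the selected DAPs of one session can be compared quickly.
# Sample lines are constructed after the slides; "coach1" is a placeholder user.
import re
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: CD923B10
DAP_TRACE: Username: coach1, aaa.ldap.objectClass.1 = top
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["1"]="Coaches"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["1"], value = "Coaches"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["2"]="ITadmins"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["2"], value = "ITadmins"
DAP_TRACE: name = endpoint.os.version, value = "Windows 7"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].version, value = "7"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].enabled, value = "ok"
DAP_TRACE: Username: coach1, Selected DAPs: ,Access-Tactics-Server,ITadmins
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: coach1, DAP_close: CD923B10
"""
SAMPLE_SYSLOG = ("%ASA-6-734001: DAP: User coach1, Addr 64.103.25.233, "
                 "Connection AnyConnect: The following DAP records were "
                 "selected for this connection: Access-Tactics-Server, ITadmins")

# 'name = <attribute>, value = "<value>"' lines carry what the Lua tree will see.
NAME_VALUE = re.compile(r'^DAP_TRACE: name = (?P<name>.+?), value = "(?P<value>.*)"$')
SELECTED = re.compile(r'^DAP_TRACE: Username: (?P<user>[^,]+), Selected DAPs: (?P<daps>.*)$')
COUNT = re.compile(r'dap_process_selected_daps: selected (?P<n>\d+) records')
MEMBER_OF = re.compile(r'^aaa\["ldap"\]\["memberOf"\]\["\d+"\]$')
SYSLOG = re.compile(r'%ASA-6-734001: DAP: User (?P<user>[^,]+), Addr (?P<addr>[^,]+), '
                    r'Connection (?P<conn>[^:]+): The following DAP records were '
                    r'selected for this connection: (?P<daps>.*)$')


def _dap_list(field: str) -> List[str]:
    """The ASA prints the list with a leading comma (",DAP1,DAP2"); drop empties."""
    return [d.strip() for d in field.split(",") if d.strip()]


def parse_dap_trace(text: str) -> Dict[str, object]:
    """Collect the attribute tree, the selected DAPs and the reported record
    count; count_matches flags a trace where the two disagree (e.g. truncated)."""
    attrs: Dict[str, str] = {}
    daps: List[str] = []
    user: Optional[str] = None
    count: Optional[int] = None
    for line in text.splitlines():
        if (m := NAME_VALUE.match(line)):
            attrs[m["name"]] = m["value"]
        elif (m := SELECTED.match(line)):
            user, daps = m["user"], _dap_list(m["daps"])
        elif (m := COUNT.search(line)):
            count = int(m["n"])
    return {"user": user, "attrs": attrs, "selected_daps": daps,
            "record_count": count, "count_matches": count == len(daps)}


def member_of(attrs: Dict[str, str]) -> List[str]:
    """Group names from the aaa["ldap"]["memberOf"]["N"] entries, in order."""
    return [v for k, v in attrs.items() if MEMBER_OF.match(k)]


def parse_syslog_734001(line: str) -> Optional[Dict[str, object]]:
    """The same 'selected DAPs' result as reported by syslog %ASA-6-734001."""
    m = SYSLOG.search(line)
    if not m:
        return None
    return {"user": m["user"], "addr": m["addr"], "connection": m["conn"],
            "selected_daps": _dap_list(m["daps"])}
```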

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 105

    Troubleshooting Hostscan Component

    Enable Debugging level at ASDM, then rerun test on problematic client

    GOT DART?

    Check Host Scan log files on problematic client

    - libcsd.log

    - cscan.log, detailed posture attributes

    These are located at

    - Windows %LOCALAPPDATA%\Cisco\Cisco HostScan\log

    - MAC/Linux : ~/.cisco/hostscan/log/

    Examine Windows Event logs

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 107

    Agenda: Introduction; Some Theory (SSL and IPSEC, IKEv2); AnyConnect Fundamentals (v4v6); AAA Deep Dive (RADIUS and LDAP); Client Certificates (Provisioning Client Certificates); Posture Checking (Dynamic Access Policies (DAP)); Securing the Client; Customizing the User Experience

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 108

    (No) Split Tunnelling Policy

    Determines whether to allow traffic outside of the tunnel

    Defined under Group Policy, default is to tunnel all networks (no split tunneling)

    (diagram: with tunnel-all, traffic sent directly to the IPv4 Internet is DENIED)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 109

    Note on Split Tunnelling Policy for mobile devices

    Even with no Split Tunneling (Tunnel All Networks), certain traffic from mobile devices (e.g. iTunes) goes outside the tunnel

    (diagram: traffic outside the tunnel marked DENIED)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 110

    No Split Tunneling but Allow Local LAN Access

    Possible to allow split tunneling to "Local LAN" without knowing its ip address in advance

    - Exclude Network List Below : permit any

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 113

    Seamless Security with Always-On

    (diagram: ASA5505, Coaches on the Internet, internal fileshare and web)

    Force (some) users to always be connected over VPN when off-premises

    - works on Windows, MAC

    Objective #1: Increased Security if surfing out via Enterprise Proxy

    - WCCP or Explicit Proxy (centrally configured at ASA)

    Objective #2 : Seamless, simple user experience

    - Automatic Connection, "I am always at work"

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 114

    AnyConnect Client Profile with Always-On

    Define conditions for Trusted Network Detection (DNS Servers and Domain)

    Define Always-On (don't forget Server List)

    Define Connection Failure Policy : Open or Closed

    - Balance Security Requirements vs Risk of No Network...

    - If Closed, specify if traffic will be allowed for X minutes if Captive Portal is detected

    - "Last VPN Local Resource Rules" : Last Client Firewall Rules

    Example: No traffic if tunnel cannot be established, except if Captive Portal is detected

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 115

    Disabling Always-On with DAP

    Always-On can be disabled by DAP

    AnyConnect will remember this setting when disconnected

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 117

    Agenda: Introduction; Some Theory (SSL and IPSEC, IKEv2); AnyConnect Fundamentals (v4v6); AAA Deep Dive (RADIUS and LDAP); Client Certificates (Provisioning Client Certificates); Posture Checking (Dynamic Access Policies (DAP)); Securing the Client; Customizing the User Experience

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 118

    Seamless Office Experience by Start-Before-Logon

    (diagram: Coaches connect over the Internet to fileshare and AD: 1. VPN Connection, 2. Domain Logon)

    Allows (some) Windows users to connect VPN before logging into computer

    Why? Allow domain-logon, GPOs, logon-scripts, change passwords, etc...

    Can be used with or without Always-On

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 119

    Configuring SBL in Client Profile

    May make it user controllable

    Note : Client certificates in User Store are typically not accessible before logon (no knowledge of who the user is).

    Client certificates on Smart Cards will work!

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 120

    Running Scripts after Connect and Disconnect

    (diagram: Coaches connect over the Internet to fileshare and AD)

    Runs a predefined script when (some) users connect to (or disconnect from) VPN

    Any native script language understood by client (*.vbs, *.sh etc)

    Script can be downloaded from ASA, or distributed by some other means

    Why?

    - Allow mapping of drives, GPO-update when SBL is not possible (e.g. behind a captive portal).

    - Also works on non domain members, including MAC, Linux

    (diagram: after the VPN Connection the script runs, e.g. "net use q: ..." to map a drive)

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 121

    Configuring Scripting

    Enable Scripting in AnyConnect Client Profile

    Optionally : Import script to ASA for download to all clients

    Alternatively, use other means of putting the script in the script directory for desired clients

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 122

    On the Client : The Scripts Folder

    AnyConnect executes the script in the folder whose name starts with "OnConnect"/"OnDisconnect" after VPN connection/disconnection.

    Only one script is executed, but that script can launch other scripts

    Troubleshooting : Check that script exists in folder and that AnyConnect Profile allows scripting.

    Check that script executes ok when invoked from local machine (permissions etc).

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 123

    Example Scripts on CCO For Your Reference

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 124

    Customizing AnyConnect Look and Feel

    (screenshot: customizable image files such as status_ico_good.png, cues_bg.jpg, company_logo.png, minimize.png)

    AnyConnect GUI and User facing messages can be customized/translated

    Images must follow sizing and naming conventions (depending on OS)

    - consult documentation for details

    Translations of text strings created per language (en-uk, en-us, fr, ge, sv....)

    - will use current language on client

    (screenshot: translated text message (sv))

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 125

    Message Customization using Language Templates

    User facing messages can be translated based on language templates

    Matches the active display language on the client

    Translation files (AnyConnect.mo) downloaded to

    - %ALLUSERSDATA%\Cisco\Cisco AnyConnect Secure Mobility\l10n\

    - /opt/cisco/anyconnect/l10n

    In the template: msgid = original text, msgstr = translated text

    File imported as customization for a particular language

  • 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 126

    Summary

    Strong authentication and Granular Access Control with AAA and DAP

    Secure the Client

    Seamless User Experience

    Find Balance between Requirements and Complexity (testing, maintenance)

    Good security and networking skills are essential, but also knowledge of adjacent technologies such as Active Directory, LDAP and PKI as well as different client platforms


    Thank you.