Configure Passive Authentication with Remote Access VPN login on Firepower Device Manager

Available Languages

Download Options

  • PDF     (791.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (878.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (760.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 11, 2021
Document ID:217299

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Passive Authentication on the Firepower Threat Defense (FTD) via the Firepower Device Manager (FDM) with Remote Access VPN logins (RA VPN) with AnyConnect.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Device Manager.
    • Remote Access VPN.
    • Identity Policy.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Firepower Threat Defense (FTD) version 7.0
    • Cisco AnyConnect Secure Mobility Client version 4.10
    • Active Directory (AD)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Identity Policy can detect users that are associated with a connection. The method used is Passive Authentication since the user identity is obtained from other authentication services (LDAP).

    In FDM, Passive Authentication can work with two different options:

    • Remote Access VPN logins
    • Cisco Identity Services Engine (ISE)

    Configuration

    Network Diagram

    VPN

    This section describes how to configure Passive Authentication on FDM.

    Step 1. Configure the Identity Source

    Whether you collect user identity actively (by the prompt for user authentication) or passively, you need to configure the Active Directory (AD) server that has the user identity information.

    Navigate toObjects>Identity Servicesand select the optionADto add the Active Directory.

    Add the Active Directory configuration:

    Identity_Source

    Step 2. Configure the RA VPN

    Remote Access VPN configuration can be reviewed in this link

    Step 3. Configure the Authentication Method for RA VPN users

    In the RA VPN configuration, select the authentication method. The Primary Indeity Source for User Authentication must be the AD. 

    ra_VPN

    Note: In the Global Settings of the RA VPN, uncheck the Bypass Access Control Policy for decrypted traffic (sysopt permit-vpn) option to allow the possibility to use Access Control Policy to inspect traffic which comes from the AnyConnect users.

    Bypass

    Step 4. Configure the Identity Policy for Passive Authentication

    You need to create the Identity policy in order to configure Passive  authentication, the policy must have the below elements:

    • AD Identity Source: The same you add in step number 1
    • Action: PASSIVE AUTH

    In order to configure the Identity rule, navigate toPolicies>Identity >select[+]button to add a new Identity rule.

    • Define the source and destination subnets where passive authentication applies.

    identity policy

    Step 5. Create the Access Control Rule into the Access Control Policy

    Configure the Access Control rule to allow or block traffic based on users.

    acp

    In order to configure the users or users group to have passive authentication, select the Users tab. You can add a user group or individual user.

    user

    Deploy the changes.

    Verification

    Verify that the test connection with the AD is successful

    test

    Verify that the remote user can log in with the AnyConnect client with their AD credentials.

    vpn

    login

    Verify that the user gets an IP address of the VPN pool

    user_annyconnect

    Troubleshoot

    You can use the user_map_query.plscript to validate that the FDM has the user ip mapping

    user_map

    On clish mode you can configure:

    system support identity-debugto verify if redirection is successful.

    > system support identity-debug
    Enable firewall-engine-debug too? [n]: y
    Please specify an IP protocol:
    Please specify a client IP address: 192.168.19.1
    Please specify a client port:
    Please specify a server IP address:
    Please specify a server port:
    Monitoring identity and firewall debug messages

    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 62757 -> 53, geo 14467064 -> 14467082
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 abp src 
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 abp dst 
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 new firewall session
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-62757 > 72.163.47.11-53 17 AS 1-1 I 0 allow action
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 62757 -> 53, geo 14467064 -> 14467082
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 Retrieved ABP info:
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 abp src 
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 abp dst 
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 new firewall session
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 HitCount data sent for rule id: 268435458,
    192.168.19.1-62757 > 8.8.8.8-53 17 AS 1-1 I 1 allow action
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 53015 -> 443, geo 14467064 -> 14467082
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 abp src 
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 abp dst 
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 new firewall session
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-53015 > 20.42.0.16-443 6 AS 1-1 I 0 allow action
    192.168.19.1-52166 > 20.42.0.16-443 6 AS 1-1 I 1 deleting firewall session flags = 0x10001, fwFlags = 0x102, session->logFlags = 010001
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 65207 -> 53, geo 14467064 -> 14467082
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 Retrieved ABP info:
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 abp src 
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 abp dst 
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 new firewall session
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 HitCount data sent for rule id: 268435458,
    192.168.19.1-65207 > 72.163.47.11-53 17 AS 1-1 I 1 allow action
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 65207 -> 53, geo 14467064 -> 14467082
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 abp src 
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 abp dst 
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 new firewall session
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-65207 > 8.8.8.8-53 17 AS 1-1 I 0 allow action
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 65209 -> 53, geo 14467064 -> 14467082
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 abp src 
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 abp dst 
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 new firewall session
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-65209 > 8.8.8.8-53 17 AS 1-1 I 0 allow action
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 65211 -> 53, geo 14467064 -> 14467082
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 Retrieved ABP info:
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 abp src 
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 abp dst 
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 new firewall session
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 HitCount data sent for rule id: 268435458,
    192.168.19.1-65211 > 72.163.47.11-53 17 AS 1-1 I 1 allow action
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 61823 -> 53, geo 14467064 -> 14467082
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 Retrieved ABP info:
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 abp src 
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 abp dst 
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 new firewall session
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 HitCount data sent for rule id: 268435458,
    192.168.19.1-61823 > 72.163.47.11-53 17 AS 1-1 I 1 allow action
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 61823 -> 53, geo 14467064 -> 14467082
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 abp src 
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 abp dst 
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 new firewall session
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-61823 > 8.8.8.8-53 17 AS 1-1 I 0 allow action
    192.168.19.1-57747 > 72.163.47.11-53 17 AS 1-1 I 1 deleting firewall session flags = 0x10001, fwFlags = 0x102, session->logFlags = 010001
    192.168.19.1-57747 > 72.163.47.11-53 17 AS 1-1 I 1 Logging EOF as part of session delete with rule_id = 268435458 ruleAction = 2 ruleReason = 0 
    192.168.19.1-57747 > 8.8.8.8-53 17 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x102, session->logFlags = 010001
    192.168.19.1-57747 > 8.8.8.8-53 17 AS 1-1 I 0 Logging EOF as part of session delete with rule_id = 268435458 ruleAction = 2 ruleReason = 0 
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 53038 -> 443, geo 14467064 -> 14467082
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 abp src 
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 abp dst 
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 new firewall session
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-53038 > 20.42.0.16-443 6 AS 1-1 I 0 allow action
    192.168.19.1-57841 > 72.163.47.11-53 17 AS 1-1 I 1 deleting firewall session flags = 0x10001, fwFlags = 0x102, session->logFlags = 010001
    192.168.19.1-57841 > 72.163.47.11-53 17 AS 1-1 I 1 Logging EOF as part of session delete with rule_id = 268435458 ruleAction = 2 ruleReason = 0 
    192.168.19.1-57841 > 8.8.8.8-53 17 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x102, session->logFlags = 010001
    192.168.19.1-57841 > 8.8.8.8-53 17 AS 1-1 I 0 Logging EOF as part of session delete with rule_id = 268435458 ruleAction = 2 ruleReason = 0 
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 Starting authentication (sfAuthCheckRules params) with zones 2 -> 2, port 64773 -> 53, geo 14467064 -> 14467082
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 Retrieved ABP info:
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 abp src 
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 abp dst 
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 matched auth rule id = 130027046 user_id = 5 realm_id = 3
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 new firewall session
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 using HW or preset rule order 2, 'Inside_Outside_Rule', action Allow and prefilter rule 0
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 HitCount data sent for rule id: 268435458,
    192.168.19.1-64773 > 8.8.8.8-53 17 AS 1-1 I 0 allow action

    Related information


    Configure Remote Access VPN on FTD Managed by FDM
    https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215532-configure-remote-access-vpn-on-ftd-manag.html

    Revision History

    Revision Publish Date Comments
    1.0
    10-Aug-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Oscar Montoya Torres
      Cisco TAC Engineer
    • Juan Enrique Ruiz
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products