The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes a configuration example for integrating Duo SAML SSO with Adaptive Security Appliance (ASA) Cisco AnyConnect Secure Mobility Client access that leverages Cisco ISE for a detailed posture assessment. Duo SAML SSO is implemented using Duo Access Gateway (DAG) which communicates to the Active Directory for initial user authentication and then communicates to Duo Security (Cloud) for multi-factor authentication. Cisco ISE is used as an authorization server for providing endpoint verification using posture assessment.
Contributed by Dinesh Moudgil and Pulkit Saxena, Cisco HTTS Engineer.
Note: Anyconnect Embedded Browser, used in this implementation, requires ASA on 9.7(1)24, 9.8(2)28, 9.9(2)1 or higher version of each release, and AnyConnect version 4.6 or later.
Note: Cisco ISE is configured only for authorization since Duo Access Gateway provides the necessary authentication
In this section, configure the ASA application on the Duo Admin Portal.
1. Login to “Duo Admin Portal” and navigate to “Applications > Protect an Application”, and search for “ASA” with protection type of “2FA with Duo Access Gateway, self-hosted”. Click “Protect” on the far right to configure the Cisco ASA
2. Configure the following attributes under "Service Provider" for the protected application, ASA
Base URL | firebird.cisco.com |
Tunnel Group | TG_SAML |
Mail Attribute |
sAMAccountName,mail |
Click on “Save” at the bottom of the page
In this document, the rest of the configuration uses default parameters but they can be set based on customer's requirements.
Additional settings can be adjusted for the new SAML application at this time, like changing the application's name from the default value, enabling self-service, or assigning a group policy.
3. Click the "Download your configuration file" link to obtain the Cisco ASA application settings (as a JSON file). This file is uploaded to Duo Access Gateway in later steps
4. Under “Dashboard > Applications", the newly created ASA application looks like as shown in the image below:
5. Navigate to "Users > Add User" as shown in the image:
Create a user named "duouser" to be used for Anyconnect Remote Access authentication and activate Duo Mobile on the end-user device
To add the phone number as shown in the image, select the "Add Phone" option.
Activate "Duo Mobile" for the particular user
Note: Ensure to have "Duo Mobile" installed on the end-user device.
Manual installation of Duo application for IOS devices
Manual installation of Duo application for android devices
Select "Generate Duo Mobile Activation Code" as shown in the image:
Select "Send Instructions by SMS" as shown in the image:
Click the link in the SMS, and Duo app gets linked to the user account in the Device Info section, as shown in the image:
Note: Follow the below documents for deployment:
Duo Access Gateway for Linux
https://duo.com/docs/dag-linux
Duo Access Gateway for Windows
https://duo.com/docs/dag-windows
This section provides information to configure ASA for SAML IDP authentication and basic AnyConnect configuration. The document provides ASDM configuration steps and CLI running configuration for the overview.
1. Upload Duo Access Gateway Certificate
A. Navigate to "Configuration > Device Management > Certificate Management > CA Certificates", click "Add"
B. On the “Install Certificate Page”, configure the Trustpoint Name: Duo_Access_Gateway
C. Click "Browse" to select the path associated with DAG certificate and once selected, click “Install Certificate”
2. Create IP Local Pool for AnyConnect users
Navigate to "Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools", click "Add"
3. Configure AAA Server Group
A. In this section, configure the AAA Server Group and provide details of the specific AAA server which performs authorization
B. Navigate to "Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups", click "Add"
C. On the same page, under the section “Servers in the Selected group”, click "Add" and provide IP address details of the AAA server
4. Map AnyConnect Client Software
A. Map the AnyConnect client software webdeploy image 4.8.03052 for windows to be used for WebVPN
B. Navigate to "Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software", click "Add"
5. Configure the redirect ACL which is pushed as a result from ISE
A. Navigate to "Configuration > Firewall > Advanced > ACL Manager”, click Add to add the redirect ACL. The entries, once configured, looks as shown below:
6. Validate existing Group Policy
A. This setup uses the default group-policy and that can be viewed at: "Configuration > Remote Access VPN > Network (Client) Access > Group Policies"
7. Configure Connection Profile
A. Create a new connection profile to which AnyConnect users connect
B. Navigate to "Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Connection Profiles", click "Add"
C. Configure the below details associated with connection profile:
Name | TG_SAML |
Aliases | SAML_Users |
Method | SAML |
AAA Server Group | Local |
Client Address Pools | AC_Pool |
Group Policy | DfltGrpPolicy |
D. On the same page, configure SAML Identity provider details which look as shown below:
E. Click on "Manage > Add"
F. Under the Advanced Section for the connection profile, define the AAA server for authorization
Navigate to "Advanced > Authorization" and click "Add"
G. Under Group Alias, define the connection alias
Navigate to "Advanced > Group Alias/Group URL" and click "Add"
H. This completes the ASA configuration, the same looks like below on the command-line interface (CLI)
! hostname firebird domain-name cisco.com !
!
name 10.197.164.7 explorer.cisco.com name 10.197.164.3 firebird.cisco.com ! !--------------------Client pool configuration--------------------
!
ip local pool AC_Pool 10.197.164.6-explorer.cisco.com mask 255.255.255.0 !
!--------------------Redirect Access-list-------------------------
! access-list redirect extended deny udp any any eq domain access-list redirect extended deny ip any host 10.197.243.116 access-list redirect extended deny icmp any any access-list redirect extended permit ip any any access-list redirect extended permit tcp any any eq www !
!--------------------AAA server configuration---------------------
! aaa-server ISE protocol radius authorize-only interim-accounting-update periodic 1 dynamic-authorization aaa-server ISE (outside) host 10.106.44.77 key ***** !
!-----Configure Trustpoint for Duo Access Gateway Certificate-----
! crypto ca trustpoint Duo_Access_Gateway enrollment terminal crl configure !
!-------Configure Trustpoint for ASA Identity Certificate---------
! crypto ca trustpoint ID_CERT enrollment terminal fqdn firebird.cisco.com subject-name CN=firebird.cisco.com ip-address 10.197.164.3 keypair ID_RSA_KEYS no ca-check crl configure !
!------Enable AnyConnect and configuring SAML authentication------
! webvpn enable outside hsts enable max-age 31536000 include-sub-domains no preload anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1 anyconnect enable saml idp https://explorer.cisco.com/dag/saml2/idp/metadata.php url sign-in https://explorer.cisco.com/dag/saml2/idp/SSOService.php url sign-out https://explorer.cisco.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://explorer.cisco.com/dag/module.php/duosecurity/logout.php base-url https://firebird.cisco.com trustpoint idp Duo_Access_Gateway trustpoint sp ID_CERT no signature no force re-authentication timeout assertion 1200 tunnel-group-list enable cache disable error-recovery disable !
!--------------------Group Policy configuration--------------------
! group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless !
!----------Tunnel-Group (Connection Profile) Configuraiton----------
! tunnel-group TG_SAML type remote-access tunnel-group TG_SAML general-attributes address-pool AC_Pool authorization-server-group ISE accounting-server-group ISE tunnel-group TG_SAML webvpn-attributes authentication saml group-alias SAML_Users enable saml identity-provider https://explorer.cisco.com/dag/saml2/idp/metadata.php !
1. Add Cisco ASA as Network Device
Under "Administration > Network Resources > Network Devices", click "Add".
Configure the name of the Network device, associated IP address and under "Radius Authentication Settings", configure the "Shared Secret" and click "Save"
2. Install the latest posture updates
Navigate to "Administration > System > Settings > Posture > Updates" and click "Update Now"
3. Upload the Compliance Module and AnyConnect Headend Deployment Package on ISE
Navigate to "Policy > Policy Elements > Results > Client Provisioning > Resources". Click "Add" and select "Agent resources from local disk" or "Agent resources from Cisco site" based on whether the files are to be fetched from the local workstation or Cisco site.
In this case, to upload files from local workstation under Category, select "Cisco Provided Packages", and click "Browse" and select the required packages and click "Submit".
This document uses "anyconnect-win-4.3.1012.6145-isecompliance-webdeploy-k9.pkg" as compliance module and "anyconnect-win-4.8.03052-webdeploy-k9.pkg" as AnyConnect Headend Deployment Package.
4. Create an AnyConnect Posture Profile
A. Navigate to "Policy > Policy Elements > Results > Client Provisioning > Resources". Click "Add" and select "AnyConnect Posture Profile"
B. Enter the name for Anyconnect Posture Profile and configure server name as "*" under Server name rules and click "Save"
5. Create Anyconnect Configuration
A. Navigate to "Policy > Policy Elements > Results > Client Provisioning > Resources". Click "Add" and select "AnyConnect Configuration"
B. Select AnyConnect Package, enter Configuration Name, select the required Compliance Module
C. Under "AnyConnect Module Selection", check 'Diagnostic and Reporting Tool"
D. Under "Profile Selection", select Posture Profile and click "Save"
6. Create Client Provisioning Policy
A. Navigate to "Policy > Client Provisioning"
B. Click "Edit" then select "Insert Rule Above"
C. Enter the Rule Name, select the required Operating System, and under Results (within "Agent" > "Agent Configuration" ), select "AnyConnect Configuration" that was created in Step 5 and click "Save"
7. Create a Posture Condition
A. Navigate to "Policy > Policy Elements > Conditions > Posture > File Condition"
B. Click "Add" and configure the Condition Name "VPN_Posture_File_Check", required Operating System as "Windows 10(All)", File Type as "FileExistence", File Path as "ABSOLUTE_PATH", and full path and file name as "C:\custom.txt", select File Operator as "Exists"
C. This example uses the presence of a file named "custom.txt" under C: drive as the file condition
8. Create Posture Remediation Action
Navigate to "Policy > Policy Elements > Results > Posture > Remediation Actions" to create corresponding File Remediation Action. This document uses "Message Text Only" as Remediations Actions which is configured in the next step.
9. Create Posture Requirement rule
A. Navigate to "Policy > Policy Elements > Results > Posture > Requirements"
B. Click "Edit" then select "Insert new Requirement"
C. Configure the Condition Name "VPN_Posture_Requirement", required Operating System as "Windows 10(All)", Compliance Module as "4.x or later", Posture Type as "Anyconnect"
D. Conditions as "VPN_Posture_File_Check" (created in Step 7) and under Remediations Actions, select Action as "Message Text Only" and enter the custom message for Agent User
10. Create a Posture Policy
A. Navigate to "Policies > Posture"
B. Configure Rule Name as "VPN_Posture_Policy_Win", required Operating System as "Windows 10(All)", Compliance Module as "4.x or later", Posture Type as "Anyconnect" and Requirements as "VPN_Posture_Requirement" as configured in Step 9
11. Create Dynamic ACLs (DACLs)
Navigate to "Policy > Policy Elements > Results > Authorization > Downlodable ACLS" and create the DACLs for different posture statuses.
This document uses the following DACLs.
A. Posture Unknown: Allows traffic to DNS, PSN, and HTTP, and HTTPS traffic
B. Posture NonCompliant: Denies access to Private Subnets and allow only internet traffic
C. Posture Compliant: Allows all traffic for Posture Compliant end users
12. Create Authorization Profiles
Navigate to "Policy > Policy Elements > Results > Authorization > Authorization Profiles".
A. Authorization Profile for Unknown Posture
Select DACL "PostureUnknown", check Web Redirection, select Client Provisioning(Posture), configure Redirect ACL name "redirect"(to be configured on the ASA), and select the Client Provisioning portal (default)
B. Authorization Profile for Posture Non-Compliant
Select DACL "PostureNonCompliant" to limit access to the network
C. Authorization Profile for Posture Compliant
Select DACL "PostureCompliant" to allow full access to the network
12. Configure Authorization Policies
Use the authorization profiles configured in the previous step to configure 3 authorization policies for Posture Compliant, Posture Non-Compliant, and Posture Unknown.
Common condition "Session: Posture Status" is used to determine the results for each policy
Use this section in order to confirm that your configuration works properly.
To verify if the user is successfully authenticated, run the following command on the ASA.
firebird(config)# show vpn-sess detail anyconnect Session Type: AnyConnect Detailed Username : _585b5291f01484dfd16f394be7031d456d314e3e62 Index : 125 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384 Bytes Tx : 16404 Bytes Rx : 381 Pkts Tx : 16 Pkts Rx : 6 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Group Policy : DfltGrpPolicy Tunnel Group : TG_SAML Login Time : 07:05:45 UTC Sun Jun 14 2020 Duration : 0h:00m:16s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0ac5a4030007d0005ee5cc49 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 125.1 Public IP : 10.197.243.143 Encryption : none Hashing : none TCP Src Port : 57244 TCP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : win Client OS Ver: 10.0.15063 Client Type : AnyConnect Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 7973 Bytes Rx : 0 Pkts Tx : 6 Pkts Rx : 0 Pkts Tx Drop : 0 Pkts Rx Drop : 0 SSL-Tunnel: Tunnel ID : 125.2 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Encryption : AES-GCM-256 Hashing : SHA384 Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384 Encapsulation: TLSv1.2 TCP Src Port : 57248 TCP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 7973 Bytes Rx : 0 Pkts Tx : 6 Pkts Rx : 0 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Filter Name : #ACSACL#-IP-PostureUnknown-5ee45b05 DTLS-Tunnel: Tunnel ID : 125.3 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Encryption : AES-GCM-256 Hashing : SHA384 Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384 Encapsulation: DTLSv1.2 UDP Src Port : 49175 UDP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : Windows Client Type : DTLS VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 458 Bytes Rx : 381 Pkts Tx : 4 Pkts Rx : 6 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Filter Name : #ACSACL#-IP-PostureUnknown-5ee45b05 ISE Posture: Redirect URL : https://ise261.pusaxena.local:8443/portal/gateway?sessionId=0ac5a4030007d0005ee5cc49&portal=27b1bc30-2... Redirect ACL : redirect
Once the posture assessment is complete, the user access is changed to full access as observed in the DACL pushed in the field "Filter Name"
firebird(config)# show vpn-sess detail anyconnect Session Type: AnyConnect Detailed Username : _585b5291f01484dfd16f394be7031d456d314e3e62 Index : 125 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384 Bytes Tx : 16404 Bytes Rx : 381 Pkts Tx : 16 Pkts Rx : 6 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Group Policy : DfltGrpPolicy Tunnel Group : TG_SAML Login Time : 07:05:45 UTC Sun Jun 14 2020 Duration : 0h:00m:36s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0ac5a4030007d0005ee5cc49 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 125.1 Public IP : 10.197.243.143 Encryption : none Hashing : none TCP Src Port : 57244 TCP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : win Client OS Ver: 10.0.15063 Client Type : AnyConnect Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 7973 Bytes Rx : 0 Pkts Tx : 6 Pkts Rx : 0 Pkts Tx Drop : 0 Pkts Rx Drop : 0 SSL-Tunnel: Tunnel ID : 125.2 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Encryption : AES-GCM-256 Hashing : SHA384 Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384 Encapsulation: TLSv1.2 TCP Src Port : 57248 TCP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 7973 Bytes Rx : 0 Pkts Tx : 6 Pkts Rx : 0 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Filter Name : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3 DTLS-Tunnel: Tunnel ID : 125.3 Assigned IP : explorer.cisco.com Public IP : 10.197.243.143 Encryption : AES-GCM-256 Hashing : SHA384 Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384 Encapsulation: DTLSv1.2 UDP Src Port : 49175 UDP Dst Port : 443 Auth Mode : SAML Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Client OS : Windows Client Type : DTLS VPN Client Client Ver : Cisco AnyConnect VPN Agent for Windows 4.8.03052 Bytes Tx : 458 Bytes Rx : 381 Pkts Tx : 4 Pkts Rx : 6 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Filter Name : #ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
To verify if authorization was successfully performed on ISE, navigate to "Operations > RADIUS > Live Logs"
This section exhibits the relevant information associated to the authorized user i.e. identity, authorization profile, authorization policy, and posture status.
Note: For additional posture validation on ISE, please refer to the following documentation:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html#anc7
To verify the authentication status on Duo Admin Portal, click on the "Reports" on the left side of the Admin Panel that shows the Authentication Log.
More details: https://duo.com/docs/administration#reports
To view debug logging for Duo Access Gateway, use the following link:
https://help.duo.com/s/article/1623?language=en_US
This section provides the information you can use in order to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
Caution: On the ASA, you can set various debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.
Most SAML troubleshooting will involve a misconfiguration that can be found through checking the SAML configuration or running debugs.
"debug webvpn saml 255" can be used to troubleshoot most issues, however in scenarios where this debug does not provide useful information, additional debugs can be run:
debug webvpn 255 debug webvpn anyconnect 255 debug webvpn session 255 debug webvpn request 255
To troubleshoot authentication and authorization issues on ASA, use the following debug commands:
debug radius all debug aaa authentication debug aaa authorization To troubleshoot Posture related issues on ISE, set the following attributes to debug level:
posture (ise-psc.log) portal (guest.log) provisioning (ise-psc.log) runtime-AAA (prrt-server.log) nsf (ise-psc.log) nsf-session (ise-psc.log) swiss (ise-psc.log)
Note: For detailed posture flow and troubleshooting AnyConnect and ISE, refer to the following link:
ISE Posture Style Comparison for Pre and Post 2.2
To interpret and troubleshoot Duo Access Gateway debug logs
https://help.duo.com/s/article/5016?language=en_US
https://www.youtube.com/watch?v=W6bE2GTU0Is&
https://duo.com/docs/cisco#asa-ssl-vpn-using-saml
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html#anc0