Configure Certificate Authentication & DUO SAML Authentication

Available Languages

Download Options

  • PDF     (2.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.6 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.4 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 20, 2023
Document ID:220600

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes an example of the implementation of certificate-based authentication and duo SAML authentication.

    Prerequisites

    The tools and devices used in the guide are:

    • Cisco Firepower Threat Defense (FTD) 
    • Firepower Management Center (FMC)
    • Internal Certificate Authority (CA)
    • Cisco DUO Premier Account
    • Cisco DUO Authentication Proxy
    • Cisco Secure Client (CSC)

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic VPN,
    • SSL/TLS
    • Public Key Infrastucture
    • Experience with FMC
    • Cisco Secure Client
    • FTD code 7.2.0 or Higher
    • Cisco DUO Authentication Proxy

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco FTD (7.3.1)
    • Cisco FMC (7.3.1)
    • Cisco Secure Client (5.0.02075)
    • Cisco DUO Authentication Proxy (6.0.1)
    • Mac OS (13.4.1)
    • Active Directory

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure Steps on DUO

    This section describes the steps to configure Cisco DUO Single Sign-on (SSO). Before you begin, be sure to have the authentication proxy implemented.

    warning-icon

    Warning: If an authentication proxy has not been implemented, this link has the guide for this task. DUO Authentication Proxy Guide

    Create an Application Protection Policy

    Step 1. Sign on to the admin panel via this link Cisco Duo

    Cisco DUO homepageCisco DUO homepage

    Step 2. Navigate to Dashboard > Applications > Protect an Application.

    In the search bar, enter "Cisco Firepower Threat Defense VPN" and select "Protect".

    Protect an application screenshotProtect an application screenshot

    Select the option with only Protection Type "2FA with SSO hosted by Duo".

    Step 3: Copy this URL information under Metadata.

    • Identity Provider Entity ID
    • SSO URL
    • Logout URL

    Example of information to copyExample of information to copy

    note-iconNote: The links have been omitted from the screenshot.

    Step 4. Select "Download certificate" to download the Identity Provider Certificate under Downloads.

    Step 5. Fill in the Service Provider Information

    Cisco Firepower Base URL- The FQDN used to reach the FTD

    Connection Profile Name- The Tunnel-Group Name

    Create Application Policy

    Step 1: To create an Application Policy under Policy Select "Apply a policy to all users" then select "Or, create a new Policy" as shown in the image.

    Example of creating an application policyExample of creating an application policy

    Example of creating an application policyExample of creating an application policy

    Step 2. Under Policy name, input the desired name, select "Authentication policy" under Users, and Select "Enforce 2FA." Then save with "Create Policy."

    Example of creating an application policyExample of creating an application policy

    Step 3. Apply the policy with "Apply Policy" in the next window. then scroll to the bottom of the page and select "Save" to finish the DUO configurations

    Configuration Steps for FMC

    Deploy Identity Certificate to the FTD

    This section describes configuring and deploying the identity certificate to the FTD needed for certificate authentication. Before you begin, be sure to deploy all configurations.

    Step 1. Navigate toDevices > Certificateand chooseAdd, as shown in the image.

    Screenshot of Devices/CertificatesScreenshot of Devices/Certificates

    Step 2: Choose the FTD appliance from the devices dropdown. Click the + icon to add a new certificate enrollment method.

    Screenshot of Add New CertificateScreenshot of Add New Certificate

    Step 3: Choose the option that is the preferred method to obtain certificates in the environment via the "Enrollment Type," as shown in the image.

    tcoutrie_1-1689786001509Screenshot of new certificate enrollment page

    tcoutrie_0-1689785460404

    Tip: The available options are: Self Signed Certificate - Generate a new certificate locally, SCEP - Use Simple Certificate Enrollment Protocol to obtain a certificate from a CA, Manual- Manually install the Root and Identity certificate, PKCS12 - Upload encrypted certificate bundle with root, identity, and private key.

    Deploy IDP certificate to the FTD 

    This section describes configuring and deploying the IDP certificate to the FTD. Before you begin, be sure to deploy all configurations.

    Step 1: Navigate to Devices > Certificate and choose Add."

    Step 2: Choose the FTD appliance from the devices dropdown. Click the + icon to add a new certificate enrollment method.

    Step 3: Within the add Cert Enrollment window, input the required information as shown in the image, then "Save" as shown in the image.

    • Name: Name of the object
    • Enrollment Type: Manual
    • Check box enabled: CA Only
    • CA Certificate: Pem Format of the certificate

    Example of creating a certificate enrollment objectExample of creating a certificate enrollment object

    caution-icon

    Caution: "Skip Check for CA flag in basic constraints of the CA Certificate" can be used if needed. Use this option with caution.

    Step 4: Select the newly created certificate enrollment object under "Cert Enrollment*:" then select "Add" as shown in the image.

    Screenshot of added certificate enrollment object and deviceScreenshot of added certificate enrollment object and device

    note-icon

    Note: Once added, the certificate deploys' immediately.

    Creating the SAML SSO Object

    This section describes the steps to configure SAML SSO via FMC. Before you begin, be sure to deploy all configurations.

    Step 1. Navigate to Objects > AAA Server > Single Sign-on Server and select "Add Single Sign-on Server".

    example of creating a new SSO objectexample of creating a new SSO object

    Step 2. Input the required information from "Create an Application Protection Policy"

    ". To continue once completed, select "Save."

    • Name*: Name of the Object
    • Identity Provider Entity ID*: Entity ID from Step 3
    • SSO URL*: Sign In URL copied from Step 3
    • Logout URLSign Out URL copied from Step 3
    • Base URL: Use the same FQDN as "Cisco Firepower Base URL" in Step 5
    • Identity Provider Certificate*: Deployed IDP certificate
    • Service Provider Certificate: Certificate on the outside interface of the FTD

    Example of new SSO object.Example of new SSO object.

    note-icon

    Note: The Entity ID, SSO URL, and Logout URL links have been omitted from the screenshot

    Create Remote Access Virtual Private Network (RAVPN) Configuration

    This section describes the steps to configure RAVPN using the wizard.

    Step 1. Navigate to Devices > Remote Access Select "Add.

    Step 2. In the wizard, input the name of the new RAVPN Policy Wizard, select SSL under VPN Protocols: Add the Targeted Devices, as shown in the image. Select "Next" once completed.

    Step 1 of the RAVPN wizardStep 1 of the RAVPN wizard

    Step 2. For the Connect Profile, set the options (shown here): Select "Next" once completed.

    • Connection Profile Name:  Use the Tunnel-group name in Step 5 of "Create an Application Protection Policy."

    Authentication, Authorization & Accounting (AAA):

    • Client Certificate & SAML
    • Authentication Server:* Select the SSO object created during "Creating the SAML SSO Object."

    Client Address Assignment:

    • Use AAA Server (Realm or RADIUS only)- Radius or LDAP
    • Use DHCP Servers- DHCP Server
    • Use IP Address Pools- Local Pool on the FTD
    Step 2 of RAVPN wizardStep 2 of RAVPN wizard

    Tip: For this lab, a DHCP server is used.

    Step 3. Select the "+" to upload a web-deploy image of the Cisco Secure Client to be deployed. Then select the checkbox of the CSC image to be deployed. As shown in the image. Select "Next" once completed.

    tcoutrie_5-1689774962848Step 3 RAVPN wizard

    Step 4. Set these objects (as seen in the image): Select "Next" once completed.

    Interface group/Security Zone:*: Outside interface

    "Certificate Enrollment:*": Idenity certificate created during "Deploy Identity Certificate to the FTD" portion of this guide

    tcoutrie_6-1689775004935Step 4 of RAVPN wizard

    Tip: If this has not been created, add a new certificate enrollment object by selecting the "+."

    Step 6. Summary

    Verify all the information. If everything is correct, continue with 'Finish."

    tcoutrie_7-1689775076011Summary page

    Step 7. Deploy the newly added configurations.

    Verify

    This section describes verifying a successful connection attempt.

    Open Cisco Secure Client and enter the FQDN of the FTD and connect.

    Input the credentials on the SSO page.

    tcoutrie_1-1689775208102SSO page via Cisco Secure Client

    Accept the DUO push to the registered device.

    tcoutrie_0-1689775181360DUO push

    Successful connection.

    Connected to FTDConnected to FTD

    Verify the connection on the FTD with the command: show vpn-sessiondb detail anyconnect

    Some information has been omitted from the output exampleSome information has been omitted from the output example

    Troubleshoot

    These are possible issues that arise after the implementation.

    Issue 1: Certificate authentication failing.

    Assure the root certificate is installed on the FTD;

    use these debugs:

    debug crypto ca 14

    debug aaa shim 128

    debug aaa common 128

    issue 2: SAML failures

    These debugs can be enabled to troubleshoot:

    debug aaa shim 128

    debug aaa common 128

    debug webvpn anyconnect 128

    debug webvpn saml 255

    Revision History

    Revision Publish Date Comments
    1.0
    21-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Terrell Coutrier
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products