Updated:July 20, 2023
Document ID:220600
This document describes an example implementation of certificate-based authentication combined with Duo SAML authentication.
Prerequisites
The tools and devices used in the guide are:
Cisco Firepower Threat Defense (FTD)
Firepower Management Center (FMC)
Internal Certificate Authority (CA)
Cisco DUO Premier Account
Cisco DUO Authentication Proxy
Cisco Secure Client (CSC)
Requirements
Cisco recommends that you have knowledge of these topics:
Basic VPN
SSL/TLS
Public Key Infrastructure
Experience with FMC
Cisco Secure Client
FTD code 7.2.0 or higher
Cisco DUO Authentication Proxy
Components Used
The information in this document is based on these software and hardware versions:
Cisco FTD (7.3.1)
Cisco FMC (7.3.1)
Cisco Secure Client (5.0.02075)
Cisco DUO Authentication Proxy (6.0.1)
Mac OS (13.4.1)
Active Directory
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure Steps on DUO
This section describes the steps to configure Cisco DUO Single Sign-On (SSO). Before you begin, make sure that the authentication proxy is already implemented.
Warning: If an authentication proxy has not been implemented yet, follow the guide at this link first: DUO Authentication Proxy Guide
Create an Application Protection Policy
Step 1. Sign in to the admin panel via this link: Cisco Duo
Cisco DUO homepage
Step 2. Navigate to Dashboard > Applications > Protect an Application.
In the search bar, enter "Cisco Firepower Threat Defense VPN" and select "Protect".
Protect an application screenshot
Select the option whose Protection Type is "2FA with SSO hosted by Duo".
Step 3. Copy this URL information from the Metadata section:
Identity Provider Entity ID
SSO URL
Logout URL
Example of information to copy
Note: The links have been omitted from the screenshot.
Step 4. Select "Download certificate" to download the Identity Provider Certificate under Downloads.
Step 5. Fill in the Service Provider information:
Cisco Firepower Base URL - the FQDN used to reach the FTD
Connection Profile Name - the tunnel-group name
Create Application Policy
Step 1. To create an Application Policy, under Policy select "Apply a policy to all users", then select "Or, create a new Policy", as shown in the image.
Example of creating an application policy
Step 2. Under Policy name, input the desired name, select "Authentication policy" under Users, and select "Enforce 2FA". Then save with "Create Policy".
Example of creating an application policy
Step 3. Apply the policy with "Apply Policy" in the next window. Then scroll to the bottom of the page and select "Save" to finish the DUO configuration.
Configuration Steps for FMC
Deploy Identity Certificate to the FTD
This section describes how to configure and deploy the identity certificate that the FTD needs for certificate authentication. Before you begin, make sure that all pending configurations have been deployed.
Step 1. Navigate to Devices > Certificate and choose Add, as shown in the image.
Screenshot of Devices/Certificates
Step 2: Choose the FTD appliance from the devices dropdown. Click the + icon to add a new certificate enrollment method.
Screenshot of Add New Certificate
Step 3: Choose the option that is the preferred method to obtain certificates in the environment via the "Enrollment Type," as shown in the image.
Screenshot of new certificate enrollment page
Tip: The available options are:
Self Signed Certificate - generate a new certificate locally
SCEP - use Simple Certificate Enrollment Protocol to obtain a certificate from a CA
Manual - manually install the root and identity certificates
PKCS12 - upload an encrypted certificate bundle containing root, identity, and private key
Deploy IDP certificate to the FTD
This section describes how to configure and deploy the IDP certificate to the FTD. Before you begin, make sure that all pending configurations have been deployed.
Step 1: Navigate to Devices > Certificate and choose "Add".
Step 2: Choose the FTD appliance from the devices dropdown. Click the + icon to add a new certificate enrollment method.
Step 3: In the Add Cert Enrollment window, input the required information as shown in the image, then select "Save".
Name: Name of the object
Enrollment Type: Manual
Check box enabled: CA Only
CA Certificate: PEM format of the certificate
Example of creating a certificate enrollment object
Caution: "Skip Check for CA flag in basic constraints of the CA Certificate" can be enabled if needed. Use this option with caution, because it relaxes the check that the uploaded certificate is marked as a CA.
Step 4: Select the newly created certificate enrollment object under "Cert Enrollment*:" then select "Add" as shown in the image.
Screenshot of added certificate enrollment object and device
Note: Once added, the certificate deploys immediately.
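As an added example (not code from the Cisco document), this stdlib-only Python inspects a downloaded IdP certificate in PEM form and reports the CA flag of its basicConstraints extension, which is the check the "Skip Check for CA flag" option bypasses, so you can confirm whether the option is actually needed before enabling it. It assumes well-formed DER and performs no signature validation; skeleton_cert builds a constructed, unsigned sample certificate for demonstration.

```python
import base64
import re
BC_OID = b"\x55\x1d\x13"  # basicConstraints (2.5.29.19), DER-encoded OID body

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # yield (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value

def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def basic_constraints_ca(der):
    """Return the cA flag of basicConstraints (True/False), or None if the extension is absent."""
    _, cert, _ = _tlv(der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)      # tbsCertificate is its first element
    for tag, value in _children(tbs):
        if tag != 0xA3:            # extensions are carried in the [3] EXPLICIT element
            continue
        _, ext_list, _ = _tlv(value, 0)
        for _, ext in _children(ext_list):
            parts = list(_children(ext))  # extnID, optional critical BOOLEAN, extnValue
            if parts[0][1] != BC_OID:
                continue
            _, bc, _ = _tlv(parts[-1][1], 0)  # extnValue OCTET STRING wraps BasicConstraints SEQUENCE
            inner = list(_children(bc))       # empty SEQUENCE means cA defaults to FALSE
            return bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return None

def der_tlv(tag, content):
    """Short-form DER TLV (content under 128 bytes), used only to build the constructed sample."""
    return bytes([tag, len(content)]) + content

def skeleton_cert(ca):
    """Constructed sample: an unsigned certificate skeleton carrying only a basicConstraints extension."""
    bc = der_tlv(0x30, der_tlv(0x01, b"\xff") if ca else b"")
    ext = der_tlv(0x30, der_tlv(0x06, BC_OID) + der_tlv(0x01, b"\xff") + der_tlv(0x04, bc))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0xA3, der_tlv(0x30, ext)))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

Run basic_constraints_ca(pem_to_der(open("idp.pem").read())) against the certificate downloaded in Step 4 of the Duo section; a result of False or None means the certificate would fail the CA flag check without the skip option.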
Creating the SAML SSO Object
This section describes the steps to configure SAML SSO via FMC. Before you begin, make sure that all pending configurations have been deployed.
Step 1. Navigate to Objects > AAA Server > Single Sign-on Server and select "Add Single Sign-on Server".
example of creating a new SSO object
Step 2. Input the required information copied in "Create an Application Protection Policy". To continue once completed, select "Save".
Name*: Name of the Object
Identity Provider Entity ID*: Entity ID from Step 3
SSO URL*: Sign In URL copied from Step 3
Logout URL: Sign Out URL copied from Step 3
Base URL: Use the same FQDN as "Cisco Firepower Base URL" in Step 5
Configure the RAVPN Policy
This section describes the steps to configure RAVPN using the wizard.
Step 1. Navigate to Devices > Remote Access and select "Add".
Step 2. In the wizard, input the name of the new RAVPN policy, select SSL under VPN Protocols, and add the targeted devices, as shown in the image. Select "Next" once completed.
Step 1 of the RAVPN wizard
Step 2. For the Connection Profile, set the options shown here, then select "Next" once completed.
Connection Profile Name: Use the tunnel-group name from Step 5 of "Create an Application Protection Policy".
Authentication, Authorization & Accounting (AAA):
Client Certificate & SAML
Authentication Server*: Select the SSO object created in "Creating the SAML SSO Object".
Client Address Assignment:
Use AAA Server (Realm or RADIUS only) - RADIUS or LDAP
Use DHCP Servers - DHCP server
Use IP Address Pools - local pool on the FTD
Step 2 of RAVPN wizard
Tip: For this lab, a DHCP server is used.
Step 3. Select "+" to upload the web-deploy image of the Cisco Secure Client, then select the checkbox of the CSC image to be deployed, as shown in the image. Select "Next" once completed.
Step 3 RAVPN wizard
Step 4. Set these objects, as seen in the image, then select "Next" once completed: