Introduction
This document describes the steps for configuring Cisco Secure Client over SSL on FTD managed by FDM with AAA and certificate authentication.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Firepower Device Manager (FDM) Virtual
- Firewall Threat Defense (FTD) Virtual
- VPN Authentication Flow
Components Used
- Cisco Firepower Device Manager Virtual 7.2.8
- Cisco Firewall Threat Defense Virtual 7.2.8
- Cisco Secure Client 5.1.4.74
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Firepower Device Manager (FDM) is a simplified, web-based management interface used for managing Cisco Firepower Threat Defense (FTD) devices. The Firepower Device Manager allows network administrators to configure and manage their FTD appliances without using the more complex Firepower Management Center (FMC). FDM provides an intuitive user interface for basic operations such as setting up network interfaces, security zones, access control policies, and VPNs, as well as for monitoring the device performance and security events. It is suitable for small to medium-sized deployments where simplified management is desired.
This document describes how to integrate pre-filled usernames with Cisco Secure Client on FTD managed by FDM.
If you are managing FTD with FMC, please refer to the Configure AAA and Cert Auth for Secure Client on FTD via FMC guide.
This is the certificate chain with the common name of each certificate used in the document.
- CA: ftd-ra-ca-common-name
- Client Certificate: sslVPNClientCN
- Server Certificate: 192.168.1.200
Network Diagram
This image shows the topology that is used for the example of this document.
Network Diagram
Configurations
Configuration in FDM
Step 1. Configure FTD Interface
Navigate to Device > Interfaces > View All Interfaces, configure inside and outside interface for FTD inInterfacestab.
For GigabitEthernet0/0,
- Name: outside
- IP Address: 192.168.1.200/24
For GigabitEthernet0/1,
- Name: inside
- IP Address: 192.168.10.200/24
FTD Interface
Step 2. Confirm Cisco Secure Client License
Navigate to Device > Smart License > View Configuration, confirm the Cisco Secure Client license in RA VPN Licenseitem.
Secure Client License
Step 3. Add Remote Access VPN Connection Profile
Navigate to Device > Remote Access VPN > View Configuration, click CREATE CONNECTION PROFILE button.
Add Remote Access VPN Connection Profile
Input necessary information for connection profile and click Create new Network button in the IPv4 Address Pool item.
- Connection Profile Name: ftdvpn-aaa-cert-auth
- Authentication Type: AAA and Client Certificate
- Primary Identity Source for User Authentication: LocalIdentitySource
- Client Certificate Advanced Settings: Prefill username from certificate on user login window
Details of VPN Connection Profile
Step 4. Add Address Pool for Connection Profile
Input necessary information to add a new IPv4 address pool. Select new added IPv4 address pool for connection profile and click Next button.
- Name: ftdvpn-aaa-cert-pool
- Type: Range
- IP Range: 172.16.1.40-172.16.1.50
Details of IPv4 Address Pool
Step 5. Add Group Policy for Connection Profile
Click Create new Group Policy in the View Group Policy item.
Add Group Policy
Input necessary information to add a new group policy and click OK button. Select new added group policy for connection profile.
- Name: ftdvpn-aaa-cert-grp
Details of Group Policy
Step 6. Configure Certificate of Device Identity and Outside Interface for Connection Profile
Click Create new Internal certificate in the Certificate of Device Identity item.
Add Internal Certificate
Click Upload Certificate and Key.
Upload Certificate and Key
Input necessary information for FTD certificate, import a certificate and a certificate key from local computer and then Click OK button.
- Name: ftdvpn-cert
- Validation Usage for Special Services: SSL Server
Details of Internal Certificate
Select Certificate of Device Identity and Outside Interface for VPN connection.
- Certificate of Device Identity: ftdvpn-cert
- Outside Interface: outside (GigabitEthernet0/0)
Details of Global Settings
Step 7. Configure Secure Client Image for Connection Profile
Select Windows in Packages item
Upload Secure Client Image Package
Upload secure client image file from local computer and clickNextbutton.
Note: The NAT Exempt feature is disabled in this document. By default, the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option is disabled, which means that decrypted VPN traffic is subjected to access control policy inspection.
Select Secure Client Image Package
Step 8. Confirm Summary for Connection Profile
Confirm the information entered for VPN connection and click FINISHbutton.
Confirm Settings for Connection Profile
Confirm the summary of remote access VPN policy and deploy the settings to FTD.
Confirm Summary for Connection Profile
Step 9. Add User to LocalIdentitySource
Navigate to Objects > Users, click + button.
Add Local User
Input necessary information for local user and click OK button.
Note: The username equals the common name within the client certificate
Details of Local User
Step 10. Add CA to FTD
Navigate to Objects > Certificates, click Add Trusted CA Certificate from + item.
Add Trusted CA Certificate
Input necessary information for CA, import a certificate from local computer. Deploy the settings to FTD.
- Name: ftdvpn-ca-cert
- Validation Usage for Special Services: SSL Client
Details of Trusted CA Certificate
Confirm in FTD CLI
Confirm the VPN connection settings in the FTD CLI after deployment from the FDM.
// Defines IP of interface
interface GigabitEthernet0/0
speed auto
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.1.200 255.255.255.0
!
interface GigabitEthernet0/1
speed auto
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.10.200 255.255.255.0
// Defines a pool of addresses
ip local pool ftdvpn-aaa-cert-pool 172.16.1.40-172.16.1.50
// Defines a local user
username sslVPNClientCN password ***** pbkdf2
// Defines Trustpoint for Server Certificate
crypto ca trustpoint ftdvpn-cert
enrollment terminal
keypair ftdvpn-cert
validation-usage ssl-server
crl configure
// Server Certificate
crypto ca certificate chain ftdvpn-cert
certificate 22413df584b6726c
3082037c 30820264 a0030201 02020822 413df584 b6726c30 0d06092a 864886f7
......
quit
// Defines Trustpoint for CA
crypto ca trustpoint ftdvpn-ca-cert
enrollment terminal
validation-usage ssl-client ssl-server
crl configure
// CA
crypto ca certificate chain ftdvpn-ca-cert
certificate ca 5242a02e0db6f7fd
3082036c 30820254 a0030201 02020852 42a02e0d b6f7fd30 0d06092a 864886f7
......
quit
// Configures the FTD to allow Cisco Secure Client connections and the valid Cisco Secure Client images
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/cisco-secure-client-win-5.1.4.74-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
// Configures the group-policy to allow SSL connections
group-policy ftdvpn-aaa-cert-grp internal
group-policy ftdvpn-aaa-cert-grp attributes
dns-server value 64.x.x.245 64.x.x.184
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
msie-proxy method no-modify
vlan none
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls none
anyconnect mtu 1406
anyconnect ssl keepalive none
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
// Configures the tunnel-group to use the aaa & certificate authentication
tunnel-group ftdvpn-aaa-cert-auth type remote-access
tunnel-group ftdvpn-aaa-cert-auth general-attributes
address-pool ftdvpn-aaa-cert-pool
default-group-policy ftdvpn-aaa-cert-grp
// These settings are displayed in the 'show run all' command output. Start
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy ftdvpn-aaa-cert-grp
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
username-from-certificate-choice second-certificate
secondary-username-from-certificate-choice second-certificate
// These settings are displayed in the 'show run all' command output. End
tunnel-group ftdvpn-aaa-cert-auth webvpn-attributes
authentication aaa certificate
pre-fill-username client
group-alias ftdvpn-aaa-cert-auth enable
Confirm in VPN Client
Step 1. Confirm Client Certificate
Navigate toCertificates - Current User > Personal > Certificates, check the client certificate used for authentication.
Confirm Client Certificate
Double click the client certificate, navigate toDetails, check the detail ofSubject.
- Subject: CN = sslVPNClientCN
Details of Client Certificate
Step 2. Confirm CA
Navigate toCertificates - Current User > Trusted Root Certification Authorities > Certificates, check the CA used for authentication.
- Issued By: ftd-ra-ca-common-name
Confirm CA
Verify
Step 1. Initiate VPN Connection
On the endpoint, initiate the Cisco Secure Client connection. The username is extracted from the client certificate, you need to input the password for VPN authentication.
Note: The username is extracted from the Common Name (CN) field of the client certificate in this document.
Initiate VPN Connection
Step 2. Confirm VPN Session in FTD CLI
Runshow vpn-sessiondb detail anyconnect
command in FTD (Lina) CLI to confirm the VPN session.
firepower# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : sslVPNClientCN Index : 4
Assigned IP : 172.16.1.40 Public IP : 192.168.1.11
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 29072 Bytes Rx : 44412
Pkts Tx : 10 Pkts Rx : 442
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ftdvpn-aaa-cert-grp Tunnel Group : ftdvpn-aaa-cert-auth
Login Time : 11:47:42 UTC Sat Jun 29 2024
Duration : 1h:09m:30s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0000000000004000667ff45e
Security Grp : none Tunnel Zone : 0
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 4.1
Public IP : 192.168.1.11
Encryption : none Hashing : none
TCP Src Port : 49779 TCP Dst Port : 443
Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 7 Minutes
Client OS : win
Client OS Ver: 10.0.17763
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.4.74
Bytes Tx : 14356 Bytes Rx : 0
Pkts Tx : 2 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 4.3
Assigned IP : 172.16.1.40 Public IP : 192.168.1.11
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 49788
TCP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.4.74
Bytes Tx : 7178 Bytes Rx : 10358
Pkts Tx : 1 Pkts Rx : 118
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Step 3. Confirm Communication with Server
Initiate ping from VPN client to the Server, confirm that communication between the VPN client and the server is successful.
Note: Because the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option is disabled in step 7, you need to create access control rules that allow your IPv4 address pool access to the server.
Ping Succeeded
Runcapture in interface inside real-time
command in FTD (Lina) CLI to confirm packet capture.
firepower# capture in interface inside real-time
Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.
Use ctrl-c to terminate real-time capture
1: 12:03:26.626691 172.16.1.40 > 192.168.10.11 icmp: echo request
2: 12:03:26.627134 192.168.10.11 > 172.16.1.40 icmp: echo reply
3: 12:03:27.634641 172.16.1.40 > 192.168.10.11 icmp: echo request
4: 12:03:27.635144 192.168.10.11 > 172.16.1.40 icmp: echo reply
5: 12:03:28.650189 172.16.1.40 > 192.168.10.11 icmp: echo request
6: 12:03:28.650601 192.168.10.11 > 172.16.1.40 icmp: echo reply
7: 12:03:29.665813 172.16.1.40 > 192.168.10.11 icmp: echo request
8: 12:03:29.666332 192.168.10.11 > 172.16.1.40 icmp: echo reply
Troubleshoot
You can expect to find information about VPN authentication in the debug syslog of Lina engine and in the DART file on Windows computer.
This is an example of debug logs in the Lina engine.
// Certificate Authentication
Jun 29 2024 11:29:37: %FTD-7-717029: Identified client certificate within certificate chain. serial number: 6EC79930B231EDAF, subject name: CN=sslVPNClientCN,OU=sslVPNClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 29 2024 11:29:37: %FTD-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Jun 29 2024 11:29:37: %FTD-6-717022: Certificate was successfully validated. serial number: 6EC79930B231EDAF, subject name: CN=sslVPNClientCN,OU=sslVPNClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
// Extract username from the CN (Common Name) field
Jun 29 2024 11:29:53: %FTD-7-113028: Extraction of username from VPN client certificate has been requested. [Request 3]
Jun 29 2024 11:29:53: %FTD-7-113028: Extraction of username from VPN client certificate has completed. [Request 3]
// AAA Authentication
Jun 29 2024 11:29:53: %FTD-6-113012: AAA user authentication Successful : local database : user = sslVPNClientCN
Jun 29 2024 11:29:53: %FTD-6-113009: AAA retrieved default group policy (ftdvpn-aaa-cert-grp) for user = sslVPNClientCN
Jun 29 2024 11:29:53: %FTD-6-113008: AAA transaction status ACCEPT : user = sslVPNClientCN
These debugs can be run from the diagnostic CLI of the FTD, which provides information you can use in order to troubleshoot your configuration.
- debug crypto ca 14
- debug webvpn anyconnect 255
- debug crypto ike-common 255
Related Information
Configure FDM On-Box Management Service for Firepower 2100
Configure Remote Access VPN on FTD Managed by FDM
Configure and Verify Syslog in Firepower Device Manager