Generic AnyConnect SSL Configuration
Base AnyConnect SSL VPN configuration. The split-tunnel ACL (CLIENTVPN) lists the internal networks that are reached through the tunnel, and the identity NAT rule keeps traffic between those networks and the client pool from being translated. The svc image lines load the client packages for each platform; tunnel-group-list enable shows the group alias in the client's connection dropdown.

    webvpn
     enable outside
     svc image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
     svc image disk0:/anyconnect-linux64-4.4.03034-webdeploy-k9.pkg 2
     svc image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 3
     anyconnect enable
     tunnel-group-list enable
     exit
    ip local pool CLIENT-VPN-IPPOOL 192.168.237.1-192.168.237.254 mask 255.255.255.0
    object-group network CLIENT-VPN-IPPOOL
     network-object 192.168.237.0 255.255.255.0
    object-group network FW-LOCAL
     network-object 192.168.99.0 255.255.255.0
     network-object 10.176.0.0 255.248.0.0
     network-object 10.184.0.0 255.248.0.0
     network-object 10.208.0.0 255.240.0.0
     network-object 192.168.100.0 255.255.252.0
    access-list CLIENTVPN extended permit ip object-group FW-LOCAL object-group CLIENT-VPN-IPPOOL
    nat (any,outside) source static FW-LOCAL FW-LOCAL destination static CLIENT-VPN-IPPOOL CLIENT-VPN-IPPOOL
    group-policy MY_COMPANY internal
    group-policy MY_COMPANY attributes
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CLIENTVPN
     address-pools value CLIENT-VPN-IPPOOL
     webvpn
      anyconnect ask none default anyconnect
    tunnel-group MY_COMPANY type remote-access
    tunnel-group MY_COMPANY general-attributes
     default-group-policy MY_COMPANY
    tunnel-group MY_COMPANY webvpn-attributes
     group-alias MY_COMPANY enable
Duo
- Create Account
- Create new application
- Create test user
Create an AAA server group that points at Duo. The API hostname, integration key and secret key are shown on the application's page in the Duo Admin Panel. The secret key is a credential: it is stored in the running-config, so restrict who can view the config and keep it out of any config backups that are shared. The interface name in parentheses must match the nameif of the interface that reaches the Duo API (the base config above uses outside).
    aaa-server Duo-Auth protocol ldap
    aaa-server Duo-Auth (OUTSIDE) host <API Hostname>
     timeout 120
     server-port 636
     ldap-base-dn dc=<Integration Key>,dc=duosecurity,dc=com
     ldap-naming-attribute cn
     ldap-login-password <Secret Key>
     ldap-login-dn dc=<Integration Key>,dc=duosecurity,dc=com
     ldap-over-ssl enable
     server-type auto-detect
     exit
Update the tunnel-group to use Duo as the secondary authentication server. The tunnel-group name must match the one being edited: the snippet below names MY_COMPANY-DUO, so either apply it to MY_COMPANY from the base config or create MY_COMPANY-DUO with type remote-access first. use-primary-username sends the first-factor username to Duo so the user is not prompted for a second one.
    tunnel-group MY_COMPANY-DUO general-attributes
     secondary-authentication-server-group Duo-Auth use-primary-username
Ping the API Hostname. The ASA must resolve the Duo API hostname itself, so enable DNS lookups on the interface that faces the internet and configure name servers; then ping the API hostname from the ASA to confirm both resolution and reachability.
    dns domain-lookup OUTSIDE
    dns name-server [DNS-SERVERS]
Additional Duo Configuration
Default AnyConnect Profile
Upload the profile XML to the firewall's flash with SCP (the ASA's SCP server must be enabled first with ssh scopy enable, and the SSH user needs privilege to write to disk0):

    scp <file name> <user>@<firewall public ip>:disk0:<file name>
Duo Files
Copy the Duo-supplied translation table and customization files to flash, then import them. They relabel the AnyConnect login prompts so the second password field reads as a Duo factor prompt instead of "Second Password".

    scp /var/tmp/duo-en <user>@<firewall public ip>:disk0:duo-en
    scp /var/tmp/DfltCustomization <user>@<firewall public ip>:disk0:DfltCustomization
    import webvpn translation-table AnyConnect language en disk0:/duo-en
    import webvpn customization DfltCustomization disk0:/DfltCustomization
Create Profile
    config t
    webvpn
     anyconnect profiles AnyConnectUserProfile disk0:/<AnyConnect Profile Name.xml>
     exit
Apply Profile
    group-policy <NAME> attributes
     webvpn
      anyconnect profiles value AnyConnectUserProfile type user
      exit
     exit
Testing
Test the Duo server from the ASA CLI. The password field carries the Duo factor: push sends a Duo Push to the user's enrolled device, and the command succeeds only after the user approves it, which also confirms that the aaa-server timeout is long enough.

    test aaa-server authentication Duo-Auth host <API hostname> username <name> password push
Using LDAP as primary Authentication Instead of Local Database
The attribute map turns the user's memberOf values into an ASA Group-Policy assignment, so only members of the SSLVPN group land in the AIoA-ANYCONNECT-SSL-DUO policy. Users who authenticate but match no map-value still get the tunnel-group's default group policy, so that default should be a lock-out policy (vpn-simultaneous-logins 0) rather than a policy that grants access. The ldap-login-password value is the bind account's password and is left blank here; the bind account only needs read access to the directory.

    ldap attribute-map CISCOMAP
     map-name memberOf Group-Policy
     map-value memberOf "CN=SSLVPN,OU=The American Institute of Architects,DC=HTCloud,DC=loc" AIoA-ANYCONNECT-SSL-DUO
    aaa-server LDAP_SRV_GRP (FW-LB) host 172.16.108.135
     ldap-base-dn DC=HTCloud,DC=loc
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password
     ldap-login-dn CN=VPNAuth,CN=Users,DC=HTCloud,DC=loc
     server-type microsoft
     ldap-attribute-map CISCOMAP
    tunnel-group AIoA-ANYCONNECT-SSL-DUO general-attributes
     authentication-server-group LDAP_SRV_GRP
     secondary-authentication-server-group Duo-Auth use-primary-username
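The checks a practitioner wants to run over this kind of config before putting it in production, for the Duo aaa-server block, the tunnel-group that references it, and the LDAP attribute-map section above, as an added example that is not part of the original page and not Cisco's or Duo's code. It parses an ASA config excerpt by its one-space sub-command indentation and flags a Duo server without LDAPS or with the default 389 port or 10 s timeout, a tunnel-group referenced in general-attributes that was never given a type line (the MY_COMPANY vs MY_COMPANY-DUO mismatch), references to undefined aaa-server groups, and a tunnel-group whose primary server uses an attribute map while its default group policy is not a lock-out policy. The two sample configs, the api-0123abcd.duosecurity.com hostname, the 192.0.2.10 server and the 60 s minimum timeout are constructed assumptions of this script.

```python
"""Audit an ASA config excerpt for the AnyConnect + Duo LDAP settings on this page.
Added example, not Cisco's or Duo's code; sample configs and thresholds are assumed."""
import re

# Duo answers the LDAP bind only after the user approves the push, so the ASA
# default 10 s aaa-server timeout fails the login; Duo's ASA guide uses 60 s.
MIN_DUO_TIMEOUT = 60


def parse_asa(text):
    """Group config into (command, [sub-commands]); ASA indents sub-commands by one space."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.rstrip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def _value(sub, keyword, default=None):
    """Argument of the first sub-command that starts with keyword."""
    for line in sub:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return default


def audit(text):
    blocks, findings = parse_asa(text), []
    server_groups, tunnel_types, lockout, mapped = set(), set(), set(), set()
    for cmd, sub in blocks:  # pass 1: collect definitions
        if m := re.match(r"aaa-server (\S+) protocol", cmd):
            server_groups.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type", cmd):
            tunnel_types.add(m[1])
        elif m := re.match(r"group-policy (\S+) attributes", cmd):
            if "vpn-simultaneous-logins 0" in sub:  # lock-out policy
                lockout.add(m[1])
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host", cmd):
            if _value(sub, "ldap-attribute-map"):
                mapped.add(m[1])
    for cmd, sub in blocks:  # pass 2: check each block against them
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", cmd)
        if m and m[2].endswith("duosecurity.com"):
            name, timeout = m[1], _value(sub, "timeout", "10")
            if "ldap-over-ssl enable" not in sub:
                findings.append(f"{name}: ldap-over-ssl not enabled, skey binds in clear text")
            if _value(sub, "server-port", "389") != "636":
                findings.append(f"{name}: server-port is not 636 (LDAPS)")
            if int(timeout) < MIN_DUO_TIMEOUT:
                findings.append(f"{name}: timeout {timeout}s is too short for a Duo push")
        m = re.match(r"tunnel-group (\S+) general-attributes", cmd)
        if not m:
            continue
        tg = m[1]
        if tg not in tunnel_types:
            findings.append(f"tunnel-group {tg}: no 'type remote-access' line, name mismatch?")
        default = _value(sub, "default-group-policy", "DfltGrpPolicy")
        for key in ("authentication-server-group", "secondary-authentication-server-group"):
            val = _value(sub, key)
            if val is None:
                continue
            grp = [t for t in val.split() if not t.startswith("(")][0]  # skip "(iface)"
            if grp not in server_groups:
                findings.append(f"tunnel-group {tg}: {key} {grp} is not a defined aaa-server group")
            if key == "authentication-server-group" and grp in mapped and default not in lockout:
                findings.append(f"tunnel-group {tg}: users with no memberOf match land in {default}")
    return findings


# Constructed samples: Duo block as first written (no LDAPS, default port and timeout).
LDAP = """\
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.0.2.10
 ldap-attribute-map CISCOMAP
"""
WEAK = LDAP + """\
aaa-server Duo-Auth protocol ldap
aaa-server Duo-Auth (outside) host api-0123abcd.duosecurity.com
tunnel-group MY_COMPANY-DUO general-attributes
 authentication-server-group LDAP_SRV_GRP
 secondary-authentication-server-group Duo-Auth use-primary-username
"""
FIXED = LDAP + """\
aaa-server Duo-Auth protocol ldap
aaa-server Duo-Auth (outside) host api-0123abcd.duosecurity.com
 timeout 120
 server-port 636
 ldap-over-ssl enable
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group MY_COMPANY type remote-access
tunnel-group MY_COMPANY general-attributes
 default-group-policy NOACCESS
 authentication-server-group LDAP_SRV_GRP
 secondary-authentication-server-group Duo-Auth use-primary-username
"""

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "no findings")
```

Run it against a `show running-config` excerpt saved to a file by calling audit() on its contents; the WEAK sample produces five findings and the FIXED sample none. The default-group-policy check relies on ASA behaviour: a tunnel-group without an explicit default-group-policy uses DfltGrpPolicy, which is why the script assumes that name when the line is absent.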