Implementation of the concept of highly secure remote access

Continuing my series of articles on organizing Remote Access VPN, I cannot help but share an interesting experience of deploying a highly secure VPN configuration. One customer set a non-trivial task (there are inventors in Russian villages), but the challenge was accepted and creatively implemented. The result is an interesting concept with the following characteristics:

  1. Several layers of protection against substitution of the endpoint device (rigidly bound to the user):
    • Checking that the user's PC matches the UDID of the permitted PC assigned to the account in the authentication database;
    • MFA that uses the PC UDID taken from the certificate as the username for secondary authentication via Cisco DUO (any SAML/RADIUS-compatible solution can be plugged in);
  2. Multi-factor authentication:
    • User certificate with validation of its fields and secondary authentication based on one of them;
    • Login (not editable, taken from the certificate) and password;
  3. Assessment of the state of the connecting host (Posture)

Solution components used:

  • Cisco ASA (VPN Gateway);
  • Cisco ISE (Authentication / Authorization / Accounting, Posture Assessment, CA);
  • Cisco DUO (Multi-Factor Authentication) (any SAML/RADIUS-compatible solution can be plugged in);
  • Cisco AnyConnect (multipurpose agent for workstations and mobile OS);

Let's start with the customer requirements:

  1. The user must be able to download the AnyConnect client from the VPN gateway after login/password authentication, and all required AnyConnect modules must be installed automatically according to the user's policy;
  2. The user should be able to obtain a certificate automatically (in one of the scenarios; the main scenario is manual issuance and installation on the PC), but I implemented auto-issuance for the demonstration (it is never too late to remove it).
  3. Primary authentication must take place in several stages: first the certificate is authenticated with analysis of the required fields and their values, then login/password, and this time the username taken from the certificate's Subject Name (CN) field must be pre-filled in the login window with no possibility of editing.
  4. It must be verified that the device from which the user logs in is the corporate laptop issued to that user for remote access, and nothing else. (Several variants were implemented to meet this requirement.)
  5. The state of the connecting device (at this stage, a PC) must be assessed against a hefty table of customer requirements, which in summary covers:
    • Files and their properties;
    • Registry entries;
    • OS patches from the provided list (with SCCM integration later);
    • Presence of an anti-virus from a specific vendor and up-to-date signatures;
    • Running state of certain services;
    • Presence of certain installed programs;

To begin with, I strongly suggest watching the 5-minute video demonstration of the resulting implementation on YouTube.

Now let's look at the implementation details not covered in the video.

Let's prepare the AnyConnect profile:

I gave an example of creating a profile (in terms of the menu item in ASDM) in my earlier article on setting up a VPN Load-Balancing Cluster. Now I want to point out separately the options we need:

In the profile, specify the VPN gateway and the profile name that the end client will use for the connection:

[Screenshot]

Let's configure automatic certificate issuance from the profile side, specifying, among other things, the certificate parameters. Note in particular the Initials (I) field, where a specific value is entered manually: the UDID of the test machine (a unique device identifier generated by the Cisco AnyConnect client).

[Screenshot]

Here I need to make a digression. Since this article describes a concept, for demonstration purposes the UDID for certificate issuance is placed in the Initials field of the AnyConnect profile. Of course, if you do this in real life, all clients will receive a certificate with the same UDID in that field and nothing will work for them, because each client needs the UDID of its own PC. Unfortunately, AnyConnect does not yet support substituting the UDID into the certificate request in the profile via an environment variable, as it does, for example, with the %USER% variable.

It should be noted that the customer (in this scenario) initially plans to issue certificates with the required UDID to such protected PCs manually himself, which is not a problem for him. However, most of us want automation (I certainly do =)).

Here is what I can offer in terms of automation. Since it is not yet possible to issue a certificate automatically with AnyConnect substituting the UDID dynamically, there is another way that requires a little creative thinking and skilled hands; I will describe the concept. First, let's look at how the AnyConnect agent forms the UDID on different operating systems:

  • Windows - SHA-256 hash of the combination of the DigitalProductID registry key and the Machine SID
  • OSX - SHA-256 hash of the PlatformUUID
  • Linux - SHA-256 hash of the UUID of the root partition
  • Apple iOS - SHA-256 hash of the PlatformUUID
  • Android - see the document at the link

Accordingly, we write a script for our corporate Windows OS that locally computes the UDID from the known inputs and generates a certificate request with this UDID entered in the required field. Incidentally, you can also use a machine certificate issued by AD (adding a second certificate authentication to the scheme: multiple certificate authentication).
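The script idea above, as an added example that is not the article's or Cisco's own code: it computes a UDID-style value for a Windows PC and emits a certreq INF whose Subject carries the login in CN, the tunnel-group mapping value SECUREBANK-RA in OU and the UDID in the Initials (I) field. The article only says the Windows UDID is a SHA-256 of the "combination" of DigitalProductId and the Machine SID; the byte-level combination used here (DigitalProductId bytes followed by the SID string) is an assumption and must be compared against the device-uid a real AnyConnect client reports before relying on it. The registry path, the PowerShell call used to obtain the Administrator SID and the INF layout are mine, not from the article.

```python
"""Compute an AnyConnect-style UDID on Windows and build a certreq INF for it.
Added example; the hashing layout is an ASSUMPTION (see lead-in)."""
import hashlib
import sys
from typing import Tuple

# Registry location of DigitalProductId (REG_BINARY) on Windows.
DIGITAL_PRODUCT_ID_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
DIGITAL_PRODUCT_ID_VALUE = "DigitalProductId"

# OU value that the article's ASA certificate map routes to SECURE-BANK-VPN.
CERT_OU = "SECUREBANK-RA"


def compute_udid(digital_product_id: bytes, machine_sid: str) -> str:
    """SHA-256 over DigitalProductId bytes followed by the SID string.

    ASSUMED byte order/encoding; verify against a real client's device-uid.
    Returned as 64 upper-case hex characters (the form ISE displays).
    """
    h = hashlib.sha256()
    h.update(digital_product_id)
    h.update(machine_sid.strip().encode("ascii"))
    return h.hexdigest().upper()


def read_windows_inputs() -> Tuple[bytes, str]:
    """Collect the two inputs on a Windows host (only runs on Windows).

    The machine SID is taken from the built-in Administrator account
    (RID 500) by dropping the last SID component.
    """
    import subprocess
    import winreg  # stdlib, Windows only

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DIGITAL_PRODUCT_ID_KEY) as key:
        dpid, _ = winreg.QueryValueEx(key, DIGITAL_PRODUCT_ID_VALUE)
    admin_sid = subprocess.check_output(
        ["powershell", "-NoProfile", "-Command",
         "(Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value"],
        text=True,
    ).strip()
    machine_sid = admin_sid.rsplit("-", 1)[0]
    return bytes(dpid), machine_sid


def build_certreq_inf(common_name: str, udid: str, ou: str = CERT_OU) -> str:
    """INF for 'certreq -new': CN = login, OU = tunnel-group mapping, I = UDID."""
    subject = f"CN={common_name},OU={ou},I={udid}"
    return "\n".join([
        "[NewRequest]",
        f'Subject = "{subject}"',
        "KeyLength = 2048",
        "KeySpec = 1",
        "Exportable = FALSE",
        "MachineKeySet = FALSE",
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "RequestType = PKCS10",
        "HashAlgorithm = sha256",
        "",
    ])


if __name__ == "__main__":
    # Usage on the corporate PC: python udid_csr.py <login> > request.inf
    login = sys.argv[1] if len(sys.argv) > 1 else "ivanov"
    if sys.platform == "win32":
        dpid, sid = read_windows_inputs()
    else:
        # Constructed inputs so the script can be tried off Windows.
        dpid, sid = bytes(range(16)), "S-1-5-21-1111111111-2222222222-3333333333"
    udid = compute_udid(dpid, sid)
    print(f"; computed UDID: {udid}")
    print(build_certreq_inf(login, udid))
```

The INF is then fed to `certreq -new request.inf request.csr` on the PC and the CSR is submitted to the CA (here the ISE CA). Because the UDID is recomputed locally, the value must be cross-checked once against the device-uid shown in the ISE session details for that machine; if the two differ, the assumed hashing layout is wrong and the condition on ISE will deny the user.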

Let's prepare the settings from the Cisco ASA side:

Let's create a TrustPoint for the ISE CA server, which will issue certificates to clients. I will not cover the key-chain import procedure; an example is described in my article on setting up a VPN Load-Balancing Cluster.

crypto ca trustpoint ISE-CA
 enrollment terminal
 crl configure

We set up distribution across tunnel groups based on rules that match fields of the certificate used for authentication. The AnyConnect profile we created in the previous step is also configured here. Note that I use the value SECUREBANK-RA to send users with an issued certificate to the tunnel group SECURE-BANK-VPN; this field is set in the certificate request section of the AnyConnect profile.

tunnel-group-map enable rules
!
crypto ca certificate map OU-Map 6
 subject-name attr ou eq securebank-ra
!
webvpn
 anyconnect profiles SECUREBANK disk0:/securebank.xml
 certificate-group-map OU-Map 6 SECURE-BANK-VPN
!

Set up the authentication servers. In my case this is ISE for the first stage of authentication and DUO (RADIUS Proxy) for MFA.

! CISCO ISE
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 24
 dynamic-authorization
aaa-server ISE (inside) host 192.168.99.134
 key *****
!
! DUO RADIUS PROXY
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.168.99.136
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!

We create the group policies and tunnel groups and their auxiliary components:

The tunnel group DefaultWEBVPNGroup is used primarily to download the AnyConnect VPN client and issue the user certificate via the ASA's SCEP-Proxy function; for this, the corresponding options are enabled on the tunnel group itself, on the associated group policy AC-DOWNLOAD, and in the uploaded AnyConnect profile (certificate request fields, etc.). In this group policy we also specify that the ISE Posture module must be downloaded.

The tunnel group SECURE-BANK-VPN is selected automatically when the client authenticates with the certificate issued in the previous step, because according to the Certificate Map the connection lands in this tunnel group. The interesting options here are:

  • secondary-authentication-server-group DUO # set secondary authentication on the DUO server (RADIUS Proxy)
  • username-from-certificate CN # use the CN field of the certificate as the user's login for primary authentication
  • secondary-username-from-certificate I # for secondary authentication on the DUO server, use the username taken from the Initials (I) field of the certificate
  • pre-fill-username client # pre-fill the username in the authentication window without the ability to change it
  • secondary-pre-fill-username client hide use-common-password push # hide the login/password window for DUO secondary authentication and, instead of a password field, use the notification method (sms/push/phone) to request authentication - doc here

!
access-list posture-redirect extended permit tcp any host 72.163.1.80 
access-list posture-redirect extended deny ip any any
!
access-list VPN-Filter extended permit ip any any
!
ip local pool vpn-pool 192.168.100.33-192.168.100.63 mask 255.255.255.224
!
group-policy SECURE-BANK-VPN internal
group-policy SECURE-BANK-VPN attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
group-policy AC-DOWNLOAD internal
group-policy AC-DOWNLOAD attributes
 dns-server value 192.168.99.155 192.168.99.130
 vpn-filter value VPN-Filter
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value ashes.cc
 address-pools value vpn-pool
 scep-forwarding-url value http://ise.ashes.cc:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1300
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value iseposture
  anyconnect profiles value SECUREBANK type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AC-DOWNLOAD
 scep-enrollment enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
!
tunnel-group SECURE-BANK-VPN type remote-access
tunnel-group SECURE-BANK-VPN general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 secondary-authentication-server-group DUO
 accounting-server-group ISE
 default-group-policy SECURE-BANK-VPN
 username-from-certificate CN
 secondary-username-from-certificate I
tunnel-group SECURE-BANK-VPN webvpn-attributes
 authentication aaa certificate
 pre-fill-username client
 secondary-pre-fill-username client hide use-common-password push
 group-alias SECURE-BANK-VPN enable
 dns-group ASHES-DNS
!

Next, let's move on to ISE:

We set up a local user (AD/LDAP/ODBC etc. can also be used); for simplicity I created a local user in ISE itself and put the UDID of the PC from which he is allowed to log in via VPN into its Description field. With local authentication on ISE I am limited to only one device, since there are not many fields, but with third-party authentication databases there is no such restriction.

[Screenshot]

Let's look at the authorization policy; it is divided into four stages of the connection:

  • Step 1 - policy for downloading the AnyConnect agent and issuing a certificate
  • Step 2 - primary authentication policy: login (from the certificate)/password + certificate with UDID validation
  • Step 3 - secondary authentication via Cisco DUO (MFA) with the UDID as the username + posture assessment
  • Step 4 - final authorization in the state:
    • Compliant;
    • UDID validated (from the certificate + bound to the login);
    • Cisco DUO MFA passed;
    • Login authenticated;
    • Certificate authenticated;

[Screenshot]

Let's look at the interesting condition UUID_VALIDATED. It simply checks that the authenticated user really connected from a PC whose UDID matches the one permitted in the account's Description field; the conditions look like this:

[Screenshot]

The authorization profile used in stages 1, 2 and 3 looks like this:

[Screenshot]

You can check exactly how the UDID arrives from the AnyConnect client by looking at the client session details in ISE. There we see in detail that AnyConnect, through the ACIDEX mechanism, sends not only platform data but also the device UDID as a Cisco-AV-PAIR:

[Screenshot]
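To make the UUID_VALIDATED condition and the ACIDEX device-uid attribute concrete, here is an added example (not ISE's policy engine and not the article's own code) that models one session as ISE sees it: the pre-filled User-Name, the certificate subject fields as the ASA names them (I = Initials), and the Cisco-AV-PAIR list from AnyConnect. The session, user record, UDID value and the result labels (PermitAccess, PostureRedirect, DenyAccess) are all constructed for the example; the OU value SECUREBANK-RA and the tunnel-group behaviour come from the article's ASA configuration.

```python
"""Model of the UUID_VALIDATED check: the UDID reported by AnyConnect
(Cisco-AV-PAIR device-uid), the Initials field of the authenticated
certificate and the UDID stored on the user account must all agree.
Added example with constructed data; not ISE's own logic."""
import copy
import re
from typing import Dict, List, Optional

# OU that the article's ASA certificate map routes into SECURE-BANK-VPN.
REQUIRED_OU = "SECUREBANK-RA"
UDID_RE = re.compile(r"[0-9A-F]{64}")

# Constructed 64-hex-char UDID standing in for a real SHA-256 value.
UDID = "A1" * 32

# Constructed view of one RADIUS session as ISE would receive it from the ASA.
SAMPLE_SESSION: Dict = {
    "User-Name": "ivanov",                          # pre-filled from certificate CN
    "cert-subject": {"CN": "ivanov", "OU": REQUIRED_OU, "I": UDID},
    "Cisco-AV-PAIR": [
        "device-platform=win",
        "device-platform-version=10.0.19044",
        f"device-uid={UDID}",                       # sent by AnyConnect via ACIDEX
    ],
}
# Constructed ISE local user; Description holds the single permitted UDID.
SAMPLE_USER: Dict = {"name": "ivanov", "description": UDID}


def normalize_udid(value: Optional[str]) -> Optional[str]:
    """Upper-case a UDID and reject anything that is not exactly 64 hex chars."""
    if value is None:
        return None
    value = value.strip().upper()
    return value if UDID_RE.fullmatch(value) else None


def device_uid_from_avpairs(av_pairs: List[str]) -> Optional[str]:
    """Extract device-uid from the Cisco-AV-PAIR values reported by AnyConnect."""
    for pair in av_pairs:
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "device-uid":
            return normalize_udid(val)
    return None


def udid_validated(session: Dict, user_record: Dict) -> bool:
    """True only if client-reported UDID == certificate Initials == account UDID."""
    reported = device_uid_from_avpairs(session.get("Cisco-AV-PAIR", []))
    from_cert = normalize_udid(session.get("cert-subject", {}).get("I"))
    allowed = normalize_udid(user_record.get("description"))
    return reported is not None and reported == from_cert == allowed


def secondary_username(session: Dict) -> Optional[str]:
    """Username the ASA hands to DUO under 'secondary-username-from-certificate I'."""
    return session.get("cert-subject", {}).get("I")


def with_device_uid(session: Dict, udid: str) -> Dict:
    """Copy of a session reporting a different device-uid (a substituted PC)."""
    tampered = copy.deepcopy(session)
    tampered["Cisco-AV-PAIR"] = [
        p for p in tampered["Cisco-AV-PAIR"] if not p.startswith("device-uid=")
    ] + [f"device-uid={udid}"]
    return tampered


def authorize(session: Dict, user_record: Dict, posture: str, mfa_ok: bool) -> str:
    """Collapse the article's four stages into one decision (labels constructed)."""
    subj = session.get("cert-subject", {})
    if subj.get("OU", "").upper() != REQUIRED_OU:
        return "DenyAccess"            # would not land in SECURE-BANK-VPN at all
    if session.get("User-Name") != subj.get("CN"):
        return "DenyAccess"            # login must be the certificate CN
    if not udid_validated(session, user_record):
        return "DenyAccess"            # substituted device or not bound to this user
    if not mfa_ok:
        return "DenyAccess"            # DUO push/sms/phone not confirmed
    if posture != "Compliant":
        return "PostureRedirect"       # stages 1-3 profile until the PC is compliant
    return "PermitAccess"
```

The three-way comparison is the point: a stolen certificate on another laptop changes device-uid, a certificate forged with the right Initials still has to match the account's Description, and an account pointed at a different PC fails on the certificate side. Each of those mismatches shows up in ISE as a failed UUID_VALIDATED condition rather than as a silent grant of access.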

Note the certificate issued to the user and its Initials (I) field, which is taken as the login for MFA secondary authentication on Cisco DUO:

[Screenshot]

On the DUO RADIUS Proxy side, the log clearly shows the authentication request going through with the UDID as the username:

[Screenshot]

From the DUO portal, we see a successful authentication event:

[Screenshot]

And in the user properties I have set an ALIAS, which is used for login; this is the UDID of the PC permitted to log in:

[Screenshot]

As a result, we got:

  • Multi-factor user and device authentication;
  • Protection against substitution of the user's device;
  • Assessment of the state of the device;
  • Potential for stronger control with a domain machine certificate, etc.;
  • Comprehensive protection of the remote workplace with automatically deployed security modules;

Links to articles in the Cisco VPN series:

Source: habr.com
