Most network administrators have probably spent at least some time setting up a remote-access VPN for their company or for a customer. To authenticate the end users that connect to the VPN, it is very common to use an external user database, and to communicate with that database you usually have to use LDAP or RADIUS, talking either directly to an LDAP catalog or to a RADIUS server (like Cisco’s Identity Services Engine, ISE, for example).
However, if your VPN solution consists of a Cisco ASA firewall and the AnyConnect VPN software, there is a newer option/protocol available to handle authentication: SAML, which stands for Security Assertion Markup Language. SAML has grown big in the last few years, providing authentication and single sign-on (SSO) for applications like email, websites, ticket services and much more. The general idea of SAML is that once you have gone through a successful authentication, you are handed a sort of cookie or “ticket” inside your web browser that will let you be signed in automatically to the next service you use that relies on the same SAML authentication. Today, there are many different products that use SAML authentication from well-known companies like Microsoft, Okta, Ping Identity and even Cisco (through their Duo service).
As of this writing, successful SAML-authentications taking place for VPN does not “carry over” for use with other services because of how AnyConnect works… so keep that in mind for your own implementation.
I am not going to go into detail about how SAML authentication works, but the main thing about the SAML authentication flow is this: when you initiate a VPN session in AnyConnect (by typing in the URL/IP of your ASA and clicking “Connect”), instead of getting the normal AnyConnect login prompt you are redirected to a so-called Identity Provider (IdP), which presents you with a login website that opens up inside AnyConnect (at least if you are using AnyConnect version 4.6 or newer). It is very common for companies and organizations to design their own login page using their brand colors and logotypes to make users feel at home. Since the VPN login will look the same as for the other applications the users already use, they will be very familiar with the interface. In SAML terms the ASA acts as a Service Provider (SP).
This is not going to be a complete guide on how to set up SAML authentication for VPN on the ASA: we will only cover the SAML configuration on the ASA and not the configuration of basic VPN settings like Group Policies etc. We will also not cover the configuration of the IdP, mainly because 1) you, the network administrator, will probably not be the one tasked with that configuration and 2) there are way too many different IdP services and I’ve barely seen any of them. This article is more a collection of good things to know that I’ve picked up from implementing SAML authentication myself and from reading about other people’s experience on the Cisco Support forum. The main reason I felt the need to write this article is that Cisco’s own documentation regarding SAML is pretty barebones and, in my opinion, does not cover all the steps needed well enough.
General Setup
Below you see a simple diagram of the connections and communication that takes place in a SAML VPN-solution. The IdP could be either on your internal network, your DMZ or on the internet if you are using a cloud service.
Technical requirements
I’m just gonna get this out right away: there are some technical requirements that need to be met to use SAML authentication for your VPN connections:
- Your ASA must have a trusted certificate installed, preferably from a third party.
- Your IdP must also have a trusted certificate installed, preferably from a third party.
- SAML authentication differs quite a bit from the usual RADIUS or LDAP authentication you are used to: the ASA doesn’t actually know the name of the user until the authentication is complete (either successful or failed), since the authentication takes place on the IdP. The IdP informs the ASA of the username using the SAML attribute NameID.
- The Connection Profile (Tunnel Group) for the VPN that is going to use SAML as its authentication method cannot contain any spaces. This is because the Connection Profile name is used in the SAML URL that the IdP will make use of. If you need multiple words in your Connection Profile name, use a dash or underscore between them.
- If your SAML authentication page is capable of reading user certificates from your computer, you must have AnyConnect version 4.7 or newer for this to work. Earlier versions will not be able to fetch and present certificates stored on your computer to the IdP login page.
- Your ASA must have DNS servers configured that are able to look up the URL/IP of your Identity Provider servers.
- Make sure your ASA and your IdP both have NTP running and synchronized.
Basic VPN-configuration
Once again, this article assumes you have at least a decent amount of experience with remote-access VPN configuration on an ASA, and therefore I will not be covering the basics of Connection Profiles, Group Policies, IP pools and so on. You know what’s best for your environment; the only things this article asks of you are to follow the technical requirements above (like the Connection Profile name) and to set the Connection Profile’s User Authentication to SAML after you have configured the SAML (SSO) server further down.
Adding the Identity Provider (IdP) certificate to the ASA
According to the documentation on Cisco’s website, you only need to add the root certificate of the IdP’s certificate chain to the ASA, but if you dig into the Help pages inside the ASDM software you will find that you actually need to add the IdP’s own certificate to the ASA.
As a best practice, I would recommend that you install the root and intermediate certificates of the IdP’s certificate chain into the trusted certificate store of the ASA, just in case. Head over to Configuration > Certificate Management > CA Certificates and click Add to import the root certificate first, then do it again to import the intermediate certificate. You can add the certificates either as files (.der/.cer/.crt) or by pasting in the Base64 (text) version of each certificate one by one.
However, for the “SAML trust” to be set up between your ASA (SP) and the IdP, you also need to add the certificate of the IdP itself (the certificate used on the login website) as a trusted CA certificate.
Now comes the tricky part: I had trouble adding the IdP certificate itself in ASDM as a CA certificate, because I kept getting an error stating that the certificate could not be added and that it needs to be added with the “no ca-check” command.
There is no way to issue the command “no ca-check” when importing the certificate using ASDM, so you will need to add this certificate as a trustpoint using the command line instead.
<paste in the IdP-certificate in Base64-format>
And you’re done!
Configuring a SAML-server
Next up we need to add the SAML server in ASDM. You can find the configuration for SAML servers (or SSO servers, as they are named here) under Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Signon Server. Don’t let the menu fool you: these servers are not only used for Clientless VPN.
Adding a SAML server is pretty simple because there aren’t many settings for you to play around with, but you will need to get some URLs from your IdP administrator. Ask them for the IDP Entity ID, the Sign-in URL and the Sign-out URL.
Please note that even though the IDP Entity ID is a URL, it is not a “friendly name” that you can pick yourself, so to speak.
Request Signature is something you must agree with your IdP-administrator about. Setting it to None is a very bad practice.
Request Timeout is something I would not touch unless told to by the IdP-administrator.
Make sure to remove “https://” from the beginning of all URLs (except for the URL you set as IDP Entity ID) and any trailing “/” from the end of the URLs, including the Base URL, which is your ASA’s URL.
There is also a slight inconvenience with configuring SAML (SSO) servers: every time you make a change, you need to turn the SAML configuration for that Connection Profile off and on again for the changes to take effect. Cisco is, however, aware of this oddity (it is tracked as an Enhancement under the bug id CSCvi23605), and when you head into the SSO-server configuration you are greeted with this message:
To turn the SAML-configuration for a Connection Profile off and on again, either use the commands below or do it from ASDM on the Connection Profile > Basic > change SAML Identity Provider to “None” > click OK and Apply, then go back and reselect the SAML-server in the scroll list and click OK and Apply again.
Enter your Connection Profile/Tunnel Group:
Remove SAML-server from Connection Profile:
Re-add SAML-server to Connection Profile:
What the IdP-administrator will need from you
- Your ASA certificate, the one used on the “outside” interface of your ASA and for VPN connections. They will need it to complete the trust between the ASA and the IdP.
- Your SAML metadata, which you can get by browsing (from the outside of the ASA) to the URL of your ASA and accessing the SAML resource portion of your Connection Profile (the so-called metadata). For example, if your VPN URL is https://vpn.mydomain.com and your Connection Profile is called VPN-SAML-AUTH, then your metadata URL would be https://vpn.mydomain.com/saml/sp/metadata/VPN-SAML-AUTH. You know the URL is correct if you get something like the image below when you browse to it. You can also get this information via the CLI using the command show saml metadata <Connection Profile name>, which in my case would be show saml metadata VPN-SAML-AUTH.
- Make sure to tell the IdP administrator that you want the SAML attribute NameID included in the SAML response the IdP sends to the ASA when it reports whether an authentication attempt was successful or not. If you do separate authorization (via ISE, for example), this will be the username sent to the authorization server. The NameID will also be what you see as the username for a remote-access VPN session on the ASA.
- Agree upon what Request Signature to use and (optionally) a Request Timeout. A tip is to start by setting no Request Timeout on the ASA’s side and let the IdP deal with this however it wants to, to see if it just works right out of the box.
- Making changes to the SAML configuration on the ASA could change your SAML metadata, and the IdP administrator might need to change something on their side as well, so always ask the IdP administrator to verify that they have the latest metadata from your ASA.
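The naming and URL rules above (no spaces in the Connection Profile name, no “https://” or trailing “/” on the URLs, and the metadata URL derived from the VPN URL and the profile name) are easy to get wrong by hand, so here is an added pre-flight check written for this article; it is not Cisco code or part of the original post. All URLs and names in it are constructed samples, and it passes the IDP Entity ID through unchanged on the assumption that the IdP matches it verbatim.

```python
"""Pre-flight checks for the ASA SAML (SSO) server settings (added example)."""
from urllib.parse import urlparse


def tunnel_group_problems(name: str) -> list[str]:
    """Return the problems with a Connection Profile name (empty list = ok)."""
    problems = []
    if not name:
        problems.append("Connection Profile name is empty")
    elif " " in name:
        problems.append("Connection Profile name contains spaces; use '-' or '_'")
    return problems


def normalize_asa_url(url: str) -> str:
    """Strip the scheme and any trailing '/' the way the ASA wants it entered."""
    url = url.strip()
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.netloc + parsed.path).rstrip("/")


def metadata_url(vpn_url: str, tunnel_group: str) -> str:
    """Build the SP metadata URL that the IdP administrator needs."""
    return f"https://{normalize_asa_url(vpn_url)}/saml/sp/metadata/{tunnel_group}"


def preflight(vpn_url: str, tunnel_group: str, entity_id: str,
              sign_in_url: str, sign_out_url: str) -> dict:
    """Collect normalized values for the SSO-server form plus any blockers."""
    problems = tunnel_group_problems(tunnel_group)
    return {
        "problems": problems,
        "base_url": normalize_asa_url(vpn_url),
        # Assumption: the Entity ID is an identifier the IdP matches verbatim,
        # so it is entered exactly as supplied, scheme included.
        "idp_entity_id": entity_id.strip(),
        "sign_in_url": normalize_asa_url(sign_in_url),
        "sign_out_url": normalize_asa_url(sign_out_url),
        "metadata_url": None if problems else metadata_url(vpn_url, tunnel_group),
    }


if __name__ == "__main__":
    # Constructed sample values, including URLs with a trailing slash.
    result = preflight("https://vpn.mydomain.com/", "VPN-SAML-AUTH",
                       "https://idp.example.com/saml2/metadata",
                       "https://idp.example.com/saml2/login/",
                       "https://idp.example.com/saml2/logout/")
    for key, value in result.items():
        print(f"{key}: {value}")
```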
Debugging SAML-authentication attempts
Your first few attempts at connecting to the SAML VPN are probably gonna go bad, and then I would recommend this debug command to see if there is anything wrong with the SAML exchange between your ASA (the SP) and the IdP.
Using the debug above you get to see the actual SAML requests being created and sent between the ASA and the IdP. The 255 at the end is the debug level, with 255 giving you the most output.
In my experience, I have run into trouble where the IdP has been trying to send SAML attributes to the ASA that the ASA is not able to interpret or understand, which shows up in the debug log as:
Here the SAML attribute AuthnContextDeclRef is sent to the ASA by the IdP after authentication is successful, but the ASA does not know what this attribute is and therefore the VPN authentication fails. If you run into this, you pretty much have to ask your IdP administrator to make the IdP stop sending this attribute, as there is no way to fix this on the ASA’s side due to the very limited SAML configuration parameters of the ASA OS.
Another problem you could run into is that the clocks of the ASA and the IdP are not synchronized, or that the timeout for the SAML tickets/sessions is not in agreement between the ASA and the IdP. This could happen if you define a Request Timeout in the ASA configuration for the SAML server and the ASA tries to override the timeout values set by the IdP. This is what you could see in the debug then:
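The two failure modes described above (an element the ASA cannot interpret, and a validity window that does not match the ASA’s clock) can be spotted in the IdP’s SAML Response before anyone touches the ASA. The following checker is an added example written for this article, not Cisco code and not part of the original post; the SAML Response it parses is a constructed sample, and the 30-second skew tolerance is an assumption.

```python
# Added example: pre-check an IdP SAML Response for things the ASA rejects.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a successful assertion that also carries AuthnContextDeclRef.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-03-06T10:00:00Z" NotOnOrAfter="2020-03-06T10:05:00Z"/>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>https://idp.example.com/decl/password</saml:AuthnContextDeclRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xsd:dateTime, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in value else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(value.replace("Z", "+0000"), fmt)


def check_response(xml_text: str, asa_now: datetime,
                   skew: timedelta = timedelta(seconds=30)) -> list[str]:
    """Return findings the ASA would choke on; an empty list means none found."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response"]
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        findings.append("NameID missing: the ASA cannot learn the username")
    if assertion.find(".//saml:AuthnContextDeclRef", NS) is not None:
        findings.append("AuthnContextDeclRef present: the ASA cannot interpret it")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # compare the window against the ASA's own clock
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and asa_now + skew < parse_saml_time(not_before):
            findings.append("assertion not yet valid on the ASA clock: check NTP")
        if not_after and asa_now - skew >= parse_saml_time(not_after):
            findings.append("assertion already expired on the ASA clock: check NTP/timeouts")
    return findings


def check_sample(asa_clock: str) -> list[str]:
    """Run the check on the constructed sample with the ASA clock at asa_clock (UTC)."""
    return check_response(SAMPLE_RESPONSE, parse_saml_time(asa_clock))
```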
Drawbacks of using SAML
As of this writing (March 6th 2020) there is no easy way to apply different authorization rules to VPN users after they authenticate, like you would with Dynamic Access Policies (DAP) on the ASA. The SAML standard itself supports many types of authorization parameters, but the ASA is unable to understand them. What you can do is let a separate authorization step take place after the SAML authentication, using either an LDAP catalog or a RADIUS server, to get a second look at the user and then change the authorization depending on group membership or account attributes, for example.
Good luck!
Here are my notes on configuring SSL-VPN on a Cisco ASA with the AnyConnect client.
Setup / environment
I verified this with the following setup.
I used the following Cisco ASA.
| Item | Value |
|---|---|
| Hardware | Cisco ASA 5506-X |
| Software | 9.4(1) |
The addressing scheme is as follows.
| Network | Address range |
|---|---|
| WAN side | 192.168.253.0/24 |
| LAN side | 192.168.1.0/24 |
| Addresses handed out to SSL-VPN clients | 192.168.99.1 to 192.168.99.100 /24 |
Inspection settings
This is not mandatory, but I add ICMP packets to the inspection list (if they are not inspected, you have to write explicit ACLs for the return packets).
NAT settings
Traffic from the LAN to the WAN has its source address translated (NAT) to the outside interface.
Key points of the configuration
A few notes on the key points of the configuration. For the sake of explanation I have changed the order of the configuration slightly (the configuration itself is unchanged).
Address pool handed out to SSL-VPN clients
The address pool handed out to SSL-VPN clients is defined as POOL_ANYCONNECT. The same range is also defined as the object OBJ_POOL_ANYCONNECT so that, while normal LAN → WAN traffic is NATed, traffic from the LAN toward the SSL-VPN pool is exempted from NAT.
SSL-VPN settings
Copy the AnyConnect image to the ASA’s storage beforehand. Here SSL-VPN (WebVPN) is enabled on the outside interface and the AnyConnect image is specified. Setting tunnel-group-list to enable shows a list of groups to choose from when connecting to the SSL-VPN.
Split-tunnel settings
Next, define a group policy. The networks that should not be sent through the VPN tunnel while connected to the SSL-VPN are specified with an ACL, and split tunneling is configured.
split-tunnel-policy accepts the following three values.
Each has the following meaning.
| Option | Traffic sent through the SSL-VPN tunnel |
|---|---|
| excludespecified | All traffic except what the ACL specifies |
| tunnelall | All traffic |
| tunnelspecified | Only the traffic the ACL specifies |
Defining users
Two users are defined here.
| Username | Password | Role |
|---|---|---|
| ADMIN | PASSWORD | Administrative user for the ASA |
| USER | PASSWORD | For AnyConnect connections |
USER is given the attribute service-type remote-access, declaring that it is a VPN user.
Tunnel-group settings
Specify the address pool for SSL-VPN clients defined earlier. Defining a group-alias also lets you set the name (an alias, i.e. a display name) shown in the group list when starting an SSL-VPN connection from the AnyConnect client.
Connection test
From the AnyConnect client, start a connection to the ASA’s outside address (192.168.253.100 in this case). You can install a public certificate on the ASA or make the ASA its own certificate authority, but even in its default state the ASA holds a self-signed certificate, and that certificate is used when no certificate is explicitly specified. Because this self-signed certificate is used here, a warning was shown when connecting. Click Connect Anyway to continue.
The group name (its alias) should already be shown by default. Enter the username and password and press OK to establish the SSL-VPN connection.
If the SSL-VPN is established correctly, PC-A should be able to communicate with PC-B. Ping PC-B from PC-A and confirm connectivity.
Allowing traffic to the local segment
When an SSL-VPN connection is established, by default the client apparently cannot reach its own local segment. So, for example, when you connect from home to the school network with AnyConnect, you cannot reach a printer on your home (local) segment. This can be avoided by checking “Allow local (LAN) access when using VPN (if configured)” in the AnyConnect client’s settings and reconnecting the SSL-VPN (it is unchecked by default, which is why the local segment is unreachable).
About certificates
To repeat what was said above, any of the following certificates can be used for the SSL-VPN connection.
- A certificate issued by an external CA
- A certificate issued by the ASA acting as its own CA (self-signed CA)
- The self-signed certificate the ASA holds by default
If no server certificate is explicitly specified in the SSL-VPN configuration, the self-signed certificate the ASA holds by default is used (so a warning is shown, but the SSL-VPN connection still works).
Is it a problem to include the client’s local segment in the split-tunnel ACL??
In this setup the WAN is 192.168.253.0/24 and the LAN is 192.168.1.0/24.
So the split-tunnel ACL was set to the LAN address 192.168.1.0/24, as follows.
But what happens if this is instead written as 192.168.0.0/16, which also covers the WAN? Let’s try it.
In this case the result is as follows.
| Flow | Result |
|---|---|
| Ping from PC-A to PC-B | OK |
| Ping from PC-A to a PC on the same segment | NG |
When split tunneling is used with AnyConnect, the routes defined for split tunneling are installed in the SSL-VPN client’s routing table. However, if (as in this experiment) the client’s own segment is included in the split-tunnel ACL, traffic to that segment is directed into the SSL-VPN tunnel, and the result is that the local segment becomes unreachable. I have not found a document that describes this as intended behavior, but when writing the split-tunnel ACL it may be wise to take care not to unintentionally include the SSL-VPN client’s network when summarizing… (if there is a proper way to handle this, I would very much like to know.)
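The following helper, an added example written for this article and not part of the original post, checks a split-tunnel ACL in ASA standard-ACL syntax against the VPN client’s local subnet and reports every permit entry that would pull that subnet into the tunnel. The two ACL lines are constructed, using the article’s lab addresses (the LAN-only entry and the aggregated 192.168.0.0/16 entry); the client LAN is the article’s WAN segment.

```python
"""Added example: find split-tunnel ACL entries that swallow the client's own LAN."""
import ipaddress
import re

# Constructed config fragment in ASA syntax (ASA standard ACLs take a real
# netmask, not a wildcard mask): the LAN-only entry and the aggregated one.
CONFIG = """
access-list SPLIT_TUNNEL_LAN standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_AGG standard permit 192.168.0.0 255.255.0.0
"""

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+standard\s+(permit|deny)\s+(.+?)\s*$")


def acl_network(spec: str) -> ipaddress.IPv4Network:
    """Turn a standard-ACL address spec ('any', 'host A', 'A MASK') into a network."""
    parts = spec.split()
    if parts[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def split_tunnel_networks(config: str, acl_name: str) -> list[ipaddress.IPv4Network]:
    """Collect the permit networks of the named split-tunnel ACL."""
    nets = []
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and m.group(1) == acl_name and m.group(2) == "permit":
            nets.append(acl_network(m.group(3)))
    return nets


def entries_covering_client_lan(config: str, acl_name: str, client_lan: str) -> list[str]:
    """Return ACL networks that overlap the client's local segment (empty = safe)."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [str(n) for n in split_tunnel_networks(config, acl_name) if n.overlaps(lan)]


if __name__ == "__main__":
    # PC-A sits on the article's WAN segment, 192.168.253.0/24.
    for acl in ("SPLIT_TUNNEL_LAN", "SPLIT_TUNNEL_AGG"):
        hits = entries_covering_client_lan(CONFIG, acl, "192.168.253.0/24")
        print(f"{acl}: {'covers client LAN via ' + ', '.join(hits) if hits else 'ok'}")
```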
Troubleshooting
If it doesn’t work after configuring everything… you can troubleshoot with debug and show commands. Also, if the SSL-VPN connection itself is established but traffic does not flow (packets are being dropped somewhere), you can run packet-tracer with a source and destination to find out where that flow is being dropped. Below is an example packet-tracer command. The ICMP message type is chosen arbitrarily.