Configuring Single Sign-On for VPN

Single Sign-On for NAC Appliance with Cisco VPN gives the user a login experience similar to AD SSO. With IPsec or SSL VPN access, the user is still prompted for a VPN username and password. After the VPN concentrator authenticates the user against its RADIUS server, it sends a RADIUS accounting start packet to the NAC Appliance Server; NAC Appliance uses the user and session information in that packet to sign the user on and assign the appropriate user role, so the user is not prompted a second time by NAC Appliance. Figure 11-34 shows the NAC Appliance and Cisco VPN test network diagram.
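The accounting exchange described above, written out as an added example that is not code from the book or from Cisco: it builds the RADIUS Accounting-Request (Start) that the VPN concentrator sends after a successful login and shows the shared-secret check the receiving side must perform before it trusts the user name and assigned address in the packet. The packet layout and the Request Authenticator computation follow RFC 2865 and RFC 2866; the secret, user name, session ID and Class value are constructed for the example, and the addresses are taken from Figure 11-34 (ASA inside interface 192.168.20.3, a client address from the 192.168.30.x VPN pool). Note the naming clash: in RADIUS terms the "NAS" (NAS-IP-Address) is the access device, here the ASA, not the NAC Appliance Server.

```python
# Added example (not from the book or Cisco): the RADIUS Accounting-Request (Start)
# that the VPN concentrator sends to the NAC Appliance Server after a successful
# login, and the shared-secret check the receiver performs before trusting it.
# Packet layout and authenticator rules follow RFC 2865/2866.
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                 # RADIUS Code for Accounting-Request

# Attribute types (RFC 2865/2866)
USER_NAME = 1
NAS_IP_ADDRESS = 4               # RADIUS "NAS" = the access device (the ASA), not the NAC server
FRAMED_IP_ADDRESS = 8
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44

ACCT_START = 1
ACCT_STOP = 2


def _avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length includes the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_start(secret, identifier, user, framed_ip, nas_ip, session_id, class_value):
    """Build an Accounting-Request (Start) as the ASA would after a VPN user logs in."""
    attrs = (
        _avp(USER_NAME, user.encode())
        + _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
        + _avp(CLASS, class_value)
        + _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
        + _avp(ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_acct_request(packet, secret):
    """Verify the Request Authenticator with the shared secret, then return the
    fields a NAC server needs to map the VPN session to a user. Raises ValueError
    on a malformed packet or a wrong secret, so nothing is trusted before the check."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    if expected != authenticator:
        raise ValueError("Request Authenticator mismatch: wrong shared secret or forged packet")

    fields = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 3 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == USER_NAME:
            fields["user"] = value.decode()
        elif attr_type == FRAMED_IP_ADDRESS:
            fields["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == NAS_IP_ADDRESS:
            fields["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == CLASS:
            fields["class"] = value
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            status_code = struct.unpack("!I", value)[0]
            fields["status"] = {ACCT_START: "Start", ACCT_STOP: "Stop"}.get(status_code, "Other")
        elif attr_type == ACCT_SESSION_ID:
            fields["session_id"] = value.decode()
    return fields


# Constructed sample values: addresses follow Figure 11-34, everything else is made up.
SHARED_SECRET = b"nac-asa-secret"   # must be identical on the ASA and the NAS


def demo():
    """Round-trip one accounting start from the ASA (192.168.20.3) for user jdoe."""
    packet = build_acct_start(SHARED_SECRET, 7, "jdoe", "192.168.30.101",
                              "192.168.20.3", "0x1A2B", b"role=employee")
    return parse_acct_request(packet, SHARED_SECRET)


if __name__ == "__main__":
    print(demo())
    try:
        parse_acct_request(build_acct_start(SHARED_SECRET, 8, "jdoe", "192.168.30.101",
                                            "192.168.20.3", "0x1A2C", b"x"), b"wrong-secret")
    except ValueError as exc:
        print("rejected:", exc)
```

The authenticator is an MD5 over the packet and the secret, which is all the integrity RADIUS accounting offers: a packet from an unconfigured source, or one built with a different secret, fails the check and must be dropped before any of its fields are used. In practice that means the NAS should accept accounting only from the ASA's address with a strong, unique secret, since anyone who can spoof that source and knows the secret can sign a VPN session on as any user.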

Figure 11-34 Deploying NAC over VPN

[Figure 11-34 is a network diagram; the labels below are what survives of it.]

Remote Client PC: 10.10.10.10/24
ASA-5510 FW/VPN: Eth0/0 (Outside) 10.10.10.1/24; Eth0/1 (Inside) 192.168.20.3/24; VPN IP pool 192.168.30.100-200
NAC Appliance Server (NAS), Layer 3 In-Band, Virtual Gateway (VGW): Eth0 (Trusted) 192.168.20.2/24; Eth1 (Untrusted) VLAN 199, 192.168.0.1/24
3550_core (Layer 3 switch), VLAN 10: 192.168.10.1/24
NAC Appliance Manager: 192.168.10.100/24
Active Directory / DNS Server: 192.168.10.110/24
ACS RADIUS: 192.168.10.111/24

The VPN SSO setup in this test network consists of the following components:

• Cisco Adaptive Security Appliance (ASA) 5510 running software release 7.2.2, with the SSLVPN tunnel client image sslclient-win-1.1.3.173.pkg. Adaptive Security Device Manager (ASDM) 5.2.2 is used to configure the ASA 5510.

• Remote client PC has NAC Agent installed.

Only In-Band mode supports VPN SSO at the time of this writing.

The following is a high level summary for configuring SSO over Cisco VPN:

Step 1 Configure the RADIUS server (ACS Server). Add users and authentication, authorization, and accounting (AAA) clients (ASA, NAM, and NAS).

Step 2 Set up SSLVPN in the ASA-5510. Add ACS to ASA for RADIUS authentication. Add NAS as the RADIUS accounting server.

Step 3 Configure NAS to support VPN SSO.

Detailed design and configuration of Cisco SSLVPN services is outside the scope of this book. Therefore, only the VPN configuration portions that interact with NAC Appliance are demonstrated. For a basic VPN setup reference, see the following Cisco.com configuration example: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml.

ACS Setup

In this test network, Cisco ACS is used as the back-end RADIUS authentication server. VPN users and RADIUS clients must be added. Figure 11-35 shows the added RADIUS clients.

Figure 11-35 Added AAA Clients

ASA-5510 VPN Setup

Here's a summary of enabling SSLVPN in the ASA appliance. Again, not all the SSLVPN setup steps are shown. ASDM is used to configure ASA.

Step 1 Enable WebVPN for the Outside interface. Figure 11-36 shows enabling WebVPN.

Figure 11-36 Enabling WebVPN Services on the Outside Interface Using the ASDM GUI

Step 2 Load and enable the SSLVPN tunnel client. Figure 11-37 shows the loading of the SSLVPN tunnel client.

Figure 11-37 SSLVPN Client Image Must Be Loaded into the ASA Appliance

[ASDM 5.2 screenshot, connected to the ASA at 192.168.20.3, Configuration > VPN > WebVPN > SSLVPN Client: the SSL VPN Client section lists the loaded image disk0:/sslclient-win-1.1.3.173.pkg.]

Step 3

Go to the IP address assignment section. Select Use Internal Address Pools and create your IP address pools. Figure 11-38 shows the creation of IP address pools.

Figure 11-38 Creating IP Address Pools for SSLVPN Users

Step 4 Next, go to the AAA server section and create the RADIUS authentication server group. Figure 11-39 shows the creation of the AAA server group.

Figure 11-39 Creating the AAA Server Group

Step 5 Now a RADIUS server (192.168.10.111) must be added to the AAA server group. Figure 11-40 shows the addition of a RADIUS server.

Figure 11-40 Defining the RADIUS Server Under the AAA Server Group

Step 6 Next, a RADIUS accounting server group must be created so that the ASA VPN concentrator sends a RADIUS accounting start packet to the NAS. The NAS uses the user and session information in that packet to perform Single Sign-On and to assign the user role. Figure 11-41 shows adding a RADIUS accounting group called NAS_Accounting.

Figure 11-41 Adding a RADIUS Accounting Group

Step 7 The RADIUS accounting server, which is NAS 192.168.20.2, must be added to the NAS_Accounting RADIUS accounting group. Figure 11-42 shows the addition of NAS as the RADIUS accounting server.

Figure 11-42 Adding NAS as the RADIUS Accounting Server

Step 8 The WebVPN tunnel policy must select the NAS_Accounting group. Figure 11-43 shows the selection of the NAS_Accounting group.

Figure 11-43 Associating the NAS_Accounting Group to the WebVPN Tunnel Policy

[ASDM Edit Tunnel Group dialog: Name DefaultWEBVPNGroup, Type webvpn; General tab > Accounting sub-tab, Accounting Server Group set to NAS_Accounting.]
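The ASDM steps above, collapsed into the equivalent ASA 7.2 CLI as an added example; this is not configuration taken from the book or from Cisco. The interface names, addresses, pool range, client image and tunnel-group name are the ones shown on the page; the server-group names, the two shared secrets and the accounting port are assumptions for illustration.

```text
! Added example: ASA 7.2 CLI equivalent of Steps 1-8 (not from the book).
! Group names, secrets and the accounting port are illustrative assumptions;
! interface names, addresses and the image file are from Figure 11-34 and Step 2.

! Step 3: address pool handed out to SSL VPN clients
ip local pool SSLVPN_POOL 192.168.30.100-192.168.30.200 mask 255.255.255.0

! Steps 4-5: ACS (192.168.10.111) is the RADIUS authentication server
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.168.10.111
 key <acs-shared-secret>

! Steps 6-7: the NAC Appliance Server trusted interface (192.168.20.2) receives
! RADIUS accounting only. The key must match the one entered on the NAS for this
! ASA, and accounting-port must match the port the NAS listens on (1813 assumed
! here; verify it against the NAS VPN settings, since the ASA default is 1646).
aaa-server NAS_Accounting protocol radius
aaa-server NAS_Accounting (inside) host 192.168.20.2
 key <nas-shared-secret>
 accounting-port 1813

! Steps 1-2: WebVPN on the Outside interface with the SSLVPN tunnel client image
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc enable

! Step 8: tie authentication, accounting and the pool to the WebVPN tunnel group
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool SSLVPN_POOL
 authentication-server-group ACS_RADIUS
 accounting-server-group NAS_Accounting
```

After applying it, show aaa-server NAS_Accounting on the ASA should report the NAS host as ACTIVE, and a test VPN login should produce one accounting start toward 192.168.20.2 (visible with debug radius). If the NAS never signs the user on, the usual causes are a shared-secret mismatch, a wrong accounting port, or the ASA not being listed as a RADIUS client on the NAS, all of which make the NAS silently drop the packet.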