How to Protect Cisco Firepower Threat Defense (FTD) VPN with AnyConnect using Duo

[Matt] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to integrate Duo with Cisco Firepower Threat Defense SSL VPN to add tokenless two-factor authentication to AnyConnect VPN logins. Before watching this video, please read our documentation for integrating with Firepower Threat Defense, also known as FTD, at While this video will focus on the AnyConnect login experience, note that this configuration also protects web-based VPN logins using our automatic push or phone call functionality. Duo multi-factor authentication for FTD supports push, phone call, or passcode authentication for AnyConnect desktop, AnyConnect mobile client, or browser VPN connections that use SSL encryption.

This configuration does not feature the interactive Duo Prompt for web-based logins, but it does capture client IP information for use with Duo policies when the user logs in with AnyConnect. Learn more about policies at This video will walk you through adding two-factor authentication via RADIUS to your FTD using the Firepower Management Center, also known as FMC. These instructions assume you already have a functioning FTD Remote Access SSL VPN deployment using an existing AAA authentication server. Duo RADIUS two-factor authentication requires FTD and FMC versions 6.3.0 or newer. To integrate Duo with your Cisco FTD, you will need to install a local proxy service on a system within your network. This Duo proxy server also acts as a RADIUS server. There is usually no need to deploy a separate RADIUS server to use Duo. Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems.

The proxy can be installed on a physical or virtual host. We recommend a system with at least one CPU, 200 megabytes of disk space, and four gigabytes of RAM. In this video, we'll deploy the proxy on a Windows system. After preparing your proxy system, you need to create your Cisco FTD application in Duo. Open a web browser and log in to the Duo Admin Panel. In the left sidebar, click Applications. Then click Protect an Application. In the search bar, type in Cisco Firepower. Next to the entry for Cisco Firepower Threat Defense VPN, click Protect this application. This brings you to your new application's properties page. This page contains your integration key, secret key, and API hostname. You'll need these during setup. At the top of the properties page, click the link to open the Cisco FTD documentation. Next, install the Duo Authentication Proxy. On the system you want to install the proxy on, navigate to the Install the Duo Authentication Proxy section of the Cisco FTD documentation.

Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation. After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them.

Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor, like WordPad, as an administrator and open the configuration file. By default, this file is stored in C:\Program Files (x86)\Duo Security Authentication Proxy\conf. Since this is a completely new installation of the proxy, there may be example content in the configuration file. You can delete this content. First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an ad_client section to the top of the configuration file. Add the host parameter and enter the hostname or IP address of your domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.

Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in. Optional parameters for this section are described in the documentation. Next, configure your proxy for your Cisco FTD. Create a radius_server_auto section beneath the ad_client section. Add the integration key, secret key, and API hostname from your Cisco FTD application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your Cisco FTD VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your FTD VPN. Add the client parameter and enter ad_client. Optional parameters for the radius_server_auto section are described in the documentation. Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
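The following is an added example, not part of the video or Duo's own tooling: it embeds a constructed authproxy.cfg that mirrors the ad_client and radius_server_auto sections described above (every value is a placeholder) and checks it for the parameters the walkthrough adds, the client cross-reference, and a well-formed radius_ip_1 before you start the service. The check_authproxy_cfg function and the sample values are assumptions for illustration.

```python
import configparser
import ipaddress

# Constructed sample that mirrors the walkthrough; every value is a placeholder.
SAMPLE_CFG = """[ad_client]
host=dc1.example.corp
service_account_username=duo-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=corp

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=203.0.113.10
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
client=ad_client
"""

# Parameters the walkthrough adds to each section.
REQUIRED = {
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
    "radius_server_auto": ("ikey", "skey", "api_host",
                           "radius_ip_1", "radius_secret_1", "client"),
}


def check_authproxy_cfg(text: str) -> list[str]:
    # interpolation=None so a '%' inside a secret is not treated as a format token
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append(f"[{section}] {key} is missing or empty")
    if cfg.has_section("radius_server_auto"):
        rs = cfg["radius_server_auto"]
        client = rs.get("client", "")
        if client and not cfg.has_section(client):
            problems.append(f"client={client} refers to a section that does not exist")
        try:  # accepts a single address or a CIDR block
            ipaddress.ip_network(rs.get("radius_ip_1", ""), strict=False)
        except ValueError:
            problems.append("radius_ip_1 is not a valid IP address")
    return problems
```

An empty list means every required parameter is present; run it against your real conf\authproxy.cfg contents before net start DuoAuthProxy.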

If you modify your proxy configuration file after initial setup, you will need to stop and restart the Duo Authentication Proxy service or process for your change to take effect. Next, configure your Cisco FTD VPN using FMC. Log into the FMC console that manages your FTD SSL VPN devices. Navigate to Objects > Object Management > RADIUS Server Group. Click Add RADIUS Server Group. In the Name field, enter a descriptive name such as Duo_RADIUS. In the Description field, enter some informative text about the server group. Leave Group Accounting Mode set to Single. Leave the Retry Interval set to 10. You do not need to select a realm. Do not enable authorize only, interim account update, or dynamic authorization.

In the RADIUS Servers section, click the green plus sign to add a RADIUS server. In the IP Address/Hostname field, enter the fully-qualified hostname or IP address of your Duo Authentication Proxy server. Leave the Authentication Port field set to 1812. In the Key field, enter the shared secret used in your proxy configuration. Re-enter the secret in the Confirm Key field. The accounting port defaults to 1813. This will not impact your configuration because the Duo Authentication Proxy does not support RADIUS accounting. In the Timeout field, enter 60. Next to Connect using, select either Routing or Specific Interface. In this example, we will use Routing. Reference the documentation for more information on these settings. The Redirect ACL option should only be configured when using FTD with Cisco Identity Services Engine, or ISE. In this example, ISE ACLs are not used. Click Save. Then click Save again to create the new Duo RADIUS Server Group. Next, change the Remote Access VPN Authentication Method to Duo RADIUS.

Navigate to Devices > VPN > Remote Access. Click on the VPN configuration you want to add Duo protection to. While viewing the Connection Profiles tab for the selected VPN configuration, click the pencil icon on the far right to edit the connection profile that you want to start using the Duo RADIUS AAA server group. On the Edit Connection Profile form, click the AAA tab. Change the Authentication Server from the existing selection to the Duo RADIUS server group you created earlier. You typically do not need to select an Authorization Server or Accounting Server.

Do not configure the Password Management options. Click the Save button on the Edit Connection Profile form. Click the Save button in the upper right corner of the FMC console window. Next, deploy your changes to FTD devices. Click the Deploy button in the top right of the FMC console. Select the FTD device or devices to which you want to push the new Remote Access VPN config with Duo.

Click the Deploy button. A notification will appear when the deployment is successful. Finally, test your setup. Launch the AnyConnect client and select the VPN profile that now uses Duo RADIUS authentication. To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo with an authentication device. When you enter your username and password, you will receive an automatic push or phone callback. As the example user has already installed and activated Duo Mobile on a smartphone, you will receive a push notification. Open the notification on the smartphone, check the contextual information to confirm the login is legitimate, and tap the green button to accept. You are then logged in. You have successfully protected Cisco FTD with Duo.
