Remote Access using Clientless VPN (source: d2zmdbbm9feqrf.cloudfront.net/2013/eur/pdf/brksec-2697.pdf)
TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2097 Cisco Public
Remote Access using Clientless VPN
Thorsten Rosendahl
BRKSEC-2097
Agenda
• Integrate
• Enable IT
• Add real Users
This Breakout
• Will cover
‒ ASA as the Headend
‒ Clientless Access
…with focus on 9.0 Release
• Won’t cover
‒ IOS headends
‒ The AnyConnect Client (BRKSEC-3033)
‒ Cisco Secure Desktop
The embedded videos are available at http://ciscosales.webex.com/meet/trosenda
Cisco Secure Desktop
The following features are deprecated (November 20, 2012):
‒ Secure Desktop (Vault)
‒ Cache Cleaner
‒ Keystroke Logger Detection (KSL)
‒ Host Emulation Detection
http://www.cisco.com/en/US/docs/security/csd/csd36/public_notices/vault_cc_ksl_host_emulation_deprecat_notice.html
Hardware Overview
• Every ASA can handle Clientless SSL VPN
• A 5505 can handle up to 25 Sessions
• A 5585 can handle up to 10,000 Sessions
• As rewriting of Content occurs, CPU is more important than throughput
Software Licensing
• We need a DES (K8) and/or 3DES (K9) License
• We need an “AnyConnect Premium” License, as this enables Clientless (default 2 per chassis)
• Premium and Essentials can *not* run concurrently
Client(less) Requirements

Browser support (minimum version):
                 Firefox   Chrome   IE       Safari
Windows XP       3+        6+       6/7/8
Windows Vista    3+        6+       7/8/9
Windows 7        3+        6+       8/9
Windows 8        tbd       tbd      tbd      tbd
MacOS X          3+        6+                3/4/5
Linux            3+
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

Client-side components:
                 Plugins                          Smart Tunnels                      Port Forwarding
                 ActiveX (32bit) / Java 1.4-1.7   x86/64 only, no Itanium or PPC     32 bit only
Windows XP       ✓                                ✓                                  ✓
Windows Vista    ✓                                ✓                                  ✓
Windows 7        ✓                                ✓                                  -
Windows 8        tbd                              tbd                                tbd
MacOS X          ✓                                ✓                                  ✓
Fedora Core 4    -                                -                                  ✓
Overview (diagram)
Browser --https--> ASA --> internal resources:
  http[s]
  ftp/cifs
  Smart tunnels: TCP
  Port forwarding: TCP
  Plugins: ssh, telnet, rdp, vnc, citrix
Secure Sockets Layer (SSL) Overview
• A “Secure Protocol” developed by Netscape for secure e-commerce.
• SSL 2.0 was released in 1994, but had flaws and was replaced by SSL 3.0. Transport Layer Security (TLS) was published in 1999 and continued to evolve.
• Creates a tunnel between web browser and web server: authenticated and encrypted (RC4, 3DES, DES, AES)
• https:// usually runs over TCP/443; a closed lock indicates SSL-enabled!
• Refer to RFC 2246 for TLS 1.0, RFC 4346 (2006) for TLS 1.1 and RFC 5246 (2008) for TLS 1.2
SSL on ASA
ssl-lab# show crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 null-sha1
SSL trust-points:
outside interface: ASDM_TrustPoint0
Certificate authentication is not enabled
ssl-lab#
The output shows the parameters that identify the protocol, encryption algorithm and hash function.
Content Transformation Engine
Rewrites HTML[5], Java, JavaScript, Flash, SVG, CSS
Example* of a request and response passing the ASA (backend server 10.1.1.66):
  Browser -> ASA:    GET /intranetsite/index.html HTTP/1.0
  ASA -> Server:     GET /index.html HTTP/1.0
  Server -> ASA:     <a href="/about.html">About</a>
  ASA -> Browser:    <a href="/intranetsite/about.html">About</a>
* Very Simplified statement
Content Transformation Engine: Server Certificate Validation (ASA v9.0), new commands
ssl-lab(config-webvpn)# ssl-server-check ?
webvpn mode commands/options:
  deny-on-failure  Disconnect the connection and show the denying page to end users on failure of verification
  warn-on-failure  Show the warning page to end users on failure of verification
ssl-lab(config)# crypto ca trustpool ?
configure mode commands/options:
  policy  Define trustpool policy
exec mode commands/options:
  export  Export a trustpool bundle
  import  Import a trustpool bundle
  remove  Remove a trustpool certificate
ssl-lab(config)#
Files Access (diagram)
Browser -> ASA: GET /+CSCOE+/files/browse.html?code=init&path=cifs%3A%2F%2F31302E312E312E3636%2FC%24 HTTP/1.1
ASA -> file server: the share is addressed through the encoded path %3A%2F%2F31302E312E312E3636 (the host 10.1.1.66 written as hex-encoded ASCII)
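The encoded path above is what shows up in webvpn captures and logs, so a reviewer wants to turn it back into the share the user browsed. Added example, not Cisco's code: it decodes and re-encodes the `path` parameter exactly as the request line on this slide shows it (percent-encoded share URL, host as hex ASCII); `query_param`, `decode_webvpn_path` and `encode_webvpn_path` are names chosen here.

```python
from urllib.parse import urlsplit, unquote, quote


def query_param(url, name):
    """Return one query parameter, percent-decoded (unquote, not unquote_plus:
    a '+' in a share path is literal, not a space)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    raise KeyError(name)


def decode_webvpn_path(browse_url):
    """Decode the 'path' parameter of a /+CSCOE+/files/browse.html request.

    cifs://10.1.1.66/C$ travels as cifs%3A%2F%2F31302E312E312E3636%2FC%24:
    the whole share URL is percent-encoded and the host is hex-encoded ASCII.
    """
    raw = query_param(browse_url, "path")          # e.g. cifs://31302E312E312E3636/C$
    scheme, _, rest = raw.partition("://")
    host_hex, _, share_path = rest.partition("/")
    try:
        host = bytes.fromhex(host_hex).decode("ascii")
    except ValueError:
        host = host_hex    # assumption: a non-hex host is kept literally
    return {"scheme": scheme, "host": host, "path": "/" + share_path}


def encode_webvpn_path(scheme, host, path):
    """Reverse of decode_webvpn_path: the 'path' value the portal would send."""
    host_hex = host.encode("ascii").hex().upper()
    return quote(f"{scheme}://{host_hex}{path}", safe="")


# Constructed request line, laid out like the one on this slide.
REQUEST_LINE = ("GET /+CSCOE+/files/browse.html?code=init"
                "&path=cifs%3A%2F%2F31302E312E312E3636%2FC%24 HTTP/1.1")


def share_from_request_line(request_line):
    """Pull the browsed share out of a captured HTTP request line."""
    _method, url, _version = request_line.split(" ", 2)
    return decode_webvpn_path(url)


if __name__ == "__main__":
    info = share_from_request_line(REQUEST_LINE)
    print(f"{info['scheme']}://{info['host']}{info['path']}")   # cifs://10.1.1.66/C$
```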
Overview (diagram): Plugins and Smart Tunnels
Browser -> ASA: GET /+CSCOE+/tunnel_mac.jnlp?… HTTP/1.1 (Java) or GET /+CSCOE+/relayocx.html?p=w32 HTTP/1.1 (ActiveX)
The Java/ActiveX component is delivered to the browser; the tunnelled connections (TCP/22, TCP/3389, etc.) are relayed by the ASA to the backend, again addressed as %3A%2F%2F31302E312E312E3636
Plugins
• “In Browser Access” to rdp, ssh, vnc, citrix resources
• No Need for an Application on the Client, just java/active-x
• Supported on Windows and Mac OS X platforms only.
Smart Tunnels: Use Cases
• For Web Applications/Bookmarks if CTE fails (shouldn’t happen)
• For Non-Web-Applications, TCP only, like: Telnet, Passive FTP, SSH, RDP, VNC, VMWare View (rdp, not PCoIP); but the Application has to reside on the Endpoint.
• Supported on Windows and Mac OS X platforms only.
• Supported on x86 and x64 architectures only
• Requires Active X or Java enabled browsers.
• Better Performance than Plugins
Port Forwarding
• “Legacy” method, kept for compatibility
• Application on end System needs to be reconfigured
• Smart tunnels offer better Performance
• Smart tunnels do not need Admin privileges

First Time Setup
CLI Config Overview
webvpn
 enable outside
group-policy it internal
group-policy it attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
 exit
exit
tunnel-group it type remote-access
tunnel-group it general-attributes
 default-group-policy it
tunnel-group it webvpn-attributes
 group-alias it enable
 group-url https://10.1.30.254/it enable

Connection Profile / tunnel-group
• Group Policies: what can be done during a session (ACL, Times, Portal, Customization, …)
• Connection Profiles: what is needed to establish a session (AAA, Username Mapping, Alias, URL, …) …and map that back to a group
Connection Profile settings (screenshots):
• DNS lookup for the Clients
• Group Policy
• Primary Authentication
• If (Client) Certificates are used for authentication.
• Secondary (double) authentication: with secondary authentication enabled, the User *must* present two sets of credentials
• Authorization: the authorization Server takes precedence over “Secondary Authentication Server -> Attribute Server”
• How Clients connect: an Alias which appears in the drop down list, or a Direct URL (like apache vhosts)

Group Policies
Let’s rollout to some users
Group Policy settings (screenshots):
• Assign an ACL; inherit from DfltGrpPolicy
• WEB ACL: allows filtering on URLs with wildcard support (smart-tunnel is a URL as well), and filtering on IP Address and Service
• Portal Policy: Freedom vs. Workload? Assign a bookmark list* (* dedicated (next) Chapter)
• Smart Tunnels: Include / Exclude / All; define a list of Application(s)
• Smart Tunnel Entry: Windows / Mac; full Path for Mac; Name of Process (Parent)
• Group Policy, More Options, Customization: apply Customization (this is Portal only)
Single Sign-on: 3 Methods Available
• Auto Sign-On
• External SSO Servers
• Kerberos Constrained Delegation (Global)
Auto Sign-On
• Submits static Clientless SSL Login credentials to
‒ Web Servers, ftp/cifs shares, Webapps with smart tunnels, plugins
• Supports
‒ Basic, NTLMv1, FTP or CIFS authentication, HTTP Form*
• Can use double authentication when users are authenticated by OTP or Certificates
External SSO Servers
• SAML 1.1 (Browser) Post Profile (push, != pull)
‒ ASA plays the role of asserting party (sends assertions), the SAML Server that of relying party; hence the ASA cannot accept assertions (Novell Identity Manager)
‒ SAML1 Federated/Trust component is not supported
‒ Only a Single Cookie Domain is supported
• Works with RSA ClearTrust, CA Siteminder, Entrust GetAccess (cookies CTSESSION, SMSESSION, AUTH_SESSION_ID) and SAML cookie
Kerberos Constrained Delegation - KCD
• Global configuration
• Useful to extend Certificate- and OTP-based authentication methods to web applications.
Flow (diagram; parties: Client, ASA, Kerberized Server, Domain Controller (KDC)):
1. Client -> ASA: Login, Access URL
2. ASA -> Kerberized Server: GET
3. Kerberized Server -> ASA: Challenge, SPNEGO
4. ASA -> KDC: Request impersonate Ticket
5. KDC -> ASA: Return Ticket with User authorization Data
6. ASA -> KDC: Request Service Ticket
7. KDC -> ASA: Return Service Ticket
8. ASA -> Kerberized Server: Use Service Ticket
9. Kerberized Server -> ASA: Reply
10. ASA -> Client: Reply
Per User editable Bookmarks (screenshot)
• smb or ftp: Username:password@host:port/path
• Storage Key to encrypt data

Bookmarks
• Bookmarks are organized into Lists: more convenient to end users
• Bookmark Lists can be assigned to group(s)
Bookmarks: ASA v9.0 added 2 new Types
• URL with GET or POST method
• Predefined Application Templates, HTML form auto-submit
URL with GET or POST method (screenshot): create a meaningful Title, enter the URL, for POST define the Parameters
Predefined Application Templates (screenshot): select a Predefined App; predefined Templates for well known Applications prepopulate settings.
Outlook Web Access (screenshot): create a meaningful Title, optional Icon, http/https, Host Name (see next slide), select Application
Variables
Variable Name:
CSCO_WEBVPN_USERNAME
CSCO_WEBVPN_PASSWORD
CSCO_WEBVPN_INTERNAL_PASSWORD
CSCO_WEBVPN_CONNECTION_PROFILE
CSCO_WEBVPN_PRIMARY_USERNAME
CSCO_WEBVPN_PRIMARY_PASSWORD
CSCO_WEBVPN_SECONDARY_USERNAME
CSCO_WEBVPN_SECONDARY_PASSWORD
CSCO_WEBVPN_MACRO1
CSCO_WEBVPN_MACRO2
See Connection Profile / Customization to enable
Outlook Web Access (screenshot): auto appended; predefined; from previous screen
VIDEO WALK THROUGH

Customization
Is divided into 5 Main Parts
• General
• Logon Page
• Portal Page
• Logout Page
• External Portal Page
External Portal Page (screenshot): will be enabled in the Connection Profile
External Portal with new Bookmark Methods
Adding a second Group
Combining What we have seen so far: Enabling Users to access Outlook Web Access only
• Create a new Customization which enables “External Portal Page”
• Setup URL with “Predefined Application Templates”
• Create a Group Policy which only allows OWA
• Create a Connection Profile which accepts https://ssl-lab.cisco.com/owa
(Screenshots: only the first time; from there on)
Group Policy / Connection Profile
access-list owa_only webtype permit url https://mail.cisco.com/* log default
access-list owa_only webtype deny url any log default
!
group-policy owa internal
group-policy owa attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value owa_only
  customization value owa
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
!
tunnel-group owa_only type remote-access
tunnel-group owa_only general-attributes
 authentication-server-group LDAP
 default-group-policy owa
tunnel-group owa_only webvpn-attributes
 group-alias owa enable
 group-url https://ssl-lab.cisco.com/owa enable
!

VIDEO WALK THROUGH
A word about (Web)ACLs
• Remember that many emails contain html links nowadays
• The above might be too restrictive
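To see how restrictive the owa_only ACL is before rolling it out, it helps to run candidate links through it. Added example, not Cisco's code: it parses the two webtype entries from the config above and evaluates URLs first-match with `*` as wildcard and an implicit deny at the end; `parse_webtype_acl`, `evaluate_url` and `check_links` are names chosen here, and all hosts except mail.cisco.com are constructed placeholders.

```python
import fnmatch
import re

# The webtype ACL from the OWA-only group policy on this page.
OWA_ONLY_ACL = """\
access-list owa_only webtype permit url https://mail.cisco.com/* log default
access-list owa_only webtype deny url any log default
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+webtype\s+(?P<action>permit|deny)\s+url\s+(?P<url>\S+)")


def parse_webtype_acl(text):
    """Turn 'access-list <name> webtype permit|deny url <pattern>' lines into (action, pattern)."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m["action"], m["url"]))
    return entries


def evaluate_url(entries, url):
    """First matching entry wins; 'any' matches everything, '*' matches any run of characters.
    No match means deny: the explicit 'deny url any' only makes that visible in the logs."""
    for action, pattern in entries:
        if pattern == "any" or fnmatch.fnmatchcase(url, pattern):
            return action
    return "deny"


def check_links(entries, links):
    """Verdict per link, e.g. for every link found in a mail body."""
    return {link: evaluate_url(entries, link) for link in links}


# Constructed links as they might appear in a mailbox (not from the slides).
MAIL_LINKS = [
    "https://mail.cisco.com/owa/",
    "https://mail.cisco.com/owa/attachment.ashx?id=1",
    "http://mail.cisco.com/owa/",                   # plain http: the pattern says https
    "https://intranet.example.test/policy.html",    # link inside an email body
]

if __name__ == "__main__":
    for link, verdict in check_links(parse_webtype_acl(OWA_ONLY_ACL), MAIL_LINKS).items():
        print(f"{verdict:6} {link}")
```

Two of the four links are denied, which is the point of the slide: the mail itself loads, but every link inside it that points somewhere else, and even the plain-http variant of the OWA host, is blocked by this ACL.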
Tips
Little Troubleshooting tips
Familiarize yourself with working examples of
  debug webvpn [chunk|cifs|citrix|failover|html|javascript|request|response|transformation|url|util|xml]
Notice that there is a capture type “webvpn”. This capture should be used for a particular User, not all traffic. Unzipping the capture requires the password “koleso” (no quotes).
The extracted files have the following naming format:
  <request number>-<response/request files/log>-<front-end|backend><0-original content | 1-content after transfer encoding>
For example, let's suppose we need to look at captures for the very first request. We need to look for file names starting with "1-":
  1-req-f0 - request received by WebVPN from the browser
  1-req-b0 - request sent to the backend server
  1-res-b0 - response WebVPN received from the backend server
  1-res-f0 - response after transformer
  1-res-f1 - response after transformer sent to the browser with transfer encoding applied by ASA (gzip, chunked)
  1-log - log entries for the request
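An unzipped webvpn capture of a busy session is a flat directory of such files, so a small helper that sorts them per request and points at the pair to diff saves time. Added example, not Cisco's code: it implements the naming convention listed above; `describe`, `group_by_request` and `transformer_pairs` are names chosen here, the log file is assumed to be named `<n>-log`, and the file listing is constructed.

```python
import re
from collections import defaultdict

# File name layout documented on this slide: <request number>-<req|res|log>[-<f|b><0|1>]
NAME_RE = re.compile(r"^(?P<num>\d+)-(?P<kind>req|res|log)(?:-(?P<side>[fb])(?P<stage>[01]))?$")

# Meaning of each (kind, side, stage) combination, as listed on the slide.
ROLE = {
    ("req", "f", "0"): "request received by WebVPN from the browser",
    ("req", "b", "0"): "request sent to the backend server",
    ("res", "b", "0"): "response WebVPN received from the backend server",
    ("res", "f", "0"): "response after transformer",
    ("res", "f", "1"): "response after transformer, sent to the browser with transfer encoding (gzip, chunked)",
    ("log", None, None): "log entries for the request",
}


def describe(name):
    """(request number, role) for one capture file name, or None if it is not one."""
    m = NAME_RE.match(name)
    if not m:
        return None
    key = (m["kind"], m["side"], m["stage"])
    if key not in ROLE:
        return None            # e.g. 1-req-f1: not a combination the ASA writes
    return int(m["num"]), ROLE[key]


def group_by_request(names):
    """Group capture files per request number so one transaction can be read end to end."""
    groups = defaultdict(dict)
    for name in names:
        info = describe(name)
        if info:
            num, role = info
            groups[num][name] = role
    return dict(groups)


def transformer_pairs(names):
    """Per request: the backend response and the transformed response, i.e. the two files
    to diff when the Content Transformation Engine mangled a page."""
    pairs = {}
    for num, files in group_by_request(names).items():
        before, after = f"{num}-res-b0", f"{num}-res-f0"
        if before in files and after in files:
            pairs[num] = (before, after)
    return pairs


# Constructed listing of an unzipped capture (not from the slide); request 2 is incomplete.
CAPTURE_FILES = ["1-req-f0", "1-req-b0", "1-res-b0", "1-res-f0", "1-res-f1", "1-log",
                 "2-req-f0", "2-req-b0", "2-res-b0", "2-log", "README.txt"]

if __name__ == "__main__":
    for num, files in sorted(group_by_request(CAPTURE_FILES).items()):
        print(f"request {num}:")
        for name, role in files.items():
            print(f"  {name:10} {role}")
    print("diff these:", transformer_pairs(CAPTURE_FILES))
```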
AAA

                 local   Radius   LDAP   Tacacs+   NT Domain   SDI   Kerberos   HTTP Form
Authentication   Y       Y        Y      Y         Y           Y     Y          Y
Authorization    Y*      Y        Y      N         N           N     N          N
Accounting       N       Y        N      Y?        N           N     N          N
LDAP
• ASA supports LDAP v3 with plain text and SASL
• SASL supports Digest-MD5 and Kerberos (GSSAPI)
• Tested with Java System Directory Server, MS-AD, Novell, OpenLDAP
• To learn the LDAP Structure and for troubleshooting see http://www.softerra.com or use LDP.exe (Windows 2008)
• We will walk through the Active Directory Configuration now
For the Active Directory Admin it looks like (screenshot)
We have to deal with (screenshot): where we find Users; a sample Attribute
Where we find Users (screenshot): MS AD in this example. As MS requires a Login, enter a valid User. N.B.: Administrator is for LAB use only
LDAP bind
debug ldap enabled at level 100
ssl-lab#
[422] Session Start
[422] New request Session, context 0x00007fff2ef348f8, reqType = Authentication
[422] Fiber started
[422] Creating LDAP context with uri=ldap://10.1.1.66:389
[422] Connect to LDAP server: ldap://10.1.1.66:389, status = Successful
[422] supportedLDAPVersion: value = 3
[422] supportedLDAPVersion: value = 2
[422] Binding as Administrator
[422] Performing Simple authentication for Administrator to 10.1.1.66
[422] LDAP Search:
Base DN = [CN=Users,DC=duslab,DC=cisco,DC=com]
Filter = [sAMAccountName=trosenda]
Scope = [SUBTREE]
[422] User DN = [CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com]
[422] Talking to Active Directory server 10.1.1.66
[422] Reading password policy for trosenda, dn:CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com
[422] Read bad password count 0
LDAP Attributes
[422] Binding as trosenda
[422] Performing Simple authentication for trosenda to 10.1.1.66
[422] Processing LDAP response for user trosenda
[422] Message (trosenda):
[422] Authentication successful for trosenda to 10.1.1.66
[422] Retrieved User Attributes:
[TRUNCATED TO FIT SCREEN]
[422] cn: value = thorsten rosendahl
[422] sn: value = rosendahl
[422] givenName: value = thorsten
[422] distinguishedName: value = CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com
[TRUNCATED TO FIT SCREEN]
[422] displayName: value = thorsten rosendahl
[422] uSNCreated: value = 20557
[422] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
[422] wWWHomePage: value = 10.1.1.66
[TRUNCATED TO FIT SCREEN]
[422] Fiber exit Tx=596 bytes Rx=2436 bytes, status=1
[422] Session End
LDAP Attribute Maps: Enabling ASA to parse & use Attributes existent in your Directory
• As LDAP does provide additional Attributes, we could use these to:
‒ Map LDAP Group Membership to Group Policy
‒ Map User Attributes to Bookmarks
• Goal is to let LDAP decide on the Group-Policy rather than hand out different URLs (/beta, /owa)
Attribute map configuration (screenshots):
• LDAP memberOf = Cisco Group Policy: start here
• Mapping the value as well: complete here
• Create a mapping: one by one
• Mapping a second Attribute: “Web page” in Microsoft view
• Picking up CSCO_WEBVPN_MACRO1 in Bookmarks: this String will resolve to an Address
Debug view
debug ldap enabled at level 100
ssl-lab#
[TRUNCATED]
[425] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
[425] mapped to Group-Policy: value = owa
[425] mapped to LDAP-Class: value = owa
[TRUNCATED]
[425] wWWHomePage: value = 10.1.1.66
[425] mapped to WebVPN-Macro-Substitution-Value1: value = 10.1.1.66
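The two mappings in this debug output (memberOf to Group-Policy with a value map, wWWHomePage passed through as the macro value, then CSCO_WEBVPN_MACRO1 substituted into a bookmark) can be modelled end to end. Added example, not Cisco's code and not the ASA's own matching logic: `parse_attributes`, `apply_attribute_map`, `expand_bookmark` and `resolve_user` are names chosen here, the debug excerpt is constructed in the layout of the output above, and "first mapped value wins" is this model's rule.

```python
import re

# Constructed excerpt in the layout of the 'debug ldap 100' output above; the
# CN=beta group is added to show a membership the map does not know about.
DEBUG_LDAP = """\
[422] cn: value = thorsten rosendahl
[422] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
[422] memberOf: value = CN=beta,CN=Users,DC=duslab,DC=cisco,DC=com
[422] wWWHomePage: value = 10.1.1.66
"""

ATTR_RE = re.compile(r"^\[\d+\] (?P<name>\w+): value = (?P<value>.*)$")


def parse_attributes(debug_text):
    """Collect 'name: value = ...' lines into {attribute: [values]}; memberOf is multi-valued."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m["name"], []).append(m["value"])
    return attrs


# Attribute map as configured in the screenshots: LDAP name -> (Cisco name, value map).
# A value map of None passes the LDAP value through unchanged.
ATTRIBUTE_MAP = {
    "memberOf": ("Group-Policy", {"CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com": "owa"}),
    "wWWHomePage": ("WebVPN-Macro-Substitution-Value1", None),
}


def apply_attribute_map(attrs, attribute_map=ATTRIBUTE_MAP):
    """Return {Cisco attribute: value} for every LDAP value the map knows.
    A group the map does not list (CN=beta) yields nothing, so that user ends up
    in the connection profile's default-group-policy instead."""
    mapped = {}
    for ldap_name, values in attrs.items():
        if ldap_name not in attribute_map:
            continue
        cisco_name, value_map = attribute_map[ldap_name]
        for value in values:
            if value_map is None:
                mapped.setdefault(cisco_name, value)
            elif value in value_map:
                mapped.setdefault(cisco_name, value_map[value])   # model rule: first mapped value wins
    return mapped


MACRO_NAMES = {"WebVPN-Macro-Substitution-Value1": "CSCO_WEBVPN_MACRO1",
               "WebVPN-Macro-Substitution-Value2": "CSCO_WEBVPN_MACRO2"}


def expand_bookmark(url_template, mapped):
    """Substitute CSCO_WEBVPN_MACRO1/2 in a bookmark URL with the mapped values."""
    for cisco_name, macro in MACRO_NAMES.items():
        if cisco_name in mapped:
            url_template = url_template.replace(macro, mapped[cisco_name])
    return url_template


def resolve_user(debug_text, bookmark="https://CSCO_WEBVPN_MACRO1/owa"):
    """(group-policy or None, expanded bookmark) for one user's debug output."""
    mapped = apply_attribute_map(parse_attributes(debug_text))
    return mapped.get("Group-Policy"), expand_bookmark(bookmark, mapped)


if __name__ == "__main__":
    print(resolve_user(DEBUG_LDAP))   # ('owa', 'https://10.1.1.66/owa')
```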
VIDEO WALK THROUGH

DAP
Dynamic Access Policies
• Based on AAA and/or Endpoint Attributes, DAPs can assign Access and Authorization Attributes.
• AAA examples: Cisco Username, LDAP memberOf, Radius 4097*
• Endpoint examples: OS, FW, AV, AS, HostName
• Access/Authorization Attribute examples: ACL, Bookmarks, Functions, Terminate/Continue
* DAP adds 4096 to the numerical Radius Attribute ID, i.e. 4097-4096=1=Access-Hours
Order of Enforcement (Overwrite* order, highest precedence first; the processing order runs the other way):
• Dynamic Access Policy (DAP)
• User Attributes
• Group-Policy Attributes
• Connection Profile
• Default Groups
* More Information: https://supportforums.cisco.com/docs/DOC-1369
Default Access Policy
• Is always the last entry
• The default action for DfltAccessPolicy is “Continue”
• As you go and add Policies, you should change it to “Terminate”
Challenge
• Active Directory Users are typically member of more than ONE group
• On ASA a user can only be member of a single group
• Dynamic Access Policies can multi-match and aggregate
(Screenshots: for each DAP record its Source, Condition and Action)
Debug DAP
debug dap trace enabled at level 1
ssl-lab#
The DAP policy contains the following attributes for user: jupp
--------------------------------------------------------------------------
1: url-list = engineering,marketing
2: action = continue
3: appl-acl = DAP-web-user-74CBC80D
rule 1: permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default
rule 2: permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default
DAP_TRACE: DAP_open: 7FFF32905670
[TRUNCATED]
DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Engineering
DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Marketing
[TRUNCATED]
DAP_TRACE: Username: jupp, Selected DAPs: ,engineering,marketing
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: jupp, dap_aggregate_attr: rec_count = 2
DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering] 11 128
DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering,marketing] 21 128
DAP_TRACE: Username: jupp, DAP_close: 7FFF32905670
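The multi-match and aggregation the trace shows for jupp (two selected records, one comma-joined url-list, two ACEs, action continue) is easy to reason about in a small model. Added example, not Cisco's code and not the ASA's real DAP engine: `matches` and `evaluate_dap` are names chosen here, the two records are constructed from the trace above, DfltAccessPolicy is set to terminate as the slide recommends, and "one terminating record terminates the session" is this model's assumption.

```python
# Constructed DAP records, mirroring the two policies selected in the trace above.
DAP_RECORDS = [
    {"name": "engineering", "action": "continue",
     "condition": {"aaa.ldap.memberOf": "Engineering"},
     "url-list": ["engineering"],
     "acl": ["permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default"]},
    {"name": "marketing", "action": "continue",
     "condition": {"aaa.ldap.memberOf": "Marketing"},
     "url-list": ["marketing"],
     "acl": ["permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default"]},
]

# DfltAccessPolicy is always the last entry and applies only when nothing else matched.
# Its action is "terminate" here, as the slide recommends once real policies exist.
DEFAULT_POLICY = {"name": "DfltAccessPolicy", "action": "terminate", "url-list": [], "acl": []}


def matches(record, session):
    """A record matches when every attribute in its condition is present in the session.
    Session attributes are lists, because memberOf carries one value per group."""
    return all(value in session.get(attr, []) for attr, value in record["condition"].items())


def evaluate_dap(session, records=DAP_RECORDS, default=DEFAULT_POLICY):
    """Select every matching record and aggregate their attributes, as the trace does."""
    selected = [r for r in records if matches(r, session)] or [default]
    url_list, acl = [], []
    for r in selected:                       # keep record order, drop duplicates
        url_list += [u for u in r["url-list"] if u not in url_list]
        acl += [a for a in r["acl"] if a not in acl]
    # Model assumption: one terminating record is enough to terminate the session.
    action = "terminate" if any(r["action"] == "terminate" for r in selected) else "continue"
    return {"selected": [r["name"] for r in selected],
            "action": action,
            "url-list": ",".join(url_list),
            "appl-acl": acl}


# Session attributes as the trace prints them for user jupp.
JUPP = {"aaa.cisco.username": ["jupp"], "aaa.ldap.memberOf": ["Engineering", "Marketing"]}

if __name__ == "__main__":
    result = evaluate_dap(JUPP)
    print("selected:", ",".join(result["selected"]))       # engineering,marketing
    print("url-list:", result["url-list"])                 # engineering,marketing
    for n, rule in enumerate(result["appl-acl"], 1):
        print(f"rule {n}: {rule}")
    print("action:", result["action"])                    # continue
```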
Aggregation Result
• User has 2 Bookmarks
• 2 ACE for the User

VDI Access for mobiles
Citrix Mobile Receiver: New in ASA v9.0
• This feature provides secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA.
• Supported Mobile Devices
‒ iPad: Citrix Receiver version 4.x or later
‒ iPhone/iTouch: Citrix Receiver version 4.x or later
‒ Android 2.x/3.x/4.0/4.1: Citrix Receiver version 2.x or later
Citrix Mobile Receiver: Implementation Details
• Only the default tunnel group is supported
• One XenApp or XenDesktop server at a time
• Requires the XML service on XenApp and XenDesktop servers
• No support for Certificates, Smart Cards, Double Authentication, Internal passwords, Group-URL
• Requires a trusted identity certificate for the ASA
Citrix Mobile Receiver Configuration (screenshot): this is your Citrix Server
First time Setup (screenshots): user adds an account; FQDN of ASA; choose Access Gateway; choose Standard Edition; enter Username
Every day experience (screenshots): enter Password; select your Desktop; XenDesktop session

Wrap up
IPv6
• IPv6 address for Endpoint and ASA
• Supported:
‒ Rewriter, Java Plug-ins
‒ Smart Tunnels for IPv6 aware applications
‒ Web-type ACL
‒ Auto Sign-On
• Unsupported:
‒ SSH / Telnet plug-in
‒ Port Forwarding, Email-Proxy, Proxy-Bypass
• Internal back-end resources still use IPv4
‒ Netfs / CIFS / SMB / FTP
‒ OCSP, CRL
‒ DNS, AAA Servers
Summary: We have seen
• The requirements to get started
• The Configuration of different groups with different Policies
• How AAA/LDAP can be used to assign these Policies
• The new Bookmark Methods
• How Customization can influence User experience
Recommended Reading for BRKSEC-2697

Call to Action
• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
• Get hands-on experience attending one of the Walk-in Labs
• Schedule a face to face meeting with one of Cisco’s engineers at the Meet the Engineer center
• Discuss your project’s challenges at the Technical Solutions Clinics