Introduction
This document explains how to establish Cisco ASA SSL/IPSEC VPN federation with the PureAUTH Identity Platform and make Cisco AnyConnect authentication passwordless.
Prerequisites
- Cisco ASDM connected to the ASA firewall.
- A valid CA signed device certificate for the firewall / Self signed device certificate installed in client machines.
- A SSH connection to the Firewall.
Creating a new AnyConnect Profile
- Open ASDM and connect to the ASA firewall using your admin account.
- Go to the configuration tab.
- Go to the Remote Access VPN Page.
- Create a new AnyConnect Connection profile using the AnyConnect VPN wizard.
- Select AAA as the authentication, skip the SAML authentication configuration.
- Complete the Profile creation and apply the changes.
- Note the Profile name, we will need it Later.
Adding Cisco ASA application on PureAUTH
- Visit live.pureauth.io
- Enter your Organization ID or Organization Email
- You will receive an email on the organization’s email with a Login link.
- Click on the Login link, you will be logged in into the PureAUTH portal.
- Click on the Applications tab.
- And then click on the Add application button.
- You will see the list of applications, click on Create Custom application.
Application Form:
- Enter your application name
- Select Primary ( Corporate Email ) in Dataset for Email field
- In the “SAML Response Endpoint (ACS URL)” text box, enter the URL using the pattern:
https://<your cisco server fqdn>/+CSCOE+/saml/sp/acs?tgname=<Tunnel_group_name/Connection_profile_name>Example:
- In the “Audience” text box, enter the URL using Pattern:
https://<your cisco server fqdn>/saml/sp/metadata/<Tunnel_group_name/Connection_profile_name>Example:
- To check and verify the metadata, you can go to the above (Audience) URL in a browser.
- In the “SAML Logout Response Endpoint” field, enter the URL using the following pattern.
https://<your cisco server fqdn>/+CSCOE+/saml/sp/logout- Toggle the “Sign Assertion” checkbox to “ON”.
- Save the changes.
Note: PureAUTH SAML settings will be required in the future.
Adding SAML Application Certificate in ASA
- Connect to the ASA firewall using SSH, Run the following commands:
- enable
- config t
- crypto ca trustpoint pureauth-saml
- revocation-check none
- no id-usage
- enrollment terminal
- no ca-check
- crypto ca authenticate pureauth-saml
- —–BEGIN CERTIFICATE—–
- …
- PEM Certificate Text from PureAUTH portal
- …
- —–END CERTIFICATE—–
- quit
- wr
Configuring SAML Authentication Server
- Open your ASDM and connect to Cisco ASA firewall.
- Go to the configuration tab.
- Go to the Remote Access VPN page.
- In AnyConnect Connection Profiles, select the newly created profile and click edit.
- Click “Manage” under SAML Identity Provider.
- Click on Add to create a new IDP configuration.
- Set IDP entity ID as Issuer URL provided by PureAUTH.
- Set Sign In URL as SAML Login URL Provided by PureAUTH. Remove the HTTPS:// From the URL. Select https protocol from the dropdown.
- Set Sign In URL as SAML Logout URL Provided by PureAUTH. Remove the HTTPS:// From the URL. Select https protocol from the dropdown.
- Set the Base URL as your ASA FQDN. Select the correct protocol from the dropdown.
- Select the pureauth-saml Certificate from the dropdown that we had created using CLI in Identity Provider Certificate Field.
- Select a device certificate in the Service Provider Certificate Field.
- Set Request signature to res-sha256.
- Set a request timeout in seconds (Optional) (1000-4000) This can help if a CSRF error presents.
- Set clock Skew (Optional). This can help if a CSRF error presents.
- Click OK.
- In the SAML Server field, select the newly created server from the dropdown.
- On the Left pane, go to Advanced->Group Alias/Group URL.
- Add a Group URL. You can use this URL in AnyConnect to use Passwordless Authentication.
- Click OK and Apply the settings.
- You should Now be able to use passwordless Authentication.
This is how it works!
Further Assistance
For further information or assistance, please contact PureID support team : support@pureid.io.