A Remote Access VPN connection profile defines the characteristics that allow external users to create a VPN connection to the system using the AnyConnect client. Each profile defines the AAA servers and certificates used for authenticating users, the address pool for assigning users IP addresses, and the group policies that define various user-oriented attributes.
You can create multiple profiles within the RA VPN configuration if you need to provide variable services to different user groups, or if you have various authentication sources. For example, if your organization merges with a different organization that uses different authentication servers, you can create a profile for the new group that uses those authentication servers.
An RA VPN connection profile allows your users to connect to your inside networks when they are on external networks, such as their home network. Create separate profiles to accommodate different authentication methods.
Before you begin
Before configuring the remote access (RA) VPN connection:
- The outside interface, the one that terminates remote access VPN connections, cannot also have a management access list that allows HTTPS connections. Delete any HTTPS rules from the outside interface before configuring RA VPN. See the "Configuring the Management Access List" section in the "System Settings" chapter of Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version X.Y.
- Create an RA VPN configuration. See Create an RA VPN Configuration.
- On the CDO navigation pane, click VPN > Remote Access VPN Configuration.
You can click a VPN configuration to view the summary information on how many connection profiles and group policies are currently configured.
- Click the connection profile and under Actions in the sidebar at the right, click Add Connection Profile.
- Configure the basic connection attributes.
- Connection Profile Name: The name for this connection, up to 50 characters without spaces. For example, MainOffice.
Note: The name you enter here is what users will see in the connection list in the AnyConnect client. Choose a name that will make sense to your users.
- Group Alias, Group URL: Aliases contain alternate names or URLs for a specific connection profile. VPN users can choose an alias name in the AnyConnect client in the list of connections when they connect to the FTD device. The connection profile name is automatically added as a group alias.
You can also configure the list of group URLs, which your endpoints can select while initiating the Remote Access VPN connection. If users connect using the group URL, the system will automatically use the connection profile that matches the URL. This URL would be used by clients who do not yet have the AnyConnect client installed.
Add as many group aliases and URLs as required. These aliases and URLs must be unique across all connection profiles defined on the device. Group URLs must start with https://.
- For example, you might have the alias Contractor and the group URL https://ravpn.example.com/contractor. Once the AnyConnect client is installed, the user would simply select the group alias in the AnyConnect VPN drop-down list of connections.
- Configure the primary and optionally, secondary identity sources.
These options determine how remote users authenticate to the device to enable the remote access VPN connection. The simplest approach is to use AAA only and then select an AD realm or use the LocalIdentitySource. You can use the following approaches for Authentication Type:
- AAA Only: Authenticate and authorize users based on username and password. For details, see Configure AAA for a Connection Profile.
- Client Certificate Only: Authenticate users based on client device identity certificate. For details, see Configure Certificate Authentication for a Connection Profile.
- AAA and Client Certificate: Use both username/password and client device identity certificate.
- Configure the address pool for clients. The address pool defines the IP addresses that the system can assign to remote clients when they establish a VPN connection. For more information, see Configure Client Address Pool Assignment.
- Click Continue.
- Select the Group Policy to use for this profile from the list and click Select.
The group policy sets terms for user connections after the tunnel is established. The system includes a default group policy named DfltGrpPolicy. You can create additional group policies to provide the services you require.
Note: If the group policy you need does not yet exist, create the group policy on the Objects page and then associate the policy to the RA VPN configuration. For detailed information about group policies, see Create New RA VPN Group Policies.
- Click Continue.
- Review the summary and verify that it is correct.
You can see what end-users need to do to initially install the AnyConnect software and test that they can complete a VPN connection.
Click to copy the instructions to the clipboard, and then distribute them to your users.
- Click Done.
Ensure that traffic is allowed in the VPN tunnel, as explained in Allow Traffic Through the Remote Access VPN.
Configure AAA for a Connection Profile
Authentication, Authorization, and Accounting (AAA) servers use username and password to determine if a user is allowed access to the remote access VPN. If you use RADIUS servers, you can distinguish authorization levels among authenticated users, to provide differential access to protected resources. You can also use RADIUS accounting services to keep track of usage.
When configuring AAA, you must configure a primary identity source. Secondary and fallback sources are optional. Use a secondary source if you want to implement dual authentication, for example, using RSA tokens or DUO.
Primary Identity Source Options
- Primary Identity Source for User Authentication: The primary identity source used for authenticating remote users. End users must be defined in this source or the optional fallback source to complete a VPN connection. Select one of the following:
- An Active Directory (AD) identity realm. If the realm you need does not yet exist, click Create New Identity Realm.
- A RADIUS server group.
- LocalIdentitySource (the local user database): You can define users directly on the device and not use an external server.
- Fallback Local Identity Source: If the primary source is an external server, you can select the LocalIdentitySource as a fallback in case the primary server is unavailable. If you use the local database as a fallback source, ensure that you define the same local usernames/passwords as the ones defined in the external server.
- Strip options: A realm is an administrative domain. Enabling the following options allows the authentication to be based on the username alone. You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.
- Strip Identity Source Server from Username: Whether to remove the identity source name from the username before passing the username on to the AAA server. For example, if you select this option and the user enters domain\username as the username, the domain is stripped off from the username and sent to AAA server for authentication. By default, this option is unchecked.
- Strip Group from Username: Whether to remove the group name from the username before passing the username on to the AAA server. This option applies to names given in the username@domain format; the option strips the domain and @ sign. By default, this option is unchecked.
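The following Python model, added here as an illustration and not Cisco code, shows what the two strip options do to the name a user types before it is forwarded to the AAA server, and flags the caveat above about servers that cannot parse delimiters. The sample logins are constructed.

```python
"""Model of the two "Strip ... from Username" options on an RA VPN
connection profile. Added illustration, not Cisco code; it follows the
option descriptions above (domain\\username and username@domain)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class StripOptions:
    # "Strip Identity Source Server from Username": drop the domain\ prefix.
    strip_identity_source_server: bool = False
    # "Strip Group from Username": drop the @domain suffix.
    strip_group: bool = False


def username_for_aaa(entered: str, opts: StripOptions) -> str:
    """Return the username as it would be forwarded to the AAA server.

    With both options off (the default) the string is sent untouched.
    The two delimiters are handled independently, so CORP\\jdoe@example.com
    collapses to jdoe only when both options are enabled.
    """
    name = entered
    if opts.strip_identity_source_server and "\\" in name:
        # Keep only the part after the last backslash: CORP\jdoe -> jdoe
        name = name.rsplit("\\", 1)[1]
    if opts.strip_group and "@" in name:
        # Keep only the part before the first @: jdoe@example.com -> jdoe
        name = name.split("@", 1)[0]
    return name


def strip_warnings(opts: StripOptions, server_parses_delimiters: bool) -> list:
    """Return configuration warnings for the caveat stated above: a server
    that cannot parse delimiters needs both check boxes selected."""
    warnings = []
    if not server_parses_delimiters and not (
        opts.strip_identity_source_server and opts.strip_group
    ):
        warnings.append(
            "AAA server cannot parse delimiters: select both "
            "'Strip Identity Source Server' and 'Strip Group'"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample logins; the table shows what reaches the AAA server.
    both = StripOptions(strip_identity_source_server=True, strip_group=True)
    for login in ("jdoe", "CORP\\jdoe", "jdoe@example.com", "CORP\\jdoe@example.com"):
        print(f"{login:28} -> {username_for_aaa(login, both)}")
```

Run it with a single option enabled to see that a name carrying both delimiters still reaches the server with the other delimiter intact, which is why both boxes are required for a server that cannot parse them.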
Secondary Identity Source
- Secondary Identity Source for User Authorization: The optional second identity source. If the user successfully authenticates with the primary source, the user is prompted to authenticate with the secondary source. You can select an AD realm, RADIUS server group, or the local identity source.
- Advanced options: Click the Advanced link and configure the following options:
- Fallback Local Identity Source for Secondary: If the secondary source is an external server, you can select the LocalIdentitySource as a fallback in case the secondary server is unavailable. If you use the local database as a fallback source, ensure that you define the same local usernames/passwords as the ones defined in the secondary external server.
- Use Primary Username for Secondary Login: By default, when using a secondary identity source, the system will prompt for both username and password for the secondary source. If you select this option, the system prompts for the secondary password only and uses the same username for the secondary source that was authenticated against the primary identity source. Select this option if you configure the same usernames in both the primary and secondary identity sources.
- Username for Session Server: After successful authentication, the username is shown in events and statistical dashboards, is used for matching user- or group-based SSL decryption and access control rules, and is used for accounting. Because you are using two authentication sources, you need to tell the system whether to use the Primary or Secondary username as the user identity. By default, the primary name is used.
- Password Type: How to obtain the password for the secondary server. The default is Prompt, which means the user is asked to enter the password.
Select Primary Identity Source Password to automatically use the password entered when the user authenticated to the primary server.
Select Common Password to use the same password for every user, then enter that password in the Common Password field.
- Authorization Server: The RADIUS server group that has been configured to authorize remote access VPN users.
After authentication is complete, authorization controls the services and commands available to each authenticated user. Authorization works by assembling a set of attributes that describe what the user is authorized to perform, their actual capabilities, and restrictions. If you do not use authorization, authentication alone provides the same access to all authenticated users. For information on configuring RADIUS for authorization, see Control User Permissions and Attributes Using RADIUS and Group Policies.
Note that if the system obtains authorization attributes from the RADIUS server that overlap those defined in the group policy, the RADIUS attributes override the group policy attributes.
- Accounting Server: (Optional.) The RADIUS server group to use to account for the remote access VPN session.
Accounting tracks the services users are accessing as well as the number of network resources they are consuming. The FTD device reports user activity to the RADIUS server. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the service used, and the duration of each session. You can then analyze the data for network management, client billing, or auditing. You can use accounting alone or together with authentication and authorization.
Configure Certificate Authentication for a Connection Profile
Note: This section does not apply when the Authentication Type is AAA Only.
You can use certificates installed on the client device to authenticate remote access VPN connections.
When using client certificates, you can still configure a secondary identity source, fallback source, and authorization and accounting servers. These are AAA options; for details, see Configure an RA VPN Connection Profile.
Following are the certificate-specific attributes. You can configure these attributes separately for primary and secondary identity sources. Configuring a secondary source is optional.
- Username from Certificate: Select one of the following:
- Map Specific Field: Use the certificate elements in the order of Primary Field and Secondary Field. The defaults are CN (Common Name) and OU (Organizational Unit). Select the options that work for your organization. The fields are combined to provide the username, and this is the name used in events, dashboards, and for matching purposes in SSL decryption and access control rules.
- Use entire DN (distinguished name) as username: The system automatically derives the username from the DN fields.
- Advanced options (not applicable when the Authentication Type is Client Certificate Only):
Click the Advanced link and configure the following options:
- Prefill username from certificate on user login window: Whether to fill in the username field with the retrieved username when prompting the user to authenticate.
- Hide username in login window: If you select the Prefill option, you can hide the username, which means the user cannot edit the username in the password prompt.
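The following Python example, added here and not Cisco code, derives the username from a certificate subject in the two ways the "Username from Certificate" options describe: the entire DN, or the primary and secondary fields (CN and OU by default). The subject DNs are constructed RFC 4514 strings. The page says the mapped fields are "combined"; the join rule used below (primary value followed by secondary value, no separator) is an assumption to confirm against your device before relying on the derived name in access control rules.

```python
"""Derive the VPN username from a client certificate subject, following
the "Username from Certificate" options above. Added illustration, not
Cisco code: the subject DNs are constructed RFC 4514 strings, and the
join rule for Map Specific Field (primary value followed by secondary
value, no separator) is an assumption to confirm on your device."""

from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs in order.

    Backslash escapes are honoured, so 'O=Example\\, Inc.' stays one RDN
    instead of being split at the comma.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def first_value(pairs: List[Tuple[str, str]], attr: str) -> Optional[str]:
    """First value of the named attribute, or None if the subject lacks it."""
    for a, v in pairs:
        if a == attr.upper():
            return v
    return None


def username_from_certificate(subject_dn: str, mode: str = "map",
                              primary: str = "CN", secondary: str = "OU") -> str:
    """mode="entire_dn" mirrors 'Use entire DN as username';
    mode="map" mirrors 'Map Specific Field' with the given primary and
    secondary fields (CN and OU are the defaults named above)."""
    if mode == "entire_dn":
        return subject_dn
    if mode != "map":
        raise ValueError(f"unknown mode {mode!r}")
    pairs = parse_dn(subject_dn)
    p_val = first_value(pairs, primary)
    s_val = first_value(pairs, secondary)
    if p_val is None and s_val is None:
        # Failure mode worth catching in the CA's certificate profile:
        # a subject with neither mapped field yields no username at all.
        raise ValueError(
            f"subject {subject_dn!r} has neither {primary} nor {secondary}"
        )
    # ASSUMPTION: fields are concatenated primary-then-secondary.
    return (p_val or "") + (s_val or "")


if __name__ == "__main__":
    # Constructed subject, as a client certificate issued to a user might carry.
    subject = "CN=jdoe,OU=Engineering,O=Example\\, Inc.,C=US"
    print(username_from_certificate(subject))                    # jdoeEngineering
    print(username_from_certificate(subject, mode="entire_dn"))
```

Because the derived name is what events, dashboards, SSL decryption and access control rules key on, issue client certificates with the mapped fields populated consistently; a subject that carries neither field is rejected here rather than silently mapped to an empty name.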
Configure Client Address Pool Assignment
There must be a way for the system to provide an IP address to endpoints that connect to the remote access VPN. The address can come from the AAA server, a DHCP server, an IP address pool configured in the group policy, or an IP address pool configured in the connection profile. The system tries these sources in that order and stops when it obtains an available address, which it then assigns to the client. Thus, you can configure multiple options to create a failsafe in case of an unusual number of concurrent connections.
Use one or more of the following methods to configure the address pool for a connection profile.
- IPv4 Address Pool and IPv6 Address Pool: First, create up to six network objects that specify subnets. You can configure separate pools for IPv4 and IPv6. Then, select these objects in the IPv4 Address Pool and IPv6 Address Pool options, either in the group policy or in the connection profile. You do not need to configure both IPv4 and IPv6; configure the addressing scheme you want to support.
You also do not need to configure the pool in both the group policy and the connection profile. The group policy overrides the connection profile settings, so if you configure the pools in the group policy, leave the options empty in the connection profile.
Note that the pools are used in the order in which you list them.
- DHCP Servers: First, configure a DHCP server with one or more IPv4 address ranges for the RA VPN (you cannot configure IPv6 pools using DHCP). Then, create a host network object with the IP address of the DHCP server. You can then select this object in the DHCP Servers attribute of the connection profile. You can configure more than one DHCP server.
If the DHCP server has multiple address pools, you can use the DHCP Scope attribute in the group policy that you attach to the connection profile to select which pool to use. Create a host network object with the network address of the pool. For example, if the DHCP pool contains 192.168.15.0/24 and 192.168.16.0/24, setting the DHCP scope to 192.168.16.0 will ensure that an address from the 192.168.16.0/24 subnet will be selected.
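The following Python simulation, added here and not Cisco code, models the address selection order described in this section: an AAA-assigned address first, then DHCP (honouring the group policy's DHCP Scope), then the group policy pools, then the connection profile pools, with pools tried in the order listed and the connection profile pool acting as the failsafe once the group policy pool is exhausted. Pool sizes, DHCP ranges and session counts are constructed.

```python
"""Simulation of the client address selection order described above:
an address from the AAA server, then DHCP, then the group policy pools,
then the connection profile pools, stopping at the first source that
yields one. Added illustration, not Cisco code; pool sizes, DHCP ranges
and session counts are constructed."""

import ipaddress
from typing import Iterable, Optional, Tuple


class Pool:
    """One address-pool network object; hands out host addresses in order."""

    def __init__(self, cidr: str):
        self.network = ipaddress.ip_network(cidr)
        self._hosts = self.network.hosts()

    def allocate(self) -> Optional[str]:
        addr = next(self._hosts, None)
        return None if addr is None else str(addr)


class DhcpServer:
    """DHCP server with one or more IPv4 ranges (no IPv6, as noted above)."""

    def __init__(self, ranges: Iterable[str]):
        self.pools = {ipaddress.ip_network(r): Pool(r) for r in ranges}

    def lease(self, scope: Optional[str] = None) -> Optional[str]:
        # The group policy's DHCP Scope names the network address of the
        # range to draw from; without it, the first range with space wins.
        candidates = list(self.pools.items())
        if scope is not None:
            scope_addr = ipaddress.ip_address(scope)
            candidates = [(n, p) for n, p in candidates if scope_addr in n]
        for _, pool in candidates:
            addr = pool.allocate()
            if addr is not None:
                return addr
        return None


def assign_client_address(*, aaa_assigned: Optional[str] = None,
                          dhcp: Optional[DhcpServer] = None,
                          dhcp_scope: Optional[str] = None,
                          group_policy_pools: Iterable[Pool] = (),
                          profile_pools: Iterable[Pool] = ()
                          ) -> Tuple[Optional[str], Optional[str]]:
    """Return (source, address); (None, None) means every source is exhausted
    and the client's connection attempt fails for lack of an address."""
    if aaa_assigned:
        return "aaa", aaa_assigned
    if dhcp is not None:
        addr = dhcp.lease(dhcp_scope)
        if addr is not None:
            return "dhcp", addr
    for source, pools in (("group-policy", group_policy_pools),
                          ("connection-profile", profile_pools)):
        for pool in pools:  # pools are tried in the order they are listed
            addr = pool.allocate()
            if addr is not None:
                return source, addr
    return None, None


def simulate_sessions(count: int) -> list:
    """Which source serves each of `count` concurrent sessions when the group
    policy pool is small and the connection profile pool acts as failsafe."""
    group_policy_pools = [Pool("10.10.1.0/30")]   # 2 usable hosts
    profile_pools = [Pool("10.10.2.0/29")]        # 6 usable hosts
    return [
        assign_client_address(group_policy_pools=group_policy_pools,
                              profile_pools=profile_pools)[0]
        for _ in range(count)
    ]


if __name__ == "__main__":
    print(simulate_sessions(9))
    # DHCP scope selecting the second of two server ranges, as in the example above.
    dhcp = DhcpServer(["192.168.15.0/24", "192.168.16.0/24"])
    print(assign_client_address(dhcp=dhcp, dhcp_scope="192.168.16.0"))
```

The ninth session in the simulation gets no address at all, which is the condition the "failsafe" advice above is meant to avoid: size the pools for peak concurrent sessions, and treat an exhausted-pool event as a capacity alarm rather than an isolated client problem.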