topic Re: Cisco FMC and SAML in Network Security

Cisco FMC and SAML

Imm — Fri, 30 Sep 2022 09:22:46 GMT

Hello,

We have Cisco FMC\FTD (Version is 7.0.1) integrated with Azure SAML for Anyconnect MFA, also done integration with Active Directory for other purposes. Authentication works, I can connect to the Anyconnect. But now I need to also provide Authorization (For example, User1 must have access to some servers, but User2 doesn't). How I can do this?

When I add Authorization in Profile settings, then Authentication is failed.

How I can configure Azure SAML + Authorization by AD Groups?

Re: Cisco FMC and SAML

Aref Alsouqi — Fri, 30 Sep 2022 08:36:09 GMT

Good question! I don't think AD can provide any type of authorization, I think you would need to use a RADIUS server to set those attributes. Do you have any RADIUS server in your environment?

Re: Cisco FMC and SAML

Imm — Fri, 30 Sep 2022 09:26:19 GMT

Yes, I have Windows NPS Radius Server, which we use for WIFI-Authentication. Also we have Cisco ACS, but we use it just for TACACS.

Re: Cisco FMC and SAML

Aref Alsouqi — Fri, 30 Sep 2022 09:32:00 GMT

I would recommend using ACS, set up the authorization rules to match the users based on their AD group, or even usernames, and then associate the rules with dACLs where you can define their access level. I would also turn on CoA on the FTD and configure the ACS as the authorization server. Also, please keep in mind that you can actually use the ACS for both authentication and authorization, in that case the FTD will point to the ACS and then the ACS will check the users identities against the AD.

Re: Cisco FMC and SAML

Imm — Fri, 30 Sep 2022 09:42:08 GMT

But If I use ACS also for authentication, then I need to integrate ACS with Azure-SAML, correct?

Re: Cisco FMC and SAML

Aref Alsouqi — Fri, 30 Sep 2022 10:05:07 GMT

Yeah that's right, however, to keep things simple, you can leave the authentication as is and just use ACS for authorization.

Re: Cisco FMC and SAML

Imm — Fri, 30 Sep 2022 10:20:39 GMT

Yes, as I see ACS doesn't support SAML.

I will try, thanks.

Re: Cisco FMC and SAML

Aref Alsouqi — Fri, 30 Sep 2022 11:41:31 GMT

I didn't know that, thanks for sharing and you're welcome.

Re: Cisco FMC and SAML

Marvin Rhoads — Fri, 30 Sep 2022 16:40:15 GMT

If you have a RADIUS server (NPS, ISE, old ACS etc.) you can use it for Authorization separately from the Azure AD you use for Authentication via the SAML method.

ISE TME Jason Maynard has created a YouTube video demonstrating the procedure step-by-step:

https://www.youtube.com/watch?v=gcIQL2VJoR0

Re: Cisco FMC and SAML

Imm — Fri, 30 Sep 2022 19:13:16 GMT

I will try dACL, as has suggested Aref Alsouqi, because I don't have ISE and unfortunatelly ACS doesn't has capavilities of ISE.

I'm not sure why FTD Anyconnect bypass traffic after SAML Authentication... But with dACL I can configure some kind of restricted accesses. But in this case I will lose NGFW capabilities of FTD (I mean, for example, IPS), am I correct?

Re: Cisco FMC and SAML

Marvin Rhoads — Sun, 02 Oct 2022 03:11:18 GMT

ACS is capable of applying Authorization results based on a RADIUS authentication.

Even if you apply a dACL you still retain the ability to inspect traffic with the full capabilities of the FTD.

Re: Cisco FMC and SAML

Imm — Mon, 24 Oct 2022 15:09:46 GMT

Hello,

I have additional question:

I just will do authorization trough Cisco ACS for providing limited accesses (dACL) and then I will create one rule on FMC itself with "monitor" in Action field and apply, for example, IPS, correct?

Re: Cisco FMC and SAML

Imm — Wed, 26 Oct 2022 12:07:12 GMT

I configured our FMC in several ways:

1 - I configured Radius Server object on FMC, enable\disabled Dynamic Authentication, but nothing works. On Radius server itself I see next logs:

ACSVersion=acs-5.8.0.32-B.442.x86_64 : ConfigVersionId=140 : Device Port=61652 : RadiusPacketType=AccessRequest : Protocol=Radius : Called-Station-ID=95.*.*.246 : CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name=Anyconnect : AD-User-Candidate-Identities=irakli.gvishiani@*.com : StepData=9=Irakli.Gvishiani@*.com : StepData=10=*.com : StepData=11=*.com : StepData=13=STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,irakli.gvishiani@*.com : Device IP Address=172.31.254.253

2 - I configured Radius Server object on FMC and enable just Authorization (Authorize only), but nothing works. On Radius server itself I see next logs:

ACSVersion=acs-5.8.0.32-B.442.x86_64 : ConfigVersionId=141 : Device Port=61652 : RadiusPacketType=AccessRequest : Protocol=Radius : Service-Type=Authorize Only : Called-Station-ID=95.*.*.246 : CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name=Anyconnect : DetailedInfo=UserName or Password is missing : Device IP Address=172.31.254.253

Re: Cisco FMC and SAML

Imm — Wed, 26 Oct 2022 12:18:38 GMT

Also in Authentication I see that username appeared with domain postfix, can It be problem?

Because also I use Tacacs for User Authentication\Authorization for Device Access and there usernames are without domain postfix:

Re: Cisco FMC and SAML

Imm — Fri, 28 Oct 2022 10:47:44 GMT

Have anybody already done SAML + Authorization by AD Groups somehow?