00:00:01 - Connection profiles, user profiles, and up to three
00:00:04 - individual group policies that can be applied to
00:00:07 - every single VPN.
00:00:09 - I've noticed that individuals normally fall into one of two
00:00:13 - camps with remote access VPNs.
00:00:15 - Camp number one, they ran a Wizard, the VPN's working, and
00:00:19 - they just pray nothing breaks.
00:00:21 - The second camp are people who understand the
00:00:24 - interrelationship of how the group
00:00:26 - policies all fit together.
00:00:27 - And as a result, they're much better implementers, and
00:00:30 - they're much better troubleshooters.
00:00:32 - My friend, welcome to camp number two.
00:00:34 - In this Nugget, we're going to identify exactly the
00:00:37 - interrelationship between the policies so that
00:00:39 - it won't be a mystery.
00:00:40 - And then as we begin to configure and implement the
00:00:43 - VPNs, we'll know exactly what fits and how to correct it if
00:00:47 - there's a problem.
00:00:48 - Let's jump in.
00:00:49 - In this Nugget, you and I get to dig a little bit deeper
00:00:52 - into the world of connection profiles.
00:00:54 - So maybe we have some users that are coming in from the
00:00:56 - internet trying to build remote access VPN connections.
00:01:00 - Perhaps this one's the clientless SSL.
00:01:05 - And maybe this is the AnyConnect SSL.
00:01:10 - And maybe this is the IPsec, using IPsec either with the
00:01:14 - AnyConnect client or with the legacy IPsec VPN client.
00:01:17 - Either way, those customers, as they come in, the ASA--
00:01:20 - when the packets first arrive, the ASA goes, hmm, I wonder
00:01:24 - how I should try to authenticate this user.
00:01:26 - Should I use the local database?
00:01:28 - Should I use a AAA server?
00:01:29 - I wonder.
00:01:30 - Well, the way it figures that out, the incoming connections
00:01:33 - are going to be associated with a connection
00:01:35 - profile on the ASA.
00:01:36 - Well, Keith, what if we didn't create
00:01:38 - any connection profiles?
00:01:40 - Then, my friend, it's going to use the default connection
00:01:42 - profile, which normally is not a good idea.
00:01:45 - So we'll take a look at how those operate for the initial
00:01:48 - connections.
00:01:49 - And then, below this green line right here, we'll take a
00:01:53 - look at the policies that we can apply to the VPN once we
00:01:56 - know who the user is.
00:01:58 - What do you mean, Keith, once we know who the user is?
00:01:59 - Well, let's say this is Bob.
00:02:01 - How do we know?
00:02:02 - Well, he connected using the connection profile.
00:02:04 - The ASA said, who are you?
00:02:06 - Bob put his username and password in.
00:02:08 - Now that we know who Bob is, now we can apply policy.
00:02:12 - Now, those policies could be lots of things.
00:02:15 - Well, Keith, could you give us an example?
00:02:17 - Sure, check this out.
00:02:19 - Let's say that it's a clientless VPN user, Bob.
00:02:22 - And we don't want him to go to .6.
00:02:25 - He can go to .5, he can go to .7 with HTTP.
00:02:29 - So we could set up what's called a Webtype ACL.
00:02:35 - And a Webtype ACL is for your clientless VPN user, so you
00:02:38 - can filter what they can get to or not get to once they
00:02:41 - have their VPN up.
00:02:43 - So maybe we give Bob a Webtype ACL that says, you are allowed
00:02:46 - to get to two or three or one of those
00:02:48 - servers and not the others.
00:02:50 - That would be one example.
00:02:51 - Another example might be, how many simultaneous connections
00:02:56 - can Bob log in as?
00:02:57 - Now, Bob, if he's a single user, maybe one's enough.
00:03:00 - But maybe, for whatever reason, we want to allow Bob
00:03:03 - to log in twice.
00:03:04 - Three is no good, twice is OK based on our policy.
00:03:07 - We can allow these simultaneous logins,
00:03:09 - simultaneous connections.
00:03:10 - That's another option we could've pushed down to him.
00:03:13 - Another thing we could specify is the
00:03:15 - maximum connection time.
00:03:16 - Maybe we say, hey Bob, when you're connected, the maximum
00:03:19 - connection time is going to be 33 minutes.
00:03:23 - I'm just making these up.
00:03:24 - It's just whatever policy you want to push down, you can
00:03:27 - once we know who that user is.
00:03:28 - So that's the objective of this Nugget
00:03:31 - is those three items.
00:03:32 - Number one, take a look at creating custom connection
00:03:35 - profiles, so we understand how to create them.
00:03:37 - Take a look at the defaults if we don't create any.
00:03:39 - And then the myriad of options for applying the policies to
00:03:43 - the user after we know who they are.
00:03:46 - I'd like you to pretend with me that we get to be the ASA.
00:03:50 - Boy, that's fun, we're an ASA, maybe a 5520 or a 5540 or the
00:03:54 - big boys or the little guy.
00:03:55 - Either way, we're an ASA and we are set up to support web
00:03:59 - VPN clients.
00:04:00 - So Bob here on the internet connects to us.
00:04:02 - What does that look and feel like?
00:04:04 - What protocol is at Layer 4?
00:04:06 - Let's start there.
00:04:07 - If it's going to be SSL, which the AnyConnect and the
00:04:11 - clientless VPN are going to be using, the inbound
00:04:14 - connection's going to be TCP and the destination port is
00:04:17 - going to be port number 443.
00:04:19 - That's just basic SSL.
00:04:20 - So when Bob connects with SSL, how does the ASA know how to
00:04:26 - authenticate Bob?
00:04:26 - Because there's lots of options.
00:04:28 - We could use the local database to authenticate Bob's
00:04:30 - username and password.
00:04:31 - We could use AAA services if it's configured.
00:04:35 - So how do we know?
00:04:36 - Well, the answer is, when that connection comes in, here's
00:04:38 - what the ASA thinks about.
00:04:40 - How did the user connect, is what the ASA says.
00:04:42 - Did the user go to a specific URL?
00:04:44 - For example, if this is the outside address, we could have
00:04:47 - a URL, a special URL called 192.168.1.171/custom--
00:04:56 - I'm just making this up here.
00:04:58 - So custom-url.
00:05:00 - HTTPS.
00:05:00 - And what we could say is, hey, if somebody connects to that
00:05:03 - URL, says that ASA, I know they're going to be inside of
00:05:07 - connection profile number one.
00:05:14 - We just link to that.
00:05:15 - So we can configure the ASA.
00:05:16 - And that way, you tell your users, here's the URL you
00:05:18 - connect to.
00:05:19 - And they'll automatically be connected through connection
00:05:22 - profile number one if they hit this URL.
00:05:24 - That's one option.
00:05:25 - Another option is we could just have Bob go ahead and hit
00:05:29 - the actual IP address with HTTPS.
00:05:33 - So go to that IP address right there.
00:05:35 - No URL at all.
00:05:37 - And we could give him a drop-down list.
00:05:38 - The drop-down list would tell you this.
00:05:40 - I've got all these options--
00:05:42 - number one, number two, number three, number four.
00:05:44 - And I could leave it up to Bob to go ahead and select.
00:05:47 - If Bob chooses four, maybe that's tied to connection
00:05:49 - profile four or some other name that I've created for a
00:05:52 - connection profile.
00:05:53 - And then I'll use that connection profile to do the
00:05:56 - authentication of Bob.
00:05:58 - So things like the AAA server group I'm going to use or the
00:06:01 - local database.
00:06:01 - How am I going to authenticate Bob?
00:06:03 - If it's a full tunnel client, what pool of addresses I'm
00:06:06 - going to give Bob and so forth.
00:06:08 - So that's how that works.
00:06:09 - The other option, the third option,
00:06:11 - is certificate mapping.
00:06:13 - Let's say Bob is connecting and he's already
00:06:15 - pre-configured with a digital certificate.
00:06:18 - He has his own identity certificate.
00:06:20 - When he connects, maybe I can look, the ASA can look at that
00:06:23 - certificate and say, OK, if the organization equals sales,
00:06:28 - I'm going to automatically put him with
00:06:30 - connection profile two.
00:06:32 - So we can configure that mapping internally.
00:06:34 - Now, that's only going to work if we have a certificate on
00:06:37 - this computer here and we've trained the ASA to go ahead
00:06:40 - and look for that mapping to associate with
00:06:42 - a connection profile.
00:06:43 - So those are the three options.
00:06:45 - So here we go back to our logic.
00:06:47 - We are the ASA.
00:06:48 - Bob's connection comes in, and we simply ask ourselves, did
00:06:51 - he go to a specific URL?
00:06:53 - Am I dropping down a list and he's going to choose from a
00:06:56 - list of the aliases for which tunnel group to choose?
00:06:59 - Or does he have a cert?
00:07:01 - Now, each one of those is going to have the opportunity
00:07:04 - for us as administrators to map it to a different
00:07:06 - connection profile.
00:07:07 - So let's take a look at the example of that, and then
00:07:09 - we'll continue on with the logic.
00:07:11 - This is an outside PC.
00:07:13 - When I say outside--
00:07:14 - I mean, it's not really far outside,
00:07:16 - it's just barely outside.
00:07:18 - This IP address right here is on this network.
00:07:21 - So this computer lives on the outside of the ASA.
00:07:25 - And it could be an internet device.
00:07:26 - It could be local on this network, but it's off the
00:07:28 - outside interface.
00:07:29 - And what I want to do is I want to build a tunnel, an SSL
00:07:33 - clientless VPN tunnel, and give you that look and feel of
00:07:35 - what it not only looks like but also apply it to this
00:07:38 - connection profile.
00:07:39 - So let's bring up a browser.
00:07:41 - And the first option I'd like to demonstrate is, let's go
00:07:43 - ahead and just go right to the IP address.
00:07:45 - So if I'm this user Bob out here, I have this option, this
00:07:48 - group name.
00:07:49 - Now, what that group really is, that's
00:07:51 - a connection profile.
00:07:52 - So these are aliases that we create for each of our
00:07:55 - connection profiles on the ASA.
00:07:56 - So the user clicks the drop-down button, they choose
00:07:59 - the connection profile, they call it Group for the benefit
00:08:02 - of the user.
00:08:02 - Pete chooses the group.
00:08:03 - Then he puts his credentials in, and he authenticates.
00:08:05 - That's one option.
00:08:07 - Now, I'm not going to authenticate here.
00:08:08 - Another option we have is we can go ahead and go to a
00:08:10 - custom URL.
00:08:11 - Now, let me show you what that is real quick.
00:08:13 - I've got this custom URL set up, and I
00:08:16 - called it custom URL.
00:08:17 - So I configured it on the ASA.
00:08:19 - You could make it anything you wanted to.
00:08:21 - But I trained the ASA.
00:08:22 - I said, hey, dear Mr. ASA, if somebody connects at your IP
00:08:25 - address slash custom dash URL--
00:08:27 - it could say Bubba, it could say Group One, it could say
00:08:31 - Sales, whatever you want to call it.
00:08:32 - If somebody connects at that specific custom URL, go ahead
00:08:36 - and associate them with a specific connection profile.
00:08:39 - Back at the role of the ASA.
00:08:41 - So a connection comes in.
00:08:42 - We've identified either from the URL they used or from the
00:08:46 - alias they picked from a drop-down list, we know
00:08:48 - exactly what connection profile to use,
00:08:51 - so we go this way.
00:08:52 - Why does that matter?
00:08:53 - It matters, because if we want a certain user to use a
00:08:56 - certain connection profile, we could then control how we're
00:08:59 - going to make that user authenticate.
00:09:01 - Maybe we'll use, on the connection profile that we're
00:09:04 - associating with Bob, maybe we're
00:09:06 - using the local database.
00:09:07 - So I create the local user Bob on the local ASA, and I
00:09:11 - authenticate him there.
00:09:11 - Or we could authenticate using a AAA server or freezing
00:09:15 - digital certificates.
00:09:16 - I could do client-based digital certificates to
00:09:19 - authenticate Bob that way if we had pre-configured Bob to
00:09:21 - support that.
00:09:22 - We also are going to support or identify IP address
00:09:26 - assignment.
00:09:27 - Now, when does that come into play?
00:09:29 - This is important.
00:09:30 - A clientless--
00:09:34 - hence, no software client on the PC, no AnyConnect, no VPN,
00:09:37 - just a clientless connection with SSL for VPN, we don't
00:09:41 - need to give the customer an IP address.
00:09:43 - They don't get their own IP address if they're clientless.
00:09:46 - But if they're using AnyConnect with a full-tunnel
00:09:51 - SSL VPN or they're using the old VPN client with IPsec, any
00:09:57 - of these full-tunnel options are going to be
00:09:59 - getting an IP address.
00:10:00 - So in the connection profile, we have the option of
00:10:03 - specifying what IP address pools we're going to use.
00:10:06 - Are we going to use DHCP and hand out IP
00:10:08 - addresses from DHCP?
00:10:09 - Are we going to pull from a pool of addresses how we're
00:10:12 - going to give IP addresses to these two sets of clients?
00:10:15 - If Bob is connecting with his clientless list option with
00:10:18 - VPN, he won't need an IP address.
00:10:22 - And so even if we have IP addresses assigned in the
00:10:25 - connection profile for Bob, they'll be meaningless in his
00:10:27 - case as an SSL clientless VPN.
00:10:30 - We're also going to specify things like the DNS server and
00:10:32 - so forth to use.
00:10:34 - Let's take a look at the other side of the house.
00:10:35 - Let's say that somebody connects.
00:10:37 - Let's say it's Lois.
00:10:40 - So Lois connects, and she doesn't specify an alias from
00:10:44 - the drop-down.
00:10:45 - Maybe we haven't configured it.
00:10:47 - Maybe we didn't support it.
00:10:48 - So on ASA we didn't provide that as an option.
00:10:51 - She didn't go to the URL for any specific connection
00:10:54 - profile, and she doesn't have a cert.
00:10:56 - So what do we do?
00:10:57 - If the ASA can't figure out what connection profile to
00:11:00 - use, which would be a no here, it's going to use one of two
00:11:04 - default connection profiles for remote access.
00:11:07 - And those two connection profiles, one is going to be
00:11:10 - Default Web VPN Group.
00:11:13 - I'd like you to take a moment and write that down just to
00:11:16 - help reinforce that in your memory that if a remote access
00:11:20 - SSL customer is coming in and there's no specific connection
00:11:24 - profile that's identified through one of the three
00:11:27 - methods that we talked about, the default connection profile
00:11:30 - that they will be assigned is Default Web VPN Group.
00:11:34 - If that customer's coming in and they're coming in as an
00:11:36 - IPsec remote access VPN client and it can't map to a specific
00:11:42 - connection profile, it will then use the default RA, as in
00:11:46 - Remote Access, Group.
00:11:47 - That's the name.
00:11:48 - I'd like you to write that one out as well.
00:11:49 - That's the default connection profile that
00:11:52 - they will be using.
00:11:53 - Why does that matter?
00:11:54 - It matters because you may have set up a whole bunch of
00:11:57 - stuff in your ASA, and people are trying to authenticate and
00:12:00 - they can't even authenticate.
00:12:02 - It's hard to find out who Bob is if we don't give him a
00:12:05 - chance to authenticate correctly.
00:12:07 - So we can modify these default connection profiles.
00:12:11 - You can't delete them.
00:12:12 - The system will not let you delete them, but
00:12:14 - we can modify them.
00:12:16 - If you want your default method for authenticating
00:12:19 - users who don't fit into any of your custom connection
00:12:21 - profiles, we can go modify the Default Web VPN Group and
00:12:25 - default RA Group and control the last ditch effort
00:12:29 - regarding the behavior of those
00:12:31 - default connection profiles.
00:12:32 - Are these in the local database?
00:12:33 - Are they using a AAA server group?
00:12:35 - We can control it by configuring those defaults.
00:12:39 - Our next step is to go ahead and authenticate.
00:12:41 - So I've got the same PC on the outside
00:12:43 - network here that's connected.
00:12:45 - I went to the global address on the ASA.
00:12:47 - I said, go ahead and allow a list of aliases for the
00:12:50 - connection profiles.
00:12:51 - And I mapped them appropriately on the back-end.
00:12:53 - And what I want you to be aware of is that connection
00:12:55 - profile has different names.
00:13:01 - What do you mean, Keith, different names?
00:13:03 - Like a nickname?
00:13:04 - I don't know if I'd go that far.
00:13:06 - But it has certain names that you want to be familiar with.
00:13:08 - When people say, for example, tunnel group, what are they
00:13:11 - talking about?
00:13:12 - Well, a tunnel group--
00:13:14 - and I'll just circle it right there.
00:13:15 - When people talk about a tunnel group, they're also
00:13:17 - talking about a connection profile.
00:13:20 - So in the actual configuration when we work with tunnel
00:13:23 - groups at the CLI, tunnel groups are nothing more than
00:13:27 - connection profiles.
00:13:28 - They are one and the same thing.
00:13:29 - Now, to make matters a little bit more interesting from the
00:13:32 - user perspective--
00:13:33 - I'll circle this in blue.
00:13:35 - From the user perspective, they're given a menu of the
00:13:38 - aliases that map to our connection profiles.
00:13:40 - And on the user interface, they call them groups.
00:13:43 - A connection profile, the real connection profile, could be
00:13:46 - called a tunnel group.
00:13:47 - No problem.
00:13:48 - From a user-only perspective, they might refer to it as a
00:13:51 - group because it says so right here.
00:13:54 - Now, why do I make a big deal out of that?
00:13:55 - Well, let me log in as Bob, and I'll tell you.
00:13:59 - So let me go ahead as Bob1.
00:14:00 - I've got a user called Bob1, and we're going to have
00:14:02 - several Bobs today.
00:14:04 - And I'm in.
00:14:05 - And this is the beautiful clientless interface.
00:14:08 - This is my portal to get to this internal network.
00:14:11 - Now, what just happened when I just logged in is an amazing
00:14:15 - story all by itself.
00:14:16 - And that's all about the policies that were applied to
00:14:19 - this VPN connection.
00:14:21 - What I'm really excited about is that you and I right now
00:14:25 - get to take a look at the details of what policies were
00:14:28 - applied to Bob1, because he authenticated, and how they
00:14:32 - were determined from the configuration in the ASA.
00:14:36 - Let's put this in the right context.
00:14:37 - Anything about pre-logon policy is all about the
00:14:40 - connection profiles.
00:14:41 - That's before we know it's Bob.
00:14:43 - We don't know it's Bob yet, because he hasn't
00:14:44 - authenticated.
00:14:45 - Once he does authenticate and we now know it's Bob, we can
00:14:49 - then apply policy.
00:14:50 - And that's what we're dealing with here
00:14:51 - in these two columns.
00:14:52 - Now, the two columns I have--
00:14:53 - I have column one and then column two.
00:14:56 - The reason these are here is this first column shows the
00:14:58 - logic of the policies that are going to be applied for Bob's
00:15:02 - duration of his VPN on our network.
00:15:05 - And the second one is an example of that
00:15:07 - policy being applied.
00:15:08 - And there's a lot of really cool options that we can do
00:15:11 - and something called inheritance.
00:15:13 - Let's talk about inheritance for a moment.
00:15:15 - Back in the '80s when--
00:15:17 - I know, some of you may not have been born in the '80s.
00:15:19 - But back in the '80s when I started working with Novell
00:15:21 - Networks, we had users.
00:15:24 - And here's what we would do.
00:15:25 - We'd have these user accounts.
00:15:27 - And I'd have some from Human Resource and maybe five there.
00:15:31 - And some from Sales, maybe 10 there.
00:15:34 - And maybe Engineering, and maybe 15 users there.
00:15:38 - And if I had all these users, which is a total of 30 users,
00:15:41 - I could do this a couple of ways.
00:15:43 - I could manage every single user and give them all the
00:15:46 - rights and the permissions they needed individually.
00:15:49 - But that's a headache.
00:15:50 - If we have 3,000 users, it becomes more of a headache.
00:15:53 - So instead, what we did way back then and we still do now
00:15:57 - is we use groups.
00:15:57 - We'll have an Engineering Group.
00:15:59 - And we'd simply give the group Engineering certain rights and
00:16:02 - privileges and make those 15 users a member of the group.
00:16:05 - Same thing with HR.
00:16:07 - We'd create an HR group, associate privileges or rights
00:16:10 - with that group, and make those five users a member of
00:16:12 - that group.
00:16:13 - Same thing with Sales.
00:16:14 - And that way, a new user comes on board, we simply make them
00:16:17 - a member of the group they belong to.
00:16:19 - And poof, they automatically get those rights.
00:16:21 - Does that make sense?
00:16:23 - So we're going to do the same kind of policy with our VPN
00:16:27 - connections.
00:16:28 - We can have group policies and simply associate users with
00:16:31 - those groups.
00:16:32 - Now, the challenge here is that we have a lot of options
00:16:35 - on the ASA.
00:16:36 - And I say it's a challenge, because if we're not clear on
00:16:39 - the order of things, we can really make a mistake.
00:16:43 - So what we're going to do together, you and I right now,
00:16:45 - is go through exactly the logic, after Bob's logged on,
00:16:49 - exactly what rules will be applied.
00:16:52 - So let's start off with column one and column two.
00:16:54 - Column one is the actual logical flow, and column two
00:16:57 - is an example of each.
00:16:58 - The first thing that's going to be considered as the
00:17:01 - highest priority-- in fact, the higher these are, the
00:17:03 - higher their priority is as far as the policy--
00:17:06 - is going to be this thing called DAP.
00:17:07 - DAP stands for Dynamic Access Policy.
00:17:10 - And it could be, for example, that Bob's machine, when Bob
00:17:13 - connects, he's got a firewall, a personal firewall in place.
00:17:17 - Now, if we're checking for a personal firewall and if it's
00:17:20 - present, we can then say, oh, you know what, Bob's got a
00:17:23 - personal firewall, we're going to open up and give him
00:17:26 - additional access to additional network resources.
00:17:29 - Or if he doesn't have a firewall, we are going to
00:17:32 - restrict his network access and only give him access to a
00:17:35 - couple servers instead of most of the network.
00:17:38 - So that's what a Dynamic Access Policy is based on the
00:17:40 - considerations as that user connects.
00:17:44 - So we can tie Dynamic Access Policy to tons of different
00:17:47 - parameters such as, do you have a firewall, do you not,
00:17:49 - and then what rights you get or don't get.
00:17:51 - In this case, let's say there's no Dynamic Access
00:17:55 - Policy that matches.
00:17:57 - And so what Bob is going to get is the Default Access
00:17:59 - Policy, which basically means he's not being restricted or
00:18:02 - locked down or given any inordinate amount of
00:18:05 - permissions, because there's nothing that
00:18:07 - applies directly to him.
00:18:08 - But if there was, the higher policies, these ones at the
00:18:13 - top, would be most important.
00:18:16 - So for example, let's just say, hypothetically, that the
00:18:20 - Dynamic Access Policy said that Bob could log on three
00:18:24 - times, three simultaneous logins.
00:18:27 - And let's say way down here at the Default Group Policy, it
00:18:30 - said Bob could log in four times.
00:18:34 - Well, if the Dynamic Access Policy said three times and
00:18:37 - way down here at the bottom it said four times, the one on
00:18:40 - the top wins.
00:18:41 - So that's how it works.
00:18:43 - The one on the top wins.
00:18:44 - If there's a conflict, the one on the top wins.
00:18:47 - So there's no Dynamic Access Policy other than
00:18:49 - the default for Bob.
00:18:50 - And then we consider the next element.
00:18:53 - The next element is Bob's user profile.
00:18:56 - In the ASA, we've got a user profile for Bob or Bob1,
00:18:59 - whatever the username is.
00:19:00 - And in that policy, it can specify things
00:19:03 - specific to that user.
00:19:05 - So in this example, let's say Bob's profile says, two
00:19:08 - simultaneous logins.
00:19:09 - I'll just circle it.
00:19:11 - That's in his profile.
00:19:13 - It says, two simultaneous logins.
00:19:15 - And it also says, please use Group Policy One.
00:19:19 - That's what's in his policy.
00:19:20 - So right now two logins, it's in stone.
00:19:25 - He can log in simultaneously from two different times at
00:19:27 - the same moment.
00:19:29 - That's not a really great idea.
00:19:31 - However, that's what this policy is
00:19:32 - saying as an example.
00:19:34 - And the next thing that comes down is, if the user policy
00:19:38 - for Bob specifies a group, apply that group policy.
00:19:42 - So because here this said, go ahead and use Group Policy
00:19:45 - One, Group Policy One is going to be applied.
00:19:47 - So as we look at the details of Group Policy One, it's
00:19:51 - saying that there's going to be a Webtype ACL restriction
00:19:55 - and it's going to be applied to Bob.
00:19:56 - So here, he picks up a Web ACL.
00:20:01 - Now, as we go down, anything that these higher level
00:20:04 - policies didn't call out specifically and match on we
00:20:07 - can inherit from the lower policies.
00:20:10 - So we're still going down.
00:20:11 - So we've got two simultaneous logins, we've got Web
00:20:14 - ACL from Group One.
00:20:16 - And then we're going to go down to the next option.
00:20:18 - If the connection profile--
00:20:20 - wait, wait, wait, Keith, stop the truck.
00:20:22 - You said that connection profiles were way over here
00:20:25 - before Bob ever logged on.
00:20:26 - And that's true.
00:20:28 - But check this out.
00:20:29 - The connection profile--
00:20:31 - let's say we have a connection profile called con-prof-1.
00:20:37 - As one of the properties of connection profile number one,
00:20:40 - we can say what our group policy is.
00:20:46 - If that's present, that's what this is
00:20:48 - referring to right here.
00:20:49 - So we can still have policies from yet another group if the
00:20:54 - connection profile that we came in on specifies it.
00:20:57 - But it's way down here, second from the bottom.
00:20:59 - So in this example, when Bob connected, and he connected on
00:21:02 - a connection profile, that specific connection profile
00:21:05 - said, use Group Policy Two.
00:21:08 - And that Group Policy Two-- if we opened it up, because I
00:21:11 - created it that way-- it would've said, I want to
00:21:14 - restrict this user from not being able to do browser
00:21:17 - options for HTTP, which means he can't, from his clientless
00:21:21 - VPN, go ahead and open up any HTTP
00:21:25 - resources from the portal.
00:21:27 - So he's going to lose HTTP from portal.
00:21:33 - And that's from the group policy Group Policy Two that
00:21:36 - was tied to the connection profile.
00:21:38 - And then last but not least, we have this thing called a
00:21:41 - Default Group Policy.
00:21:42 - Now, in the Default Group Policy, if you've tweaked or
00:21:45 - tuned that, they're going to get that if that doesn't
00:21:48 - conflict with anything else.
00:21:49 - And so I've set the connection time to 33 minutes, the
00:21:53 - maximum connection time to 33 minutes.
00:21:55 - So 33 minutes max.
00:21:57 - That's all Bob is going to get.
00:21:58 - And he's going to get kicked out.
00:22:00 - He'll have to log on again.
00:22:01 - So here's what I want you to take away from this.
00:22:03 - Number one, you do need to memorize this
00:22:06 - order from top, down.
00:22:07 - And it goes DAP and user profile.
00:22:14 - And then we have the group in user profile.
00:22:23 - Then we have the group in connection profile.
00:22:30 - And then finally, we have a Default Group Policy.
00:22:34 - So I would say it would be really important to
00:22:36 - understand that flow.
00:22:37 - DAP, user profile, the group in the user profile, the group
00:22:40 - in the connection profile, and then the Default Group.
00:22:43 - And the Default Group Policy indeed has a name, and that's
00:22:45 - it right there--
00:22:46 - Default GRP Policy.
00:22:49 - I'd like you to take a moment right now and jot those down.
00:22:57 - We're going to walk through Bob logging in again and
00:22:59 - verify that he has each of those aspects up from the
00:23:03 - inheritance all the way down from the policies.
00:23:05 - If you would do me a huge favor, I'd like you to do a
00:23:07 - screenshot just to record this.
00:23:09 - And that way, as we're in the interface, you can keep it as
00:23:12 - a separate document and refer to it.
00:23:14 - Because we want to verify that he's got two simultaneous
00:23:17 - logins from his user policy and that from Group One,
00:23:20 - there's a Web VPN ACL, and from the Group Two Policy
00:23:23 - culled from the connection profile that he's got no HTTP
00:23:27 - URL access, and then finally, from the Default that the
00:23:32 - maximum connection time is set to 33 minutes.
00:23:35 - Someone once told me that repetition is
00:23:37 - the mother of learning.
00:23:38 - And in this Nugget series together, we're going to have
00:23:41 - lots of opportunities of going into the ASDM again and again
00:23:45 - and again to reinforce the skill set of exactly where do
00:23:49 - I go to manage each of these pieces inside of
00:23:52 - remote access VPN.
00:23:53 - Well, the first thing we're going to do is go to the
00:23:55 - Configuration button here under remote access VPN.
00:23:59 - And in our policies, I want to ask you a question.
00:24:02 - Where is the least significant policy kept?
00:24:06 - It's at the bottom.
00:24:07 - And do you recall the name of that least significant policy?
00:24:10 - And some of you are saying, Keith, it's on the screen.
00:24:12 - It's even highlighted.
00:24:13 - It's the Default Group Policy.
00:24:15 - And yes, it is.
00:24:17 - And what I would like to do is I would like to start at the
00:24:19 - bottom, at the least impact policy, the Default Group
00:24:22 - Policy, and work our way up.
00:24:24 - So that's that green one in the bottom right if you took
00:24:26 - that screenshot I asked you to of our policy
00:24:29 - example with Bob.
00:24:30 - So we're going to start with the Default Group Policy and
00:24:32 - work our way up to the more and higher important policies.
00:24:36 - To edit this, we simply double-click or you can click
00:24:39 - on the Edit button.
00:24:40 - And if you look at it, at first glance, it's like, OK,
00:24:43 - there's the Default Group Policy.
00:24:44 - I understand, Keith, it's the least important.
00:24:47 - But there's no options here.
00:24:48 - There's very few options here.
00:24:49 - Well, click on the More Options button, and that's
00:24:51 - going to give you more details.
00:24:53 - The only parameter I'll focus on here is maximum connection
00:24:56 - time, 33 minutes.
00:24:58 - That means, to you and me, if some higher priority policy
00:25:02 - doesn't specify the maximum connection time, that this
00:25:06 - will take effect for everybody.
00:25:10 - What do you mean, Keith, everybody?
00:25:11 - This Default Group Policy is the Default
00:25:14 - Group Policy for everybody.
00:25:16 - So everybody's going to have a maximum connect time of 33
00:25:19 - minutes unless it's specified in a user policy or one of the
00:25:23 - group policies that were called out in the user profile
00:25:27 - or the connection profile.
00:25:28 - OK, so that's the Default Group Policy.
00:25:30 - Let's go ahead and cancel that.
00:25:31 - Our next one was Group Policy Two, the Group Policy Two.
00:25:35 - We can double-click to edit it or click on Edit.
00:25:38 - And same thing here.
00:25:39 - We can click on More Options to bring out the details.
00:25:42 - And this Group Policy, it had to do with the portal.
00:25:46 - So I'll click here on Portal.
00:25:48 - Under Portal, it said, URL entry.
00:25:50 - It's not going to inherit that from some other lower policy,
00:25:53 - it's going to specify Disabling.
00:25:56 - So anybody who is associated with this Group Policy is
00:25:59 - going to lose the ability to go ahead and do a search for a
00:26:03 - URL, HTTP based on free form at the top of the portal.
00:26:07 - That's going to go away completely.
00:26:09 - So that's Group Policy number Two.
00:26:11 - The next one was Group Policy number One, which had a Web
00:26:14 - ACL associated with it.
00:26:16 - This Group Policy was being culled by
00:26:18 - the actual user profile.
00:26:19 - The user profile for Bob1 said, use Group Policy One.
00:26:24 - So we go to More Options.
00:26:25 - Right there under Web ACL, it says, Don't Inherit.
00:26:28 - Don't inherit some policy from a lower group, go ahead and
00:26:32 - just use this.
00:26:33 - So anything specified in any of these higher level policies
00:26:37 - is going to take precedence over anything specified in
00:26:40 - lower policies.
00:26:41 - So here we have a Group One ACL, which is basically a Web
00:26:44 - ACL, filtering on certain types of traffic.
00:26:47 - We'll get into the details of creating those and specifying
00:26:49 - how to set them up.
00:26:50 - But right now, just know that this
Group Policy One says 00:26:53 - Group One Web ACL is going to be
applied. 00:26:55 - So we'll cancel that, and then
we'll go up 00:26:57 - to Bob's user account.
00:26:59 - And where is Bob at? 00:27:01 - Well, Configuration, Remote Access,
and here 00:27:04 - are our local users.
00:27:05 - There's the URL right here. 00:27:07 - So I've got Bob1, and he's at privilege
level two, which 00:27:10 - isn't going to matter too much
for the purposes of VPN. 00:27:14 - He doesn't need to be Administrator,
he doesn't need 00:27:15 - to have privilege 15, that's for
sure. 00:27:18 - And also specifying his group policy
right here. 00:27:20 - See that?
00:27:21 - See, it says, VPN Group Policy is Group Policy One.
00:27:24 - So we can take a look at the details of that, too.
00:27:26 - If we look at the VPN policy, right there it says, hey Bob,
00:27:30 - this is the account we're in, your policy is called Group
00:27:34 - Policy One. 00:27:34 - We had simultaneous logins of two.
00:27:36 - So he has Group Policy One and simultaneous logins of two.
00:27:40 - And there is one other thing that we needed to look at.
00:27:42 - And that was the actual connection profile that Bob
00:27:47 - let's go to connection profiles. 00:27:50 - So here's our Tunnel Group One.
00:27:52 - And that's the alias. 00:27:53 - See that alias set right there?
00:27:54 - This is the alias that Bob selected from
00:27:57 - the drop-down list. 00:27:57 - And why could he do that?
00:27:59 - It's because I set right here, I said, go ahead and go ahead
00:28:03 - and give him a drop-down, so they can select the connection
00:28:06 - profile they want to go ahead and use to connect to.
00:28:08 - So I enabled a feature here, and I specified what the alias
00:28:11 - was right there. 00:28:13 - One other thing on this connection
profile. 00:28:14 - If we modify it real quick by double-clicking,
I want you to 00:28:19 - see the Default Group Policy right
here. 00:28:22 - So anybody who connects on this
connection profile right 00:28:27 - before they hit the Default Group
Policy, second from the 00:28:30 - very end, they're also going to
pick up any remaining 00:28:33 - policies from Group Policy Two.
00:28:36 - And while we're here looking at this connection profile,
00:28:41 - let's take a look at one other option which is
URL. 00:28:51 - So if users connect to https://,
that IP address, 00:28:55 - custom-url, because I named it
that, the ASA would note, oh, 00:28:59 - you really want to connect to the
connection profile called 00:29:02 - Tunnel Group One.
00:29:04 - And then it is going to use the authentication methods
00:29:06 - associated with this tunnel group or with this connection
00:29:08 - profile to go ahead and authenticate the users.
00:29:10 - In this case, this connection profile was saying, I'm using
00:29:13 - AAA, I'm using the local database. 00:29:16 - So let's go ahead and cancel out.
00:29:17 - And let's take a look at Bob the user and make sure he is
00:29:21 - still connected, because it's been a few minutes.
00:29:23 - So we'll bring back Bob. 00:29:25 - And he has timed out.
00:29:26 - So we'll click on Log On again. 00:29:28 - There's our alias for the connection
profile. 00:29:31 - We'll go in as Bob1.
00:29:33 - Cisco. 00:29:35 - And we are connected.
00:29:36 - Fantastic. 00:29:37 - So now he's connected, what can
he do? 00:29:39 - There's no browse option up on
the top. 00:29:42 - There's normally an HTTP browse
option where you can 00:29:45 - connect to anything.
00:29:45 - And he's also been limited-- check this out.
00:29:47 - He has got no HTTP option here either.
00:29:49 - So he's been clipped. 00:29:50 - His wings have been clipped.
00:29:52 - He couldn't go out to an HTTP resource through this portal
00:29:55 - if he wanted to. 00:29:56 - And that's because of the policy
that was assigned 00:29:59 - through Group Policy Two.
00:30:01 - Now, if we take a look-- if we minimize this for a moment,
00:30:04 - and let's go back and take a look from the ASA at his
00:30:07 - connection. 00:30:08 - Now, to look at these beautiful
users who are coming 00:30:10 - in, to figure out what the heck
actually happened, we can 00:30:14 - go to Monitoring.
called 00:30:39 - Tunnel Group One.
00:30:49 - Not totally true! 00:30:50 - Because not only did he get Group
Policy One, but he also 00:30:54 - got Group Policy Two based on this
connection profile, and 00:31:01 - he also got the Default Group.
00:31:08 - So he actually has elements, remnants, if you will, from
00:31:12 - three different group policies. 00:31:15 - One from Group Policy One, one
from Group Policy Two, and 00:31:18 - another from the Default Group
Policy. 00:31:20 - To verify that, we can double-click
on this guy to 00:31:22 - bring up the details.
00:31:23 - And let's see what else we can ferret out.
00:31:25 - We already know that he couldn't do the browsing.
00:31:27 - So that was already limited. 00:31:29 - That's great.
00:31:29 - We identified that. 00:31:30 - From here, we can identify that
his max connection is 00:31:35 - going to be 33 minutes.
00:31:37 - And that's from the Default Policy. 00:31:39 - We also have a Webtype ACL.
00:31:43 - And that Web ACL was from Group Policy One.
00:31:46 - What we haven't verified is how many times
00:31:48 - can this guy login? 00:31:49 - It should be just two.
00:31:51 - So to test that, let's actually try logging in a
00:31:54 - couple times from Bob's machine. 00:31:56 - So we'll bring back him in.
00:31:58 - And we'll just minimize this a little bit.
00:32:00 - There we go. 00:32:02 - So there's one window.
00:32:03 - We'll start up another one, and we'll go to that same URL.
00:32:08 - And the log-in's Bob again. 00:32:12 - Bob1.
00:32:13 - And I must have logged in the wrong password.
00:32:15 - Bob1. 00:32:18 - So there's our second window.
00:32:19 - Here's our first window, here's our second window.
00:32:21 - And if we try to bring up a third, let's take a look at
00:32:23 - what happens. 00:32:24 - So I'll bring up the same URL again.
00:32:27 - I'll have to get a trusted certificate at one point.
00:32:29 - We'll do that together in another Nugget.
00:32:31 - And we'll specify Bob1. 00:32:34 - Now, gee, it looks like all three
of them came up. 00:32:35 - But if we go back to the original
window back here and 00:32:38 - we do a Refresh, it's going to
say, sorry, that 00:32:42 - connection's dead.
00:32:43 - And we could log in like 400 or 500 times, and it's only
00:32:46 - going to keep the latest last two connections valid.
00:32:49 - So if we go back to our connections here and we see a
00:32:51 - Refresh, we have two connections. 00:32:53 - We have one that was initiated
37 seconds ago, one that was 00:32:56 - 18 seconds ago, and the older one
has been pushed off. 00:33:00 - And that's because his maximum
connections has 00:33:02 - been limited to two.
00:33:04 - And that's because that was specified in
00:33:05 - actual Bob's user profile. 00:33:07 - So what have we learned in this
00:33:10 - Quite a bit. 00:33:11 - It's quite an eye-opener.
00:33:12 - First of all, we identified that connection profiles are
00:33:15 - all about the pre-logon policy. 00:33:18 - Which connection profile are we
going to use based on a URL 00:33:22 - the user puts in, a drop-down list
they select, or from 00:33:24 - certificate matching, which we'll
cover in 00:33:26 - this course as well.
00:33:28 - Once the ASA knows exactly which custom profile to use,
00:33:31 - it can then go ahead and authenticate them based on
00:33:34 - local database or AAA server group or however that
00:33:37 - connection profile says to authenticate those users.
00:33:39 - If there's no mapping in place, meaning the ASA can't
00:33:43 - figure out any specific connection profile to use for
00:33:46 - SSL, it would have used the Default Web VPN Group
00:33:50 - connection profile. 00:33:52 - And then any parameters associated
maximum of two 00:34:13 - simultaneous logins and pull from
came in on, it specified 00:34:24 - that we should use Group Policy
Two, which said, no 00:34:27 - HTTP URL entry.
00:34:29 - So we applied that. 00:34:30 - And then the Default Group said,
we want to go ahead and 00:34:32 - do 33 minutes for the max connection.
00:34:35 - And all of those items got applied. 00:34:38 - And just as a reminder, if any
of those policies, for 00:34:41 - example, 33 minute connection timeout,
if we had said that 00:34:44 - the connection timeout was 37 minutes
here, this one would 00:34:49 - win over any lower policy.
00:34:51 - And that's how the policy flows. 00:34:52 - Now, good news.
00:34:53 - We're going to take a closer look at configuring each and
00:34:57 - every individual part. 00:34:59 - My objectives for this Nugget together,
you and I, was to 00:35:02 - make sure we're clear on the connection
profiles being used 00:35:05 - for the pre-logon policy; and then
for post-logon, the order 00:35:10 - of business with DAP, user policies,
group policies tied 00:35:14 - to the user, group policies tied
to the connection profile 00:35:17 - that they came in on, and then
for you. 00:35:22 - And I'd like to thank you for viewing.