OSI:ASA/SAML
Cisco ASA VPN SAML authentication
To authenticate users with the SAML protocol, the external-sso package must be installed on the ASA. Whenever the Cisco Secure Client is upgraded, a matching new version of the package must be installed as well.
webvpn
 anyconnect external-browser-pkg disk0:/external-sso-XXX-webdeploy-k9.pkg
For the trust relationship between Shibboleth and the ASA, a certificate must be generated on the ASA (self-signed, with a long validity period so it does not have to be replaced often).
crypto key generate rsa label SPSigningKey modulus 2048
crypto ca trustpoint SPSigningCert
 keypair SPSigningKey
 subject-name cn=vpn2.zcu.cz
 enrollment self
 exit
crypto ca enroll SPSigningCert
The page https://shib3.zcu.cz/idp/shibboleth contains the Shibboleth IdP certificates, which must be entered on the ASA as a trustpoint.
crypto ca trustpoint SAML-IDP-SHIB3
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
 exit
crypto ca authenticate SAML-IDP-SHIB3
(paste cert)
quit
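An added helper (not from this page or the ZCU configuration) for the step above: it extracts the signing certificate(s) from IdP metadata of the shape served at https://shib3.zcu.cz/idp/shibboleth, wraps them as PEM for the crypto ca authenticate paste, and computes fingerprints to compare with the one the ASA prints before asking you to accept the certificate. The metadata and certificate bytes below are constructed placeholders; which hash your ASA version prints is an assumption not stated on this page.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with the structure of the IdP metadata served at
# https://shib3.zcu.cz/idp/shibboleth. The certificate bodies are placeholder
# bytes, not real X.509 certificates.
SIGNING_DER = b"constructed signing certificate placeholder"
ENCRYPTION_DER = b"constructed encryption certificate placeholder"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://shib3.zcu.cz/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SIGNING_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certificates(metadata_xml: str) -> list[str]:
    """PEM blocks for every IdP signing certificate in the metadata, ready to
    paste at the ASA 'crypto ca authenticate' prompt. A KeyDescriptor without a
    'use' attribute is valid for both signing and encryption, so it is kept;
    encryption-only certificates are skipped."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop indentation/newlines
            pems.append("-----BEGIN CERTIFICATE-----\n"
                        + "\n".join(textwrap.wrap(body, 64))
                        + "\n-----END CERTIFICATE-----")
    return pems


def der_bytes(pem: str) -> bytes:
    """Decode a PEM block back to its DER bytes."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def fingerprints(pem: str) -> dict[str, str]:
    """MD5 and SHA-256 fingerprints of the DER bytes, to compare against the
    fingerprint the ASA displays before asking whether to accept the certificate."""
    der = der_bytes(pem)
    return {"md5": hashlib.md5(der, usedforsecurity=False).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}
```

Fetch the real metadata over HTTPS and pass it to signing_certificates(); only paste a certificate into the trustpoint after the fingerprint shown by the ASA matches the one computed here.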
Group policy configuration
group-policy WEBNET-SAML-POLICY attributes
 banner value Welcome to UWB VPN Service.
 banner value Support https://support.zcu.cz/index.php/VPN
 banner value You are now connected to the University of West Bohemia campus network.
 banner value
 banner value ** SAML authentication successful **
 dns-server value 147.228.3.3 147.228.52.11
 vpn-simultaneous-logins 1
 vpn-idle-timeout 120
 vpn-session-timeout 720
 vpn-filter value acl-vpn-out
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value acl-vpn-local-lan
 default-domain value zcu.cz
 backup-servers clear-client-config
 anyconnect-custom DeferredUpdateAllowed value Allowed
 anyconnect-custom DeferredUpdateDismissTimeout value Timeout
 anyconnect-custom dynamic-split-exclude-domains value ExcludeDomains
 webvpn
  anyconnect mtu 1402
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method new-tunnel
  anyconnect dpd-interval client 20
  anyconnect dpd-interval gateway 20
  anyconnect ssl compression none
  anyconnect profiles value ZCU-VPN2-SAML type user
  anyconnect ssl df-bit-ignore enable
webvpn (tunnel-group) configuration for shib3
tunnel-group SAML-IdP-SHIB3 type remote-access
tunnel-group SAML-IdP-SHIB3 general-attributes
 address-pool RA-VPN-WEBNET-PRIVATE-IPV4
 authorization-server-group VPN-RADIUS
 accounting-server-group VPN-RADIUS
 default-group-policy WEBNET-SAML-POLICY
tunnel-group SAML-IdP-SHIB3 webvpn-attributes
 authentication saml
 saml external-browser enable
 group-alias SAML enable
 group-url https://vpn2.zcu.cz enable
 saml identity-provider https://shib3.zcu.cz/idp/shibboleth
 saml idp-trustpoint SAML-IDP-SHIB3