
Cisco Secure Firewall Threat Defence Remote Access VPN with Duo Passwordless Authentication

In this article we will take a look at how to configure Cisco Secure Firewalls for Passwordless Remote Access VPN authentication. Microsoft Azure will be used as the Identity Provider (IdP) and will also be federated with Duo for Single Sign-On (SSO) which will allow the use of Duo Passwordless. The federation between Azure Active Directory (AAD) and Duo SSO has already been completed in this demonstration and therefore won’t be covered.

Note: Firepower version 7.1 is required in order to make use of passwordless. Previous versions do not support the external browser feature and therefore cannot utilise passwordless. Please consult the release notes here.

Assumptions

The following article assumes that the reader is familiar with the following:

  • Azure Active Directory
  • Cisco Secure Access by Duo
  • Firepower VPN configurations
  • SAML 2.0
  • PKI

Demonstration Devices/Software

  • Cisco Firewall Management Centre Virtual (FMCv) (7.3)
  • Cisco Secure Firewall Threat Defence Device Virtual (FTDv) (7.3)
  • Cisco AnyConnect (4.10) on a Windows 11 Device
  • Yubico YubiKey 5C NFC

Prerequisites

  • Admin access to an Azure tenant
  • Admin access to Duo
  • Admin access to Firepower devices
  • Access to your public domain
  • Ability to generate a public certificate (If testing in a lab environment you could choose to use ZeroSSL)
  • A test device with built-in biometrics or an external biometric device which can be attached to the test device for passwordless testing
  • Correct licenses for Duo and Firepower

Configure a new Azure Enterprise Application

  • At this point, Duo has already been federated with the Azure tenant but before we can connect to the VPN we need to configure SAML 2.0 between Azure and the FTD device. Access your Azure tenant and navigate to Enterprise Applications and click ‘+ New application’
  • Search for ‘AnyConnect’ and select the Cisco AnyConnect Enterprise Application once found
  • Select the users and groups that should be allowed to access this application. If testing, you may just want to select a couple of admin users. To do this click on ‘Assign users and groups’ under the Getting Started section
  • Once users and groups are configured, navigate to Single Sign-On located on the left-hand side of the page. We will need information from this configuration for the FTD and vice-versa. Each configuration step is covered below:
    • Identifier (Entity ID): contains your VPN's FQDN and Connection Profile name. If the FTD is not yet configured, you can still create the Entity ID, making sure that the same FQDN and Connection Profile name are used on the FTD later. Below is an example:
Tunnel Group/Connection Profile = SAML-DEMO
VPN FQDN = securefw.networkwizkid.com

https://securefw.networkwizkid.com/saml/sp/metadata/SAML-DEMO
  • The Reply URL (Assertion Consumer Service URL) contains the same information but the URL is slightly different. Use the following URL, replacing my FQDN and Connection Profile with your own:
https://securefw.networkwizkid.com/+CSCOE+/SAML/SP/ACS?tgname=SAML-DEMO
  • In step 3, download the Certificate (Base64). This will be uploaded to the FTD shortly
  • Lastly, make note of the Login URL, Azure AD Identifier and Logout URL as these will also be required when configuring the FTD
  • Once complete, do NOT test the configuration. Move onto the configuration of the FTD
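Before pasting the downloaded Base64 certificate into the FMC CA Certificate field, it is worth confirming that the file holds a single, intact DER certificate and recording its thumbprint so it can be compared with the thumbprint Azure displays under SAML Signing Certificate (and with what FMC shows after import). The Python script below is an added example, not code from this article or from Cisco, Duo or Microsoft; the sample PEM it contains is a constructed minimal DER SEQUENCE standing in for a real certificate, so the thumbprints it prints are placeholders.

```python
"""Sanity-check an Azure-downloaded Base64 (PEM) certificate before uploading it to FMC.

Added example; uses only the Python standard library.
"""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL so the body may span many lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, index after the field)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def inspect_pem_certificate(pem: str) -> dict:
    """Return DER size and SHA-1/SHA-256 thumbprints, or raise ValueError if the PEM is not usable."""
    blocks = _PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    try:
        der = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (X.509 certificates start with 0x30)")
    length, start = _der_length(der, 1)
    if start + length != len(der):
        raise ValueError("DER length does not match decoded size (truncated or trailing bytes)")
    return {
        "der_len": len(der),
        # Azure shows a SHA-1 thumbprint; SHA-256 is kept for comparison elsewhere.
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def is_valid_pem(pem: str) -> bool:
    """Boolean wrapper used for quick pass/fail checks."""
    try:
        inspect_pem_certificate(pem)
        return True
    except ValueError:
        return False


def _wrap(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed samples (not real certificates): a minimal DER SEQUENCE containing
# INTEGER 5, and the same SEQUENCE with its last byte missing.
CONSTRUCTED_DER = b"\x30\x03\x02\x01\x05"
CONSTRUCTED_PEM = _wrap(CONSTRUCTED_DER)
CONSTRUCTED_PEM_TRUNCATED = _wrap(CONSTRUCTED_DER[:-1])

if __name__ == "__main__":
    info = inspect_pem_certificate(CONSTRUCTED_PEM)
    print(f"DER bytes: {info['der_len']}")
    print(f"SHA-1 thumbprint  : {info['sha1']}")
    print(f"SHA-256 thumbprint: {info['sha256']}")
    print("truncated sample accepted?", is_valid_pem(CONSTRUCTED_PEM_TRUNCATED))
```

Run it against the real downloaded file by passing the file's contents to `inspect_pem_certificate`; a `ValueError` means the file was mangled in transit (wrong download format, stray characters from a copy/paste, or a truncated body) and should be re-downloaded rather than pasted into FMC.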

Configure the Secure Firewall VPN

Note: FMC Version 6.7 used for the certificate creation and then upgraded to 7.3 for the remaining configuration. Visually, the certificate enrollment screenshots may look different to version 7.0+ but the configuration is the same.

  • Access the Firepower Management Centre (FMC), navigate to Objects > PKI > Cert Enrollment and click ‘Add Cert Enrollment’ in the top right-hand corner
  • Give the certificate a name and select ‘Manual’ from the drop-down menu under CA Information. Open the Azure certificate which you downloaded earlier in Notepad and copy the contents into the CA Certificate field. Ensure that ‘CA Only’ and ‘Skip check for CA flag in basic constraints of the CA Certificate’ are selected. Once complete, save the configuration
  • On the same page, we will now repeat the last steps and add the certificate that will be used and presented to VPN users. In this example, I have already generated a CSR and signed the certificate that will be used for this demonstration. The file was added using the ‘PKCS#12’ option instead of the ‘Manual’ option but please use what option works best for you
  • Navigate to Devices > Certificates and click ‘Add’ in the top right-hand corner. Add both the Azure and the VPN certificate to the relevant FTD. Once added, you should see the Azure certificate is identified as a CA and the VPN certificate is identified as an Identity (ID) certificate
  • Navigate to Devices > Remote Access and click ‘Add’ in the top right-hand corner. We will now configure a new VPN along with the Connection Profile. This Connection Profile needs to match the name provided in the Azure SAML configuration that we completed earlier. Starting with step one of the wizard, give the VPN a name, select the relevant protocols and the target FTD for the VPN
  • On step two ensure that the connection profile name matches the name configured on the Azure tenant Entity ID and Consumer URL. Complete the following steps before proceeding to step three:
    • Authentication Method: SAML
    • Authentication Server: Click the ‘+’ sign to add a new one and complete the following steps:
      • Name: Give the authentication server a name
      • Identity Provider Entity ID: Copy the Azure AD Identifier from step four of the Azure SAML configuration
      • SSO URL: Copy the Login URL from step four of the Azure SAML configuration
      • Logout URL: Copy the Logout URL from step four of the Azure SAML configuration
      • Base URL: Enter the VPN FQDN as a URL. For example: https://yourfqdn.domain.com
      • Identity Provider Certificate: Select the Azure certificate
      • Service Provider Certificate: Select the VPN certificate
      • Request Timeout: 60
      • Request IdP re-authentication on Login: Deselect
    • SAML Authentication Experience: Default OS Browser. This will allow the OS browser to be used by default and allow for passwordless authentication. The default browser package should exist already but if not, you can download it here and add it on the Advanced page under Secure Client Images > Secure Client External Browser Package
    • Client & Address Assignment: This is dependent on the organisation so please configure what works for you
    • Group Policy: Use an existing Group Policy or create a new one that meets the requirements of your organisation
  • On step three, upload any necessary Cisco AnyConnect images
  • In step four, select the interface that will be used as the VPN termination point along with the VPN certificate. Decide whether you would like to control VPN traffic with Access Control Policies or not
  • Double-check your settings on the summary page and click ‘Finish’ to complete the VPN configuration
  • Deploy the configuration changes to the FTD
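The Azure Enterprise Application values (Identifier, Reply URL, Login URL, Azure AD Identifier, Logout URL) and the FTD connection profile / SAML server values must agree exactly, and a connection profile name that differs from the `tgname` in the Reply URL is the usual reason the SAML exchange fails after deployment. The Python check below serves both the Azure section above and the FTD SAML server step; it is an added example, not code from this article or from Cisco or Microsoft. It assumes the dictionary keys shown for each side, uses the URL templates from the article, and the tenant ID in the constructed sample is an all-zero placeholder.

```python
"""Consistency check for the Azure <-> FTD SAML pairing (added example, standard library only)."""
from urllib.parse import parse_qs, urlsplit


def sp_entity_id(fqdn: str, profile: str) -> str:
    """Identifier (Entity ID) the FTD derives from its FQDN and connection profile name."""
    return f"https://{fqdn}/saml/sp/metadata/{profile}"


def sp_acs_url(fqdn: str, profile: str) -> str:
    """Reply URL (Assertion Consumer Service URL); tgname is the connection profile name."""
    return f"https://{fqdn}/+CSCOE+/SAML/SP/ACS?tgname={profile}"


def check_saml_pairing(azure: dict, ftd: dict) -> list:
    """Compare what was entered in Azure with what was entered on the FTD.

    Returns a list of findings; an empty list means the two sides are consistent.
    """
    findings = []
    fqdn = ftd["vpn_fqdn"].strip().lower()
    profile = ftd["connection_profile"].strip()

    # 1. Entity ID on Azure must be exactly what the FTD will present.
    expected_id = sp_entity_id(fqdn, profile)
    if azure["identifier"].strip() != expected_id:
        findings.append(f"Identifier (Entity ID) is {azure['identifier']!r}, expected {expected_id!r}")

    # 2. Reply URL: check scheme, host, path and tgname separately so the finding names the bad part.
    reply = urlsplit(azure["reply_url"].strip())
    tgname = parse_qs(reply.query).get("tgname", [None])[0]
    if reply.scheme != "https":
        findings.append(f"Reply URL scheme is {reply.scheme!r}, must be https")
    if (reply.hostname or "") != fqdn:
        findings.append(f"Reply URL host {reply.hostname!r} does not match VPN FQDN {fqdn!r}")
    if reply.path != "/+CSCOE+/SAML/SP/ACS":
        findings.append(f"Reply URL path {reply.path!r} is not the FTD ACS path")
    if tgname != profile:
        findings.append(f"Reply URL tgname {tgname!r} does not match connection profile {profile!r}")

    # 3. Base URL on the FTD SAML server object must be the bare https FQDN.
    base = urlsplit(ftd["base_url"].strip())
    if base.scheme != "https" or base.hostname != fqdn or base.path not in ("", "/"):
        findings.append(f"Base URL {ftd['base_url']!r} should be https://{fqdn}")

    # 4. Values copied from Azure step 4 into the FTD SAML server must match verbatim.
    copied = (
        ("azure_ad_identifier", "idp_entity_id", "Identity Provider Entity ID"),
        ("login_url", "sso_url", "SSO URL"),
        ("logout_url", "logout_url", "Logout URL"),
    )
    for a_key, f_key, label in copied:
        if azure[a_key].strip() != ftd[f_key].strip():
            findings.append(f"{label} differs: Azure {azure[a_key]!r} vs FTD {ftd[f_key]!r}")
    return findings


# Constructed sample: the Reply URL was typed with an underscore instead of a hyphen.
_TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID, not a real one
CONSTRUCTED_AZURE = {
    "identifier": "https://securefw.networkwizkid.com/saml/sp/metadata/SAML-DEMO",
    "reply_url": "https://securefw.networkwizkid.com/+CSCOE+/SAML/SP/ACS?tgname=SAML_DEMO",
    "azure_ad_identifier": f"https://sts.windows.net/{_TENANT}/",
    "login_url": f"https://login.microsoftonline.com/{_TENANT}/saml2",
    "logout_url": f"https://login.microsoftonline.com/{_TENANT}/saml2",
}
CONSTRUCTED_FTD = {
    "vpn_fqdn": "securefw.networkwizkid.com",
    "connection_profile": "SAML-DEMO",
    "base_url": "https://securefw.networkwizkid.com",
    "idp_entity_id": f"https://sts.windows.net/{_TENANT}/",
    "sso_url": f"https://login.microsoftonline.com/{_TENANT}/saml2",
    "logout_url": f"https://login.microsoftonline.com/{_TENANT}/saml2",
}

if __name__ == "__main__":
    for line in check_saml_pairing(CONSTRUCTED_AZURE, CONSTRUCTED_FTD) or ["pairing is consistent"]:
        print(line)
```

Fill the two dictionaries from the Azure Single Sign-On page and the FTD SAML server object before deploying; every finding is something that would otherwise only surface as a failed login after the deployment.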

Duo Policy Configuration

  • In this demonstration, Duo is fully configured; however, I would like to highlight where to enable passwordless as an authentication method in the application policy. Within the policy applied to your application, navigate to Authenticators > Authentication Methods and enable the required passwordless methods. Once complete, save the policy

Testing

  • Open the AnyConnect client on your test machine and type in the FQDN for your newly created VPN. Upon connecting, you should be redirected to Microsoft via your external browser. If you are not redirected via the external browser but are redirected via the embedded browser, your FTD is not running a supported version or the external browser option has not been selected.
  • Enter your username and the user will be redirected to Duo SSO
  • If it's the first time the user is connecting they will be required to enter their username and password first. Enter the username and password
  • Once the correct credentials have been entered, if passwordless authentication is set as an authentication method in the Duo policy, the user will be presented with a screen asking them if they are ‘Tired of Passwords’. This is the start of passwordless self-enrollment. Press ‘Continue’ to proceed with the passwordless setup
  • The user is presented a number of available options for passwordless. In this demonstration we have used a Yubikey security key. Select the option that is relevant for your environment
  • Follow the steps on the next screen
  • Press ‘OK’ and touch the Security Key
  • The security key has now been added, click ‘Continue’
  • Passwordless setup is now complete and the user has now enrolled their security key for passwordless authentication. Click ‘Done’
  • The next time the user logs in they are not required to enter their password again. Click ‘Log In’
  • Complete the passwordless login process by touching the security key and entering the Windows PIN if required
  • Once complete you will be connected to the VPN
  • On the Firewall Management Center, navigate to Overview > Remote Access VPN and validate the connection
  • With access to the Azure tenant, navigate to Enterprise Applications > Sign-in Logs and validate the connection
  • With access to Cisco Duo, navigate to Reports > Authentication Logs and validate that passwordless authentication was used

Additional Notes

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelor's and Master's degree in both Computer Networks and Cyber Security.
