Enabling Cisco VPN within Defender for Identity.
Hi
We are deploying Defender for Identity and would like to integrate our Cisco Firepower VPN connections. I know that we are using AD certificate services to authenticate our AD users using AnyConnect. We don't use SSL VPN connections.
Can't seem to find any resources online.
Any suggestions/solutions?
Thanks
ASKER
Ok thanks. So we require an RRAS server/service to be installed and configure RADIUS server? Thereafter the Cisco ASA can pass this traffic onto the RADIUS box and the RADIUS box can send the logs via the defender for identity service to the defender cloud?
Thanks
NPS will forward the log to Active Directory with a preshared key, so it will be detected by Defender for Identity.
ASKER
We are already using LDAPs with Certificate Services for authenticating the VPN connection from the Cisco to our AD environment. All I require is the VPN integration, but I do not understand how RADIUS fits here?
ASKER
Any further update? Do I need to install NPS to get RADIUS accounting? Also, as we are already and only using the Certificate Services role with LDAPs, will this new role have any effect?
I know it is confusing.
In the Microsoft world, VPN integration only works with NPS (Network Policy Server) - RADIUS.
While you are getting your Cisco VPN using LDAPS, that means it is using a different method that Microsoft can consume.
LDAPS is closely monitored and logged within AD; it just does not appear as VPN.
ASKER
So in order to get RADIUS installed and to use the accounting for the Cisco VPN, I need to install which role/feature (without affecting any existing VPN config)?
Hi, I just want to ENSURE we are on the same page.
You want to change your Cisco VPN configuration from LDAPS to RADIUS just to use this setting?
If so,
You need to install the NPS feature
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-install
and then configure your Firepower to use RADIUS (this will need to affect the existing VPN).
But my question is WHY change from LDAPS to RADIUS,
just because Microsoft Secure says you should?
You now have an additional thing to configure (NPS) and maintain.
I will basically just skip it and explain to the business rather than make the required changes.
ASKER
No, we want to just forward the event logs from the Cisco to the RADIUS server(s), and these servers are to be pointed into the Defender for Cloud portal to audit the VPN activity.
Leave the existing authentication of Cisco AnyConnect to use LDAPs, which has the Certificate Services role already installed and configured accordingly.
In this case no, Defender for Identity won't work the way you intend if you don't intend to change your Cisco AnyConnect to use RADIUS.
It is the technology you are thinking of.
Defender for Identity only audits RADIUS servers; other LDAP authentication (just not under the name of VPN) still gets logged in Defender for Identity.
So it is currently working as intended.
The Defender for Identity VPN integration is for RADIUS only.
You can keep reading the Microsoft article; it all says RADIUS integration.
https://learn.microsoft.com/en-us/defender-for-identity/vpn-integration
ASKER
Ok, so I understand this: as we are using LDAPs with AD and CA on premises and the Cisco is authenticating with these components, adding RRAS and RADIUS will make no difference, as the events are not generated by NPS?
Exactly.
Adding RRAS and RADIUS but not using it (diverting to use RADIUS) will not help in the Defender for Identity context.
ASKER
Ok thanks. How do I find VPN information within Defender, if at all possible?
Depends on your luck.
If you log on to https://portal.atp.azure.com/
it will show all the history of the device and LDAP authentication (not VPN).
However, I know Microsoft has started to remove that page and force you to security.microsoft.com.
The old portal shows a clear and easy to understand timeline, log and directory history. The new portal seems to have only the "activity log" view with filters. Most of the information does not make sense, but it is detected for sure, just not surfaced.
You can use the filter (after reading the article below) for any successful and failed logins.
ASKER
Thanks, yes I can see the activity logs but nothing in there regarding LDAPs.
https://learn.microsoft.com/en-us/defender-for-identity/vpn-integration
This is the VPN integration and it is via RADIUS AAA.
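To make concrete what "RADIUS accounting" means for the VPN integration discussed above, here is an added example (not from this thread, nor Microsoft's or Cisco's code) that builds an RFC 2866 Accounting-Request Start record as a VPN concentrator would send it, and parses it the way a receiver must: validating the Request Authenticator against the preshared key before trusting the user/IP mapping. The user name, IP, session ID and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)
# Attribute types used here (RFC 2865/2866)
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _attr(attr_type, value):
    """Encode one TLV attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_acct_request(secret, ident, user, ip, status, session_id):
    """Build an Accounting-Request as the VPN device (RADIUS client) would."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP, bytes(int(o) for o in ip.split(".")))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + b"\0" * 16 + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_request(secret, pkt):
    """Validate and decode an Accounting-Request; None if invalid or unauthenticated."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    auth, attrs = pkt[4:20], pkt[20:length]
    expected = hashlib.md5(pkt[:4] + b"\0" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return None  # wrong shared secret or tampered packet: do not trust it
    record, pos = {"id": ident}, 0
    while pos < len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 3 or pos + attr_len > len(attrs):
            return None  # malformed attribute length
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            record["user"] = value.decode()
        elif attr_type == FRAMED_IP and len(value) == 4:
            record["ip"] = ".".join(str(b) for b in value)
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            record["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "?")
        elif attr_type == ACCT_SESSION_ID:
            record["session"] = value.decode()
        pos += attr_len
    return record
```

The user-to-IP mapping in the decoded Start record is exactly what the integration consumes; an LDAPS bind from the same client never carries it, which is why the thread's conclusion holds.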