CHI-LTD (United Kingdom of Great Britain and Northern Ireland) asked:

Enabling Cisco VPN within Defender for Identity.

Hi


We are deploying Defender for Identity and would like to integrate our Cisco Firepower VPN connections. I know that we are using AD Certificate Services to authenticate our AD users using AnyConnect. We don't use SSL VPN connections.


Can't seem to find any resources online.


Any suggestions/solutions?


Thanks  


Jian An Lim (Australia)

https://learn.microsoft.com/en-us/defender-for-identity/vpn-integration


This is the VPN integration, and it is via RADIUS AAA.


CHI-LTD (ASKER)

Ok thanks. So we require an RRAS server/service to be installed and a RADIUS server configured? Thereafter the Cisco ASA can pass this traffic on to the RADIUS box, and the RADIUS box can send the logs via the Defender for Identity service to the Defender cloud?


Thanks


NPS will forward the log to Active Directory with a preshared key, so it will be detected by Defender for Identity.

CHI-LTD (ASKER)

We are already using LDAPS with Certificate Services for authenticating the VPN connection from the Cisco to our AD environment. All I require is the VPN integration, but I do not understand how RADIUS fits in here.

CHI-LTD (ASKER)

Any further update? Do I need to install NPS to get RADIUS accounting? Also, as we are already and only using the Certificate Services role with LDAPS, will this new role have any effect?

I know it is confusing.

In the Microsoft world, VPN integration only works with NPS (Network Policy Server), i.e. RADIUS.


While your Cisco VPN is using LDAPS, that means it is using a different method than the one Microsoft can consume.


LDAPS is closely monitored and logged within AD; it just does not appear as VPN.





CHI-LTD (ASKER)

So in order to get RADIUS installed and to use the accounting for the Cisco VPN, I need to install which role/feature (without affecting any existing VPN config)?

Hi, I just want to ENSURE we are on the same page.


You want to change your Cisco VPN configuration from LDAPS to RADIUS just to use this setting?


If so,

you need to install the NPS feature:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-install


and then configure your Firepower to use RADIUS (this will need to affect the existing VPN):


https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/217437-configure-ftd-remote-access-vpn-with-msc.html



But my question is WHY change from LDAPS to RADIUS

just because Microsoft Secure says you should?

You now have an additional thing to configure (NPS) and maintain.


I will basically just skip it and explain to the business rather than make the required changes.




CHI-LTD (ASKER)

No, we want to just forward the event logs from the Cisco to the RADIUS server(s), and these servers are to be pointed at the Defender for Cloud portal to audit the VPN activity.


Leave the existing authentication of Cisco AnyConnect using LDAPS, which has the Certificate Services role already installed and configured accordingly.

In this case, no, Defender for Identity won't work the way you intend if you don't intend to change your Cisco AnyConnect to use RADIUS.


It is the technology you are thinking of.


Defender for Identity only audits RADIUS servers, and other LDAP authentication (just not in the name of VPN) still gets logged in Defender for Identity.

So it is currently working as intended.


The Defender for Identity VPN integration is for RADIUS only.



You can keep reading the Microsoft article; it all says RADIUS integration:

https://learn.microsoft.com/en-us/defender-for-identity/vpn-integration
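The thread keeps coming back to one point: the Defender for Identity VPN integration consumes RADIUS accounting, which the VPN gateway sends with a pre-shared key. The example below is added here to make that concrete; it is not code from the thread, from Microsoft or from Cisco. It frames a RADIUS Accounting-Request as RFC 2866 defines it, validates the Request Authenticator with the shared key (which is what lets a listener discard records from a sender that does not hold the key), and decodes the fields an accounting consumer uses: the user, the VPN gateway, the client's public address and the address assigned to the tunnel. Every name, address and the secret are constructed for illustration, and the code does not claim to reproduce how the Defender for Identity sensor itself parses the records.

```python
"""Added example (not from the thread): build, validate and parse a RADIUS
Accounting-Request per RFC 2866, the record type a VPN gateway sends to a
RADIUS accounting listener. All values are constructed for illustration."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
HEADER_LEN = 20                 # code(1) + id(1) + length(2) + authenticator(16)

# Attribute types used here (RFC 2865/2866 numbers).
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
ATTR_NAMES = {USER_NAME: "User-Name", NAS_IP_ADDRESS: "NAS-IP-Address",
              FRAMED_IP_ADDRESS: "Framed-IP-Address",
              CALLING_STATION_ID: "Calling-Station-Id",
              ACCT_STATUS_TYPE: "Acct-Status-Type",
              ACCT_SESSION_ID: "Acct-Session-Id"}
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def encode_attr(atype: int, value) -> bytes:
    """Encode one attribute as Type | Length | Value (length counts the 2-byte header)."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Frame an Accounting-Request. RFC 2866 defines the Request Authenticator as
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the configured pre-shared key.
    A record from a sender without the key, or altered in transit, fails here
    and should be dropped by the listener rather than logged."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list and decode who connected, from where, and
    which tunnel address they were given; malformed lengths raise."""
    out, i = {}, HEADER_LEN
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        raw = packet[i + 2:i + alen]
        if atype in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE) and len(raw) != 4:
            raise ValueError("4-byte attribute with wrong length")
        if atype in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS):
            value = str(IPv4Address(raw))
        elif atype == ACCT_STATUS_TYPE:
            value = STATUS_NAMES.get(struct.unpack("!I", raw)[0], "Unknown")
        else:
            value = raw.decode(errors="replace")
        out[ATTR_NAMES.get(atype, f"Attr-{atype}")] = value
        i += alen
    return out


SHARED_SECRET = b"constructed-shared-secret"   # placeholder, not a real key


def sample_start_record() -> bytes:
    """Constructed Accounting-Request 'Start' for a VPN user (all values made up)."""
    attrs = b"".join([
        encode_attr(USER_NAME, "CONTOSO\\jdoe"),
        encode_attr(ACCT_STATUS_TYPE, 1),                                   # Start
        encode_attr(NAS_IP_ADDRESS, IPv4Address("192.0.2.10").packed),      # VPN gateway
        encode_attr(FRAMED_IP_ADDRESS, IPv4Address("10.10.20.5").packed),   # tunnel address
        encode_attr(CALLING_STATION_ID, "203.0.113.7"),                     # client public IP
        encode_attr(ACCT_SESSION_ID, "0001A2B3"),
    ])
    return build_accounting_request(identifier=7, attrs=attrs, secret=SHARED_SECRET)


if __name__ == "__main__":
    pkt = sample_start_record()
    print("valid with correct secret:", verify_accounting_request(pkt, SHARED_SECRET))
    print("valid with wrong secret:  ", verify_accounting_request(pkt, b"wrong"))
    print(parse_attributes(pkt))
```

The authenticator check is the reason the integration needs a shared secret at all: without it, anything on the network that can reach the accounting port could inject "Start" records naming arbitrary users and addresses, and the resulting timeline would be untrustworthy. This is also why the thread's conclusion holds: an LDAPS-authenticated AnyConnect session never produces one of these records, so there is nothing for the VPN integration to consume until the gateway is configured to send accounting.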




CHI-LTD (ASKER)

Ok, so I understand this: as we are using LDAPS with AD and a CA on premise and the Cisco is authenticating with these components, adding RRAS and RADIUS will make no difference, as the events are not generated by NPS?

Exactly.

Adding RRAS and RADIUS but not using them (diverting to use RADIUS) will not help in the Defender for Identity context.


CHI-LTD (ASKER)

Ok thanks. How do I find VPN information within Defender, if at all possible?

Depends on your luck.

If you log on to https://portal.atp.azure.com/

it will show all the history of the device and LDAP authentication (not VPN).

However, I know Microsoft has started to remove that page and force users to security.microsoft.com.


The old portal shows a clear and easy to understand timeline, log and directory history. The new portal seems to have only the "activity log" view with filters. Most of the information does not make sense, but it is detected for sure, just not surfaced.


You can use the filter (after reading the article below) for any successful and failed logins:


https://learn.microsoft.com/en-us/defender-for-identity/monitored-activities#monitored-user-activities-login-operations



CHI-LTD (ASKER)

Thanks, yes I can see the activity logs but nothing in there regarding LDAPS.

ASKER CERTIFIED SOLUTION
Jian An Lim (Australia)