4.8.2. Third-Party VPN

This section describes a use case in which users connect through a third-party VPN gateway and certain requirements of the connecting device are validated before access to the internal network resources is granted.

To do this we use the ON Captive module with the guest profiling workflow (Profile-Based Workflow).

4.8.2.1. Flow

An external user connects to a VPN gateway (independent of the OpenNAC Enterprise solution). When the user tries to access internal resources through the internal firewall, the connection is redirected to the Captive Portal, where it is evaluated.

The Captive Portal interacts with ON Core, which instructs the internal firewall to grant or deny access to the internal resources.

../../_images/vpn_flows.png


Note

If the portal is accessed from a device for which no agent is available (e.g. Android), the tag ONC_AGENT_UNAVAILABLE is assigned and the captive portal flow is terminated.

To control these devices, a corresponding policy has to be created.

4.8.2.2. Steps to reproduce

1. Connect to your corporate VPN using your corporate credentials.

../../_images/openvpn_login.png


2. Once authenticated, when you try to access your corporate resources via web, you will be presented with a link that redirects you to the ON Captive Portal.

../../_images/web_1.png


3. In the Captive Portal workflow, you will be required to accept the privacy terms and policies and log in.

../../_images/captive_portal_1.png


4. The Captive Portal then checks whether the device already has the Agent installed:

../../_images/captive_portal_2.png


4.1. If it does, the Profile evaluation starts and sends a payload to OpenNAC:

../../_images/captive_portal_2a.png


4.2. If it does not, the Soluble Agent download is triggered:

../../_images/captive_portal_2b.png


5. Download the Soluble Agent, run the executable file and accept the license:

../../_images/onagent_1.png


../../_images/onagent_2.png


../../_images/onagent_3.png


6. Once the process has finished (it takes a few seconds), the agent sends the payload to ON Core. The web browser is refreshed and you are granted access to the corporate services.

../../_images/captive_portal_3.png


4.8.2.3. Validate the access

On the OpenNAC Enterprise Web Administration Portal, go to the corresponding Business Profile.

../../_images/bp_view.png


As we can see, the profile “ocf” is in the “VPN 3rd Party Posture” policy. Expanding the entry reveals further information, including tags such as:

../../_images/bp_tags.png


  • The Captive Workflow (CWF_VPN_ACCESS)

  • The Operating System (DOS_WINDOWS_10)

  • The installed OpenNAC components

  • The applications and their security patches

  • etc.

The ONC_AUTHORIZATION_DENIED tag will be added when a user enters a quarantine policy during a Captive workflow.

Clicking on the policy eye icon shows more information about the authorization steps.

../../_images/bp_policy_eye.png


In the “PLUGIN” section the source module is shown as “fortiGateAccounting”, since this plugin is the means by which ON Core interacts with the firewall.

../../_images/bp_plugin.png


4.8.2.4. Policy Configuration

For a connection to match this policy:

  • In Preconditions: User Devices, set the VPN Access Workflow with the CWF_VPN_ACCESS tag

../../_images/preconditions_user_device.png


  • In Preconditions: Sources, the Visibility flag must be enabled

../../_images/preconditions_sources1.png


  • In Postconditions:

../../_images/postconditions2.png


  • VLAN: select the Switch Default VLAN, since this flow does not interact with any Layer 3 device.

  • Plugins: add the fortiGateAccounting plugin with a custom param specifying the user group it must write so that the connection is accepted by the Fortinet policy.

4.8.2.5. UD Tag policies Configuration

To classify devices as compliant in this use case, we need to create the EPC_COMPLIANCE tag with our own compliance restrictions.

To do so, go to ON NAC -> Tag policies -> UD Tag policies and create the tag.

../../_images/ud_tag_policy_epc_compliance.png


4.8.2.6. Monitoring

The Third Party VPN dashboard displays all the events related to the Third Party VPN use case.

../../_images/2sra_third_party_vpn_1.png


  • Total third party VPN connections: Metric showing the total number of third-party VPN connections. Includes both compliant and non-compliant connections.

  • Total third party VPN compliance connections: Metric showing the total number of compliant third-party VPN connections.

  • Total third party VPN no compliance connections: Metric showing the total number of non-compliant third-party VPN connections.

  • Total third party VPN unique devices: Metric showing the total number of unique devices seen on the third-party VPN. Includes both compliant and non-compliant devices.

  • Total third party VPN unique compliance devices: Metric showing the total number of unique compliant devices seen on the third-party VPN.

  • Total third party VPN unique no compliance devices: Metric showing the total number of unique non-compliant devices seen on the third-party VPN.

  • Total third party VPN unique devices OS distribution: Pie chart showing the distribution of installed operating systems across unique third-party VPN devices.

  • Total third party VPN connections time distribution: Histogram showing the time evolution of the total third-party VPN connections. The bar stacks are segmented by compliance status.

../../_images/2sra_third_party_vpn_2.png


  • Total third party VPN connections details: Table showing the following information about third-party VPN connections: dates, device info (MAC, IP, hostname and type), user and policy result.
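The following is an added example, not OpenNAC code, that models the tag-driven decision described in the Policy Configuration and UD Tag policies sections and then derives the dashboard figures listed above from a few constructed connection records. The tag names (CWF_VPN_ACCESS, EPC_COMPLIANCE, ONC_AGENT_UNAVAILABLE, ONC_AUTHORIZATION_DENIED, DOS_WINDOWS_10) come from the page; the record layout, the DOS_ANDROID tag, the Fortinet user group name, the quarantine policy name and the sample data are assumptions made for the illustration. It also makes explicit a point the metric definitions only imply: the same device can appear in both the unique compliant and unique non-compliant figures.

```python
# Added example (not OpenNAC code): simulates the "VPN 3rd Party Posture" decision
# and builds the Third Party VPN dashboard metrics from constructed records.
from collections import Counter
from dataclasses import dataclass

# Tag names taken from the page.
CWF_VPN_ACCESS = "CWF_VPN_ACCESS"
EPC_COMPLIANCE = "EPC_COMPLIANCE"
ONC_AGENT_UNAVAILABLE = "ONC_AGENT_UNAVAILABLE"
ONC_AUTHORIZATION_DENIED = "ONC_AUTHORIZATION_DENIED"

# Assumed values: the user group written through the fortiGateAccounting custom
# param, the posture policy name shown on the page and a hypothetical quarantine policy.
COMPLIANT_GROUP = "vpn-compliant"
POSTURE_POLICY = "VPN 3rd Party Posture"
QUARANTINE_POLICY = "VPN 3rd Party Quarantine"


@dataclass
class Connection:
    """One captive-portal evaluation of a VPN client (assumed record layout)."""
    date: str
    mac: str
    ip: str
    hostname: str
    device_type: str
    user: str
    tags: set
    source_visibility: bool = True  # Preconditions: Sources -> Visibility flag


def evaluate(conn):
    """Return (policy_result, firewall_group) for a connection.

    Adds ONC_AUTHORIZATION_DENIED to conn.tags when the device lands in
    quarantine, as described in "Validate the access". Idempotent.
    """
    # No agent for this platform: the captive flow ends, nothing is written to the firewall.
    if ONC_AGENT_UNAVAILABLE in conn.tags:
        return "AGENT_UNAVAILABLE", None
    # Preconditions of the posture policy: captive workflow tag and visibility flag.
    if CWF_VPN_ACCESS not in conn.tags or not conn.source_visibility:
        return "NO_MATCH", None
    # Postcondition: compliant devices get the Fortinet user group; the rest are quarantined.
    if EPC_COMPLIANCE in conn.tags:
        return POSTURE_POLICY, COMPLIANT_GROUP
    conn.tags.add(ONC_AUTHORIZATION_DENIED)
    return QUARANTINE_POLICY, None


def os_of(conn):
    """Return the DOS_* operating-system tag of a connection, or 'UNKNOWN'."""
    return next((t for t in sorted(conn.tags) if t.startswith("DOS_")), "UNKNOWN")


def dashboard(conns):
    """Compute the Third Party VPN dashboard figures.

    A connection is compliant when it matched the posture policy; everything
    else (quarantine, agent unavailable, no match) is counted as non-compliant
    here, which is an assumption. Unique figures are keyed by MAC, so a device
    quarantined once and accepted later appears in both unique subsets.
    """
    results = [(c, evaluate(c)[0]) for c in conns]
    compliant = [c for c, r in results if r == POSTURE_POLICY]
    non_compliant = [c for c, r in results if r != POSTURE_POLICY]
    last_seen = {c.mac: c for c in conns}  # one record per unique device
    return {
        "connections": len(conns),
        "compliant_connections": len(compliant),
        "no_compliance_connections": len(non_compliant),
        "unique_devices": len(last_seen),
        "unique_compliant_devices": len({c.mac for c in compliant}),
        "unique_no_compliance_devices": len({c.mac for c in non_compliant}),
        "os_distribution": dict(Counter(os_of(c) for c in last_seen.values())),
        "details": [(c.date, c.mac, c.ip, c.hostname, c.device_type, c.user, r)
                    for c, r in results],
    }


# Constructed sample data: three devices, one of which is evaluated twice.
SAMPLE = [
    Connection("2024-01-10 09:00", "aa:bb:cc:00:00:01", "10.8.0.10", "win-laptop-1",
               "Laptop", "alice", {CWF_VPN_ACCESS, "DOS_WINDOWS_10", EPC_COMPLIANCE}),
    Connection("2024-01-10 09:05", "aa:bb:cc:00:00:02", "10.8.0.11", "win-laptop-2",
               "Laptop", "bob", {CWF_VPN_ACCESS, "DOS_WINDOWS_10"}),  # agent ran, not compliant
    Connection("2024-01-10 10:30", "aa:bb:cc:00:00:02", "10.8.0.11", "win-laptop-2",
               "Laptop", "bob", {CWF_VPN_ACCESS, "DOS_WINDOWS_10", EPC_COMPLIANCE}),  # patched
    Connection("2024-01-10 11:00", "aa:bb:cc:00:00:03", "10.8.0.12", "android-1",
               "Mobile", "carol", {CWF_VPN_ACCESS, "DOS_ANDROID", ONC_AGENT_UNAVAILABLE}),
]

if __name__ == "__main__":
    for key, value in dashboard(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the block prints 4 connections, 2 compliant and 2 non-compliant, but only 3 unique devices, with win-laptop-2 counted under both unique compliant and unique non-compliant devices; bob's first record also carries ONC_AUTHORIZATION_DENIED after evaluation.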