AnyConnect and Aladdin eToken authentication

Answered Question
Mar 15th, 2010

Hi all!


Part One

I have successfully set up AnyConnect VPN into our c2821 using MS Active Directory & Cisco Secure ACS v.4.2 RADIUS server authentication for Windows clients.

I have successfully set up authentication into Windows using Aladdin eToken and Smartcard Logon Certificate (Microsoft CA Connector).

I have successfully got User Certificate from Microsoft CA into eToken store.


I would like someone to answer the following: how can I use this certificate to authenticate the VPN session over AnyConnect?


Part Two

I have tried to customize local AnyConnect profile by using Cisco AnyConnect Profile Editor. The only result: changed Default Username and Default Host. All other customizations were ignored.

Here is my profile:


<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
    <ClientInitialization>
        <DefaultUser>one</DefaultUser>
        <DefaultSecondUser></DefaultSecondUser>
        <ClientCertificateThumbprint>omitted</ClientCertificateThumbprint>

        <ServerCertificateThumbprint>omitted</ServerCertificateThumbprint>
        <DefaultHost>omitted</DefaultHost>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>true</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="true">false</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="true">Automatic
            <PPPExclusionServerIP UserControllable="true"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="true">false</EnableScripting>
    </ClientInitialization>
</AnyConnectProfile>


Does anyone have any ideas?

Vadim Gavrilov Tue, 03/16/2010 - 00:38

Hi all!


I was completely wrong in Part Two: this profile is one great mistake.

But.

I know about three locations, where AnyConnect places configuration files.

  1. C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile - ac-profile.xml
  2. C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client - preferences.xml
  3. C:\Documents and Settings\LOCAL_USER_NAME\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client - preferences.xml


The third location unambiguously contains the current user profile - I can edit it and see the differences when AnyConnect starts. But any manipulations with any profiles in the 1st and 2nd locations do not change anything. So I cannot control AnyConnect parameters via profiles.


Please tell me - is it possible to control AnyConnect parameters locally?

Correct Answer
ksirupa Wed, 03/17/2010 - 21:58
User Badges:
  • Silver, 250 points or more

Hi,


You can control the AnyConnect session parameters only if the administrator enabled/checked "User Controllable" for each individual XML attribute. For those that are User Controllable, the user should be able to click on the "Settings" button right next to the Server drop-down box.


On the other hand, if you manually edit the XML file on the client's local PC, the next time AnyConnect connects, it will download the original version from the ASA and compare it with the local XML file. If the checksums don't match, it will overwrite the local XML file with the newly downloaded XML file.


You can modify the preferences.xml file, and as you found out, AnyConnect will honor your changes. But the profile has most of the security settings such as Local LAN Access, Start Before Logon, Auto Reconnect etc.


Thanks,

Kiran
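To make the answer above concrete, here is a small audit script (an added example, not code from the thread or from Cisco) that parses an AnyConnect profile and reports which settings carry `UserControllable="true"` (changeable by the end user through the Settings button) and which are locked by the administrator. It also models the headend-versus-local comparison ksirupa describes; the thread does not state which checksum AnyConnect uses, so SHA-256 is assumed here purely as a stand-in. The embedded profile is a constructed sample modelled on the one posted in the question, not the poster's actual file.

```python
"""Audit which AnyConnect profile settings a user may change locally.

Added example: parses an AnyConnectProfile XML document and separates
UserControllable settings from administrator-locked ones.  The digest
comparison assumes SHA-256 only as an illustration; the real client's
checksum algorithm is not documented in the thread.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample profile, modelled on the one posted in the question.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
    <ClientInitialization>
        <DefaultUser>one</DefaultUser>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <CertificateStore>All</CertificateStore>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
        <EnableScripting UserControllable="true">false</EnableScripting>
    </ClientInitialization>
</AnyConnectProfile>
"""


def profile_settings(xml_bytes):
    """Return {element_name: (value, user_controllable)} for every element
    below <ClientInitialization>.  A missing UserControllable attribute is
    treated as "false", i.e. locked by the administrator."""
    root = ET.fromstring(xml_bytes)
    init = root.find("ClientInitialization")
    if init is None:
        raise ValueError("no <ClientInitialization> section in profile")
    settings = {}
    for elem in init.iter():
        if elem is init:
            continue
        # Elements such as <AutoReconnect> carry a value *and* child elements,
        # so strip surrounding whitespace from the mixed-content text.
        value = (elem.text or "").strip()
        controllable = elem.get("UserControllable", "false").lower() == "true"
        settings[elem.tag] = (value, controllable)
    return settings


def user_controllable(xml_bytes):
    """Names of settings the end user may change via the Settings button."""
    return sorted(n for n, (_, uc) in profile_settings(xml_bytes).items() if uc)


def locked_settings(xml_bytes):
    """Names of settings only the administrator can change on the ASA."""
    return sorted(n for n, (_, uc) in profile_settings(xml_bytes).items() if not uc)


def profile_digest(xml_bytes):
    """Illustrative digest (SHA-256 assumed) of a profile as served or stored."""
    return hashlib.sha256(xml_bytes).hexdigest()


def local_copy_will_be_replaced(asa_profile, local_profile):
    """True when a locally edited profile no longer matches the headend copy,
    which is the case in which the client overwrites the local file."""
    return profile_digest(asa_profile) != profile_digest(local_profile)


if __name__ == "__main__":
    print("user-controllable:", user_controllable(SAMPLE_PROFILE))
    print("locked by admin:  ", locked_settings(SAMPLE_PROFILE))
    edited = SAMPLE_PROFILE.replace(
        b'<LocalLanAccess UserControllable="false">false',
        b'<LocalLanAccess UserControllable="false">true')
    print("edited copy replaced on next connect:",
          local_copy_will_be_replaced(SAMPLE_PROFILE, edited))
```

Run against a real profile by reading the bytes of ac-profile.xml from the Profile directory instead of `SAMPLE_PROFILE`; any security-relevant setting that appears under "locked by admin" (LocalLanAccess, RSASecurIDIntegration, CertificateStore in the sample) is exactly the set a local edit cannot change persistently, because the headend copy wins on the next connection.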

Vadim Gavrilov Thu, 03/18/2010 - 01:24

2 ksirupa:


Thanks a lot - I've understood the profile situation. Profile is really controllable only on ASA under administrator's account.

Confirmed.

Vadim Gavrilov Thu, 03/18/2010 - 01:42

Part One


It cannot be solved on C2821. At all.

But I've tried to do it using ASA 5500 with ASDM and after a couple of hours was completely successful.



Part Two


The AnyConnect configuration profile cannot be controlled locally. Any modifications must be done on the ASA, and then the client can download the profile and use it.


Thanks to all.
