
Ask the Expert: AnyConnect Secure Mobility

Mar 22nd, 2013

AnyConnect Secure Mobility with Ameet Kulkarni

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about AnyConnect Secure Mobility with Cisco expert Ameet Kulkarni. Learn about the various aspects of AnyConnect Secure Mobility such as HostScan, Client and Clientless based remote access, policies, and more.

Ameet Kulkarni is a product manager within the Secure Access and Mobility Product Group. His areas of expertise revolve around AnyConnect & ISE with a focus on posture assessment and profiler technologies. Kulkarni has managed multiple products over his career in VoIP and Security industries. He is an engineer by education with a Master of Science in Telecommunication. He has had a broad exposure in software development, solution architecture, program management and product management.

Remember to use the rating system to let Ameet know if you have received an adequate response.

Ameet might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub community shortly after the event. This event lasts through April 5, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

john.ebrahim83 Mon, 03/25/2013 - 23:04

AnyConnect user automatic group-policy and tunnel-group assignment without selecting any group-alias from the tunnel-group-list.

The objective is that the AnyConnect user doesn't have to select a group-alias, so when a user enters their username and password it should go to its specific tunnel-group and group-policy. As I have removed this command in webvpn ("no tunnel-group-list enable"), after doing this I cannot log in (the user does not authenticate).

1- My question is why it's not happening?

Solution:

If I keep only one default tunnel-group and make multiple group-policies and assign each user its specific group-policy, then it works. That means if in the user attributes I only issue the following commands then it works, but if I put "group-lock value test-tunnel" then it does not log in.

Why is that so? Can we have only one tunnel in this case?

    webvpn
     enable outside
     cache-fs limit 50
     svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
     svc enable
    group-policy test-gp internal
    group-policy test-gp attributes
     vpn-tunnel-protocol svc webvpn
     address-pools value test-pool
    username test password test
    username test attributes
     vpn-tunnel-protocol svc
     group-lock value test-tunnel
     vpn-group-policy test-gp
    tunnel-group test-tunnel type remote-access
    tunnel-group test-tunnel general-attributes
     default-group-policy test-gp
    tunnel-group test-tunnel webvpn-attributes
     group-url https://192.168.168.2/test enable

john.ventura73 Wed, 03/27/2013 - 08:35

Can the Cisco Adaptive Security Appliance be connected to a RADIUS infrastructure to authenticate users?

amekulka Wed, 03/27/2013 - 16:06

Yes, the ASA can be connected to a RADIUS server for authentication purposes. It is quite common.

MohammadAli89 Wed, 03/27/2013 - 16:09

Hi,

What is the required knowledge to achieve CCNP Security? In which order should I start to study? What comes first, CCNP R&S or CCNP Security? When can I start with CCNA Security? I need some information; please do the needful for me and tell me how to start. Is it true that I need to know how to install before securing it? I got some info from some sources which told me that I need to study CCNP R&S before CCNP Security, because before securing it is necessary to know how to install. Is it true?

Thanks

john.ebrahim83 Wed, 03/27/2013 - 23:03

Thanks Ameet for enlightening me on the above issue. But still, in the user attributes, if I map a user "testuser" with a tunnel-group ("group-lock test-tunnel") and a group-policy ("vpn-group-policy test policy") then it does not log in. If I remove group-lock it works. So why has Cisco added group-lock in the user attributes, what is the purpose? I need to understand it in detail please.

amekulka Thu, 03/28/2013 - 14:11

John, what you are doing is locking the user to the tunnel group. So for the user to connect, you need to use group URL or pull down or certificate matching. When you remove the group-lock, the user goes into the default tunnel group and is probably hitting the default group policy that you have set up and hence is logging in.

Tunnel Group Lock is a simple check to validate that the Tunnel Group (aka ASDM Connection Profile) you connect with matches what you have defined under the group-policy. If the Tunnel-Group-Lock value matches (true condition), the VPN remote access session is allowed to set up; otherwise the session is not allowed to establish.
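To make the behaviour John ran into concrete, here is a simplified model of the two steps the answer describes: the ASA first picks a connection profile (tunnel-group) for the login, then compares it with the user's group-lock. This is an added example written for this thread, not ASA code; the selection order (group-url match, then drop-down alias when the tunnel-group-list is enabled, then the default profile) and the profile name DefaultWEBVPNGroup are assumptions simplified from the thread, and the config objects mirror John's posted configuration.

```python
"""Model of ASA tunnel-group selection followed by the per-user group-lock check.
Added example, not ASA code; selection order is a simplified assumption."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"  # assumed name of the fallback profile


@dataclass
class TunnelGroup:
    name: str
    group_url: Optional[str] = None   # tunnel-group <tg> webvpn-attributes / group-url
    alias: Optional[str] = None       # group-alias shown in the client's drop-down


@dataclass
class UserAttributes:
    username: str
    group_lock: Optional[str] = None  # username <u> attributes / group-lock value <tg>


@dataclass
class AsaConfig:
    tunnel_groups: dict
    users: dict
    tunnel_group_list_enabled: bool = True  # webvpn / tunnel-group-list enable


def select_tunnel_group(cfg: AsaConfig, url: str, alias: Optional[str] = None) -> str:
    """group-url wins; a drop-down alias only counts while the list is enabled;
    otherwise the login lands in the default profile."""
    for tg in cfg.tunnel_groups.values():
        if tg.group_url and url.lower().rstrip("/") == tg.group_url.lower().rstrip("/"):
            return tg.name
    if cfg.tunnel_group_list_enabled and alias:
        for tg in cfg.tunnel_groups.values():
            if tg.alias == alias:
                return tg.name
    return DEFAULT_TUNNEL_GROUP


def login(cfg: AsaConfig, username: str, url: str, alias: Optional[str] = None) -> Tuple[bool, str, str]:
    """Return (allowed, tunnel_group, reason). A group-lock that names a different
    tunnel-group than the one selected rejects the session, as the answer explains."""
    tg = select_tunnel_group(cfg, url, alias)
    user = cfg.users.get(username)
    if user is None:
        return False, tg, "unknown user"
    if user.group_lock and user.group_lock != tg:
        return False, tg, f"group-lock {user.group_lock} does not match {tg}"
    return True, tg, "ok"


def thread_config(with_group_lock: bool = True) -> AsaConfig:
    """John's configuration: tunnel-group-list disabled, group-url on test-tunnel."""
    lock = "test-tunnel" if with_group_lock else None
    return AsaConfig(
        tunnel_groups={"test-tunnel": TunnelGroup("test-tunnel", group_url="https://192.168.168.2/test")},
        users={"test": UserAttributes("test", group_lock=lock)},
        tunnel_group_list_enabled=False,
    )
```

Running `login(thread_config(), "test", "https://192.168.168.2/")` reproduces the failure (the login lands in the default profile, which the lock rejects), while using the group-url or dropping the lock succeeds.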

aakil@cisco Sat, 03/30/2013 - 09:40

On My ASA Firewall I have anyconnect-win-3.0.5080-k9.pkg image. Some of the users have installed AnyConnect 2.5.3051 software on their machine. I just wanted to know, if there would be some issue in connecting or accessing VPN or other programs.

pcarco Sat, 03/30/2013 - 13:11

Both versions should co-exist just fine. I would suggest testing one 2.5 client if you are using CSD/HostScan to ensure compatibility.

The 2.5 clients' software and profiles will be updated unless you do one of the following:

Q. Is it possible to turn off the automatic AnyConnect upgrade via ASA?

A. Yes. Use one of these methods in order to turn off the automatic AnyConnect upgrade via the ASA:

  • Adjust the profile on the ASA to disable updates.

    “false”

  • Use a local policy to disable the AnyConnect downloader.

    BypassDownloader = true: The client does not check for any dynamic content present on the ASA, including profile updates, translations, customization, optional modules, and core software updates.

    true

    Refer to AnyConnect Local Policy File Parameters and Values for more information.


amekulka Mon, 04/01/2013 - 09:53

What pcarco is saying is true for ASA 9.0 and AnyConnect 3.1 and above. If you have a newer version of AnyConnect on the ASA, the end users will automatically get upgraded to that version. The ability for end users to defer updates to a later time comes about from ASA 9.0 and AnyConnect 3.1.

aakil@cisco Sat, 03/30/2013 - 10:04

When configuring AnyConnect using ASDM, it has two options for the VPN protocol to be used. One is SSL and the other is IPsec. Can we use IPsec as the protocol? Can you please assist here.

john.ebrahim83 Sun, 03/31/2013 - 15:33

Hi Mohd, IPsec is for remote access VPN clients and SSL is for WebVPN or the AnyConnect client.

amekulka Mon, 04/01/2013 - 08:49

Mohd, pcarco provides a good quick summary of what AnyConnect can do with IPsec and SSL.

pcarco Sun, 03/31/2013 - 18:08

Yes, you can, but just note it is IPsec with IKEv2.

"Optimized Network Access - VPN Protocol Choice SSL (TLS and DTLS), and IPsec/IKEv2

AnyConnect now provides a choice of VPN protocols, allowing administrators to use whichever protocol best fits their business needs

• Tunneling support includes SSL (TLS and DTLS) and next-generation IPsec (Internet Key Exchange Version 2 [IKEv2])

• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access

• TLS (HTTP over TLS/SSL) ensures availability of network connectivity through locked-down environments, including those using web proxy servers

• IPsec/IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec"

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

19jglowacki78 Mon, 04/01/2013 - 08:32

Hello,

My company currently uses the IPsec VPN client for our VPN solution. We are getting ready to migrate to an AnyConnect/SSL solution and I had a few questions.

First, is generating a self-signed certificate an acceptable solution for the ASA, or is it standard practice to purchase a certificate?

Secondly, from a security standpoint, is there any advantage to using a registered name for users to connect to the ASA rather than an IP when connecting across public networks? A co-worker has told me that it is less secure to have a name for users to connect to rather than just an IP address. (example: companyname.vpn.com vs 192.168.10.1)

Third, can you give me the pros/cons of using AnyConnect SSL vs the clientless/WebVPN portal?

Finally, our environment has many different VPN groups (20+) who have their own group policy to restrict what resources they can access. What is the best method to migrate them to AnyConnect SSL easily, while keeping this structure in place? I have heard turning on group-URL is one option. The goal here is that users cannot see all the other groups available. In the current IPsec client setup, users are only given the "group" information for their own VPN group and are not even aware of the other groups. Any advice?

pcarco Mon, 04/01/2013 - 09:55

Hello John,

A self-signed cert is really intended for evaluations, proofs of concept, lab work etc. It is a security best practice to deploy certificates from a CA.

More than likely you will want to use an FQDN for requesting a certificate, and unless you include a Subject Alternative Name that is the IP address, the cert would not match. The ASA allows you, when creating the profile that is pushed to the user, to show a friendly name rather than the FQDN or IP address.

If you were load-balancing a pair of ASAs, using an FQDN for the VIP would be advantageous. If you had an IP address change on the ASA and were using an FQDN, then it's just a DNS update. I am sure there are other good reasons, but to your original question "from a security standpoint", maybe not, since you could simply just do an nslookup and discover the IP.

In regards to AnyConnect (Client) vs WebVPN (Clientless):

Using AnyConnect is going to provide your users with the experience they are accustomed to now: full tunnel, i.e. having an IP address on the LAN when they connect. AnyConnect SSL utilizes both TLS and DTLS, so a performance gain should be seen, especially for latency-sensitive applications.

The ASA Clientless solution is an excellent option for the users you do not want to install a client on for one reason or the other. You can very easily deploy a portal page and provide bookmarks to the network resources you permit, based on the policy assigned to the user based on the posture assessment.

And to answer your final question - yes we can do this dynamically.  Please have a look at this link

Understanding Policy Enforcement of Permissions and Attributes

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_extserver.html#wp1773735

Best regards,

Paul
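Paul's point about the certificate not matching when users connect by IP is worth seeing as the check a TLS client actually performs against the certificate's Subject Alternative Name entries. The following is an added example for this thread, not AnyConnect or ASA code; the SAN lists are constructed for illustration and the wildcard handling follows the usual RFC 6125 single-label rule, which goes slightly beyond the post.

```python
"""Hostname verification against a certificate's SAN list: why a cert requested for
the FQDN fails when the user types the IP, unless an IP SAN was included.
Added example, not AnyConnect/ASA code; SAN entries below are constructed."""
import ipaddress
from typing import List, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or one leftmost wildcard label covering exactly
    one label (so *.example.com matches vpn.example.com but not example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def san_matches(san_entries: List[Tuple[str, str]], connect_target: str) -> bool:
    """san_entries: ("DNS", name) or ("IP", address) tuples as carried in the cert.
    connect_target: what the user typed into the client, an FQDN or an IP literal.
    An IP literal is only ever compared with IP SANs; a name only with DNS SANs."""
    try:
        target_ip = ipaddress.ip_address(connect_target)
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if kind == "IP" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None:
            if _dns_name_matches(value, connect_target):
                return True
    return False


# Constructed SAN lists: one cert requested only for the FQDN, one that also carries
# the VPN head-end's IP as an IP SAN (the case Paul describes).
FQDN_ONLY_SAN = [("DNS", "vpn.example.com")]
FQDN_PLUS_IP_SAN = [("DNS", "vpn.example.com"), ("IP", "192.168.10.1")]
```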

amekulka Mon, 04/01/2013 - 18:00

Pcarco is spot on. One thing to add is that Clientless can also be used for disaster recovery when you need to quickly provide access to all your users who might not have company-provided equipment but can use their home machines and a browser to connect to your company's network, with access to defined resources.

bara.lucia Mon, 04/01/2013 - 19:39

Hi Ameet,

Hopefully you're doing good,

I set up an ASA 5505 with AnyConnect, and I only use this AnyConnect for mobile devices (iOS & Android). On my configuration, I set split tunnel to let the device still connect to the internet via its own internet access, not via the ASA. Now the problem is here: my iOS device can do split tunneling and, voila, access the internet successfully, but not my Samsung S3 mini Android. My Android can connect to the AnyConnect VPN but can't access the internet; it seems like something blocked the access, but I can still chat with Gtalk and WhatsApp. Only access from a browser (any browser), Google Play Store, etc. is all blocked. Do you have any idea about this?

Thanks.

amekulka Tue, 04/02/2013 - 19:19

Hi Bara, I am not sure why you are unable to access the Internet. With Android, we do support various tunneling abilities such as Split Exclude, Split Include and Full Tunneling if required. Can you share which OS version your S3 mini is on as well as the ASA version?

bara.lucia Wed, 04/03/2013 - 20:52

Hi Ameet ,

Actually I use split include on my ASA 5505, to only tunnel traffic to my internal network, but yesterday I tried to install AnyConnect on an LG Android (using the rooted AnyConnect, downloaded from the Google Play Store) and it works: it can access the internet and is still able to connect to my internal network (I didn't change any configuration on my ASA). This is really confusing. My S3 mini uses Android 4.1.2 (using AnyConnect - Samsung AnyConnect) and my ASA version is 9.0(2) with ASDM 7.1(2). Do you have any advice?

Thanks so much for answering my question,

Have a good day

amekulka Thu, 04/04/2013 - 13:56

This is odd. We might have to take a look at the logs to see what is going on. Is this a production environment or lab setup? You should get in touch with TAC.

bara.lucia Fri, 04/05/2013 - 01:30

OK then, maybe I'll try to root my S3 mini first, because I think there is something different between the rooted AnyConnect and the Samsung AnyConnect. Thank you Ameet, I'll ask TAC if I fail with the root way.

csco10710049 Tue, 04/02/2013 - 00:01

Ameet,

I am looking at moving from Dynamic ACLs of the clientless SSL VPN to the Identity Firewall AD user ACLs. We're on 8.4(5) and wanting to know how that new feature for Identity has been going within the community.

amekulka Tue, 04/02/2013 - 19:43

Hi Rick, we are seeing a lot of interest from the community and the pickup has been quite good as well. Was there anything in particular that you are interested in?

ToX1c1986 Wed, 04/03/2013 - 09:50

Hello, Ameet!

While the user is connecting through AnyConnect, AnyConnect doesn't check endpoint attributes. I've configured a check for the process "notepad.exe", but it doesn't work. The endpoint is a VM; will it work or not?

AC is started with Admin privileges.

amekulka Wed, 04/03/2013 - 13:57

You need to enable HostScan on your AnyConnect deployments to check attributes and set policy based on the posture of the devices. You will need Premium licenses for that.

ToX1c1986 Wed, 04/03/2013 - 21:20

Ameet, HostScan is enabled and I have Premium licenses.

pcarco Wed, 04/03/2013 - 17:46

Yes, it will work on a VM. A couple of questions.

1.) You have configured HostScan for notepad.exe - do you have Notepad open while testing?

2.) Have you configured your Dynamic Access Policy with the 'Endpoint Attribute' for the process?

ToX1c1986 Wed, 04/03/2013 - 21:24

1) Yes, I have

2) Yes, I have

The connection is fine if the endpoint attributes are empty.

csco10710049 Wed, 04/03/2013 - 10:17

On the Identity Firewall,

most of the questions are from management and getting 'buy in' on the design change. I need to know how well it works and scales. Is the design bulletproof, e.g. can it have redundant AD agents to redundant AD servers?

Thanks,

Rick

amekulka Thu, 04/04/2013 - 08:54

Hi Rick, I believe that is the case. This bleeds over to the FW team so let me confirm with them and get back to you.

csco10710049 Thu, 04/04/2013 - 09:12

For Shared Licenses,
If you already have a 500 user license for SSL VPN at one site, can you share it with another new site?
Do they need to be converted to a shared license or purchased new?

The issue is, the new site has the 2 SSL VPN peers and we need to move off the old site with the license to the new site.
We do not want to forklift or swap firewalls; we need to run in parallel during migrations.
Both sites are in an active/standby setup.

Thx, Rick

csco10710049 Thu, 04/04/2013 - 09:18

Another question on licenses,
An ASA license with a VPN Premium license has 2 SSL VPN peers for clientless SSL VPN.

The clients with AnyConnect will SSL VPN up to the total VPN peers of 5000, the same as the IPsec clients, right?

Thx, Rick

amekulka Thu, 04/04/2013 - 10:47

Rick, if you have 500 sessions of shared license, then yes, you can share it with multiple ASAs. However, those ASAs must have a participant license on each one of them. Note that you need to have the Shared License and NOT the Premium License for it to be shared across ASAs.

If you have an A/S setup, you don't need shared licenses.

Every ASA ships with 2 Premium licenses for trying it out. I don't know of any customer that uses them for production. :-)

I didn't quite follow your last question. Which 5000 are you talking about?

csco10710049 Thu, 04/04/2013 - 10:58

The 5000 is from:

    Other VPN Peers      : 5000           perpetual
    Total VPN Peers       : 5000           perpetual

Probably different depending on the ASA model.

I do not have a shared license now but want to share for a migration to a new site.

A/S is set up on each site. The new site needs a license and we are closing the old site with the license.

We are looking not to do a hardware swap just to keep the license. Only an RMA can transfer licenses, right?

amekulka Thu, 04/04/2013 - 14:07

I see. If you want shared licenses, then you will need to purchase them. It is not possible to "convert" a premium license to shared. Reach out to your Cisco sales contacts to find the best possible way for procuring shared licenses.

aakil@cisco Wed, 04/03/2013 - 17:42

What are the different licenses available for AnyConnect on the ASA?

amekulka Thu, 04/04/2013 - 08:53

The two basic licenses for AnyConnect are AnyConnect Essentials (smaller set of features) and AnyConnect Premium (all features). On top of Essentials you can have Mobile licenses. On Premium you can have Mobile licenses as well as the Advanced Endpoint Assessment license. For disaster recovery, one can purchase Flex licenses.

If you want a distributed deployment with license sharing then you can go for Shared Licenses (these are a form of Premium licenses which are shared across your ASAs). Those ASAs that want to participate in the license pool from Shared Licenses should have Participant Licenses.

ToX1c1986 Thu, 04/04/2013 - 21:19

When I delete entries from

Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan

they appear again after a short time. How can I delete them?

astra.wadsworth Fri, 04/05/2013 - 11:51

Hi Ameet,

Thanks for hosting this ATE. I have a couple of questions:

1. With AnyConnect 3.1.x, can we modify the string ‘use a browser to gain access’ or other similar strings on the GUI to display custom messages? We know we can modify "web authentication required" using the poedit method.

2. We’re seeing this behaviour with Windows 8 following installation of AC; no difference in behaviour occurs if the AC NAM/SBL modules are installed:

The original Windows 8 user logon screen details seem to be erased (here is the before-install screen with the username scratched out)

Here is the incorrect Windows 8 logon screen after install

Also, after install the last logged-on user name is removed

Thanks in advance!

Posted March 22, 2013 at 10:09 AM