New Member

AnyConnect and Aladdin eToken authentication

Hi all!

Part One

I have successfully set up AnyConnect VPN into our c2821 using MS Active Directory & Cisco Secure ACS v.4.2 RADIUS server authentication for Windows clients.

I have successfully set up authentication into Windows using Aladdin eToken and a Smartcard Logon certificate (Microsoft CA Connector).

I have successfully got User Certificate from Microsoft CA into eToken store.

I would like someone to answer the following: how can I use this certificate to authenticate the VPN session over AnyConnect?

Part Two

I have tried to customize local AnyConnect profile by using Cisco AnyConnect Profile Editor. The only result: changed Default Username and Default Host. All other customizations were ignored.

Here is my profile:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
    <ClientInitialization>
        <DefaultUser>one</DefaultUser>
        <DefaultSecondUser></DefaultSecondUser>
        <ClientCertificateThumbprint>omitted</ClientCertificateThumbprint>

        <ServerCertificateThumbprint>omitted</ServerCertificateThumbprint>
        <DefaultHost>omitted</DefaultHost>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>true</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="true">false</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="true">Automatic
            <PPPExclusionServerIP UserControllable="true"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="true">false</EnableScripting>
    </ClientInitialization>
</AnyConnectProfile>

Does anyone have any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: AnyConnect and Aladdin eToken authorization

Hi,

You can control the AnyConnect session parameters only if the administrator enabled/checked "User Controllable" for each individual XML attribute. For those that are User Controllable, the user should be able to click on the "Settings" button right next to the Server drop-down box.

On the other hand, if you manually edit the XML file on the client's local PC, the next time AnyConnect connects, it will download the original version from the ASA and compare it with the local XML file. If the checksums don't match, it will overwrite the local XML file with the newly downloaded XML file.

You can modify the preferences.xml file, and as you found out, AnyConnect will honor your changes. But the profile has most of the security settings, such as Local LAN Access, Start Before Logon, Auto Reconnect, etc.

Thanks,

Kiran
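
As an added illustration of the mechanism Kiran describes (this is not code from the thread or from Cisco), the script below parses a client profile and reports which settings carry UserControllable="true" (changeable from the Settings dialog) versus "false" (decided only by the head-end), then models the reconnect-time check: a locally edited copy whose checksum differs from the downloaded copy is discarded in favour of the head-end version. The profile text is a constructed, shortened version of the one posted in the question, and the SHA-256 comparison is an assumption standing in for whatever checksum the real client uses.

```python
"""Inspect an AnyConnect client profile: which settings may a user override,
and what happens to a locally edited copy at the next connection.

Added example, not Cisco's implementation. The hashing step is an assumption
about how the client detects a local edit; the profile text is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the profile posted in the question.
HEADEND_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
    <ClientInitialization>
        <DefaultUser>one</DefaultUser>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
        <EnableScripting UserControllable="true">false</EnableScripting>
    </ClientInitialization>
</AnyConnectProfile>
"""


def _parse(profile_xml):
    # Parse from bytes so the encoding declaration in the prologue is honoured.
    return ET.fromstring(profile_xml.encode("utf-8"))


def controllable_settings(profile_xml):
    """Map every element that carries a UserControllable attribute to True
    (user may override it in the Settings dialog) or False (head-end only)."""
    result = {}
    for el in _parse(profile_xml).iter():
        flag = el.get("UserControllable")
        if flag is not None:
            result[el.tag] = flag.lower() == "true"
    return result


def locked_settings(profile_xml):
    """Sorted names of the settings the administrator has locked."""
    return sorted(name for name, ok in controllable_settings(profile_xml).items() if not ok)


def profile_digest(profile_xml):
    """Checksum of the profile bytes (SHA-256 here; an assumption)."""
    return hashlib.sha256(profile_xml.encode("utf-8")).hexdigest()


def reconcile(headend_xml, local_xml):
    """Model the reconnect-time check described in the answer.

    Returns (profile that will be used, whether the local copy was overwritten).
    """
    if profile_digest(headend_xml) == profile_digest(local_xml):
        return local_xml, False
    return headend_xml, True


def tamper(profile_xml, element, new_value):
    """Simulate a user hand-editing one setting in the local profile copy."""
    root = _parse(profile_xml)
    target = root.find(".//" + element)
    if target is None:
        raise KeyError(element)
    target.text = new_value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, ok in sorted(controllable_settings(HEADEND_PROFILE).items()):
        print(f"{name:25s} {'user-controllable' if ok else 'locked by head-end'}")
    # Flip the locked LocalLanAccess setting locally and see it discarded.
    local_copy = tamper(HEADEND_PROFILE, "LocalLanAccess", "true")
    used, overwritten = reconcile(HEADEND_PROFILE, local_copy)
    print("local edit overwritten on reconnect:", overwritten)
    print("LocalLanAccess in effect:", _parse(used).find(".//LocalLanAccess").text)
```

The point the model makes explicit: the UserControllable flag governs only what the Settings dialog exposes, and because the client re-downloads and compares the profile on each connection, a by-hand edit to the locked LocalLanAccess value survives only until the next connect. preferences.xml (which holds the user's own choices among the controllable settings) is outside this comparison, which is why edits there are honoured.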

4 REPLIES
New Member

Re: AnyConnect and Aladdin eToken authorization

Hi all!

I was completely wrong in Part Two: this profile is one great mistake.

But.

I know about three locations where AnyConnect places configuration files.

  1. C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile - ac-profile.xml
  2. C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client - preferences.xml
  3. C:\Documents and Settings\LOCAL_USER_NAME\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client - preferences.xml

The third location unambiguously contains the current user profile - I can edit it and see the differences when AnyConnect starts. But any manipulation of any profiles in the first and second locations does not change anything. So I cannot control AnyConnect parameters via profiles.

Please tell me - is it possible to control AnyConnect parameters locally?


New Member

Re: AnyConnect and Aladdin eToken authorization

To ksirupa:

Thanks a lot - I've understood the profile situation. Profile is really controllable only on ASA under administrator's account.

Confirmed.

New Member

AnyConnect and Aladdin eToken authentication - problem was solved

Part One

It cannot be solved on C2821. At all.

But I've tried to do it using ASA 5500 with ASDM and after a couple of hours was completely successful.

Part Two

The AnyConnect configuration profile cannot be controlled locally. Any modifications must be done on the ASA, and then the client can download the profile and use it.

Thanks to all.
