ASA 9.1, Anyconnect 3.1, Profile for IPSEC with Smartcard (CAC)
At the end of my rope here, may as well try one more time--
I have an ASA running 9.1.x and am able to configure a remote VPN profile that works with the old Cisco VPN client (pre-anyconnect) to require use of a Smartcard to authorize the user, then use local login to authenticate, and encrypt the tunnel. On removal of Smartcard from client system, tunnel terminates.
Have not been able to get this to work with Anyconnect client 3.1.05160, tried all kinds of things, no luck. Need it as IPSEC only (no SSL at all), and require the smartcard be inserted for the connection to work. Any clue on profiles? Have got parts of it working minus the smartcard, so not completely lost. The Smartcard subsystem works perfectly with all apps that require it, and also with old Cisco VPN client.
Thanks for the info, with that profile I am able to get to the username/login prompt, which I have managed to do before, BUT without any Smartcard interaction at all.
I suppose I should add that I cannot use ssl port 443 at all for this connection. I am limited to those inbound ports the old Cisco VPN client uses, namely ISAKMP (500 & 4500). The profile referenced in the link utilizes webvpn urls and client services. I cannot use a web connection at all, due to the ports being specifically blocked by an outside provider.
So I suppose the question is, how can I use client services without using webvpn, and/or is there a way to have the CAC certificate and PIN entry window come up without using client services?
Another poster was asking not too long ago about using IKEv2 without client services. We determined it could be done if you predeploy or manually create the profiles.
The downside is you won't be able to push profile updates from the ASA as that depends on client services. (You can tell client services to run over a non-standard port but if the organizational policy is not to use https then you would still be violating that even if you did a technical hack to circumvent it.)
If you set up a certificate to connection profile map (as described in the older IPsec CAC document) I believe that would make sure your users are prompted to unlock their certificate with their PIN.
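The ASA side of what the reply above describes, as an added example that is not from the thread or from any Cisco document: IKEv2 enabled on the outside interface without client services (so no 443 is needed), a certificate map that selects the connection profile from the smartcard certificate, and a tunnel group that requires the certificate plus local (AAA) login. All names (CAC-MAP, TG-CAC-IPSEC, GP-CAC-IPSEC, VPN-POOL, ASA-TP, LOCAL) and the issuer string are hypothetical placeholders to be replaced with the site's own values.

```text
! Added example configuration for ASA 9.1 (not the poster's running config).
! Assumes the smartcard issuing CA is already trusted under a trustpoint
! and that ASA-TP holds the ASA's own identity certificate.

! IKEv2 only: no "client-services" keyword, so nothing listens on tcp/443.
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASA-TP

! Certificate-to-connection-profile map: match on the issuer of the
! smartcard certificate (placeholder value; use the real issuer DN).
crypto ca certificate map CAC-MAP 10
 issuer-name attr o eq EXAMPLE-SMARTCARD-CA

! Bind matching certificates to the IPsec tunnel group. The
! certificate-group-map command lives under webvpn even when only
! IKEv2 is used; it does not by itself enable SSL VPN.
webvpn
 certificate-group-map CAC-MAP 10 TG-CAC-IPSEC

group-policy GP-CAC-IPSEC internal
group-policy GP-CAC-IPSEC attributes
 vpn-tunnel-protocol ikev2

tunnel-group TG-CAC-IPSEC type remote-access
tunnel-group TG-CAC-IPSEC general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
 default-group-policy GP-CAC-IPSEC
tunnel-group TG-CAC-IPSEC webvpn-attributes
 ! Certificate is mandatory, then username/password against LOCAL.
 authentication aaa certificate
```

The client half is a predeployed AnyConnect profile whose server entry carries `<PrimaryProtocol>IPsec</PrimaryProtocol>`; because `authentication aaa certificate` makes the certificate mandatory, AnyConnect has to open the smartcard certificate, which is what triggers the PIN prompt. Verify the map is hit with `show vpn-sessiondb detail anyconnect` after a test logon, and confirm nothing is listening on 443 with `show asp table socket`.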
Yeah, that was me, and still have not solved the issue. Have opened a TAC case, but have still not figured out how to make it work functionally like the old Cisco VPN client. That thing works fine all day long, so as far as I can tell, the certificate reader, PIN popup and all that works for both non-VPN apps and the old Cisco client. There does not appear to be a way that I have found, to have Anyconnect work the way I need it to. Perhaps the client must have SSL access for client services, always. If that's the case, I would hope the TAC would know.