Hopefully this will be quite a simple query, but we are currently looking at testing and then migrating our users over to SSL Full Client VPN. At the moment we have our ASA 5520 (8.2) configured for IPSec only, and this is configured to use an external RADIUS server for authentication. The group policy which we use for this is only configured to allow IPSec; my question is whether I can simply perform the following steps to get SSL VPN working. Apologies in advance, but I am still learning this stuff and have been reading many articles regarding setting this up from scratch, which have been great, but I need to accommodate our RADIUS system into it for testing.
1. Create a cert from our internal CA and upload it to the ASA
2. Create an AnyConnect Connection profile and select the RADIUS server from the drop-down of AAA servers
3. Enable SSL VPN Client on the Group policy currently being used for IPSec
Along with the mentioned points, you would have to upload the AnyConnect package (e.g. anyconnect-dart-win-3.1.05152version-k9.pkg) on the ASA.
If you are using an internal CA, then you would have to install the root certificate from the CA on all the clients so that they do not get a certificate error. [This is not mandatory to get AnyConnect working.]
If you are using an AnyConnect 3.X version, then you won't need the external profile editor, and I don't think there is any need to use AnyConnect 2.5 as 3.0 and 3.1 have more features and functions.
You also don't need to install the client on the user machine as it can be pushed from the ASA itself.
For the RADIUS server, you can surely use the AnyConnect connection profile with RADIUS authentication.
aaa-server test protocol radius
aaa-server test host <IP> key *****
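The three steps in the question, plus the package upload Dinesh mentions, as one ASA 8.2 CLI example. This is an added illustration, not configuration posted by anyone in the thread: the trustpoint name INTERNAL-CA, the server name RADIUS-SRV, the address 10.0.0.5, the group policy GP-VPN, the tunnel group ANYCONNECT-TG and the package filename are assumed values to be replaced with your own. The "(inside)" interface, the RADIUS key and the certificate enrollment method are also assumptions.

```text
! --- 1. Certificate from the internal CA (enrollment method assumed) ---
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com
! (generate the CSR with "crypto ca enroll INTERNAL-CA", have the CA sign it,
!  then paste the issued certificate with "crypto ca import INTERNAL-CA certificate")
! Present this certificate to SSL VPN clients on the outside interface
ssl trust-point INTERNAL-CA outside

! --- RADIUS server group (the existing IPSec one can be reused as-is) ---
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.5
 key *****

! --- Upload the client package, then enable the SSL VPN client service ---
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 svc enable
 tunnel-group-list enable

! --- 3. Allow the SSL client ("svc") on the group policy already used for IPSec ---
group-policy GP-VPN attributes
 vpn-tunnel-protocol IPSec svc

! --- 2. AnyConnect connection profile (tunnel group) authenticating against RADIUS ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-VPN
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias anyconnect enable
```

The keywords "svc image", "svc enable" and "vpn-tunnel-protocol ... svc" are the 8.2-era syntax the question is about; from 8.4 onwards the same settings are written as "anyconnect image", "anyconnect enable" and "vpn-tunnel-protocol ssl-client", so copy the form that matches your running version. Keeping IPSec in the vpn-tunnel-protocol line is what lets the existing IPSec users keep connecting while the SSL client is tested on the same group policy.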
I agree with Dinesh with the clarification that the package file for Windows would be "anyconnect-win-3.1.05178-k9.pkg". (At least that's the current version as of this posting.)
I don't know of any reason to go with anything but the latest AnyConnect 3.1 release for a new deployment. I've heard rumor that 4.0 might be out this fall. I might wait until 4.0.2 or such is out before jumping right on a brand new major release.
DART is the optional Diagnostic and Reporting Tool component of AnyConnect.
We're just going to test things first so we don't currently have any AnyConnect licenses. I will be making use of the two free licenses on the ASA. Will more than likely go for the AnyConnect essentials but I am still awaiting pricing for Essentials vs Premium.
Would the recommended approach be to use a public CA to get a certificate? All our clients will be domain-joined laptops etc., but I'm aware that if we decide to go for the Premium AnyConnect licenses with Mobile access, none of the devices will have our Internal CA cert on it...
As mentioned, certificates are not necessary for the functioning of AnyConnect VPN. You can surely use an internal or public CA; the point to be pondered is that in both cases you will need to make sure the client has the root certificate. This is for confirming the identity of the VPN headend.
You can also use certificates for client authentication instead of username/password as shown here.