Last modified date: 2022-10-24
Applicable Products: QVPN

Procedure
Follow these steps to set up a VPN server on a QNAP NAS behind a router.

Further Reading
Consult the table in How to choose suitable VPN services for you? for advice on the best VPN service for your use case. See also How to connect QTS Wireguard server on Windows 10?

Configure AnyConnect VPN

Connect and Disconnect to a VPN

AnyConnect VPN Connectivity Options
AnyConnect provides many options for automatically connecting, reconnecting, or disconnecting VPN sessions. These options provide a convenient way for your users to connect to your VPN, and they also support your network security requirements.

Starting and Restarting AnyConnect Connections
Configure VPN Connection Servers to provide the names and addresses of the secure gateways your users will manually connect to. Choose from the following AnyConnect capabilities to provide convenient, automatic VPN connectivity:
Also, consider using the following Automatic VPN Policy options to enforce greater network security or restrict network access to the VPN only:
Renegotiating and Maintaining the AnyConnect Connection
You can limit how long the Secure Firewall ASA keeps an AnyConnect VPN connection available to the user even with no activity. If a VPN session goes idle, you can terminate the connection or re-negotiate the connection.
Terminating an AnyConnect VPN Connection
Terminating an AnyConnect VPN connection requires users to re-authenticate their endpoint to the secure gateway and create a new VPN connection. The following connection parameters terminate the VPN session based on timeouts:
See the Specify a VPN Session Idle Timeout for a Group Policy section in the appropriate release of the Cisco ASA Series VPN ASDM Configuration Guide to set these parameters.

Configure VPN Connection Servers
The AnyConnect VPN server list consists of host name and host address pairs identifying the secure gateways that your VPN users will connect to. The host name can be an alias, an FQDN, or an IP address. The hosts added to the server list display in the Connect to drop-down list in the AnyConnect GUI. The user can then select from the drop-down list to initiate a VPN connection. The host at the top of the list is the default server, and appears first in the GUI drop-down list. If the user selects an alternate server from the list, the selected server becomes the new default server. Once you add a server to the server list, you can view its details and edit or delete the server entry. To add a server to the server list, follow this procedure.

Procedure
Automatically Start Windows VPN Connections Before Logon

About Start Before Login
This feature, called Start Before Login (SBL), allows users to establish their VPN connection to the enterprise infrastructure before logging onto Windows.
After SBL is installed and enabled, the Network Connection button launches the AnyConnect core VPN and Network Access Manager UI. SBL also includes the Network Access Manager tile and allows connections using user-configured home network profiles. Network profiles allowed in SBL mode include all media types employing non-802.1X authentication modes, such as open WEP, WPA/WPA2 Personal, and static key (WEP) networks.
Limitations on Start Before Login
Configure Start Before Login

Procedure

Install the AnyConnect Start Before Login Module
The AnyConnect installer detects the underlying operating system and places the appropriate AnyConnect DLL from the AnyConnect SBL module in the system directory. On Windows devices, the installer determines whether the 32-bit or 64-bit version of the operating system is in use and installs the appropriate PLAP component, vpnplap.dll or vpnplap64.dll.
You can predeploy the SBL module or configure the ASA to download it. When predeploying AnyConnect, the Start Before Login module requires that the core client software is installed first. If predeploying AnyConnect VPN and Start Before Login components using MSI files, the order must be correct.
Enable SBL in the AnyConnect VPN Profile
Troubleshoot Start Before Login

Procedure
Automatically Start VPN Connections When AnyConnect Starts
This feature, called Auto Connect On Start, automatically establishes a VPN connection with the secure gateway specified by the VPN client profile when AnyConnect starts. Auto Connect On Start is disabled by default, requiring the user to specify or select a secure gateway.

Procedure
Configure Start Before Login (PLAP) on Windows Systems
The Start Before Login (SBL) feature starts a VPN connection before the user logs in to Windows. This ensures that users connect to their corporate infrastructure before logging on to their computers. Windows only supports one PLAP being installed at a time. The SBL AnyConnect feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets programmatic network administrators perform specific tasks, such as collecting credentials or connecting to network resources before logon. PLAP provides SBL functions on all of the supported Windows operating systems. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP functions support x86 and x64.

Automatically Restart VPN Connections
When Auto Reconnect is enabled (default), AnyConnect recovers from VPN session disruptions and reestablishes a session, regardless of the media used for the initial connection. For example, it can reestablish a session on wired, wireless, or 3G/4G/5G. When Auto Reconnect is enabled, you also specify the reconnect behavior upon system suspend or system resume. A system suspend is a low-power standby, such as Windows “hibernation” or macOS or Linux “sleep.” A system resume is a recovery following a system suspend. If you disable Auto Reconnect, the client does not attempt to reconnect regardless of the cause of the disconnection. Cisco highly recommends using the default setting (enabled) for this feature. Disabling this setting can cause interruptions in VPN connectivity over unstable connections.

Procedure
Use Trusted Network Detection to Connect and Disconnect

About Trusted Network Detection
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network). TND does not interfere with the ability of the user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts manually in the trusted network. TND only disconnects the VPN session if the user first connects in an untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection at home and then moves into the corporate office. You configure TND in the AnyConnect VPN profile. No changes are required to the Secure Firewall ASA configuration. You need to specify the action or policy AnyConnect takes when recognizing it is transitioning between trusted and untrusted networks, and identify your trusted networks and servers.
Guidelines for Trusted Network Detection
Configure Trusted Network Detection

Procedure
Require VPN Connections Using Always-On

About Always-On VPN
Always-On operation prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats. When Always-On is enabled, it establishes a VPN session automatically after the user logs in and upon detection of an untrusted network. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the Secure Firewall ASA group policy) expires. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session. When Always-On is enabled in the VPN Profile, AnyConnect protects the endpoint by deleting all the other downloaded AnyConnect profiles and ignores any public proxies configured to connect to the Secure Firewall ASA. The following AnyConnect options also need to be considered when enabling Always-On:
Limitations of Always-On VPN
Guidelines for Always-On VPN
To enhance protection against threats, we recommend the following additional protective measures if you configure Always-On VPN:
Configure Always-On VPN

Procedure

Configure Always-On in the VPN Profile

Before you begin
Always-On VPN requires that a valid, trusted server certificate be configured on the Secure Firewall ASA; otherwise, it fails and logs an event indicating the certificate is invalid. In addition, ensuring that the server certificate can pass Strict Certificate Trust mode prevents the download of an Always-On VPN profile that locks a VPN connection to a rogue server.

Procedure
Use Always-On VPN With External SAML Identity Provider
To support SAML authentication with Always-On enabled, follow these steps, which affect the Allow Access to the Following Hosts With VPN Disconnected parameter configuration.

Procedure
Add Load-Balancing Backup Cluster Members to the Server List
Always-On VPN affects the load balancing of AnyConnect VPN sessions. With Always-On VPN disabled, when the client connects to a primary device within a load balancing cluster, the client complies with a redirection from the primary device to any of the backup cluster members. With Always-On enabled, the client does not comply with a redirection from the primary device unless the address of the backup cluster member is specified in the server list of the client profile. Therefore, be sure to add any backup cluster members to the server list. To specify the addresses of backup cluster members in the client profile, use ASDM to add a load-balancing backup server list by following these steps:

Procedure
Exempt Users from Always-On VPN
You can configure exemptions to override an Always-On policy. For example, you might want to let certain individuals establish VPN sessions with other companies or exempt the Always-On policy for noncorporate assets. Exemptions set in group policies and dynamic access policies on the Secure Firewall ASA override the Always-On policy. You specify exceptions according to the matching criteria used to assign the policy. If the AnyConnect VPN policy enables Always-On and a dynamic access policy or group policy disables it, the client retains the disable setting for the current and future VPN sessions as long as its criteria match the dynamic access policy or group policy on the establishment of each new session. This procedure configures a dynamic access policy that uses AAA endpoint criteria to match sessions to noncorporate assets.

Procedure
Set a Connect Failure Policy for Always-On

About the Connect Failure Policy
The connect failure policy determines whether the computer can access the internet if Always-On VPN is enabled and AnyConnect cannot establish a VPN session. This can occur when a secure gateway is unreachable, or when AnyConnect fails to detect the presence of a captive portal hotspot. An open policy permits full network access, letting users continue to perform tasks where access to the Internet or other local network resources is needed. A closed policy disables all network connectivity until the VPN session is established. AnyConnect does this by enabling packet filters that block all traffic from the endpoint that is not bound for a secure gateway to which the computer is allowed to connect. Regardless of the connect failure policy, AnyConnect continues to try to establish the VPN connection.

Guidelines for Setting the Connect Failure Policy
Consider the following when using an open policy, which permits full network access:
Consider the following when using a closed policy, which disables all network connectivity until the VPN session is established:
Configure a Connect Failure Policy
You configure a Connect Failure Policy only when the Always-On feature is enabled. By default, the connect failure policy is closed, preventing Internet access if the VPN is unreachable. To allow Internet access in this situation, the connect failure policy must be set to open.
Use Captive Portal Hotspot Detection and Remediation

About Captive Portals
Many facilities that offer Wi-Fi and wired access, such as airports, coffee shops, and hotels, require the user to pay before obtaining access, to agree to abide by an acceptable use policy, or both. These facilities use a technique called captive portal to prevent applications from connecting until the user opens a browser and accepts the conditions for access. Captive portal detection is the recognition of this restriction, and captive portal remediation is the process of satisfying the requirements of a captive portal hotspot in order to obtain network access. If you are enabling captive portal detection with Network Access Manager, refer to the Client Policy Window section for configuration and requirements. Captive portals are detected automatically by AnyConnect when initiating a VPN connection, requiring no additional configuration. Also, AnyConnect does not modify any browser configuration settings during captive portal detection and does not automatically remediate the captive portal. It relies on the end user to perform the remediation. AnyConnect reacts to the detection of a captive portal depending on the current configuration:
Configure Captive Portal Remediation
You configure captive portal remediation only when the Always-On feature is enabled and the Connect Failure Policy is set to closed. In this situation, configuring captive portal remediation allows AnyConnect to connect to the VPN when a captive portal is preventing it from doing so.
If the Connect Failure Policy is set to open or Always-On is not enabled, your users are not restricted from network access and are capable of remediating a captive portal without any specific configuration in the AnyConnect VPN profile. By default, captive portal remediation is disabled on platforms supporting Always-On (Windows and macOS) to provide the greatest security. AnyConnect does not provide data leakage protection capabilities during the captive portal remediation phase. If data loss protection is desired, you should employ a relevant endpoint security product.

Procedure
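As an added example (not Cisco's code), the following Python script checks a constructed AnyConnect VPN profile against the guidance in the Trusted Network Detection, Always-On, Connect Failure Policy and Captive Portal Remediation sections above: it flags an open connect failure policy, a remediation setting that has no effect, missing backup cluster members, and Always-On without TND. The element names are those of the AnyConnect profile XML; the hostnames and addresses are made up.

```python
"""Lint an AnyConnect VPN profile against the Always-On guidance on this page.

Added example, not Cisco code. Element names (AutomaticVPNPolicy, AlwaysOn,
ConnectFailurePolicy, AllowCaptivePortalRemediation, ServerList, ...) are the
AnyConnect profile XML elements; hostnames and addresses are constructed.
"""
import xml.etree.ElementTree as ET

# Default namespace of AnyConnect profile XML.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: TND on, Always-On on, connect failure policy OPEN with
# captive portal remediation enabled, and no backup cluster members listed.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.test</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open
          <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
        </ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# The same profile with the page's recommendations applied: a closed connect
# failure policy and a backup cluster member in the server list.
HARDENED_PROFILE = SAMPLE_PROFILE.replace(
    "<ConnectFailurePolicy>Open", "<ConnectFailurePolicy>Closed"
).replace(
    "</HostAddress>\n    </HostEntry>",
    "</HostAddress>\n      <BackupServerList>\n"
    "        <HostAddress>vpn2.example.test</HostAddress>\n"
    "      </BackupServerList>\n    </HostEntry>",
)


def _text(elem):
    """Leading text of a profile element ('true', 'Closed', ...), or ''."""
    return (elem.text or "").strip() if elem is not None else ""


def _child(elem, name):
    """Namespaced child lookup that tolerates a missing parent."""
    return elem.find("ac:" + name, NS) if elem is not None else None


def lint_profile(xml_text):
    """Return (code, message) findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []

    policy = root.find("ac:ClientInitialization/ac:AutomaticVPNPolicy", NS)
    tnd_on = _text(policy).lower() == "true"
    always_on = _child(policy, "AlwaysOn")
    always_on_on = _text(always_on).lower() == "true"
    cfp = _child(always_on, "ConnectFailurePolicy")
    cfp_value = (_text(cfp) or "Closed").lower()  # page: closed is the default
    remediation = _text(_child(cfp, "AllowCaptivePortalRemediation")).lower() == "true"

    # TND needs at least one way to recognise the trusted network.
    trust_keys = ("TrustedDNSDomains", "TrustedDNSServers", "TrustedHttpsServerList")
    if tnd_on and not any(_text(_child(policy, k)) for k in trust_keys):
        findings.append(("TND_NO_TRUST_CRITERIA",
                         "Automatic VPN Policy is on but no trusted DNS domains, "
                         "DNS servers or HTTPS servers are defined."))
    # Always-On triggers on detection of an untrusted network, so it needs TND.
    if always_on_on and not tnd_on:
        findings.append(("ALWAYS_ON_WITHOUT_TND",
                         "Always-On is set but Automatic VPN Policy is off."))
    # An open policy grants full network access whenever the gateway is unreachable.
    if always_on_on and cfp_value == "open":
        findings.append(("CFP_OPEN",
                         "Connect failure policy is open: the endpoint gets full "
                         "network access when no VPN session can be established."))
    # Remediation only applies with Always-On and a closed policy.
    if remediation and not (always_on_on and cfp_value == "closed"):
        findings.append(("REMEDIATION_INEFFECTIVE",
                         "AllowCaptivePortalRemediation has no effect unless "
                         "Always-On is on and the connect failure policy is closed."))
    # Always-On refuses load-balancer redirection to hosts not in the server list.
    backups = root.findall(
        "ac:ServerList/ac:HostEntry/ac:BackupServerList/ac:HostAddress", NS)
    if always_on_on and not any(_text(b) for b in backups):
        findings.append(("ALWAYS_ON_NO_BACKUP_SERVERS",
                         "Always-On is on but no BackupServerList entries exist; "
                         "redirection to backup cluster members will be refused."))
    return findings


def lint_codes(xml_text):
    """Just the finding codes, in check order."""
    return [code for code, _ in lint_profile(xml_text)]


if __name__ == "__main__":
    for code, msg in lint_profile(SAMPLE_PROFILE):
        print(f"{code}: {msg}")
    print("hardened:", lint_codes(HARDENED_PROFILE) or "no findings")
```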
Enhanced Captive Portal Remediation (Windows and macOS)
With enhanced captive portal remediation, the AnyConnect embedded browser is used for remediation whenever captive portal is detected with network access restricted by AnyConnect (for example, due to Always On). Other applications remain with network access blocked while captive portal remediation with the AnyConnect browser is pending. The user can close the AnyConnect browser and fail over to an external browser (when enabled in the profile), causing AnyConnect to revert to the regular captive portal remediation behavior. In doing so, the following message is shown:
When captive portal is detected but network access is restricted by AnyConnect, the AnyConnect browser is automatically launched, with the following message displayed to prompt the user to remediate:
Configure Captive Portal Remediation Browser Failover
You may want to set browser failover to apply whenever the AnyConnect browser is launched for captive portal remediation. By setting the browser failover, users can remediate the captive portal via an external browser, after closing the AnyConnect browser. The AnyConnect browser launched for captive portal remediation has tighter security settings with regard to server security certificates. Untrusted server certificates are not accepted during the captive portal remediation. If an untrusted server certificate is encountered, the corresponding HTTPS URL is not loaded by the AnyConnect browser, potentially blocking the remediation process. If untrusted server certificates are acceptable during captive portal remediation, you should enable captive portal remediation browser failover in order to allow the user to remediate the captive portal. After enabling, the user can close the AnyConnect browser and continue remediation with an external browser (as AnyConnect reverts to the regular captive portal remediation behavior).

Before you begin

Procedure
Troubleshoot Captive Portal Detection and Remediation
AnyConnect can falsely assume that it is in a captive portal in the following situations:
If users cannot access a captive portal remediation page, ask them to try the following:
Configure AnyConnect over L2TP or PPTP
ISPs in some countries require support of the Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP). To send traffic destined for the secure gateway over a Point-to-Point Protocol (PPP) connection, AnyConnect uses the point-to-point adapter generated by the external tunnel. When establishing a VPN tunnel over a PPP connection, the client must exclude traffic destined for the Secure Firewall ASA from the tunneled traffic intended for destinations beyond the Secure Firewall ASA. To specify whether and how to determine the exclusion route, use the PPP Exclusion setting in the AnyConnect profile. The exclusion route appears as a non-secured route in the Route Details display of the AnyConnect GUI.

Procedure
Instruct Users to Override PPP Exclusion
If automatic detection does not work and you configured the PPP Exclusion fields as user controllable, the user can override the setting by editing the AnyConnect preferences file on the local computer.

Procedure
Use Management VPN Tunnel

About the Management VPN Tunnel
A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts which require corporate network connectivity will also benefit from this feature. The management VPN tunnel is meant to be transparent to the end user; therefore, network traffic initiated by user applications is not impacted, by default, but instead directed outside the management VPN tunnel. When a management tunnel feature is detected as enabled, a restricted user account (ciscoacvpnuser) is created to enforce the principle of least privilege. This account gets removed during AnyConnect uninstallation or during an installation upgrade. If a user complains of slow logins, it may be an indication that the management tunnel was not configured appropriately. Configure the Management VPN Tunnel describes the configuration steps that are required to enable the feature. If symptoms suggest lack of connectivity to the corporate network despite following this configuration, refer to Troubleshooting Management VPN Tunnel Connectivity Issues.

Compatibilities and Requirements of Management VPN Tunnel
Incompatibilities and Limitations of Management VPN Tunnel
Mandatory Preferences Enforced by Management VPN Profile
Certain profile preferences are mandatory while the management VPN tunnel is active. To assist you in configuring a valid profile, mandatory preferences are enforced by the AnyConnect Management VPN Profile Editor, by disabling the corresponding UI controls. During a management tunnel connection, the following preference values are overridden, mostly to eliminate user interaction and to minimize tunnel interruptions:
Also, AnyConnect does not enforce the following profile preferences during a management tunnel connection: WindowsLogonEnforcement and SCEP related preferences.

Configure the Management VPN Tunnel
Because the management tunnel connection may occur without any user logged in, only machine store certificate authentication is supported. Consequently, at least one relevant client certificate needs to be available in the client host's machine certificate store.

Configure the Tunnel Group for the Management VPN Tunnel
You must configure the authentication method of the tunnel group as "certificate only" by navigating to in ASDM and choosing it from the Method drop-down menu under Authentication. Then configure the group URL in Advanced > Group Alias/Group URL, which is then specified in the management VPN profile (as described in Create a Profile for Management VPN Tunnel). The group policy for this tunnel group must have split include tunneling configured for all IP protocols with client address assignment configured in the tunnel group: choose Tunnel Network List Below from ASDM. Configure a Custom Attribute to Support Tunnel-All Configuration describes how to enable support for other split tunneling configurations. If a client address assignment is not configured in the tunnel group for both IP protocols, you must enable Client Bypass Protocol in the group policy, so that traffic matching the IP protocol without client address assignment is not disrupted by the management VPN tunnel.

Create a Profile for Management VPN Tunnel
You can deploy only one management VPN profile to a given client device. The management VPN profile is stored in a dedicated directory (%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun in Windows, /opt/cisco/anyconnect/profile/mgmttun in macOS) with a fixed name (VpnMgmtTunProfile.xml).
A management VPN profile can have zero or one host entry that points to a tunnel group configured as per section Configure the Tunnel Group for the Management VPN Tunnel. To automatically disable the feature (upon profile update during tunnel establishment), you should configure zero host entries in the management VPN profile.

Before you begin

Procedure
(Optional) Upload an Already Configured Management VPN Profile

Procedure
Associate the Management VPN Profile to Group Policies
Before you begin

Procedure

Configure a Custom Attribute to Support Tunnel-All Configuration
Management VPN tunnel requires split include tunneling configuration, by default, to avoid impacting user initiated network communication (since management VPN tunnel is meant to be transparent to the end user). You can override this behavior by configuring the following custom attribute in the group policy used by the management tunnel connection (in the Create Custom Attribute ASDM window: ). If you set a new custom attribute type to ManagementTunnelAllAllowed and set the corresponding custom attributes to true, AnyConnect proceeds with the management tunnel connection, if the configuration is one of tunnel-all, split-exclude, split-include, or bypass for both IP protocols.

Restrict Management VPN Profile Updates
You can restrict management VPN profile updates to a certain trusted server list with a new AnyConnect local policy file (AnyConnectLocalPolicy.xml) setting, and still allow user VPN profile updates from any server. Edit this setting through the AnyConnect VPN Local Policy Editor by checking the Allow Management VPN Profile Updates From Any Server checkbox. For example, if management VPN profile updates are allowed only from the VPN server TrustedServer, the checkbox would be unchecked, and TrustedServer would be added to the trusted server list. (Replace TrustedServer with the FQDN or IP address present in the corresponding VPN profile server entry.)

Troubleshoot Management VPN Tunnel Connectivity Issues
If the client host is not reachable remotely, various scenarios may have occurred causing the management VPN tunnel to disconnect or not be established. In these scenarios, the AnyConnect GUI and CLI reflect the Management Connection State as a statistics entry:
To troubleshoot the lack of connectivity over the management VPN tunnel (expected to be established on the client host), verify the following:
Configure AnyConnect Proxy Connections

About AnyConnect Proxy Connections
AnyConnect supports VPN sessions through Local, Public, and Private proxies:
Control Client Proxy with VPN Client Profile
The VPN Client profile can block or redirect the client system's proxy connection. For Windows and Linux, you can configure, or you can allow the user to configure, the address of a public proxy server. For more information about configuring the proxy settings in the VPN client profile, see AnyConnect Profile Editor, Preferences (Part 2).

Proxy Auto-Configuration File Generation for Clientless Support
Some versions of the Secure Firewall ASA require AnyConnect configuration to support clientless portal access through a proxy server after establishing the AnyConnect session. AnyConnect uses a proxy auto-configuration (PAC) file to modify the client-side proxy settings to let this occur. AnyConnect generates this file only if the Secure Firewall ASA does not specify private-side proxy settings.

Requirements for AnyConnect Proxy Connections
OS support of proxy connections varies as shown:
Limitations on Proxy Connections
Allow a Local Proxy Connection

Procedure
Public Proxy
Public proxies are supported on Windows and Linux platforms. Proxy servers are chosen based on preferences set in the client profile. In case of proxy override, AnyConnect extracts proxy servers from the profile. With release 4.1 (and later) we added proxy support on macOS along with Native-proxy configuration on Linux and macOS. On Linux, native-proxy settings are exported before AnyConnect runs. If you change the settings, a restart must happen. Authenticating proxy servers require a username and password. AnyConnect supports Basic and NTLM authentication when the proxy server is configured to require authentication. AnyConnect dialogs manage the authentication process. After successfully authenticating to the proxy server, AnyConnect prompts for the Secure Firewall ASA username and password.

Configure a Public Proxy Connection, Windows
Follow these steps to configure a public proxy connection on Windows.

Procedure
Configure a Public Proxy Connection, macOS

Procedure
Configure a Public Proxy Connection, Linux
To configure a public proxy connection in Linux, you must set an environment variable.

Configure a Private Proxy Connection

Procedure

Configure the Client to Ignore Browser Proxy Settings
You can specify a policy in the AnyConnect profile to bypass the Microsoft Internet Explorer or Safari proxy configuration settings on the user’s PC. This prevents the user from establishing a tunnel from outside the corporate network, and prevents AnyConnect from connecting through an undesirable or illegitimate proxy server.

Procedure
Lock Down the Internet Explorer Connections Tab
Under certain conditions, AnyConnect hides the Internet Explorer Tools > Internet Options > Connections tab. When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies applied to that tab. The conditions under which this lock down occurs are the following:
You can configure the Secure Firewall ASA to allow or not allow proxy lockdown, in the group policy. To do this using ASDM, follow this procedure:

Procedure
Verify the Proxy Settings
Select and Exclude VPN Traffic

Configure IPv4 or IPv6 Traffic to Bypass the VPN
You can configure how AnyConnect manages IPv4 traffic when the Secure Firewall ASA is expecting only IPv6 traffic, or how AnyConnect manages IPv6 traffic when the ASA is only expecting IPv4 traffic, using the Client Bypass Protocol setting. When AnyConnect makes a VPN connection to the Secure Firewall ASA, the ASA can assign the client an IPv4, IPv6, or both an IPv4 and IPv6 address. If Client Bypass Protocol is enabled for an IP protocol and an address pool is not configured for that protocol (in other words, no IP address for that protocol was assigned to the client by the Secure Firewall ASA), any IP traffic using that protocol will not be sent through the VPN tunnel. It will be sent outside the tunnel. If Client Bypass Protocol is disabled, and an address pool is not configured for that protocol, the client drops all traffic for that IP protocol once the VPN tunnel is established. For example, assume that the Secure Firewall ASA assigns only an IPv4 address to the AnyConnect connection, and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped. If Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear. If establishing an IPsec tunnel (as opposed to an SSL connection), the Secure Firewall ASA is not notified whether or not IPv6 is enabled on the client, so the Secure Firewall ASA always pushes down the client bypass protocol setting. You configure the Client Bypass Protocol on the Secure Firewall ASA in the group policies.

Procedure
Configure a Client Firewall with Local Printer and Tethered Device Support
See the Client Firewall with Local Printer and Tethered Device Support section in the Cisco ASA Series VPN CLI or ASDM Configuration Guide.

Configure Split Tunneling
Split tunneling is configured in a Network (Client) Access group policy. See the Configure Split Tunneling for AnyConnect Traffic section in the Cisco ASA Series VPN CLI or ASDM Configuration Guide. After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.

Routing Network Traffic on Linux
To enable Linux users to route network traffic on a VM instance or Docker container, you must create a new custom attribute and enable it. Create a tunnel-from-any-source custom attribute; when it is set to true, AnyConnect permits packets with any source address in split-include or split-exclude tunnel mode, allowing network access inside the VM instance or Docker container.
About Dynamic Split Tunneling
Dynamic split tunneling was designed to enhance the current split tunneling options, which are configured with the "Exclude Network List Below" or "Tunnel Network List Below" option in ASDM group policy configuration. Beyond the static inclusions or exclusions typically used to define split tunneling, dynamic split tunneling inclusions or exclusions address scenarios in which traffic for a certain service needs to be excluded from or included in the VPN tunnel. You cannot configure a distinct split tunneling setting for each IP protocol. For example, if you enable dynamic split include tunneling for IPv4 (such as IPv4 split include and dynamic split include domains), you cannot enable dynamic split exclude tunneling for IPv6 (such as IPv6 tunnel-all and dynamic split exclude domains). Additionally, we provide an enhanced dynamic split tunneling, where both dynamic split exclude and dynamic split include domains are specified for enhanced domain name matching.
The limits also differ between static split tunneling and dynamic split tunneling. For static split tunneling, the limit is 2500 networks/ACEs per IP protocol. With dynamic split tunneling, AnyConnect takes into account only the dynamic split tunneling domains within the first 20,000 characters of the domain list pushed by the headend; the limit is enforced only by truncation on the client. Wildcards are not supported. For both dynamic split exclude and dynamic split include, besides the configured domains, all of their subdomains are also excluded from (or, for dynamic split include, included in) the tunnel.
Dynamic Split Exclude Tunneling—Multiple cloud-based services may be hosted on the same IP pool and may resolve to different IP addresses based on the location of the user or the load of cloud-hosted compute resources. Administrators who only want to exclude a single such service from the VPN tunnel would have a difficult time defining such a policy using static exclusions, especially when ISP NAT, 6to4, 4to6, and other network translation schemes are also considered. With dynamic split exclude tunneling, you can dynamically provision split exclude tunneling after tunnel establishment, based on the host DNS domain name. For example, a VPN administrator could configure example.com to be excluded from the VPN tunnel at runtime. When the VPN tunnel is up and an application attempts to connect to mail.example.com, the VPN client automatically changes the system routing table and filters to allow the connection outside of the tunnel.
Enhanced Dynamic Split Exclude Tunneling—When dynamic split exclude tunneling is configured with both dynamic split exclude and dynamic split include domains, traffic dynamically excluded from the VPN tunnel must match at least one dynamic split exclude domain, but no dynamic split include domains. For example, if a VPN administrator configured a dynamic split exclude domain of example.com and a dynamic split include domain of mail.example.com, all example.com traffic other than mail.example.com is excluded from tunneling.
Dynamic Split Include Tunneling—With dynamic split include tunneling, you can dynamically provision split include tunneling after tunnel establishment, based on the host DNS domain name. For example, a VPN administrator could configure domain.com to be included in the VPN tunnel at runtime. When the VPN tunnel is up and an application attempts to connect to www.domain.com, the VPN client automatically changes the system routing table and filters to allow the connection inside the VPN tunnel.
Enhanced Dynamic Split Include Tunneling—When dynamic split include tunneling is configured with both dynamic split include and dynamic split exclude domains, traffic dynamically included in the VPN tunnel must match at least one dynamic split include domain, but no dynamic split exclude domains. For example, if a VPN administrator configured domain.com as a split include domain and www.domain.com as a split exclude domain, all domain.com traffic other than www.domain.com is tunneled.
Interoperability Between Static Split Tunneling and Dynamic Split Tunneling
Both static and dynamic exclusions can coexist. While static split tunneling is applied when the tunnel is established, dynamic split tunneling is applied when traffic to the domain occurs, while the tunnel is already connected.
Dynamic Split Exclude Tunneling
Enhanced dynamic split exclude tunneling applies to "tunnel all" and "split exclude" tunneling. If both dynamic split exclude and dynamic split include domains, as well as split include tunneling, are configured, the resulting configuration is enhanced dynamic split include tunneling.
Dynamic Split Include Tunneling
Dynamic split include tunneling applies only to split include configuration. Enhanced dynamic split include tunneling applies only to split include configuration.
Outcome of Overlapping Scenarios with Split Tunneling Configuration
Dynamic inclusion or exclusion covers only IP addresses not already included or excluded. When both static and some form of dynamic tunneling are applied and a new inclusion or exclusion needs to be enforced, a collision with an already applied inclusion or exclusion may occur. When a dynamic exclusion is enforced (which contains all IP addresses that are part of a DNS response matching an excluded domain name), only those addresses not already excluded are considered for exclusion. Likewise, when a dynamic inclusion is enforced (which contains all IP addresses that are part of a DNS response matching an included domain name), only those addresses not already included are considered for inclusion. Static public routes (such as split-exclude routes and critical routes such as the secure gateway route) take precedence over dynamic split include routes. For that reason, if at least one IP address of the dynamic inclusion matches a static public route, the dynamic inclusion is not enforced. Similarly, static split-include routes take precedence over dynamic split exclude routes. For that reason, if at least one IP address of the dynamic exclusion matches a static split-include route, the dynamic exclusion is not enforced.
Notifications of Dynamic Split Tunneling Usage
While the VPN tunnel is connected, you can see what is set for dynamic split tunneling in several ways:
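The domain-matching rules (plain and enhanced dynamic split exclude/include, subdomain coverage, no wildcards) and the collision rules with static routes described above, as one added worked example. This is illustration code written for this page, not AnyConnect's implementation or the ASA custom-attribute syntax; the policy class, its parameter names, the mode names and the sample networks and gateway address are constructed for the example.

```python
import ipaddress


def domain_matches(host: str, domain: str) -> bool:
    """A host matches a configured domain when it equals the domain or is one of its
    subdomains. Wildcards are unsupported, so this is label-boundary suffix matching."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


class SplitTunnelPolicy:
    """Constructed model of a group policy: static mode plus dynamic domain lists."""

    def __init__(self, static_mode, *, static_include=(), static_exclude=(),
                 dynamic_exclude=(), dynamic_include=(), gateway="203.0.113.1"):
        if static_mode not in ("tunnel_all", "split_exclude", "split_include"):
            raise ValueError("static_mode must be tunnel_all, split_exclude or split_include")
        self.mode = static_mode
        self.static_include = [ipaddress.ip_network(n, strict=False) for n in static_include]
        self.static_exclude = [ipaddress.ip_network(n, strict=False) for n in static_exclude]
        # Wildcard entries are dropped because the page states they are not supported.
        self.dyn_exclude = [d for d in dynamic_exclude if "*" not in d]
        self.dyn_include = [d for d in dynamic_include if "*" not in d]
        # The secure gateway route is a critical static public route (constructed address).
        self.gateway = ipaddress.ip_network(gateway)

    def dynamic_action(self, host):
        """Return "exclude", "include" or None for a hostname, before the IP collision check."""
        excl = any(domain_matches(host, d) for d in self.dyn_exclude)
        incl = any(domain_matches(host, d) for d in self.dyn_include)
        if self.mode in ("tunnel_all", "split_exclude"):
            # Dynamic split exclude. With include domains also configured this is the
            # enhanced form: match at least one exclude domain and no include domain.
            return "exclude" if (self.dyn_exclude and excl and not incl) else None
        # split_include: dynamic split include, enhanced when exclude domains are also set.
        return "include" if (self.dyn_include and incl and not excl) else None

    @staticmethod
    def _covered(ip, networks):
        return any(ip in n for n in networks)

    def apply_dns_response(self, host, addresses):
        """What a DNS answer for `host` does to the routing table.
        Returns (action, affected_addresses); action is "none" when nothing is enforced."""
        action = self.dynamic_action(host)
        if action is None:
            return "none", []
        ips = [ipaddress.ip_address(a) for a in addresses]
        if action == "exclude":
            # Static split-include routes win: one colliding address cancels the exclusion.
            if any(self._covered(ip, self.static_include) for ip in ips):
                return "none", []
            # Only addresses not already excluded are considered.
            affected = [ip for ip in ips if not self._covered(ip, self.static_exclude)]
        else:
            # Static public routes (split-exclude networks, the gateway route) win.
            public = self.static_exclude + [self.gateway]
            if any(self._covered(ip, public) for ip in ips):
                return "none", []
            # Only addresses not already included are considered.
            affected = [ip for ip in ips if not self._covered(ip, self.static_include)]
        return (action if affected else "none"), [str(ip) for ip in affected]
```

The page's own examples map directly onto this model: with `dynamic_exclude=["example.com"]` and `dynamic_include=["mail.example.com"]` under tunnel-all, `www.example.com` is excluded while `mail.example.com` (and its subdomains) stay in the tunnel.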
Configure Dynamic Split Exclude Tunneling
Before you begin
With dynamic split tunneling, you can dynamically provision split exclude tunneling after tunnel establishment based on the host DNS domain name. Dynamic split tunneling is configured by creating a custom attribute and adding it to a group policy on Secure Firewall ASA. Refer to Configure Dynamic Split Tunneling in the Cisco ASA Series VPN ASDM Configuration Guide for GUI steps.
Procedure
Configure Enhanced Dynamic Split Exclude Tunneling
Before you begin
Enhanced domain name matching is supported when dynamic split exclude tunneling is configured with both dynamic split exclude and dynamic split include domains. Enhanced dynamic split exclude tunneling is configured by creating two custom attributes and adding them to a group policy on Secure Firewall ASA. Refer to Configure Dynamic Split Tunneling in the Cisco ASA Series VPN ASDM Configuration Guide for GUI steps.
Procedure
Configure Dynamic Split Include Tunneling
Before you begin
With dynamic split tunneling, you can dynamically provision split include tunneling after tunnel establishment based on the host DNS domain name. Dynamic split tunneling is configured by creating a custom attribute and adding it to a group policy on Secure Firewall ASA. Refer to Configure Dynamic Split Tunneling in the Cisco ASA Series VPN ASDM Configuration Guide for GUI steps.
Procedure
Configure Enhanced Dynamic Split Include Tunneling
Before you begin
Enhanced domain name matching is supported when dynamic split include tunneling is configured with both dynamic split include and dynamic split exclude domains. Enhanced dynamic split include tunneling is configured by creating two custom attributes and adding them to a group policy on Secure Firewall ASA. Refer to Configure Dynamic Split Tunneling in the Cisco ASA Series VPN ASDM Configuration Guide for GUI steps.
Procedure
Split DNS
Split DNS is supported for both split include and split exclude tunneling configurations. When split DNS for split include tunneling is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to a VPN DNS server (also configured in the group policy). All other DNS queries are directed outside the VPN tunnel, to a public DNS server. When split DNS for split exclude tunneling is configured, specific DNS queries are sent outside the VPN tunnel, to a public DNS server. All other DNS queries are tunneled to a VPN DNS server. If split DNS is not enabled with a split tunneling configuration, DNS queries are routed over the tunnel only if "Send All DNS lookups through tunnel" is configured in the group policy. Otherwise, they can also be routed outside the tunnel.
Requirements for Split DNS
For macOS, AnyConnect can use true split-DNS for a certain IP protocol only if one of the following conditions is met:
If split DNS for split include is configured for one IP protocol and split DNS for split exclude is configured for the other protocol, split DNS for split include takes precedence, resulting in AnyConnect ignoring the split DNS for split exclude settings. Split DNS is relevant only to typical applications relying on the native/OS DNS client for name resolution, such as browsers, mail applications, and such. Unsupported applications include tools using a custom resolver, such as dig and nslookup.
Configure Split DNS for Split Include Tunneling
To configure split DNS for split include tunneling in the group policy, do the following:
Procedure
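The query-routing rules for split DNS (split include, split exclude, the split-include precedence across IP protocols, and the "Send All DNS lookups through tunnel" fallback), as an added worked example written for this page rather than taken from AnyConnect or ASDM. The configuration dictionary shape, the mode strings and the sample domains are constructed; only applications that use the OS resolver are subject to this decision, as the page notes for dig and nslookup.

```python
def _suffix_match(qname, domain):
    """Query name equals the split DNS domain or is a subdomain of it."""
    qname, domain = qname.lower().rstrip("."), domain.lower().strip(".")
    return qname == domain or qname.endswith("." + domain)


def effective_split_dns(cfg):
    """Collapse the per-IP-protocol settings into a single split DNS rule.

    cfg example (constructed shape):
        {"ipv4": {"mode": "split_include", "split_dns": ["corp.example"]},
         "ipv6": {"mode": "split_exclude", "split_dns": ["cloud.example"]}}
    Returns (mode, domains), or (None, []) when no split DNS is configured."""
    include_domains, exclude_domains = [], []
    for proto in ("ipv4", "ipv6"):
        entry = cfg.get(proto) or {}
        domains = entry.get("split_dns") or []
        if not domains:
            continue
        if entry.get("mode") == "split_include":
            include_domains.extend(domains)
        elif entry.get("mode") == "split_exclude":
            exclude_domains.extend(domains)
    # Split DNS for split include takes precedence; split exclude settings are then ignored.
    if include_domains:
        return "split_include", include_domains
    if exclude_domains:
        return "split_exclude", exclude_domains
    return None, []


def dns_destination(qname, cfg, send_all_dns_through_tunnel=False):
    """Where the OS resolver's query goes:
    "vpn"    - tunnelled to the VPN DNS server from the group policy
    "public" - sent outside the tunnel to a public DNS server
    "either" - no split DNS and no tunnel-all-DNS setting, so it may leave the tunnel"""
    mode, domains = effective_split_dns(cfg)
    matched = any(_suffix_match(qname, d) for d in domains)
    if mode == "split_include":
        return "vpn" if matched else "public"
    if mode == "split_exclude":
        return "public" if matched else "vpn"
    return "vpn" if send_all_dns_through_tunnel else "either"
```

The "either" outcome is the one to watch when verifying a deployment: without split DNS and without "Send All DNS lookups through tunnel", internal names can leak to a public resolver.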
What to do next
After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.
Configure Split DNS for Split Exclude Tunneling
To configure split DNS for split exclude tunneling in the group policy, do the following:
Procedure
What to do next
Verify Split DNS Using AnyConnect Logs
Manage VPN Authentication
Important Security Considerations
We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client. To configure Strict Certificate Trust, see the Local Policy Parameters and Values section: Local Policy Preferences.
Supported Security Types
AnyConnect supports RSA and ECDSA certificates for both server certificate verification and for client certificate authentication.
Configure Server Certificate Handling
Server Certificate Verification
Invalid Server Certificate Handling
In response to the increase of targeted attacks against mobile users on untrusted networks, we have improved the security protections in the client to help prevent serious security breaches. The default client behavior has been changed to provide an extra layer of defense against man-in-the-middle attacks.
User Interaction
When the user tries to connect to a secure gateway, and there is a certificate error (due to expired, invalid date, wrong key usage, or CN mismatch), the user sees a red-colored dialog with Change Settings and Keep Me Safe buttons.
If the user unchecks Block connections to untrusted servers, and the only issue with the certificate is that the CA is untrusted, then the next time the user attempts to connect to this secure gateway, the user will not see the Certificate Blocked Error dialog. If the user checks Always trust this VPN server and import the certificate, then future connections to this secure gateway will not prompt the user to continue.
Improved Security Behavior
When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates. There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user’s local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt. For information about enabling Strict Certificate Trust in the local policy file, see the Local Policy Preferences.
Guidelines and Limitations
Invalid server certificates are rejected when:
Configure Certificate-Only Authentication
You can specify whether you want users to authenticate using Secure Firewall ASA with a username and password or using a digital certificate (or both). When you configure certificate-only authentication, users can connect with a digital certificate and are not required to provide a user ID and password. To support certificate-only authentication in an environment where multiple groups are used, you may provision more than one group-url. Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the Secure Firewall ASA to place the user in this group when the certificate from this process is presented to the Secure Firewall ASA.
Procedure
Configure Certificate Enrollment
The AnyConnect Secure Mobility Client uses the Simple Certificate Enrollment Protocol (SCEP) to provision and renew a certificate as part of client authentication. Certificate enrollment using SCEP is supported by AnyConnect IPsec and SSL VPN connections to the Secure Firewall ASA in the following ways:
SCEP Proxy Enrollment and Operation
The following steps describe how a certificate is obtained and a certificate-based connection is made when AnyConnect and the Secure Firewall ASA are configured for SCEP Proxy.
Other SCEP Proxy operational considerations:
Certificate Authority Requirements
Guidelines for Certificate Enrollment
Configure SCEP Proxy Certificate Enrollment
Configure a VPN Client Profile for SCEP Proxy Enrollment
Procedure
Configure the Secure Firewall ASA to Support SCEP Proxy Enrollment
For SCEP Proxy, a single Secure Firewall ASA connection profile supports certificate enrollment and the certificate authorized VPN connection.
Procedure
Set Up a Windows 2012 Server Certificate Authority for SCEP
If your Certificate Authority software is running on a Windows 2012 server, you may need to make one of the following configuration changes to the server to support SCEP with AnyConnect.
Disable the SCEP Password on the Certificate Authority
The following steps describe how to disable the SCEP challenge password, so that clients will not need to provide an out-of-band password before SCEP enrollment.
Setting the SCEP Template on the Certificate Authority
The following steps describe how to create a certificate template, and assign it as the default SCEP template.
Configure a Certificate Expiration Notice
Configure AnyConnect to warn users that their authentication certificate is about to expire. The Certificate Expiration Threshold setting specifies the number of days before the certificate’s expiration date. AnyConnect uses the threshold to determine when to warn users that their certificate is expiring. AnyConnect warns the user upon each connect until the certificate has actually expired or a new certificate has been acquired.
Procedure
Configure Certificate Selection
The following steps show all the places in the AnyConnect profiles where you configure how certificates are searched for and how they are selected on the client system. None of the steps are required, and if you do not specify any criteria, AnyConnect uses default key matching. AnyConnect reads the browser certificate stores on Windows. For Linux, you must create a Privacy Enhanced Mail (PEM) formatted file store. For macOS, you may use a Privacy Enhanced Mail (PEM) formatted file store or the Keychain.
Procedure
Configure Which Certificate Stores to Use
For Windows, macOS, and Linux, separate certificate stores are provided for AnyConnect to use in the VPN client profile. You can have single or multiple certificate authentication combinations and can configure the secure gateway to dictate to the client which one of the multiple certificate authentication choices is acceptable for a particular VPN connection. For example, on macOS, if you set ExcludePemFileCertStore to true in the local policy file (to force AnyConnect to use only native Keychain certificate stores) and also set the profile-based certificate store to Login (to force AnyConnect to use only certificate stores such as User Login and dynamic smartcard Keychains, plus the user PEM file store), the combined filtering results in AnyConnect using strictly the User Login Keychain certificate store. For Windows, users with administrative privileges on the computer have access to both certificate stores. Users without administrative privileges only have access to the user certificate store. Usually, Windows users do not have administrative privileges. Choosing Windows Certificate Store Override allows AnyConnect to access the machine store, even when the user does not have administrative privileges.
The following table describes how AnyConnect searches for certificates on a client based on what Certificate Store is searched, and whether Windows Certificate Store Override is checked.
With Multiple Certificate Authentication
With Basic Certificate Authentication
Prompt Windows Users to Select Authentication Certificate
You can configure AnyConnect to present a list of valid certificates to users and let them choose the certificate to authenticate the session. An expired certificate is not necessarily considered invalid. For example, if you are using SCEP, the server might issue a new certificate to the client. Eliminating expired certificates might keep a client from connecting at all, thus requiring manual intervention and out-of-band certificate distribution. AnyConnect only restricts the client certificate based on security-related properties, such as key usage, key type and strength, and so on, based on configured certificate matching rules. This configuration is available only for Windows. By default, user certificate selection is disabled.
Procedure
Create a PEM Certificate Store for macOS and Linux
AnyConnect supports certificate retrieval from a Privacy Enhanced Mail (PEM) formatted file store. AnyConnect reads PEM-formatted certificate files from the file system on the remote computer, verifies, and signs them.
Before you begin
In order for the client to acquire the appropriate certificates under all circumstances, ensure that your files meet the following requirements:
To create the PEM file certificate store, create the paths and folders listed below. Place the appropriate certificates in these folders:
Machine certificates are the same as PEM file certificates, except for the root directory. For machine certificates, substitute /opt/.cisco for ~/.cisco. Otherwise, the paths, folders, and types of certificates listed apply. AnyConnect also uses the system CA certificate location (/etc/ssl/certs) to verify server certificates.
Configure Certificate Matching
AnyConnect can limit its search of certificates to those certificates that match a specific set of keys. Certificate matchings are global criteria that are set in an AnyConnect VPN profile, in the Certificate Matching pane. The criteria are:
Configure Key Usage
Selecting the Key Usage keys limits the certificates that AnyConnect can use to those certificates that have at least one of the selected keys. The supported set is listed in the Key Usage list on the VPN client profile, and it includes:
If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate.
Configure Extended Key Usage
Selecting the Extended Key Usage keys limits the certificates that AnyConnect can use to the certificates that have these keys. The following table lists the well-known set of constraints with their corresponding object identifiers (OIDs).
Configure Custom Extended Match Key
All other OIDs (such as 1.3.6.1.5.5.7.3.11, used in some examples in this document) are considered “custom.” As an administrator, you can add your own OIDs if the OID that you want is not in the well-known set.
Configure Certificate Distinguished Name
The Distinguished Name table contains certificate identifiers that limit the certificates that the client can use to the certificates that match the specified criteria and criteria match conditions. Click the Add button to add criteria to the list and to set a value or wildcard to match the contents of the added criteria.
Distinguished Name can contain zero or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. Distinguished Name matching specifies that a certificate must or must not have the specified string, and whether wildcarding for the string is allowed.
VPN Authentication Using SAML
You can use SAML 2.0 integrated with Secure Firewall ASA release 9.7.1 (and later) for initial session authentication. An enhanced version of SAML integration was later introduced which replaces the native (external) browser integration with an embedded browser. When connecting to a tunnel group configured for SAML authentication, AnyConnect opens an embedded browser window to complete the authentication process. Every SAML attempt uses a new browser session, and the browser session is specific to AnyConnect (the session state is not shared with any other browsers). Although each SAML authentication attempt starts with no session state, permanent cookies persist between attempts. Secure Firewall ASA release 9.17.1 (and later) / ASDM release 7.17.1 (and later) introduced support for VPN SAML external browser with AnyConnect. When you use SAML as the primary authentication method for the AnyConnect VPN connection profile, you can choose for AnyConnect to use a local browser, instead of the embedded browser, when performing web authentication. With this feature, AnyConnect supports WebAuthN and any other SAML-based web authentication options, such as Single Sign-On, biometric authentication, or other enhanced methods that are unavailable with the embedded browser. For SAML external browser use, you must perform the configuration described in the Configure Default OS Browser for SAML Authentication section of the Cisco ASA Series VPN CLI Configuration Guide, 9.17.
Platform Specific Requirements
You must meet the following system requirements in order to use SAML with an embedded browser:
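The three certificate matching criteria above (Key Usage: at least one selected key; Extended Key Usage: well-known or custom OIDs; Distinguished Name: every criterion must hold, each either must or must-not match, with optional wildcards), as one added worked example written for this page rather than taken from the AnyConnect profile editor or client. Certificates are represented as plain dictionaries constructed for the example (in practice the fields come from the parsed X.509 certificate); the three well-known EKU OIDs are the standard RFC 5280 values, and the rule that an EKU list matches on at least one OID is an assumption that mirrors the stated Key Usage rule.

```python
import fnmatch

# Standard EKU OIDs (RFC 5280); anything else, such as 1.3.6.1.5.5.7.3.11, is "custom".
WELL_KNOWN_EKU = {
    "ServerAuth": "1.3.6.1.5.5.7.3.1",
    "ClientAuth": "1.3.6.1.5.5.7.3.2",
    "EmailProtection": "1.3.6.1.5.5.7.3.4",
}


def eku_oid(name_or_oid):
    """Accept a well-known name or a dotted OID string and return the OID."""
    return WELL_KNOWN_EKU.get(name_or_oid, name_or_oid)


class CertificateMatcher:
    """Constructed model of the Certificate Matching pane of a VPN profile."""

    def __init__(self, key_usage=(), extended_key_usage=(), distinguished_name=()):
        self.key_usage = set(key_usage)
        self.eku = {eku_oid(x) for x in extended_key_usage}
        # Each DN criterion: (attribute, pattern, must_match, wildcard_allowed)
        self.dn_rules = list(distinguished_name)

    def _key_usage_ok(self, cert):
        # At least one selected Key Usage must be present (no criteria: everything passes).
        if not self.key_usage:
            return True
        return bool(self.key_usage & set(cert.get("key_usage", ())))

    def _eku_ok(self, cert):
        # Assumed: at least one listed EKU OID must be present.
        if not self.eku:
            return True
        return bool(self.eku & {eku_oid(x) for x in cert.get("extended_key_usage", ())})

    def _dn_ok(self, cert):
        # All DN criteria must hold; each says whether the value must or must not match.
        subject = cert.get("subject", {})
        for attr, pattern, must_match, wildcard in self.dn_rules:
            value = subject.get(attr, "")
            hit = fnmatch.fnmatchcase(value, pattern) if wildcard else value == pattern
            if hit != must_match:
                return False
        return True

    def matches(self, cert):
        return self._key_usage_ok(cert) and self._eku_ok(cert) and self._dn_ok(cert)

    def select(self, certs):
        """Return the certificates the client may present, in store order."""
        return [c for c in certs if self.matches(c)]


# Constructed sample certificates (dictionaries, not real X.509 objects).
ENGINEER = {"key_usage": {"DigitalSignature", "KeyEncipherment"},
            "extended_key_usage": ["1.3.6.1.5.5.7.3.2"],
            "subject": {"CN": "alice", "OU": "Engineering", "O": "Example Corp"}}
MAIL_ONLY = {"key_usage": {"KeyEncipherment"},
             "extended_key_usage": ["EmailProtection"],
             "subject": {"CN": "alice-mail", "OU": "Engineering", "O": "Example Corp"}}
CONTRACTOR = {"key_usage": {"DigitalSignature"},
              "extended_key_usage": ["ClientAuth"],
              "subject": {"CN": "guest1", "OU": "Contractors", "O": "Example Corp"}}
```

A matcher requiring DigitalSignature, the ClientAuth EKU, OU equal to "Engineering" and a CN that does not match `guest*` selects only `ENGINEER` from the three samples; a matcher listing only the custom OID 1.3.6.1.5.5.7.3.11 selects none of them.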
Upgrade Process
AnyConnect SAML 2.0 with a native (external) browser is available with ASA release 9.7.x, 9.8.x, and 9.9.1. The enhanced version with embedded browser requires you to upgrade to AnyConnect 4.6 (or later) and ASA 9.7.1.24 (or later), 9.8.2.28 (or later), or 9.9.2.1 (or later). When upgrading or deploying the headend or client devices with the embedded browser SAML integration, take note of these scenarios:
Follow these guidelines when using SAML:
Refer to the latest release (9.7 or later) of the Cisco ASA Series VPN CLI or ASDM Configuration Guide for additional SAML configuration details.
VPN Authentication Using SDI Token (SoftID) Integration
AnyConnect integrates support for RSA SecurID client software versions 1.1 and later running on Windows x86 (32-bit) and x64 (64-bit). RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens. Typically, users make the AnyConnect connection by clicking the AnyConnect icon in the tools tray, selecting the connection profile with which they wish to connect, and then entering the appropriate credentials in the authentication dialog box. The login (challenge) dialog box matches the type of authentication configured for the tunnel group to which the user belongs. The input fields of the login dialog box clearly indicate what kind of input is required for authentication. For SDI authentication, the remote user enters a PIN (Personal Identification Number) into the AnyConnect software interface and receives an RSA SecurID passcode. After the user enters the passcode into the secured application, the RSA Authentication Manager validates the passcode and allows the user to gain access. Users who use RSA SecurID hardware or software tokens see input fields indicating whether the user should enter a passcode or a PIN, a PIN, or a passcode, and the status line at the bottom of the dialog box provides further information about the requirements. The user enters a software token PIN or passcode directly into the AnyConnect user interface.
The appearance of the initial login dialog box depends on the secure gateway settings: the user can access the secure gateway either through the main login page, the main index URL, a tunnel-group login page, or a tunnel group URL (URL/tunnel-group). To access the secure gateway via the main login page, the “Allow user to select connection” checkbox must be set in the Network (Client) Access AnyConnect Connection Profiles page. In either case, the secure gateway sends the client a login page. The main login page contains a drop-down list in which the user selects a tunnel group; the tunnel-group login page does not, since the tunnel-group is specified in the URL. In the case of a main login page (with a drop-down list of connection profiles or tunnel groups), the authentication type of the default tunnel group determines the initial setting for the password input field label. For example, if the default tunnel group uses SDI authentication, the field label is “Passcode;” but if the default tunnel group uses NTLM authentication, the field label is “Password.” In Release 2.1 and later, the field label is not dynamically updated with the user selection of a different tunnel group. For a tunnel-group login page, the field label matches the tunnel-group requirements. The client supports input of RSA SecurID Software Token PINs in the password input field. If the RSA SecurID Software Token software is installed and the tunnel-group authentication type is SDI, the field label is “Passcode” and the status bar states “Enter a username and passcode or software token PIN.” If a PIN is used, subsequent consecutive logins for the same tunnel group and username have the field label “PIN.” The client retrieves the passcode from the RSA SecurID Software Token DLL using the entered PIN. With each successful authentication, the client saves the tunnel group, the username, and authentication type, and the saved tunnel group becomes the new default tunnel group. 
AnyConnect accepts passcodes for any SDI authentication. Even when the password input label is “PIN,” the user may still enter a passcode as instructed by the status bar. The client sends the passcode to the secure gateway as is. If a passcode is used, subsequent consecutive logins for the same tunnel group and username have the field label “Passcode.” The RSASecureIDIntegration profile setting has three possible values:
Categories of SDI Authentication Exchanges
All SDI authentication exchanges fall into one of the following categories:
Normal SDI Authentication Login
A normal login challenge is always the first challenge. The SDI authentication user must provide a user name and token passcode (or PIN, in the case of a software token) in the username and passcode or PIN fields, respectively. The client returns the information to the secure gateway (central-site device), and the secure gateway verifies the authentication with the authentication server (SDI or SDI via RADIUS proxy). If the authentication server accepts the authentication request, the secure gateway sends a success page back to the client, and the authentication exchange is complete. If the passcode is not accepted, the authentication fails, and the secure gateway sends a new login challenge page, along with an error message. If the passcode failure threshold on the SDI server has been reached, then the SDI server places the token into next token code mode.
New User, Clear PIN, and New PIN Modes
The PIN can be cleared only on the SDI server and only by the network administrator. In the New User, Clear PIN, and New PIN modes, AnyConnect caches the user-created PIN or system-assigned PIN for later use in the “next passcode” login challenge. Clear PIN mode and New User mode are identical from the point of view of the remote user and are both treated the same by the secure gateway. In both cases, the remote user either must enter a new PIN or be assigned a new PIN by the SDI server. The only difference is in the user response to the initial challenge. For New PIN mode, the existing PIN is used to generate the passcode, as it would be in any normal challenge. For Clear PIN mode, no PIN is used at all for hardware tokens, with the user entering just a token code. A PIN of eight consecutive zeros (00000000) is used to generate a passcode for RSA software tokens. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.
Adding a new user to an SDI server has the same result as clearing the PIN of an existing user. In both cases, the user must either provide a new PIN or be assigned a new PIN by the SDI server. In these modes, for hardware tokens, the user enters just a token code from the RSA device. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.
Creating a New PIN
If there is no current PIN, the SDI server requires that one of the following conditions be met, depending on how the system is configured:
If the SDI server is configured to allow the remote user to choose whether to create a PIN or have the system assign a PIN, the login screen presents a drop-down list showing the options. The status line provides a prompt message. For a system-assigned PIN, if the SDI server accepts the passcode that the user enters on the login page, then the secure gateway sends the client the system-assigned PIN. The client sends a response back to the secure gateway, indicating that the user has seen the new PIN, and the system continues with a “next passcode” challenge. If the user chooses to create a new PIN, AnyConnect presents a dialog box on which to enter that PIN. The PIN must be a number from 4 to 8 digits long. Because the PIN is a type of password, anything the user enters into these input fields is displayed as asterisks. With RADIUS proxy, the PIN confirmation is a separate challenge, subsequent to the original dialog box. The client sends the new PIN to the secure gateway, and the secure gateway continues with a “next passcode” challenge.
“Next Passcode” and “Next Token Code” Challenges
For a “next passcode” challenge, the client uses the PIN value cached during the creation or assignment of a new PIN to retrieve the next passcode from the RSA SecurID Software Token DLL and return it to the secure gateway without prompting the user. Similarly, in the case of a “next Token Code” challenge for a software token, the client retrieves the next Token Code from the RSA SecurID Software Token DLL.
Compare Native SDI with RADIUS SDI
The network administrator can configure the secure gateway to allow SDI authentication in either of the following modes:
Native SDI and RADIUS SDI appear identical to the remote user. Because the SDI messages are configurable on the SDI server, the message text on the Secure Firewall ASA must match the message text on the SDI server. Otherwise, the prompts displayed to the remote client user might not be appropriate for the action required during authentication. AnyConnect might fail to respond, and authentication might fail. RADIUS SDI challenges, with minor exceptions, essentially mirror native SDI exchanges. Since both ultimately communicate with the SDI server, the information needed from the client and the order in which that information is requested is the same. During authentication, the RADIUS server presents access challenge messages to the Secure Firewall ASA. Within these challenge messages are reply messages containing text from the SDI server. The message text is different when the Secure Firewall ASA is communicating directly with an SDI server from when communicating through the RADIUS proxy. Therefore, in order to appear as a native SDI server to AnyConnect, the Secure Firewall ASA must interpret the messages from the RADIUS server. Also, because the SDI messages are configurable on the SDI server, the message text on the Secure Firewall ASA must match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the remote client user may not be appropriate for the action required during authentication. AnyConnect might fail to respond and authentication might fail.
Configure the Secure Firewall ASA to Support RADIUS/SDI Messages
To configure the Secure Firewall ASA to interpret SDI-specific RADIUS reply messages and prompt the AnyConnect user for the appropriate action, you must configure a connection profile (tunnel group) to forward RADIUS reply messages in a manner that simulates direct communication with an SDI server. Users authenticating to the SDI server must connect over this connection profile.
Procedure
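The client side of the SDI exchange categories described above (normal login, Clear PIN / New User with the all-zeros software-token PIN, user-created PIN validation, system-assigned PIN, and the "next passcode" and "next token code" challenges answered from the cached PIN without prompting), as an added state-machine sketch written for this page. It is not AnyConnect code and not the RSA SecurID algorithm: the token-code generator, the challenge names and the passcode layout (PIN followed by token code) are constructed simplifications.

```python
import hashlib
import hmac
import re

PIN_RE = re.compile(r"^\d{4,8}$")     # a user-created PIN must be a number of 4 to 8 digits
CLEAR_PIN_SOFTWARE = "00000000"       # PIN used with software tokens in Clear PIN / New User mode


class SoftwareToken:
    """Stand-in for the RSA SecurID Software Token DLL: hands out consecutive codes.
    The HMAC counter scheme is constructed for this example, not the real algorithm."""

    def __init__(self, seed: bytes):
        self._seed, self._counter = seed, 0

    def next_token_code(self) -> str:
        self._counter += 1
        mac = hmac.new(self._seed, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class SDIClient:
    def __init__(self, token: SoftwareToken):
        self.token = token
        self.cached_pin = None   # held only until the following "next passcode" challenge

    def passcode(self, pin: str) -> str:
        # Simplified layout: PIN followed by the current token code.
        return pin + self.token.next_token_code()

    def respond(self, challenge: str, user_input: str = None) -> str:
        """Produce the client's answer to one challenge category."""
        if challenge == "normal":            # first challenge: user enters the PIN
            return self.passcode(user_input)
        if challenge == "clear_pin":         # Clear PIN / New User: software token uses all zeros
            return self.passcode(CLEAR_PIN_SOFTWARE)
        if challenge == "new_pin_user":      # user chose to create a PIN; validate and cache it
            if not PIN_RE.match(user_input or ""):
                raise ValueError("PIN must be a number from 4 to 8 digits long")
            self.cached_pin = user_input
            return user_input
        if challenge == "new_pin_system":    # server assigned the PIN; acknowledge and cache it
            self.cached_pin = user_input
            return "ack"
        if challenge == "next_passcode":     # answered from the cached PIN, no user prompt
            if self.cached_pin is None:
                raise RuntimeError("next passcode requested without a cached PIN")
            pin, self.cached_pin = self.cached_pin, None
            return self.passcode(pin)
        if challenge == "next_token_code":   # token in next-token-code mode: bare code only
            return self.token.next_token_code()
        raise ValueError(f"unknown challenge: {challenge}")
```

The point worth noticing is that the cached PIN is consumed by the "next passcode" challenge and then discarded, so a second "next passcode" without a preceding PIN creation or assignment is an error rather than a silent retry.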
About Certificate Pinning
AnyConnect certificate pinning helps detect whether a server certificate chain actually came from the server the client is connecting to. The feature is driven by VPN profile settings and operates in addition to the AnyConnect server certificate verification policies; it does not replace them. The strict certificate trust settings in the AnyConnect local policy file have no influence on the certificate pinning check. You can configure pins globally or on a per-host basis in the VPN profile. Pins configured for a primary host are also valid for its backup hosts in the server list. The preference to perform certificate pinning checks is not user controllable. A pin verification failure results in termination of the VPN connection.
In the VPN profile editor (AnyConnect Profile Editor, Certificate Pin), you can enable the preference and configure the global and per-host certificate pins. Be cautious when configuring and maintaining certificate pinning: because a pin mismatch terminates the connection, a pin that no longer matches the gateway's key (for example, after a key rollover) locks users out until an updated profile reaches them. Consider these recommendations when setting preferences:
Global and Per Host Pins
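The following is an added example, not code from AnyConnect or from Cisco's documentation, showing the global and per-host pin semantics described above as a fail-closed check: a pin is assumed to be the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (the RFC 7469 form; AnyConnect's exact pin format is not stated on this page), per-host pins are inherited by the host's backup servers, a chain passes if any certificate in it matches an applicable pin, and a host with no applicable pins is assumed to be unpinned. The host names and the profile shape (PinProfile, HostEntry) are hypothetical, and the SPKI blobs are constructed filler, not real keys.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field


def spki_pin(spki_der: bytes) -> str:
    """Pin value for a public key: base64(SHA-256(SubjectPublicKeyInfo DER)).

    Assumption: pins are taken over the SPKI, as in RFC 7469, so a certificate
    renewal that keeps the same key does not invalidate the pin.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class HostEntry:
    """One server-list entry: a primary gateway, its backup hosts, its pins."""
    primary: str
    backups: list = field(default_factory=list)
    pins: list = field(default_factory=list)


@dataclass
class PinProfile:
    """The pinning-relevant part of a VPN profile (hypothetical shape)."""
    enabled: bool = True
    global_pins: list = field(default_factory=list)
    hosts: list = field(default_factory=list)

    def pins_for(self, host: str) -> set:
        """Global pins plus the per-host pins of the entry whose primary or
        backup list contains the host (backups inherit the primary's pins)."""
        allowed = set(self.global_pins)
        for entry in self.hosts:
            if host == entry.primary or host in entry.backups:
                allowed.update(entry.pins)
        return allowed


def verify_chain(profile: PinProfile, host: str, chain_spkis: list) -> bool:
    """Pinning check for a presented chain (SPKI DER blobs, leaf first).

    True means the chain satisfies the pinning policy; False means the VPN
    connection must be terminated. Any pinned key anywhere in the chain
    (leaf, intermediate or root) satisfies the check, so an issuing CA can be
    pinned instead of a rotating leaf key.
    """
    if not profile.enabled:
        return True  # pinning disabled in the profile: ordinary verification only
    allowed = profile.pins_for(host)
    if not allowed:
        return True  # assumption: a host with no applicable pins is unpinned
    for spki in chain_spkis:
        candidate = spki_pin(spki)
        if any(hmac.compare_digest(candidate, pin) for pin in allowed):
            return True
    return False  # pin verification failure


# --- constructed sample data (filler, not real keys) ------------------------
# Genuine DER header of a P-256 SubjectPublicKeyInfo, followed by a fake point.
_P256_SPKI_HEADER = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)
GATEWAY_SPKI = _P256_SPKI_HEADER + b"\x04" + bytes(range(1, 65))
ISSUER_SPKI = _P256_SPKI_HEADER + b"\x04" + bytes(range(100, 164))
ROGUE_SPKI = _P256_SPKI_HEADER + b"\x04" + bytes(range(64, 0, -1))

PROFILE = PinProfile(
    global_pins=[spki_pin(ISSUER_SPKI)],           # pin the issuing CA for all hosts
    hosts=[HostEntry(primary="vpn.example.com",    # hypothetical gateway names
                     backups=["vpn2.example.com"],
                     pins=[spki_pin(GATEWAY_SPKI)])],
)

if __name__ == "__main__":
    checks = {
        "primary with pinned leaf key": verify_chain(
            PROFILE, "vpn.example.com", [GATEWAY_SPKI, ISSUER_SPKI]),
        "backup host inherits primary's pin": verify_chain(
            PROFILE, "vpn2.example.com", [GATEWAY_SPKI]),
        "unlisted host, chain through pinned issuer": verify_chain(
            PROFILE, "other.example.com", [ROGUE_SPKI, ISSUER_SPKI]),
        "chain with no pinned key": verify_chain(
            PROFILE, "vpn.example.com", [ROGUE_SPKI]),
    }
    for name, ok in checks.items():
        print(f"{name}: {'connect' if ok else 'terminate'}")
```

Two design points worth noticing when you fill in real pins: pinning the issuing CA (the global pin above) accepts any certificate that CA issues, which is looser than pinning the gateway's own key but survives routine renewals; pinning the leaf key is tighter but must be updated in the profile before the gateway's key rolls over, otherwise every client fails closed.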
What security encryption protocol requires regular re-establishment of a connection and can be used with any type of TCP/IP transmission?
Can PPP support several types of network layer protocols that might use the connection?
PPP works with several network layer protocols, such as IP and IPv6. PPP also has built-in security mechanisms such as PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), and EAP (Extensible Authentication Protocol).
At what layer of the OSI model does the IPsec encryption protocol operate?
The IPsec protocol suite operates at the network layer of the OSI model. It runs directly on top of IP (the Internet Protocol), which is responsible for routing data packets. Meanwhile, SSL operates at the application layer of the OSI model.
What security principle provides proof of delivery and proof of the sender's identity?
Non-repudiation. Definition(s): Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.