Windows, unix, linux, and mac os clients are all capable of connecting to a vpn using pptp.

AnyConnect provides many options for automatically connecting, reconnecting, or disconnecting VPN sessions. These options provide a convenient way for your users to connect to your VPN, and they also support your network security requirements.

Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network).

TND does not interfere with the ability of the user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts manually in the trusted network. TND only disconnects the VPN session if the user first connects in an untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection at home and then moves into the corporate office.

You configure TND in the AnyConnectVPN profile. No changes are required to the Secure Firewall ASA configuration. You need to specify the action or policy AnyConnect takes when recognizing it is transitioning between trusted and untrusted networks, and identify your trusted networks and servers.

Note	Whenever the TND policy evaluation occurs with the VPN tunnel connected and the policy specifies name-based trusted servers, that name resolution is performed over the VPN tunnel using the DNS servers pushed by the VPN headend.

• Because the TND feature controls the AnyConnect GUI and automatically starts connections, the GUI should run at all times. If the user exits the GUI, TND does not automatically start the VPN connection.

• If AnyConnect VPN is also running Start Before Login (SBL), and the user moves into the trusted network, the SBL window displayed on the computer automatically closes.

• Trusted Network Detection with or without Always-On configured is supported on IPv6 and IPv4 VPN connections to the Secure Firewall ASA over IPv4 and IPv6 networks.

• Multiple profiles on a user computer may present problems if the TND configuration is different.

  If the user has received a TND-enabled profile in the past, upon system restart, AnyConnect attempts to connect to the security appliance it was last connected to, which may not be the behavior you desire. To connect to a different security appliance, they must manually disconnect and re-connect to that headend. The following workarounds will help you prevent this problem:

  • Enable TND in the client profiles loaded on all the Secure Firewall ASAs on your corporate network.

  • Create one profile listing all the Secure Firewall ASAs in the host entry section, and load that profile on all your Secure Firewall ASAs.

  • If users do not need to have multiple, different profiles, use the same profile name for the profiles on all the Secure Firewall ASAs. Each Secure Firewall ASA overrides the existing profile.

• To use TND on Linux, you must have the Network Manager installed and running properly on the target (RHEL/Ubuntu) device, and the network manager must be maintaining the network interfaces.

Always-On operation prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats.

When Always-On is enabled, it establishes a VPN session automatically after the user logs in and upon detection of an untrusted network. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the Secure Firewall ASA group policy) expires. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session.

When Always-On is enabled in the VPN Profile, AnyConnect protects the endpoint by deleting all the other downloaded AnyConnect profiles and ignores any public proxies configured to connect to the Secure Firewall ASA.

The following AnyConnect options also need to be considered when enabling Always-On:

• Allowing the user to disconnect the Always-On VPN session: AnyConnect provides the ability for the user to disconnect Always-On VPN sessions. If you enable Allow VPN Disconnect, AnyConnect displays a Disconnect button upon the establishment of a VPN session. By default, the profile editor enables the Disconnect button when you enableAlways-On VPN.

  Pressing the disconnect button locks all interfaces to prevent data from leaking out and to protect the computer from internet access except for establishing a VPN session. Users of Always-On VPN sessions may want to click Disconnect so they can choose an alternative secure gateway due to performance issues with the current VPN session, or reconnection issues following the interruption of a VPN session.

• Setting a connect failure policy: The connect failure policy determines whether the computer can access the internet if Always-On VPN is enabled, and AnyConnect cannot establish a VPN session. See Set a Connect Failure Policy.

• Handling captive portal hotspots: See Use Captive Portal Hotpost Detection and Remediation.

• Allowing access to certain hosts while VPN is disconnected: An optional configuration available with Allow access to the following hosts with VPN disconnected (which may be required for certain HostScan deployments) that allows endpoints to access the configured hosts while AnyConnect VPN is disconnected during Always On. Values are a comma-separated list of hosts which can be specified IP addresses, IP address ranges (CIDR format), or FQDNs. A maximum of 500 hosts are allowed.

  To configure this parameter for the use of SAML authentication, refer to Use Always-On VPN With External SAML Identity Provider.

• Always On is available only on Windows and macOS

• If Always-On is enabled, but the user does not log on, AnyConnect VPN does not establish the VPN connection. AnyConnect VPN starts the VPN connection only post-login.

• Always-On VPN does not support connecting though a proxy.

To enhance protection against threats, we recommend the following additional protective measures if you configure Always-On VPN:

• We strongly recommend purchasing a digital certificate from a certificate authority (CA) and enrolling it on the secure gateways. The ASDM provides an Enroll ASA SSL VPN with Entrust button on the Configuration > Remote Access VPN > Certificate Management > Identity Certificates panel to facilitate enrollment of a public certificate.

• Predeploy a profile configured with Always-On to the endpoints to limit connectivity to the pre-defined Secure Firewall ASAs. Predeployment prevents contact with a rogue server.

• Restrict administrator rights so that users cannot terminate processes. A PC user with admin rights can bypass an Always-On policy by stopping the agent. If you want to ensure fully-secure Always-On, you must deny local admin rights to users.

• Restrict access to the Cisco sub-folders on Windows computers, typically C:\ProgramData.

• Users with limited or standard privileges may sometimes have write access to their program data folders. They could use this access to delete the AnyConnect profile and thereby circumvent the Always-On feature.

• Predeploy a group policy object (GPO) for Windows users to prevent users with limited rights from terminating the GUI. Predeploy equivalent measures for macOS users.

Many facilities that offer Wi-Fi and wired access, such as airports, coffee shops, and hotels, require the user to pay before obtaining access, to agree to abide by an acceptable use policy, or both. These facilities use a technique called captive portal to prevent applications from connecting until the user opens a browser and accepts the conditions for access. Captive portal detection is the recognition of this restriction, and captive portal remediation is the process of satisfying the requirements of a captive portal hotspot in order to obtain network access.

If you are enabling captive portal detection with Network Access Manager, refer to the Client Policy Window section for configuration and requirements.

Captive portals are detected automatically by AnyConnect when initiating a VPN connection requiring no additional configuration. Also, AnyConnect does not modify any browser configuration settings during captive portal detection and does not automatically remediate the captive portal. It relies on the end user to perform the remediation. AnyConnect reacts to the detection of a captive portal depending on the current configuration:

• If Always-On is disabled, or if Always-On is enabled and the Connect Failure Policy is open, the following message is displayed on each connection attempt:

  
  The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
  

  The end user must perform captive portal remediation by meeting the requirements of the provider of the hotspot. These requirements could be paying a fee to access the network, signing an acceptable use policy, both, or some other requirement defined by the provider.

• If Always-On is enabled and the connect failure policy is closed, captive portal remediation needs to be explicitly enabled. If enabled, the end user can perform remediation as described above. If disabled, the following message is displayed upon each connection attempt, and the VPN cannot be connected.

  
  The service provider in your current location is restricting access to the Internet. The AnyConnect protection settings must be lowered for you to log on with the service provider. Your current enterprise security policy does not allow this.
  

With enhanced captive portal remediation, the AnyConnect embedded browser is used for remediation whenever captive portal is detected with network access restricted by AnyConnect (for example, due to Always On). Other applications remain with network access blocked while captive portal remediation with the AnyConnect browser is pending. The user can close the AnyConnect browser and fail over to an external browser (when enabled in the profile), causing AnyConnect to revert to the regular captive portal remediation behavior. In doing so, the following message is shown:

Please retry logging on with the service provider to retain access to the Internet, by visiting any website with your browser.

When captive portal is detected but network access is restricted by AnyConnect, the AnyConnect browser is automatically launched, with the following message displayed to prompt the user to remediate:

The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you establish a VPN session, using the AnyConnect browser.

AnyConnect can falsely assume that it is in a captive portal in the following situations.

• If attempts to contact an Secure Firewall ASA with a certificate containing an incorrect server name (CN), then AnyConnect will think it is in a “captive portal” environment.

  To prevent this, make sure the Secure Firewall ASA certificate is properly configured. The CN value in the certificate must match the name of the Secure Firewall ASA server in the VPN client profile.

• If there is another device on the network before the Secure Firewall ASA, and that device responds to the client's attempt to contact the Secure Firewall ASA by blocking HTTPS access to the ASA, then AnyConnect will think it is in a “captive portal” environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the Secure Firewall ASA.

  If you need to restrict access to the Secure Firewall ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic  to the ASA’s address does not return an HTTP status. HTTP/HTTPS access to the Secure Firewall ASA should either be allowed or completely blocked to ensure that HTTP/HTTPS requests sent to the ASA will not return an unexpected response.

If users cannot access a captive portal remediation page, ask them to try the following:

• Terminate any applications that use HTTP, such as instant messaging programs, e-mail clients, IP phone clients, and all but one browser to perform the remediation.

  The captive portal may be actively inhibiting DoS attacks by ignoring repetitive attempts to connect, causing them to time out on the client end. The attempt by many applications to make HTTP connections exacerbates this problem.

• Disable and re-enable the network interface. This action triggers a captive portal detection retry.

• Restart the computer.

A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts which require corporate network connectivity will also benefit from this feature.

The management VPN tunnel is meant to be transparent to the end user; therefore, network traffic initiated by user applications is not impacted, by default, but instead directed outside the management VPN tunnel.

When a management tunnel feature is detected as enabled, a restricted user account (ciscoacvpnuser) is created to enforce the principle of least privilege. This account gets removed during AnyConnect uninstallation or during an installation upgrade.

If a user complains of slow logins, it may be an indication that the management tunnel was not configured appropriately. Configure the Management VPN Tunnel describes the configuration steps that are required to enable the feature. If symptoms suggest lack of connectivity to the corporate network despite following this configuration, refer to Troubleshooting Management VPN Tunnel Connectivity Issues.

Compatibilities and Requirements of Management VPN Tunnel

• Requires ASA 9.0.1 (or later) and ASDM 7.10.1 (or later)

• Connects whenever the user initiated VPN tunnel is disconnected, before or after user login.

  Note	The management VPN tunnel is not established when a trusted network is detected by the Trusted Network Detection (TND) feature or when AnyConnect software update is in progress.

• Disconnects whenever the user initiates a VPN tunnel, before or after user login.

• Uses only machine store certificate authentication.

• Requires split include tunneling configuration, by default, to avoid impacting user initiated network communication (since the management VPN tunnel is meant to be transparent to the end user). To override this behavior, see Configure a Custom Attribute to Support Tunnel-All Configuration.

• Performs strict certificate checking on server certificate. The server certificate's root CA certificate must reside in the machine certificate store (computer certificate store on Windows, or system keychain or system file certificate store on macOS).

• Works with backup server list.

• Currently available only on Windows and macOS. Linux support will be added in subsequent releases.

Incompatibilities and Limitations of Management VPN Tunnel

• The management VPN profile does not support the value Native for proxy settings. This restriction applies only to Windows client, since the management VPN tunnel can be initiated without any user logged in; therefore, it cannot rely on user-specific browser proxy settings.

• The management VPN profile does not support private proxy settings that are pushed from the VPN server. Since the management VPN tunnel is meant to be transparent to the end user, user-specific or system proxy settings are not altered.

• Not compatible with the Always On feature, since the management VPN tunnel is established whenever the user VPN tunnel is inactive. However, you can configure the group policy for the management tunnel connection to tunnel all traffic, ensuring that no traffic is leaked by physical interfaces while the user VPN tunnel is inactive. Refer to Configure a Custom Attribute to Support Tunnel-All Configuration.

• Captive portal remediation is only performed when the AnyConnect UI is running and while the user is logged in, as if the management VPN tunnel feature was not enabled.

• The management VPN profile settings are only enforced by AnyConnect while the management VPN tunnel is active. When the management VPN tunnel is disconnected, only user VPN tunnel profile settings are enforced. Therefore, the management VPN tunnel is initiated according to the Trusted Network Detection (TND) settings in the user VPN tunnel profile, namely when TND is disabled or when it detects "untrusted network," regardless of the configured Untrusted Network Policy. Additionally, the TND Connect action in the management VPN profile (enforced only when the management VPN tunnel is active), always applies to the user VPN tunnel, to ensure that the management VPN tunnel is transparent to the end user. For a consistent user experience, you must use identical TND settings in both user and management VPN tunnel profiles.

Mandatory Preferences Enforced by Management VPN Profile

Certain profile preferences are mandatory while the management VPN tunnel is active. To assist you in configuring a valid profile, mandatory preferences are enforced by the AnyConnect Management VPN Profile Editor, by disabling the corresponding UI controls. During a management tunnel connection, the following preference values are overridden, mostly to eliminate user interaction and to minimize tunnel interruptions:

• AllowManualHostInput: false—Not relevant to the management tunnel (headless client).

• AlwaysOn: false—Not relevant, since user tunnel profile preferences are enforced whenever the management tunnel is disconnected.

• AutoConnectOnStart: false—Relevant only to a UI client, for automatic connection on start-up to the previously connected host.

• AutomaticCertSelection: true—To avoid certificate selection popups.

• AutoReconnect: true—To avoid management tunnel termination on network changes.

• AutoReconnectBehavior: ReconnectAfterResume—To avoid management tunnel termination on network changes.

• AutoUpdate: false—No software updates are performed during a management tunnel connection.

• BlockUntrustedServers: true—To avoid untrusted server certificate prompts.

• CertificateStore: MachineStore—Management tunnel authentication should also succeed without a logged in user.

• CertificateStoreOverride: true—Required for machine certificate authentication on Windows.

• EnableAutomaticServerSelection: false—Only one host entry is expected in the management VPN profile.

• EnableScripting: false—AnyConnect customization scripts (invoked at connect and/or disconnect time) are not executed during a management tunnel connection.

• MinimizeOnConnect:false—Not relevant to the management tunnel (headless client).

• RetainVPNOnLogoff:true—The management tunnel should remain active on user logoff.

• ShowPreConnect Message—Not relevant to the management tunnel (headless client).

• UserEnforcement: AnyUser—To ensure that the management tunnel is not potentially disconnected when a certain user logs in.

• UseStartBeforeLogon:False—Only applicable to user tunnel.

• WindowsVPNEstablishment: AllowRemote Users—To ensure that the management tunnel is not impacted by any type of user (local/remote) logging in.

• LinuxVPNEstablishment: Allow Remote Users— To ensure that the management tunnel is not impacted by any type of user (local/remote)

Also, AnyConnect does not enforce the following profile preferences during a management tunnel connection: WindowsLogonEnforcement and SCEP related preferences.

Because the management tunnel connection may occur without any user logged in, only machine store certificate authentication is supported. Consequently, at least one relevant client certificate needs to be available in the client host's machine certificate store.

If the client host is not reachable remotely, various scenarios may have occurred causing the management VPN tunnel to disconnect or not be established. In these scenarios, the AnyConnect GUI and CLI reflect the Management Connection State as a statistics entry:

• Disconnected (disabled)—The feature is disabled.

• Disconnected (trusted network)—TND detected a trusted network so the management tunnel is not established.

• Disconnected (user tunnel active)—A user tunnel is currently pending (thus disconnecting the management tunnel).

• Disconnected (process launch failed)—A process launch failure was encountered upon attempting the management tunnel connection.

• Disconnected (connect failed)—A connection failure was encountered upon establishing the management tunnel.

• Disconnected (invalid VPN configuration)—An invalid split tunneling configuration was encountered upon management tunnel establishment. Refer to Configure a Custom Attribute to Support Tunnel-All Configuration for additional information.

• Diconnected (software update pending)—AnyConnect software update is currently pending (thus disconnecting the management tunnel).

• Disconnected—The management tunnel is about to be established or could not be established for some other reason.

To troubleshoot the lack of connectivity over the management VPN tunnel (expected to be established on the client host), verify the following:

• Check the state of the management VPN connection on the AnyConnect UI Statistics tab, in the Export Stats output, or the Connection Information/Management Connection State in the CLI. If the management connection state is unexpectedly listed as "disconnected" and the provided explanation is insufficient, capture the AnyConnect logs with the DART tool for further troubleshooting.

• If you see Management Connection State: Disconnected (disabled) in the UI stats line, ensure that the management VPN profile is configured with a single host entry, pointing to a tunnel group set up with certificate authentication. The associated group policy must have a single profile configured: the management VPN profile.

  Note	The associated group policy should have no banner enabled. User interaction is not supported during a management tunnel connection.

• If you see Management Connection State: Disconnected (disabled) in the UI stats line, ensure that the management VPN profile is configured within the group policy that is associated with the tunnel group used for regular user tunnel connections. When the user connects with that tunnel group, the management VPN profile is downloaded, and the feature is enabled.

  Note	Alternatively, you can deploy the management VPN profile out of band.

• If you see Management Connection State: Disconnected (connect failed) in the UI stats line, note that the management tunnel connection fails whenever user interaction is needed, as follows:

  • if the server certificate is not trusted. The server certificate's root CA certificate must reside in the machine certificate store.

  • if a private key (pertaining to a machine store certificate) is password protected, the corresponding client certificate is not usable by the management tunnel connection. The client certificate is not usable because the user cannot be prompted for the private key password.

  • if a macOS system keychain private key is not configured to allow access without prompting to the AnyConnect agent executable (vpnagentd); the corresponding client certificate is unusable by the management tunnel connection, since the user cannot be prompted for credentials to access the private key.

  • if group policy was configured with a banner.

AnyConnect supports VPN sessions through Local, Public, and Private proxies:

• Local Proxy Connections:

  A local proxy runs on the same PC as AnyConnect, and is sometimes used as a transparent proxy. Some examples of a transparent proxy service include acceleration software provided by some wireless data cards, or a network component on some antivirus software, such as Kaspersky.

  The use of a local proxy is enabled or disabled in the AnyConnect profile, see Allow a Local Proxy Connection.

• Public Proxy Connections:

  Public proxies are usually used to anonymize web traffic. When Windows is configured to use a public proxy, AnyConnect uses that connection. Public proxy is supported on macOS and Linux for both native and override.

  Configuring a public proxy is described in Public Proxy .

• Private Proxy Connections:

  Private proxy servers are used on a corporate network to prevent corporate users from accessing certain Web sites based on corporate usage policies, for example, pornography, gambling, or gaming sites.

  You configure a group policy to download private proxy settings to the browser after the tunnel is established. The settings return to their original state after the VPN session ends. See Configure a Private Proxy Connection.

  Note

  AnyConnect SBL connections through a proxy server are dependent on the Windows operating system version and system (machine) configuration or other third-party proxy software capabilities; therefore, refer to system wide proxy settings as provided by Microsoft or whatever third-party proxy application you use.

OS support of proxy connections varies as shown:

• Connecting through a proxy is not supported with the Always-On feature enabled.

• A VPN client profile is required to allow access to a local proxy.

Public proxies are supported on Windows and Linux platforms. Proxy servers are chosen based on preferences set in the client profile. In case of proxy override, AnyConnect extracts proxy servers from the profile. With release 4.1 (and later) we added proxy support on macOS along with Native-proxy configuration on Linux and macOS.

On Linux, native-proxy settings are exported before AnyConnect runs. If you change the settings, a restart must happen.

Authenticating Proxy Servers requires a username and password. AnyConnect supports Basic and NTLM authentication when the proxy server is configured to require authentication. AnyConnect dialogs manage the authentication process. After successfully authenticating to the proxy server, AnyConnect prompts for the Secure Firewall ASA username and password.

• For Windows: Find the user and system proxy settings in the registry under:

  
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings


  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

• For macOS: Open a terminal window, and type:

  
  scutil --proxy
  

See the Client Firewall with Local Printer and Tethered Device Support section in the Cisco ASA Series VPN CLI or ASDM Configuration Guide.

Split tunneling is configured in a Network (Client) Access group policy. See the Configure Split Tunneling for AnyConnect Traffic section in the Cisco ASA Series VPN CLI or ASDM Configuration Guide.

After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.

Dynamic split tunneling was designed to enhance the current split tunneling options, which are configured with the "Exclude Network List Below" or "Tunnel Network List Below" option in ASDM group policy configuration. Beyond the static inclusions or exclusions typically used to define split tunneling, the dynamic split tunneling inclusions or exclusions address scenarios when traffic pertaining to a certain service needs to be excluded from or included into the VPN tunneling. You cannot configure a distinct split tunneling setting for each IP protocol. For example, if you enable dynamic split include tunneling for IPv4 (such as IPv4 split include and dynamic split include domains), you cannot enable dynamic split exclude tunneling for IPv6 (such as IPv6 tunnel-all and dynamic split exclude domains). Additionally, we provide an enhanced dynamic split tunneling, where both dynamic split exclude and dynamic split include domains are specified for enhanced domain name matching.

The limits also vary from static split tunneling to dynamic split tunneling. For static split tunneling, the limit is 2500 networks/ACEs per IP protocol. With dynamic split tunneling, AnyConnect takes into account only dynamic split tunneling domains with the first 20,000 characters of the domain list pushed by the headend, and is only enforced via truncation on the client. Wildcards are not supported. For both dynamic split exclude and dynamic split include, besides the configured domains, all of their subdomains are also excluded from (or included into for dynamic split include) the tunnel.

Dynamic Split Exclude Tunneling—Multiple cloud-based services may be hosted on the same IP pool and may resolve to different IP addresses based on the location of the user or the load of cloud-hosted compute resources. Administrators who only want to exclude a single such service from the VPN tunnel would have a difficult time defining such a policy using static exclusions, especially when ISP NAT, 6to4, 4to6, and other network translation schemes are also considered. With dynamic split exclude tunneling, you can dynamically provision split exclude tunneling after tunnel establishment, based on the host DNS domain name. For example, a VPN administrator could configure example.com to be excluded from the VPN tunnel at runtime. When the VPN tunnel is up and an application attempts to connect to mail.example.com, the VPN client automatically changes the system routing table and filters to allow the connection outside of the tunnel.

Enhanced Dynamic Split Exclude Tunneling—When dynamic split exclude tunneling is configured with both dynamic split exclude and dynamic split include domains, traffic dynamically excluded from the VPN tunnel much match at least one dynamic split exclude domain, but no dynamic split include domains. For example, if a VPN administrator configured a dynamic split exclude domain example.com and a dynamic split include domain of mail.example.com, all example.com traffic other than mail.example.com is excluded from tunneling.

Dynamic Split Include Tunneling—With dynamic split include tunneling, you can dynamically provision split include tunneling after tunnel establishment, based on the host DNS domain name. For example, a VPN administrator could configure domain.com to be included into the VPN tunnel at runtime. When the VPN tunnel is up and an application attempts to connect to www.domain.com, the VPN client automatically changes the system routing table and filters to allow the connection inside the VPN tunnel.

Enhanced Dynamic Split Include Tunneling—When dynamic split include tunneling is configured with both dynamic split include and dynamic split exclude domains, traffic dynamically included into the VPN tunnel must match at least one dynamic split include domain, but no dynamic split exclude domains. For example, if a VPN administrator configured domain.com as a split include domain and www.domain.com as a split exclude domain, all domain.com traffic other than www.domain.com is tunneled.

Note	Dynamic split tunneling is not supported in Linux or any mobile platforms.

Split DNS is supported for both split include and split exclude tunneling configurations.

When split DNS for split include tunneling is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to a VPN DNS server (also configured in the group policy). All other DNS queries are directed outside the VPN tunnel, to a public DNS server.

When split DNS for split exclude tunneling is configured, specific DNS queries are sent outside the VPN tunnel, to a public DNS server. All othe DNS queries are tunneled to a VPN DNS server.

If split DNS is not enabled with a split tunneling configuration, DNS queries are routed over the tunnel only if "Send All DNS lookups through tunnel" is configured in the group policy. Otherwise, they could be also routed outside the tunnel.

We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client. To configure Strict Certificate Trust, see the Local Policy Parameters and Values section: Local Policy Preferences.

AnyConnect supports RSA and ECDSA certificates for both server certificate verification and for client certificate authentication.

• RSA Certificates

  AnyConnect supports RSA certificates with the following properties:

  • Key length of 2048, 4096, or 8192 bits

  • Hash algorithms MD5*, SHA1, SHA256, SHA384, or SHA512

    * RSA certificates that use the MD5 hash are not supported when AnyConnect is operating in FIPS mode.

• ECDSA Certificates

  AnyConnect supports ECDSA certificates with the following properties:

  • Key lengths of 256, 384, or 521 bits. These correspond to the NIST P-256, P-384, and P-521 elliptic curves respectively.

• EdDSA Certificates

  AnyConnect relies on the Windows and macOS operating systems to establish trust and perform signing operations using digital certificates. Since these operating systems do not yet support EdDSA certificates, AnyConnect also cannot support them.

The AnyConnect Secure Mobility Client uses the Simple Certificate Enrollment Protocol (SCEP) to provision and renew a certificate as part of client authentication. Certificate enrollment using SCEP is supported by AnyConnect IPsec and SSL VPN connections to the Secure Firewall ASA in the following ways:

• SCEP Proxy: The Secure Firewall ASA acts as a proxy for SCEP requests and responses between the client and the Certificate Authority (CA).

  • The CA must be accessible to the Secure Firewall ASA, not AnyConnect, since the client does not access the CA directly.

  • Enrollment is always initiated automatically by the client. No user involvement is necessary.

AnyConnect integrates support for RSA SecurID client software versions 1.1 and later running on Windows x86 (32-bit) and x64 (64-bit).

RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.

Typically, users make the AnyConnect connection by clicking the AnyConnect icon in the tools tray, selecting the connection profile with which they wish to connect, and then entering the appropriate credentials in the authentication dialog box. The login (challenge) dialog box matches the type of authentication configured for the tunnel group to which the user belongs. The input fields of the login dialog box clearly indicate what kind of input is required for authentication.

For SDI authentication, the remote user enters a PIN (Personal Identification Number) into the AnyConnect software interface and receives an RSA SecurID passcode. After the user enters the passcode into the secured application, the RSA Authentication Manager validates the passcode and allows the user to gain access.

Users who use RSA SecurID hardware or software tokens see input fields indicating whether the user should enter a passcode or a PIN, a PIN, or a passcode and the status line at the bottom of the dialog box provides further information about the requirements. The user enters a software token PIN or passcode directly into the AnyConnect user interface.

The appearance of the initial login dialog box depends on the secure gateway settings: the user can access the secure gateway either through the main login page, the main index URL, a tunnel-group login page, or a tunnel group URL (URL/tunnel-group). To access the secure gateway via the main login page, the “Allow user to select connection” checkbox must be set in the Network (Client) Access AnyConnect Connection Profiles page. In either case, the secure gateway sends the client a login page. The main login page contains a drop-down list in which the user selects a tunnel group; the tunnel-group login page does not, since the tunnel-group is specified in the URL.

In the case of a main login page (with a drop-down list of connection profiles or tunnel groups), the authentication type of the default tunnel group determines the initial setting for the password input field label. For example, if the default tunnel group uses SDI authentication, the field label is “Passcode;” but if the default tunnel group uses NTLM authentication, the field label is “Password.” In Release 2.1 and later, the field label is not dynamically updated with the user selection of a different tunnel group. For a tunnel-group login page, the field label matches the tunnel-group requirements.

The client supports input of RSA SecurID Software Token PINs in the password input field. If the RSA SecurID Software Token software is installed and the tunnel-group authentication type is SDI, the field label is “Passcode” and the status bar states “Enter a username and passcode or software token PIN.” If a PIN is used, subsequent consecutive logins for the same tunnel group and username have the field label “PIN.” The client retrieves the passcode from the RSA SecurID Software Token DLL using the entered PIN. With each successful authentication, the client saves the tunnel group, the username, and authentication type, and the saved tunnel group becomes the new default tunnel group.

AnyConnect accepts passcodes for any SDI authentication. Even when the password input label is “PIN,” the user may still enter a passcode as instructed by the status bar. The client sends the passcode to the secure gateway as is. If a passcode is used, subsequent consecutive logins for the same tunnel group and username have the field label “Passcode.”

The RSASecureIDIntegration profile setting has three possible values:

• Automatic—The client first attempts one method, and if it fails, the other method is tried. The default is to treat the user input as a token passcode (HardwareToken), and if that fails, treat it as a software token pin (SoftwareToken). When authentication is successful, the successful method is set as the new SDI Token Type and cached in the user preferences file. For the next authentication attempt, the SDI Token Type defines which method is attempted first. Generally, the token used for the current authentication attempt is the same token used in the last successful authentication attempt. However, when the username or group selection is changed, it reverts to attempting the default method first, as shown in the input field label.

  Note	The SDI Token Type only has meaning for the automatic setting. You can ignore logs of the SKI Token Type when the authentication mode is not automatic. HardwareToken as the default avoids triggering next token mode.

• SoftwareToken—The client always interprets the user input as a software token PIN, and the input field label is “PIN:.”

• HardwareToken—The client always interprets the user input as a token passcode, and the input field label is “Passcode:.”

Note	AnyConnect does not support token selection from multiple tokens imported into the RSA Software Token client software. Instead, the client uses the default selected via the RSA SecurID Software Token GUI.

AnyConnect certificate pinning helps to detect if a server certificate chain actually came from the connecting server. This feature is guided by VPN profile settings and is an addition to the AnyConnect server certificate verification policies. The strict certificate trust settings in the AnyConnect local policy file have no influence on Certificate Pinning check. You can configure pins globally or by per host basis in the VPN profile. Those pins configured for primary host are also valid for back up hosts in the server list. The preference to perform certificate pinning checks is not user controllable. A pin verification failure results in the termination of the VPN connection.

Note	AnyConnect performs pin verification only when the preference is enabled and the connecting server has pins in the VPN profile.

In the VPN profile editor AnyConnect Profile Editor, Certificate Pin, you can enable the preference and configure the global and per host certificate pins.

You must be cautious when configuring and maintaining certificate pinning. Consider these recommendations when setting preferences:

• Pin root and/or intermediate certificates since they are well maintained by CA vendors in the operating system

• Pin multiple root and/or intermediate certificates from a different CA to serve as a backup when any CA is compromised

• Pin multiple root and/or intermediate certificates for ease of CA transitions

• Use the same Certificate Signing Request if a leaf certificate is pinned, to retain the public key upon certificate renewal

• Pin all connection hosts in the server list