Anyconnect VPN-Authentication multiple profiles via ACS
Hi,
I'm currently facing the issue that I need to migrate a customer VPN structure from the VPN Client to the new AnyConnect.
There is an ASA5515 and they have ACS with local users and AD-Integration.
The problem: The old system used different profiles with PSK, so every external partner who had a VPN connection got its own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, who authenticate via AD or RSA. The guys who implemented this did it the easy way, meaning when a user connects, the whole user table is checked (AD, local, RSA). So if an external had the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
I should now implement a new ASA with AnyConnect and also keep up the different profiles. But in this case the problem is that there is no PSK any more. So if a smart guy changes the group in his XML profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACLs, but the externals are.
I'm looking for a guide on how to set up different policies on the ACS, which look up the user only in the one group, depending on the profile he connected with. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
What do I need e.g. for 10 different profiles?
- 10 groups on ACS?
- 1 Access-Policy? (Network Access) -> with 10 different Authorization Policy rules?
- Anything else?
Where do I define the policy to use in Anyconnect?
Thanks in advance!
BR
I've done a similar deployment where all authentication/authorization and accounting was pointed from ASA to ACS.
There are multiple layers to your question.
First of all, you have ACS, hopefully 5.x, which gives you a nice policy-driven authentication and authorization schema.
1st layer - set up group-alias and group-urls for specific users on the ASA.
2nd layer - ACS decides where those connections should be authenticated/authorized against (AD, RSA, local DB). The ASA passes the tunnel-group name in authentication calls to ACS.
3rd layer - the group-lock feature ensures that a user can only have access to resources if they are in a specific group.
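The ASA side of the three layers above, as an added configuration example (editor's example, not the poster's configuration). All names, addresses, the shared secret and the partner host are placeholders. It assumes ACS is configured with one identity policy per tunnel-group name (the ASA sends that name to the RADIUS server as Cisco VSA 146, Tunnel-Group-Name) and that each authorization rule returns the IETF Class attribute in the form "OU=<group-policy>;" so the ASA applies the matching group policy; the group-lock in that policy is what rejects a user who edited the Group in his XML profile to a tunnel-group he was not assigned to.

```cisco
! Added example, not from the thread. Names, addresses and the key are placeholders.
! Goal: a partner user who points his client profile at tunnel-group TG-INTERNAL is
! still bound to TG-PARTNER-A by the group-lock in the policy ACS assigns to him.

! --- RADIUS server (ACS) ---
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET

! --- Address pools, one per profile ---
ip local pool POOL-PARTNER-A 10.200.1.1-10.200.1.50 mask 255.255.255.0
ip local pool POOL-INTERNAL 10.201.0.1-10.201.0.250 mask 255.255.255.0

! --- Per-partner filter: partner A only reaches its application host (placeholder) ---
access-list PARTNER-A-ACL extended permit tcp 10.200.1.0 255.255.255.0 host 10.10.10.25 eq 443
access-list PARTNER-A-ACL extended deny ip any any

! --- Group policies: group-lock ties each policy to exactly one tunnel-group ---
group-policy GP-PARTNER-A internal
group-policy GP-PARTNER-A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-PARTNER-A
 vpn-filter value PARTNER-A-ACL
 group-lock value TG-PARTNER-A

group-policy GP-INTERNAL internal
group-policy GP-INTERNAL attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-INTERNAL
 group-lock value TG-INTERNAL

! --- Tunnel-groups: this name is what the ASA sends to ACS in the access-request ---
! group-url keeps the partner group out of the client's drop-down; group-alias shows it.
tunnel-group TG-PARTNER-A type remote-access
tunnel-group TG-PARTNER-A general-attributes
 authentication-server-group ACS
 default-group-policy GP-PARTNER-A
tunnel-group TG-PARTNER-A webvpn-attributes
 group-url https://vpn.example.com/partner-a enable

tunnel-group TG-INTERNAL type remote-access
tunnel-group TG-INTERNAL general-attributes
 authentication-server-group ACS
 default-group-policy GP-INTERNAL
tunnel-group TG-INTERNAL webvpn-attributes
 group-alias Internal enable

! --- Catch-all: nobody should get a session through the default group ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP-NOACCESS
```

With this, a partner who changes the Group in his profile to "Internal" is looked up by ACS under the rules for TG-INTERNAL (AD/RSA only, where he does not exist) and fails; if ACS is instead configured to look him up in the local store from any tunnel-group, the returned "OU=GP-PARTNER-A;" still carries group-lock TG-PARTNER-A, which does not match TG-INTERNAL, and the ASA drops the session. Ten partner profiles are ten tunnel-group/group-policy pairs of this shape plus ten identity/authorization rules on ACS.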
Similar Messages
Authenticate windows users via ACS
Hi,
Expert insight required for Cisco ACS, Is it possible to authentication windows user via ACS & apply ACL policies over network devices.
I would appreciate valued inputs.
Regards,
Yes, it's possible to authenticate Windows users via ACS and push a DACL via RADIUS.
Seems you are looking for DACL. Here is a document that can help you to understand the same
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
Let me know if you need any further help.
Jatin Katyal
- Do rate helpful posts -
ACS shell profile to only allow VPN authentication from TACACS+
I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, that would also allow users to SSH all of the network infrastructure. The new profiles will be radius based and will take some time to get them to the users.
In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
Thanks
Hi,
I tested this with Cisco ACS 5.5 using TACACS for the VPN tunnel and it doesn't work.
It gives you an error which states that the service protocol used is for device administration.
So it doesn't allow VPN authentication to work, but for RADIUS this works properly.
Thanks & Regards,
Nitesh
Default VPN profile (multiple profiles)
Hi,
We have 2 VPN profiles on AnyConnect 3.1
It seems that AnyConnect keep last used profile as default profile (after reboot for example)
Is it possible to set a default VPN profile and keep it even if user connects to the other?
(because the default VPN profile is transparent connection for user)
Thanks for your help,
Patrick
AP Authentication via ACS.
Hi All,
Just a basic question regarding MAC-based authentication of APs with ACS.
The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.
My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
When working in a LAN I know its possible, but how will it work over the WAN.
Pls. suggest ASAP.
Thanks in Advance.
Regards
Harish
Harish:
As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
The CAPWAP RFC mentions that you can do AP authorization in two ways:
- with certificates
- with PSK.
The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK identity.
2.4.4.4. PSK Usage
When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
contain the "PSK identity hint" field and the ClientKeyExchange
message MUST contain the "PSK identity" field. These fields are used
to help the WTP select the appropriate PSK for use with the AC, and
then indicate to the AC which key is being used. When PSKs are
provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
the key MUST be specified.
The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints
and identities be the ASCII HEX-formatted MAC addresses of the
respective devices, since each pairwise combination of WTP and AC
SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be
sufficient to perform authorization, as simply having knowledge of a
PSK does not necessarily imply authorization.
If a single PSK is being used for multiple devices on a CAPWAP
network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
longer be a MAC address, so appropriate hints and identities SHOULD
be selected to identify the group of devices to which the PSK is
provisioned
You may want to spend more time reading the CAPWAP RFC if you are interested.
CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
Hope this answers your concern.
Amjad
AnyConnect Secure Mobility Client Multiple Profiles
Hi,
I have multiple clients that use multiple versions of VPNs including Cisco, Sonicwall and others.
I have a client with the (older) "Cisco Systems VPN Client". Then I got a new client with instructions to install the "Cisco AnyConnect Secure Mobility Client". Without warning, the installation uninstalled what I now believe was an older version of this same VPN client - but the name has changed, the installation directories have changed, etc.
OK, but the new client wiped out the connection parameters to the old client.
I've tried to read and understand the other discussion entries about storing multiple "profiles" (i.e. vpn connections). Other VPN clients have a menu option or a simple way to add a connection, but it seems more challenging to do this with the AnyConnect client. However, I read, and tried to set up, multiple profiles. From the other discussions, I followed these steps:
1. Located the (hidden in Windows 7) following directory:
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
2. Created two xml files, "Client1.xml" and "Client2.xml", in this directory, containing
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>Client1HostName</HostName>
<HostAddress>Client1HostaddressDNS</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
{And a similar file for Client2}
There was another discussion thread that had more lines in the xml file, which I also tried. Again, I created 2 separate xml files, each one with the respective client's parameters.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<User>navadmin</User>
<SecondUser></SecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<HostName>Client1</HostName>
<HostAddress>Client1DNS</HostAddress>
<Domain></Domain>
<Group>ssl_url</Group>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
</HostEntry>
</ServerList>
</AnyConnectProfile>
I then quit the AnyConnect Secure Mobility Client and restarted, hoping that I would get a dropdown list that contained "Client1" and "Client2". This did not happen.
Prior to trying this, I did NOT delete the "Preferences.xml" file in the following directory:
C:\users\<myusername>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
This is where the Anyconnect client stored the connection info when I manually input it into the GUI.
So, my questions are:
1. Do I need to delete the preferences.xml in order for the profiles in the other directory to be read and displayed in the client dropdown?
2. Are there naming conventions for the profile xml files that I'm not following by calling them "Client1.xml" and "Client2.xml"?
3. Any other ideas as to why this isn't working?
4. There are also references to a "profile editor", but the discussion threads aren't clear whether this utility is installed when you just install the client software, or if you have to have some sort of "administrator package" installed. If so, is this package available for download, or do you need to purchase a full VPN client license in order to have access to this utility?
Thanks,
Ron
The Client1.xml and Client2.xml files that you created have correct content but wrong names. You only need 1 file called Profile.xml and inside you can then add multiple hosts by adding the nodes.
So your Profile.xml would look like this -
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>Client1HostName</HostName>
<HostAddress>Client1HostaddressDNS</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
<HostEntry>
<HostName>Client2HostName</HostName>
<HostAddress>Client2HostaddressDNS</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
I hope this helps.
Ratan.
Select AVC profile on WLC based via ACS
Hi there
I just saw the AVC feature in WLC version 7.4.100.0 and wonder if there is a possibility to select an AVC profile per user, based on its RADIUS authentication via ACS.
For example:
- A user in group teacher can access youtube on SSID A
- A user in group student can not access youtube on SSID A
Thanks a lot in advance and best regards
Dominic
Well, I don't know if this will come in the future for ACS or ISE, but in order for this to work also in other RADIUS servers, it would have to be a new RADIUS standard attribute others have to implement, and also the WLC would have to be able to see that attribute. So if it's anytime soon, well.... Maybe not :)
Sent from Cisco Technical Support iPhone App
Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?
Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.
This looks fairly complete
http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
Sent from Cisco Technical Support iPad App
2 Factor Authentication for Anyconnect VPN using ISE
We are planning to implement dual factor authentication for Anyconnect VPN.
The end users will be authenticated using domain name in machine certificates and username password with
ISE used as radius server.
We have the following approaches to achieve this :-
1. Use primary and secondary authentication with user credentials as primary authentication
and CN field of the certificate as secondary authentication.However this option prompts users for password for
both the fields while we want the machine certificate to authenticate itself without a password.
2. Second approach is to authenticate using user credentials and authorize the user to access the network if
the machine certificate has a domain name in CN field which we are able to validate from the AD using
Dynamic Access Policy.
We are looking forward for discussions on the above approaches and are open to any other
solution.
Hi Umahar,
Not sure I understood correctly. You would like to authenticate the user using a machine certificate for AnyConnect, extract the CN attribute from the client's certificate and send it to the ISE server for further authentication with AD. And you also don't want an additional password prompt to be presented to the user.
If my understanding is correct, then the user would get a prompt for the password at least, because the machine certificate contains no password, but to authenticate with RADIUS/TACACS we need both username and password. So how will the user get authenticated without a password?
If you are looking for a way to just see if the user is present in AD, not exactly authentication, then this might not be possible.
I've got a user running:
AnyConnect 3.1.01065
on
Windows 7 64bit.
Several weeks ago she started encountering the following error:
-after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
-the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
After doing some troubleshooting, including uninstalling/reinstalling the AnyConnect client, it seems the culprit is the following file:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
Has anyone else encountered this, and been able to fix it?
Thanks much.
Just FYI, it seems at least in this case, purging all the previous system restore points seems to have resolved this issue...
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!
Hi,
I believe you have a problem with your no-nat configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static insidelan insidelan destination static acvpnpool acvpnpool
Make sure that you are able to reach the GW/inside IP address of the firewall from the LAN machine and that all routing is in place properly. Thanks!!!
Regards
Karthik
Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones
Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from and internal office phone, i.e., NOT involving the PSTN then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
end
I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purposes) and then test to see if the calls function properly? If they work fine then we know that we need to open some ports there.
Please remember to select a correct answer and rate helpful posts -
I work for a company that requires me to connect to several customer Cisco VPNs via AnyConnect 3.0.5075.
Each customer site has provided its own URL and certificate, etc.
How do I get Cisco AnyConnect Secure Mobility Client version 3.0.5075 to agree to multiple profiles?
I also would love some advice on how to add certificates to the tool without the "double click the certificate" route. My laptop has an encrypted hard drive and when I try and "double click" the Cisco certificates the hard-drive encryption tool believes I am trying to add a certificate to it instead of to the Cisco VPN tool.
AnyConnect does not appear to have any editable/configurable settings for multiple profiles or to directly add a certificate.
I have googled furiously to no avail.
Any help available here? Even just to give me some bumps in the right direction?
Thanks in advance.
-Jim
Hi Jim,
You can have multiple profiles bound to different certificates.
For example
crypto ca certificate map mymap 1
subject-name attr cn eq Joe Smith
crypto ca certificate map mymap 2
issuer-name co SubCA1
crypto ca certificate map mymap 25
alt-subject-name eq [email protected]
subject-name attr ou co Sales
crypto ca certificate map mymap 65535
subject-name ne ""
SSL certificate mapping applies to both clientless WebVPN and AnyConnect connections where certificates are used. The certificate-group-map entries are processed in the order they are entered and appear above until a match is found. They do not need to be in numerical order.
webvpn
certificate-group-map mymap 1 Tunnel-group1
certificate-group-map mymap 2 Tunnel-group2
certificate-group-map mymap 25 Tunnel-group3
certificate-group-map mymap 65535 Tunnel-Group4
The certificate selection can be done automatically by enabling the automatic certificate selection in the XML profile
Hope this helps you.
Thanks
Raj -
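As an added illustration (not Raj's configuration and not ASA code) of how the mymap entries above are evaluated, here is a small Python model of the matching: all conditions under one sequence are required, and sequences are tried in certificate-group-map order, so a certificate that satisfies both sequence 2 and sequence 25 lands in Tunnel-group2, and the catch-all sequence 65535 picks up any certificate with a non-empty subject. The e-mail value is a constructed placeholder, and case-insensitive comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of ASA certificate-map evaluation (illustration, not ASA
# code): all conditions under one map sequence must hold, and sequences are
# tried in certificate-group-map order until one matches (case-insensitive).

@dataclass
class Rule:
    field: str            # "subject-name", "issuer-name" or "alt-subject-name"
    attr: Optional[str]   # DN attribute such as "cn"/"ou"; None tests the whole name
    op: str               # eq, ne, co (contains) or nc (does not contain)
    value: str

@dataclass
class Cert:
    subject: Dict[str, str]        # DN attributes, e.g. {"cn": "Joe Smith"}
    issuer: Dict[str, str]
    alt_email: str = ""            # subjectAltName rfc822 value, if any

def _value_under_test(cert: Cert, rule: Rule) -> str:
    if rule.field == "alt-subject-name":
        return cert.alt_email
    dn = cert.subject if rule.field == "subject-name" else cert.issuer
    if rule.attr:
        return dn.get(rule.attr, "")
    return ",".join(f"{k}={v}" for k, v in dn.items())  # whole DN (assumed form)

def rule_matches(cert: Cert, rule: Rule) -> bool:
    actual, wanted = _value_under_test(cert, rule).lower(), rule.value.lower()
    return {"eq": actual == wanted, "ne": actual != wanted,
            "co": wanted in actual, "nc": wanted not in actual}[rule.op]

def select_tunnel_group(cert: Cert, cert_map: Dict[int, List[Rule]],
                        group_map: List[Tuple[int, str]]) -> Optional[str]:
    for seq, group in group_map:            # first matching sequence wins
        if all(rule_matches(cert, r) for r in cert_map[seq]):
            return group
    return None                             # no map entry matched

# The mymap rules from the reply; the e-mail value is a constructed placeholder.
MYMAP = {
    1: [Rule("subject-name", "cn", "eq", "Joe Smith")],
    2: [Rule("issuer-name", None, "co", "SubCA1")],
    25: [Rule("alt-subject-name", None, "eq", "sales@example.com"),
         Rule("subject-name", "ou", "co", "Sales")],
    65535: [Rule("subject-name", None, "ne", "")],
}
GROUP_MAP = [(1, "Tunnel-group1"), (2, "Tunnel-group2"),
             (25, "Tunnel-group3"), (65535, "Tunnel-Group4")]
```

Because the catch-all sequence matches almost any certificate, it only behaves as intended when it is listed last; reordering the certificate-group-map, not the sequence numbers, changes which tunnel group a certificate reaches.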
Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN
Dear All,
I have the following case:
I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
So what should the settings of the mail and SMTP server be?
As I understand, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN--Certificate management--Local certificate authority--Manage user Database) along with their email addresses to send the one-time password to them via their emails.
I sent the email manually; how can I automate sending the OTP to our VPN users automatically via their emails?
Best regards,
Thanks Jennifer.
I did manage to configure LDAP attribute map to the specific group policy.
Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
Using the legacy Cisco VPN Client, I can do it using an IPSEC (IKEv1) Connection profile, where I set a Pre-Shared Key and Client Address Pools. Each Client Address Pool has only one fixed IP address.
Example: let's say my username is LLH.
Connection Profile for me is: LLH-Connection-Profile; my profile is protected by a preshared key.
Client Address Pool for me is: LLH-pool, and the IP is 172.16.1.11
Only I know the preshared key and only I can log in with my Connection Profile.
Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
Example:
AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access.
I hope above description can paint the scenario clearer.
Thanks in advance for all the help and comment given. -
Issue with Mac OS 10.8.3 and Anyconnect VPN Client 3.1.02026
Hi all,
I am running Anyconnect VPN Client 3.1.02026 on Mac OS X 10.8.3. I am unable to connect to my corporate network as the connection fails with following error :
The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.
Can anyone suggest remedies. I am completely stuck. I had an older AnyConnect client and it was working until a few days back when it stopped working. I then upgraded to 3.1.02026.
As suggested in some of the posts on the web, I have disabled the following: AirPort, Bonjour, Bluetooth, Adium; I restarted after these changes and yet I am seeing this.
My company has corporate license for Cisco AnyConnect VPN.
TIA
kumar
MartyP wrote:
Or is there a problem with both OS's writing stuff to the
~/Home/Library folder that may be incompatible?
Yes, big time. Mail, for sure, has a different file/folder structure, and would not be happy.
Plus, a number of apps (Apple and 3rd-party) are "Sandboxed." That's a security feature, to prevent malware or bad coding from affecting things it shouldn't. Some of their files, including the preferences files, aren't even stored in the same places!
Or to other places I'm not aware of?
Probably. If you have two versions of the same app, they may or may not expect the same data setup.
To have one User folder for both OS's would save a lot of drive space
Not if you use some or all of woodmeister50's suggestions.
But I'm also not sure how I'd use Time machine with such a set up.
Just as you do now. By default, Time Machine backs up everything (except things like system work files, most caches and logs, trash) for all users and all internal drives & partitions. By default, it excludes external drives.
You can change those defaults, of course, via TM Preferences > Options.
See Time Machine - Frequently Asked Question #32 for details and considerations of multiple drives.
Presently I backup with . . . clones to other HD's
Good. Yes, clones are different. You need multiple "tasks" to back up multiple drives/partitions. But once set up, that shouldn't be a big deal.