Securing multiple AnyConnect connection profiles

Hello,
Here is our scenario. We have three (3) separate AnyConnect connection profiles each with different levels of access enforced through ACL filters. We have aliases configured for each connection profile in order for each group member to be able to choose his group when logging in to AnyConnect. Authentication is done via LDAP to one single server/domain instance on which all users have accounts. Given our scenario and without using multi factor authentication, is there any way to keep a user from logging in to a connection profile in the AnyConnect client which he shouldn't have access to?
Thanks,
-Mike

Dear Marvin,
I have a similar situation where i have diferent connection profile and group policies where i apply acl where each profile
has access to different resources.
My question would be. Is there any possibility to allow only specific real IP addresses to initiate VPN session to the firewall.
regards
Nehat

Similar Messages

AnyConnect - connection profiles issue

Hello,
I've configured AnyConnect SSL VPN for two connections profiles which can be chosen when I try to establish connection. Following aliases has been configured for those con profiles:
* Con1
* Con2
the problem is that every time when I try to select the second one (Con2) from the group list it utomatically returns to the first one (con1). Generaly I am not able to choose Con2. It looks like the Con1 is the default and I can connect using only this profile. I've checked the preferences.xml and preferences_global.xml files and the default group is not configured. What is more when I change the aliases name for those connection profiles to:
* 1Con2
* Con1
I can choose only 1Con2 so it seems that only the first con prof on the list can be used. Any ideas?

Hi Marek,
look for old cached connection profiles here:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac02asaconfig.html#wp1431357
Something similar happend to me when I changed the profile name on the server and reconnected. The client found the old profile with the same server address and switched to the old profile although I had provided a new profile on the VPN server.
Just clear all profiles from the specified locations and connect to the server once again. Anyconnect will establish a connection and download the new profile. You should only see the new connection profile offered in the drop down box after that.
If you want to provide two different protocols (SSL and IPsec) for the same server you configure only one profile with two entries in the server list, one with SSL, the other IPsec as a preferred protocol.
In that case you will have a single profile but two choices in the drop down box on the Anyconnect client.
Regards,
MiKa

Anyconnect XML Profile Certificate Matching - Multiple Certs different Issuer

Hi Guys
I am trying to setup an xml profile for cisco anyconnect that will look at multiple certificates that could be issued from 2 different CA's.....
Currently having trouble setting this up and it does not look like it is possible..
Is there a way around this?
Regards
Mohamed

The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching are global criteria that can be set in an AnyConnect profile. The criteria are:
â¢Key Usage
â¢Extended Key Usage
â¢Distinguished Name
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158

AnyConnect 3.1.01065 error - Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established.

I've got a user running:
AnyConnect 3.1.01065
on
Windows 7 64bit.
Several weeks ago she started encountering the following error:
-after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
-the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
After doing some troubleshooting, inlcuding uninstalling/reinstalling the anyconnect client, it seems the culprit is the following file:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
Has anyone else encountered this, and been able to fix it?
Thanks much.

Just FYI, it seems at least in this case, purging all the previous system restore points seems to have resolved this issue...

Anyconnect Client profile files deleted after client upgrade

L.S.
I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
The ASA I am connecting to is a 5510 running ASA OS 8.4.5
The problem I have is the following:
We are using machine certificate authentication combined with RADIUS user authentication.
The machine certificates are stored in the Machine/Personal container in the local machine.
By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
We do not want to have the user run the client as administrator (in elevated mode) all the time.
Therefor we have made an Anyconnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
The user can connect using the 3.1.02040 client (certicate authentication works without elevation, since the XML Anyconnect Client Profile is present)
The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
The VPN is established.
However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
This means the user cannot connect without using elevated rights the next time he wants to connect.
If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

Hi poiu720408 ,
1. You need to set up a web-url or group-alias under the group policy as web have enable the "tunnel-group-list enable" under the webvpn configuration. So once the user connect to the proper URL/alias the profile will be applied.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
2. Yes the Anycopnnect store a "Cache " information on the PC , if you want to clan up you have to go to the anyconnect folder on C: on the PC and delete the global_preferences.xml profile.
3. This behavior is totally expected and they should disappear after a some minutes , however if you wan to force this , you can use the command "vpn-sessionsdb logoff webvpn noconfirm"
Please rate helpful post !
Hope this helps
- Randy -

Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
Steve

You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
an example (uses user/pass though, but same concept)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as I there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to a the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Bellow is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded in such a configuration example and if yes, I would be love to get some help in doing so?
Thank you
Stoimen Hristov

Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier

Assigning AnyConnect Client Profiles based on the machine?

I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.
If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
If at all possible, I do not users to have to pick a conenction profile or use different URL's.
Is there anyway to accomplish this?

Hi
Did you ever resolve this issue? I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
Has anyone got any idea how I could do this?
thanks
Steve

"Anyconnect client profile" option missing in ASDM

Hello,
I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
I don't have either of those options in ASDM. Here's what mine shows:
I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

Thanks for the response Marvin,
It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
Result of the command: "sh version"
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Result of the command: "sh act | i Ess"
AnyConnect Essentials : Enabled
I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

Multiple IDLE connections

Hi,
I have two IDLE enabled IMAP accounts and I'm trying to work out if everything is working properly as it doesn't feel like it is.
When I check netstat it shows multiple established connections for each account which seems to many for it to be right.
Any thoughts on what to check? Server is showing two connections which would be right.
Thanks,
Adam

If you must have a 1-1 app user/connection to database user/connection, then using a DatabaseSession would probably be the easiest solution. The means that each user would create and connect to their own DatabaseSession when they login to the app. You could still share the same TopLink project instance to reduce some of the connecting/initialization overhead, but there would be no way to pool connections. Using a DatabaseSession would not allow for any shared caching across users.
Do you need to be connected as the user for reading, or just for writing to the database? If you can use a shared user/connection for reading, then you could use a ServerSession and have a shared cache. Define the shared user in the ServerSession, and when each user connects acquire a ClientSession through the acquireClientSession(DatabaseLogin) API, which allows you to specify the user/password to connect as for writing.
In TopLink 10.1.3 you may also wish to investigate the VPD and exclusive client connection support. This allows for some of your data to be read through a user/VPD secure connection, and other shared data to still be cached. It also allows for the user/VPD to be switched on a pooled connection.

I need to configure a redundant IPSec Connection Profile

I'm moving off of a single RADIUS server on a Windows 2003 domain controller, and onto a pair of Network Access Protection / Network Policy domain controllers on Windows 2008 servers.
I've set up the Windows server side. My questions are regarding the configuration on the Cisco 5520 ASA.
I am trying to configure the pair of servers in the AAA Server Group so that if one fails, the other will provide authentication for remote VPN users.
The remote users are all using the latest version of the Cisco VPN client to connect.
1) Am I correct in understanding that the default behavior of having multiple servers listed in an AAA Server Group will result in the next one in the list used for remote authentication if the first one fails to respond? In other words,do I need to do anything other than having that second server in the list to provide simple redundancy?
2) Having configured a new AAA Server Group and already having a Group Policy, am I correct in assuming that all I have to do to switch to the new configuration is to go to the current IPsec Connection Profile and use the drop down menu to select the new User Authentication Server Group? The reason I ask is because
3) In IPsec Connection Profiles, under a specific profile, under Advanced, under Authentication, the heading says "Interface-Specific Authentication Server Groups", and it looks like we can set or override the Server Group. Currently I am thinking I can leave this Advanced setting blank, because we have another correctly working Connection Profile that allows remote iPhones to connect, and it has nothing in this setting.

Roberto 17 wrote:
I started this morning at 12 and after 5 hours now the backup is about 6 GB up on 56 GB.
The new HD is a WD My Passport Edge 500 GB capacity
5 hours to do 6 GB of transfer is NOT normal, even for USB 2.0 so there's something wrong here. I'd say cancel it, wipe the drive and then test the integrity of the drive. Do some file transfers over to and see if it's behaving normally. It could be a bad USB cable, it could be a bad drive or bad enclosure. As it's new, I suspect you haven't really put it through its paces yet and it's important to do that first before commissioning it to serve as your "reliable backup."

AnyConnect Client Profile Backup Server Configuration

I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
(Screenshot attached)
My questions:
1. In what all scenarios do we add servers (ASA devices) in this tab
2. If I have same information in two different locations (Site A and Site B) for AnyConnect user, can I add Site A-ASA and Site B-ASA into Backup Server tab as a failover mechanism for end user.
3. Or is it only used to mention ASA devices configured in failover unit
4. In case of failover unit, does it support stateful failover
I could not find answers to above questions from Google search. So, asking here

I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios
1) ASAs at two different sites
2) ASAs configured as a High Availability failover pair (Active/Standby).
The profile does work to provide failover in 1) but does not work to provide failover in 2).
I do not know the authoritative answer to the question about IP phones use of the profile. I believe that the answer ought to be that yes the phone would receive the profile after its first connection and would use the backup server identified in the profile is the primary server was not available. That is a basic functionality of the AnyConnect client and if the phone is using the AnyConnect client then it ought to support that failover.
If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
HTH
Rick

AnyConnect Client Profile in ASDM

I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu. Also check that your ASDM username have enough privelege."
My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this. Righ now I have
anyconnect-win-3.0.10055-k9.pkg installed.
This is a lab setup using GNS3.
Any ideas?

Hi Marius,
I would assume you are running ASA 8.0x, right?
Please check this out:
"If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
Security Appliance Software Requirements
So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
Let me know.
Thanks.
Portu
Please rate any posts you find helpful.

Multiple SharePoint Connections Appearing

Has anyone else encountered multiple SharePoint connections appearing for the same server in Office 2013. We are using Office 365 and I work on office across multiple devices. This anomaly seemed to pop up when I started using Office for iPad,
though I've no idea if its connected. I can remove the extra account and then all works fine, but on reboot the extra account reappears and then I can't open files from the web interface - most frustrating.

Hi,
It could be that the cache for the account was still being stored in the registry.
I suggest you try the method below to delete the Office profile that may still be cached:
Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it,
back up the registry for restoration in
case problems occur.
From Registry Editor, browse to: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity\Identities
Choose the Office profile that you want to delete, and then choose Delete.
From the Identity hive, navigate to the Profiles node, choose that same identity, open the shortcut menu (right-click), and then choose
Delete.
The steps above are quoted from this article below, you may also learn something useful from it:
https://technet.microsoft.com/en-us/library/jj683102.aspx?f=255&MSPPError=-2147217396
Regards,
Melon Chen
Forum Support
Come back and mark the replies as answers if they help and unmark them if they provide no help.
If you have any feedback on our support, please click
here

ASA VPN SSL 8.4.x : Using differents certificates by connection profile

I want to use a different certificate by connection profile. Is-it possible on ASA 8.4 ?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
Thanks
Jeff

Hi Jeff,
no, this is not possible (unless the 2 certificates are used on 2 different interfaces, but I guess that that is not what you want) - the reason for this is that the ASA needs to send a certificate to the client/browser when the SSL connection initiates, so before it gets the HTTP GET request (which contains the Host header indicating which hostname you are connecting to). So at that time the ASA would not yet know which of the 2 certs to send.
However, there is an alternative that you may find useful: you can create/request a single certificate that contains both hostnames (there can be only one in the Subject/DN, but you can have multiple SAN - Subject Alternate Name). There may be an additional cost associated with this if you are requesting the cert from a 3rd party CA.
To map a hostname to a connection profile (tunnel-group), you can configure a group-url per tunnel-group.
e.g.
tunnel-group foo webvpn-attributes
group-url https://vpn.itcom.fr/
(don't know off the top of my head if it should include the trailing slash - try without if it doesn't work).
This part should work regardless of the certificate - you'll just get a certificate warning if the hostname you connect to is not in the ASA cert.
hth
Herbert

Securing multiple AnyConnect connection profiles

Similar Messages

Maybe you are looking for