Deploying Cisco ASA VPN Solutions (VPN)
Volume 2, Version 1.0
Student Guide
Text Part Number: 97-2823-05

... IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU, CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

© 2010 Cisco and/or its affiliates. All rights reserved.

Table of Contents
Volume 2

Deployment of Cisco ASA Adaptive Security Appliance AnyConnect Remote Access VPN Solutions   3-1
  Overview   3-1
  Module Objectives   3-1
  Deploying a Basic Cisco AnyConnect Full Tunnel SSL VPN Solution   3-3
    Overview   3-3
    Objectives   3-3
    Configuration Choices, Basic Procedures, and Required Input Parameters   3-4
    Configuring Basic Cisco ASA Adaptive Security Appliance SSL VPN Gateway Features   3-7
    Configuring Local Password-Based User Authentication   3-26
    Configuring Client IP Address Management, Basic Access Control, and Split Tunneling   3-40
    Installing and Configuring the Cisco AnyConnect Client   3-43
      Web Launch (Via SSL VPN Clientless Session)   3-44
      Manual Installation   3-44
    Troubleshooting Basic Full Tunnel SSL VPN Operation   3-57
      Installing DART with Cisco AnyConnect   3-59
      Manually Installing DART on the Host   3-60
    Summary   3-68
  Deploying Advanced Cisco AnyConnect VPN Client   3-69
    Overview   3-69
    Objectives   3-69
    Configuration Choices, Basic Procedures, and Required Input Parameters   3-70
    Deploying DTLS   3-71
    Managing Cisco AnyConnect Software   3-80
    Configuring Cisco AnyConnect Client Profiles   3-85
    Deploying Advanced Cisco AnyConnect Operating System Integration Options   3-95
    Customizing the Cisco AnyConnect User Interface   3-107
      Microsoft Windows   3-110
      Linux   3-110
      Mac OS X   3-111
    Summary   3-113
    References   3-113
  Deploying Advanced Authentication in Cisco AnyConnect Full Tunnel SSL VPNs   3-115
    Overview   3-115
    Objectives   3-115
    Configuration Choices, Basic Procedures, and Required Input Parameters   3-116
    Deploying External AAA Authentication   3-123
    Deploying Certificate-Based Client Authentication Using the Cisco ASA Adaptive Security Appliance Local CA   3-138
    Deploying Advanced PKI Integration   3-162
    Deploying Multiple Client Authentication   3-164
    Summary   3-174
    References   3-174
  Module Summary   3-175

Deployment of Cisco ASA Adaptive Security Appliance Clientless Remote Access VPN Solutions   4-1
  Overview   4-1
  Module Objectives   4-1
  Deploying a Basic Clientless VPN Solution   4-3
    Overview   4-3
    Objectives   4-3
    Configuration Choices, Basic Procedures, and Required Input Parameters   4-4
    Configuring Basic Cisco ASA Adaptive Security Appliance SSL VPN Gateway Features   4-7
    Configuring Local Password-Based User Authentication   4-18
    Configuring Basic Portal Features and Access Control   4-33
    Troubleshooting Clientless SSL VPNs   4-54
    Summary   4-59
  Deploying Advanced Application Access for Clientless SSL VPN   4-61
    Overview   4-61
    Objectives   4-61
    Configuration Choices, Basic Procedures, and Required Input Parameters   4-62
    Configuring Application Plug-ins   4-65
    Specifying Applet Settings   4-73
    Configuring Smart Tunnels   4-79
    Configuring Port Forwarding   4-93
    Troubleshooting Advanced Application Access   4-105
    Summary   4-109
  Deploying Advanced Authentication and SSO in a Clientless SSL VPN   4-111
    Overview   4-111
    Objectives   4-111
    Configuration Choices, Basic Procedures, and Required Input Parameters   4-112
    Deploying Client Certificate-Based Authentication   4-116
    Deploying Advanced Gateway PKI Integration, External Certificate Authorization, and Double Authentication   4-129
    Troubleshooting PKI Integration   4-137
    Deploying Clientless SSL VPN SSO   4-141
    Summary   4-154
  Customizing the Clientless SSL VPN User Interface and Portal   4-155
    Overview   4-155
    Objectives   4-155
    Deploying Basic Navigation Customization   4-156
    Deploying Full Portal Customization   4-169
    Deploying Portal Localization   4-183
    Deploying Portal Help Customization   4-193
    Cisco AnyConnect Portal Integration   4-201
    Summary   4-204
  Module Summary   4-205

Module 3
Deployment of Cisco ASA Adaptive Security Appliance AnyConnect Remote Access VPN Solutions

Overview
The Cisco AnyConnect VPN Client and the Cisco ASA adaptive security appliance acting as a Secure Sockets Layer (SSL) virtual private network (VPN) gateway provide full tunnel SSL VPN services to remote workers. This module describes how to deploy full tunnel SSL VPNs using basic and certificate-based authentication. The module also describes advanced deployments of the Cisco AnyConnect VPN Client software.
Module Objectives
Upon completing this module, you will be able to implement and maintain remote access VPNs based on Cisco AnyConnect technology on the Cisco ASA adaptive security appliance VPN gateway, according to policies and environmental requirements. This ability includes being able to meet these objectives:
• Deploy and manage basic features of a Cisco AnyConnect full tunnel SSL VPN
• Deploy and manage the advanced, centrally configured features of the Cisco AnyConnect client
• Deploy and manage the advanced authentication features of a Cisco AnyConnect full tunnel SSL VPN

Lesson 1
Deploying a Basic Cisco AnyConnect Full Tunnel SSL VPN Solution

Overview
A basic Cisco AnyConnect full tunnel Secure Sockets Layer (SSL) virtual private network (VPN) provides users with flexible client-based access to sensitive resources over a remote access VPN gateway implemented on the Cisco ASA adaptive security appliance. A basic Cisco AnyConnect full tunnel SSL VPN authenticates users with usernames and passwords. It also assigns IP addresses to the full tunnel client from the Cisco ASA adaptive security appliance, and it applies a basic access control policy. This lesson enables you to configure, verify, and troubleshoot a basic Cisco AnyConnect full tunnel SSL VPN solution.

Objectives
Upon completing this lesson, you will be able to deploy and manage basic features of Cisco AnyConnect full tunnel SSL VPNs. This ability includes being able to meet these objectives:
• Plan the configuration of a Cisco AnyConnect full tunnel SSL VPN solution
• Configure and verify basic Cisco ASA adaptive security appliance gateway features in Cisco AnyConnect full tunnel SSL VPNs
• Configure and verify password-based local user authentication in a Cisco AnyConnect full tunnel SSL VPN
• Configure and verify local IP address management, basic access control, and split tunneling in a Cisco AnyConnect full tunnel SSL VPN
• Install, configure, and verify the predeploy version of the Cisco AnyConnect client
• Troubleshoot VPN session establishment between a Cisco AnyConnect client and a Cisco ASA adaptive security appliance VPN gateway

Configuration Choices, Basic Procedures, and Required Input Parameters
This topic provides an overview of how to plan the configuration of a Cisco AnyConnect full tunnel SSL VPN solution.

Basic Cisco AnyConnect SSL VPN Solution Components
In a basic Cisco ASA adaptive security appliance full tunneling remote access Secure Sockets Layer (SSL) virtual private network (VPN) solution, remote users use the Cisco AnyConnect VPN Client to establish an SSL/Transport Layer Security (TLS) tunnel with the Cisco ASA adaptive security appliance. The basic solution uses bidirectional authentication: the client authenticates the Cisco ASA adaptive security appliance with a certificate-based authentication method, and the Cisco ASA adaptive security appliance authenticates the user based on a username and password against its local user database. After authentication, the security appliance applies a set of authorization and accounting rules to the user session. After the Cisco ASA adaptive security appliance establishes an acceptable VPN environment with the remote user, the remote user can forward raw IP traffic into the SSL/TLS tunnel. The Cisco AnyConnect client creates a virtual network interface on the host to provide this functionality. The client can use any application to access any resource behind the Cisco ASA adaptive security appliance VPN gateway, subject to the access rules applied to the VPN session.

Basic Cisco AnyConnect SSL VPN Deployment Tasks
These are the general deployment tasks to create a basic Cisco AnyConnect full tunnel SSL VPN:
1. Configure the Cisco ASA adaptive security appliance with basic SSL VPN gateway features, including provisioning the identity certificate of the Cisco ASA adaptive security appliance to enable SSL/TLS server authentication.
2. Configure basic user authentication by configuring the local user database of the Cisco ASA adaptive security appliance, creating user accounts with static passwords.
3. Configure an IP address assignment method, using either IP address pools or per-user IP addresses that are configured locally on the Cisco ASA adaptive security appliance.
4. Configure basic access control, limiting access to the enterprise internal network.
5. Install the Cisco AnyConnect client on the remote PCs, and configure it to connect to the SSL VPN gateway.

Before implementing a basic Cisco AnyConnect full tunnel SSL VPN, you will need to obtain and analyze several pieces of information that are related to the network and system environment:
• The IP addressing plan that will dictate the VPN gateway addressing, and the enterprise naming plan that will dictate the name of the VPN gateway. This data is needed to assign an IP address to the Cisco ASA adaptive security appliance VPN-terminating interface, and to assign a name inside the VPN gateway SSL/TLS identity certificate.
• The enterprise certificate policy and certificate settings. This information is needed in order to enroll the Cisco ASA adaptive security appliance into a public key infrastructure (PKI), if so desired, and to include all relevant fields inside a PKI-provisioned certificate.
• The enterprise policy for the user-naming format and the enterprise password policy, in order to create the local user database on the Cisco ASA adaptive security appliance.
• The enterprise cryptographic policy, in order to choose the optimal SSL/TLS protocol versions and algorithm bundles (cipher suites) for SSL/TLS sessions on the Cisco ASA adaptive security appliance.
• The IP addressing plan for remote clients. In a full tunneling SSL VPN, the Cisco ASA adaptive security appliance must assign IP addresses to remote clients, and these addresses must be unique and routed to the Cisco ASA adaptive security appliance in order for VPN connectivity to work.
• Access policies that dictate which sensitive internal resources the remote users can access. This information is needed to configure an access control policy on the Cisco ASA adaptive security appliance that will be applied to remote access VPN sessions.
• A list of the client platforms of remote users. This information is needed to correctly provision the Cisco AnyConnect software images to the remote users, and to store the images in the Cisco ASA adaptive security appliance flash memory.

Basic Cisco AnyConnect SSL VPN Deployment Guidelines
Consider the following deployment guidelines when deploying a basic Cisco AnyConnect full tunnel SSL VPN solution:
• Use local password-based user authentication in low-risk environments where all users share the same access policy.
• Extend the basic solution with remote authentication, authorization, and accounting (AAA) user authentication and multiple access policies when needed.

Configuring Basic Cisco ASA Adaptive Security Appliance SSL VPN Gateway Features
This topic enables you to configure and verify basic Cisco ASA adaptive security appliance SSL VPN gateway features in Cisco AnyConnect full tunnel SSL VPNs.

Basic Cisco ASA Adaptive Security Appliance Gateway Features Overview
• Configure the Cisco ASA adaptive security appliance as an SSL/TLS server:
  – Provision a server identity certificate
  – Enable the SSL/TLS server
  – Tune SSL/TLS settings
• Identity certificate options:
  – Temporary self-signed certificate, generated by default
  – Configurable persistent self-signed certificate
  – PKI-provisioned certificate (recommended)

The first deployment step when configuring a full tunnel SSL VPN solution is to configure basic SSL/TLS server parameters on the Cisco ASA adaptive security appliance.
This step includes provisioning a server identity certificate, which the Cisco ASA adaptive security appliance sends to remote clients so that they can authenticate the Cisco ASA adaptive security appliance. This step also includes enabling the SSL/TLS server functionality on an interface, and optionally tuning SSL/TLS parameters to comply with local cryptographic policies.

By default, the security appliance creates a new self-signed X.509 certificate on each reboot. Because clients have no way to verify such a certificate, they display warnings whenever you attempt SSL VPN access. You can address this issue with one of two approaches:
• Create a permanent self-signed certificate that is persistent across reboots and that users can save on the client. This approach is possible if the remote users can initially reach the Cisco ASA adaptive security appliance over a trusted network and save the identity certificate of the appliance to their local storage. Most clients do not support this approach well, and it is generally not recommended.
• Enroll the Cisco ASA adaptive security appliance into an existing PKI. Clients then authenticate the identity certificate of the appliance on each access by validating it against the certificate authority (CA) certificate that was used to issue the identity certificate. This CA certificate must be preprovisioned to all clients in order for such authentication to work.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Configuration Tasks
To configure basic Cisco ASA adaptive security appliance SSL VPN gateway features, complete the following configuration tasks:
1. Provision an identity server SSL/TLS certificate to the Cisco ASA adaptive security appliance. The security appliance uses this certificate to identify itself to remote clients, and remote clients use it to authenticate the Cisco ASA adaptive security appliance. You have three options to install a certificate on the Cisco ASA adaptive security appliance:
   – Option A is to create and install a permanent self-signed certificate that is persistent across reboots.
   – Option B is to create and install a persistent, PKI-provisioned certificate by enrolling the Cisco ASA adaptive security appliance into an existing PKI. You can use a PKI internal to your organization, an externally managed PKI, or an external, global PKI. In option B, you use the Simple Certificate Enrollment Protocol (SCEP) to enroll in the PKI and obtain an identity certificate.
   – Option C is essentially the same as option B, but is used with PKIs that do not support SCEP enrollment. Instead, you use manual (cut-and-paste) enrollment, exchanging raw enrollment data with the PKI manually.
2. Load a Cisco AnyConnect client software image onto the Cisco ASA adaptive security appliance, placing it in the persistent flash storage of the security appliance.
3. Enable SSL VPN traffic termination on a Cisco ASA adaptive security appliance interface, which enables the SSL VPN server function of the security appliance.
4. Configure and optionally tune the SSL/TLS settings. You need to assign the installed identity certificate of the Cisco ASA adaptive security appliance to the chosen VPN traffic termination interface. Optionally, choose the SSL/TLS versions and algorithm bundles (cipher suites) that you want to use for traffic encapsulation.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Configuration Choices

Choice                                  Guideline
Use self-signed or PKI certificates     Self-signed certificates should be avoided except for testing or very small
                                        deployments, because verification is a manual process. Use global (external)
                                        PKI certificates if not all clients are managed. Consider local (internal) PKI
                                        certificates if clients are managed and have an authentic copy of the CA
                                        certificate.
Tuning SSL/TLS settings                 Unless you have a policy dictating the use of specific cryptographic algorithms,
                                        you can use the default SSL/TLS settings.

There are several configuration choices that you need to make based on locally significant criteria.

The first choice is whether you will use self-signed or PKI-provisioned certificates. Using any kind of self-signed certificate is generally not recommended, because clients typically cannot verify it properly unless they already have an authentic copy of it preinstalled locally. Self-signed certificates should generally be used only for test purposes, and not for production use over untrusted networks. Deploying a permanent self-signed certificate is simpler than using PKI-provisioned certificates, because it requires no interaction with the PKI. However, a PKI-provisioned certificate is the recommended and more scalable solution. You can use a local PKI (internal to the enterprise, or a managed, private PKI service) if all of your clients are managed, and you can be reasonably sure that all clients have an authentic copy of the CA certificate installed.
Alternatively, use a certificate from a global PKI if not all of your clients are managed and you have to rely on the operating system default store of global CA certificates (trusted roots).

The second choice involves tuning the SSL/TLS settings of the Cisco ASA adaptive security appliance SSL/TLS server function. Consider tuning these settings if you have a local policy dictating the use of particular SSL/TLS protocol versions or particular cryptographic algorithms. In most cases, the default Cisco ASA adaptive security appliance SSL/TLS settings are appropriate.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Configuration Scenario
The figure presents the configuration scenario that is used in the upcoming configuration tasks. The Cisco ASA adaptive security appliance can either issue a self-signed certificate, or receive its identity certificate from an external or internal CA server. You also need to configure your Domain Name System (DNS) infrastructure to resolve the name of the Cisco ASA adaptive security appliance (the name inside its identity certificate) to its VPN-terminating interface IP address (the IP address of the outside interface in the example).

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 1A: Provision a Self-Signed Identity Certificate
In the first task, you generate a permanent self-signed certificate that does not change across Cisco ASA adaptive security appliance reboots. The use of a permanent self-signed certificate is discouraged, because it offers little benefit over the temporary self-signed certificate.

To deploy a new permanent self-signed certificate, perform the following steps:
Step 1  Using Cisco Adaptive Security Device Manager (Cisco ASDM), choose Configuration > Device Management > Certificate Management > Identity Certificates.
Step 2  Click Add to create a new PKI trustpoint. Assign a local name to the new trustpoint.
Step 3  Choose Add a New Identity Certificate, and choose the named Rivest, Shamir, and Adleman (RSA) key pair to be used as the basis for the SSL VPN server certificate.
Step 4  Optionally, create an RSA key pair of appropriate strength by clicking the New button. It is recommended to create a separate key pair for each trustpoint. Make sure that you generate a key of appropriate strength (key size).
Step 5  In the Certificate Subject DN field, enter the canonical name of the security appliance in the form CN=hostname.domainname. (You can click the Select button to construct a more complex subject name if needed; this is not required for self-signed certificates.)
Step 6  Check the Generate Self-Signed Certificate check box.
Step 7  Click Add Certificate to immediately generate the permanent self-signed X.509 certificate.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 1B: Provision a PKI Identity Certificate Using SCEP
(Figure: Cisco ASDM, Configuration > Device Management > Certificate Management > Identity Certificates)
Alternatively, you can deploy a PKI-provisioned certificate to the security appliance.
This procedure is similar to installing a self-signed certificate, except that you forward your certificate request (containing the Cisco ASA adaptive security appliance name and public RSA key) to a PKI enrollment server (a registration authority or a certificate authority). Perform the following steps:
Step 1  Ensure that the Cisco ASA adaptive security appliance hostname and domain name are set correctly.
Step 2  Optionally, if you have not already done so, create an RSA key pair of appropriate strength. You can also reuse existing keys, if they are of appropriate strength.
Step 3  Using Cisco ASDM, choose Configuration > Device Management > Certificate Management > Identity Certificates.
Step 4  Click Add to create a new PKI trustpoint. Assign a local name to the new trustpoint.
Step 5  Choose Add a New Identity Certificate, and select an RSA key pair (or create a new key pair) to be used as the basis for the HTTPS server certificate.
Step 6  In the Certificate Subject DN field, enter the canonical name of the security appliance in the form CN=hostname.domainname (you can click the Select button to construct a more complex subject name if needed).
Step 7  Click the Advanced button to display the PKI enrollment parameters.
Step 8  In the Certificate Parameters tab, verify that the fully qualified domain name (FQDN) is properly set to the appliance hostname and domain name.
Step 9  In the Enrollment Mode tab, click the Request from a CA radio button. Enter the enrollment parameters (such as the enrollment URL) for the PKI that you are using. Use the SCEP Challenge Password tab to enter the SCEP password, if the PKI CA server requires one.
Step 10 Click Add Certificate to generate the certificate request.
Step 11 When the PKI approves your certificate request, choose your request and click Install to install the identity certificate.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 1C: Provision a PKI Identity Certificate Using Cut-and-Paste Enrollment
(Figure: Cisco ASDM, Configuration > Device Management > Certificate Management > Identity Certificates)
If the PKI does not support SCEP enrollment, you can enroll using a manual cut-and-paste method. In this method, you generate a certificate request and then send it (as a file, or pasted into a PKI enrollment user interface) to a PKI certificate or registration authority. The CA issues you a certificate (as a file, or as text data) that you copy and paste into the Cisco ASA adaptive security appliance. Perform the following steps to complete the cut-and-paste enrollment method:
Step 1  Using Cisco ASDM, choose Configuration > Device Management > Certificate Management > Identity Certificates.
Step 2  Click Add to create a new PKI trustpoint. Assign a local name to the new trustpoint.
Step 3  Choose Add a New Identity Certificate, and choose an RSA key pair (or create a new key pair) to be used as the basis for the HTTPS server certificate.
Step 4  In the Certificate Subject DN field, enter the canonical name of the security appliance in the form CN=hostname.domainname (you can click the Select button to construct a more complex subject name if needed).
Step 5  Click the Advanced button to display the PKI enrollment parameters.
Step 6  In the Certificate Parameters tab, verify that the FQDN is properly set to the appliance hostname and domain name.
Step 7  In the Enrollment Mode tab, choose the Request by Manual Enrollment (cut-and-paste) method. Enter the enrollment parameters for the PKI that you are using.
Step 8  Click Add Certificate to generate the certificate request.
Step 9  Save the certificate signing request (CSR) data into a file and use it to enroll into the PKI.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 1C: Provision a PKI Identity Certificate Using Cut-and-Paste Enrollment (Cont.)
(Figure: Cisco ASDM, Configuration > Device Management > Certificate Management > Identity Certificates)
To finish the manual enrollment procedure, perform these steps:
Step 1  When the PKI approves your certificate request, obtain the certificate file or text data, and import it to the Cisco ASA adaptive security appliance as a file, or paste it into the Cisco ASDM GUI.
Step 2  Choose Configuration > Device Management > Certificate Management > Identity Certificates and select the trustpoint that you configured in the previous steps.
Step 3  Choose Install Certificate to install the identity certificate that you obtained from the CA, either by selecting the certificate file or by pasting in the Base64-encoded certificate.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 2: Load a Cisco AnyConnect Image onto the Cisco ASA Adaptive Security Appliance
• Download Cisco AnyConnect PKG packages from Cisco.com
• Load them into the flash memory of the appliance
• Download and copy PKGs for all required platforms to the appliance

In Task 2 of the configuration sequence, download the Cisco AnyConnect web deployment client software packages from Cisco.com, and transfer them to the Cisco ASA adaptive security appliance flash memory.
Transfer the PKG format of the Cisco AnyConnect software image to the Cisco ASA adaptive security appliance for all client platforms that you intend to support. The Cisco ASA adaptive security appliance uses these web deployment (or web launch) packages to dynamically install the Cisco AnyConnect client on the hosts of users who visit the SSL VPN portal, if so configured.

Note: In the configuration scenario example that is used in this lesson, you will also be shown how to use the predeployment (Microsoft Windows Installer [MSI]) installer package instead of the web deployment package. However, installing a web deployment package on the appliance is a mandatory step in the SSL VPN gateway configuration.

If you are using Cisco ASDM, you can use the File Transfer user interface (Tools > File Management) to transfer these files from your local storage location to the Cisco ASA adaptive security appliance.

Note: The Cisco AnyConnect client that is loaded on the Cisco ASA adaptive security appliance in this example is a Microsoft Windows-based client. Other operating system environments are also supported.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 3: Enable SSL VPN Termination on an Interface
In Task 3, you globally enable the SSL VPN function on the Cisco ASA adaptive security appliance, and select the interfaces on which the appliance will accept SSL VPN sessions. You can also optionally configure support for Datagram Transport Layer Security (DTLS), which is negotiated automatically if the path between the client and the Cisco ASA adaptive security appliance supports it. Additionally, you enable user connection profile selection, which is required if you want to assign users to a specific connection profile instead of using the default DefaultWebVPNGroup profile for all users.

Perform the following steps:
Step 1  In Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
Step 2  Check the Enable Cisco AnyConnect VPN Client or Legacy SSL VPN Client Access check box to globally enable SSL VPN functionality. A window appears, asking you to designate a Cisco AnyConnect image; click Yes to continue.
Step 3  The Add SSL VPN Client Image window appears, prompting you to select a Cisco AnyConnect image that the Cisco ASA adaptive security appliance will use to deploy the client to users who use a browser to initially connect to the full tunneling VPN. Select the PKG image that you previously uploaded to the Cisco ASA adaptive security appliance flash memory. You can also upload an image at this point.
Step 4  Check the Allow Access check box, and optionally check the Enable DTLS check box, for the interface on which you want to terminate SSL VPN connections. In this example, these connections are enabled on the outside interface. It is generally recommended to enable DTLS to provide low-latency tunneling for real-time applications, such as software IP phones.
Step 5  In the Login Page Setting area, check the Allow User to Select Connection Profile check box to allow users to select their connection profile at login.
Step 6  Click Apply and save your configuration, if necessary.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
Task 4: Configure and Tune SSL/TLS Settings
(Figure: Cisco ASDM, Configuration > Remote Access VPN > Advanced > SSL Settings)
Settoge In Task 4, you need to attach the installed identity appliance to the appropriate network interface that you cor certificate of the Cisco ASA adaptive sceurity figured for SSL VPN termination. Perform the following steps: Step 1 Choose Configuration > Remote Access VPN > Advanced > SSL Settings (or choose Configuration > Remote Aecess VPN > Network (Client) Access > AnyConnect Connection Profiles, and click the Click Here to Assign Certificate to Interface link). Step2 At the top of the SSL Settings pane, you can select the SSL and TLS protocol versions that the appliance will support as the SSLITLS server. If you need to change the default values, you have the following options: SSL Settings Value Description ery “The adaptive security appliance accepis SSL version 2 (SSLV2) client helios, and negatiates either SSL version 3 (SSLv3) or TLS version 1 (TLSV). This option i selected by default. Negotiate SSLVS “The adaptive security appliance accepis SSLv2 client elas, ard negetates fo SSLv3. SSL v3 only ‘The security appliance accepts only S8Lv3 client hellos, and uses only SSLi3 Negotiate TLS v1 “The adaptive security appliance accepis SSLv2 client elas, and negetiates to TLS yt 718 v1 only “The security appliance accepts only TLSV1 client hellos, and uses only TLS Stop 3 (E2010 Cisco Systems, ne, __Dapoyment of Ceca ASA Adaptive Socrty Applance AryComect Remote Access VPN Solution 3.17Inthe Encryption section of the SSL Settings pane, you can select or deselect the cryptographic algorithm bundles (cipher suites) that the Cisco ASA adaptive security appliance will accept in the initial SSL/TLS negotiation. If you need to change these settings based on a local cryptographic policy, you can enable or disable specific bundles in this pane. 
Step 5 In the SSL Settings pane, where the interfaces are listed, click Edit to edit the interface (or interfaces) on which the security appliance will accept SSL VPN connections.

Step 6 In the Primary Enrolled Certificate drop-down menu, choose the installed identity certificate of the Cisco ASA adaptive security appliance.

Step 7 Click OK, and click Apply.

Step 8 Save your configuration, if necessary.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
CLI Configuration with a Self-Signed Certificate

  crypto key generate rsa label SELF-SIGNED-KEYS modulus 2048
  crypto ca trustpoint SELF-SIGNED
   enrollment self
   subject-name CN=<appliance name; value not shown on the slide>
   keypair SELF-SIGNED-KEYS
  crypto ca enroll SELF-SIGNED noconfirm
  webvpn
   enable outside
   svc image disk0:/<AnyConnect PKG file; value not shown on the slide> 1
   svc enable
   tunnel-group-list enable
  ssl trust-point SELF-SIGNED outside

This output shows the command-line interface (CLI) commands that are required to configure the basic Cisco ASA adaptive security appliance SSL VPN gateway features using a self-signed identity certificate of the appliance. In the CLI, use the crypto key generate command to generate an RSA key pair, if required. Use the crypto ca trustpoint command to create a self-signed trustpoint. Inside the trustpoint configuration, use the enrollment self command to specify that this trustpoint will automatically generate a persistent self-signed certificate upon enrollment. Use the subject-name command to specify the name that the Cisco ASA adaptive security appliance will use inside its identity certificate. Optionally, use the keypair command to specify the dedicated RSA key pair (if generated) that the Cisco ASA adaptive security appliance will use when generating the self-signed certificate. Next, use the crypto ca enroll command to actually generate the self-signed certificate based on the trustpoint settings.

Next, enter SSL VPN server configuration submode on the Cisco ASA adaptive security appliance using the webvpn command, and enable the SSL VPN server on the outside interface using the enable command. Designate the Cisco AnyConnect image that is present in the local Cisco ASA adaptive security appliance storage using the svc image command, and enable full tunnel SSL VPN connections using the svc enable command. To finish the configuration, enable user selection of connection profiles using the tunnel-group-list enable command. Finally, assign the installed self-signed certificate to the SSL-VPN-enabled interface by using the ssl trust-point command.

crypto key generate rsa
To generate RSA key pairs for identity certificates, use the crypto key generate rsa command in global configuration mode.

  crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

crypto key generate rsa Parameters
  general-keys: Generates a single pair of general-purpose keys. This type is the
  modulus size: Specifies the modulus size of the key pair (or pairs): 512, 768, 1024, and 2048. The default modulus size is 1024.
  noconfirm: Suppresses all interactive prompting.
  usage-keys: Generates two key pairs, one for signature use and one for encryption use. The implication is that two certificates for the corresponding identity are required.

crypto ca trustpoint
To enter trustpoint configuration mode for the specified trustpoint, use the crypto ca trustpoint command in global configuration mode. To remove the specified trustpoint, use the no form of this command.

  crypto ca trustpoint trustpoint-name
  no crypto ca trustpoint trustpoint-name [noconfirm]

crypto ca trustpoint Parameters
  noconfirm: Suppresses all interactive prompting.
  trustpoint-name: Identifies the name of the trustpoint to manage. The maximum name length is 128 characters.

subject-name (crypto ca trustpoint)
To include the indicated subject distinguished name (DN) in the certificate during enrollment, use the subject-name command in crypto CA trustpoint configuration mode. The DN represents the person or system that uses the certificate. To restore the default setting, use the no form of the command.

  subject-name X.500_name

subject-name (crypto ca trustpoint) Parameters
  X.500_name: Defines the X.500 distinguished name. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. For example: cn=crl,ou=certs,o="cisco systems, inc.",c=US. The maximum length is 600 characters.

keypair
To specify the key pair whose public key is to be certified, use the keypair command in crypto CA trustpoint configuration mode. To restore the default setting, use the no form of the command.

  keypair name

keypair Parameters
  name: Specifies the name of the key pair.
webvpn
To enter webvpn mode, in global configuration mode, enter the webvpn command. To remove any commands that are entered with this command, use the no webvpn command. These webvpn commands apply to all WebVPN users. These webvpn commands let you configure AAA servers, default group policies, default idle timeout, HTTP and HTTPS proxies, and NetBIOS Name Service (NBNS) servers for WebVPN, as well as the appearance of WebVPN screens that end users see.

  webvpn

enable (webvpn)
To enable WebVPN or email proxy access on a previously configured interface, use the enable command. For WebVPN, use this command in webvpn mode. For email proxies (Internet Message Access Protocol version 4 Secure [IMAP4S], Post Office Protocol version 3 Secure [POP3S], and Simple Mail Transfer Protocol Secure [SMTPS]), use this command in the applicable email proxy mode. To disable WebVPN on an interface, use the no version of the command.

  enable ifname

enable (webvpn) Parameters
  ifname: Identifies the previously configured interface. Use the nameif command to configure interfaces.

svc image
To specify an SSL VPN client package file that the adaptive security appliance expands in cache memory for downloading to remote PCs, use the svc image command from webvpn configuration mode. To remove the command from the configuration, use the no form of the command.

  svc image filename order [regex expression]

svc image Parameters
  filename: Specifies the filename of the package file, up to 255 characters.
  order: With multiple client package files, order specifies the order of the package files, from 1 to 65,535. The security appliance downloads portions of each client, in the order that you specify, to the remote PC
until it achieves a match with the operating system.
  regex expression: Specifies a string that the adaptive security appliance uses to match against the user agent string that is passed by the browser.

svc enable
To enable the adaptive security appliance to download an SSL VPN client to remote computers, use the svc enable command from webvpn configuration mode. To remove the command from the configuration, use the no form of the command.

  svc enable

ssl trust-point
To specify the certificate trustpoint that represents the SSL certificate for an interface, use the ssl trust-point command with the interface argument in global configuration mode. If you do not specify an interface, this command creates the fallback trustpoint for all interfaces that do not have a trustpoint configured. To remove an SSL trustpoint from the configuration that does not specify an interface, use the no version of this command. To remove an entry that does specify an interface, use the no ssl trust-point {trustpoint [interface]} version of the command.

  ssl trust-point {trustpoint [interface]}

ssl trust-point Parameters
  interface: The name for the interface to which the trustpoint applies. The nameif command specifies the name of the interface.
  trustpoint: The name of the CA trustpoint as configured in the crypto ca trustpoint [name] command.

Configuring Basic Cisco ASA Adaptive Security Appliance Features
CLI Configuration with a PKI Certificate and SCEP

  crypto key generate rsa label PKI-KEYS modulus 2048
  crypto ca trustpoint INTERNAL-PKI
   enrollment url http://172.26.200.10/certsrv/mscep/mscep.dll
   subject-name CN=vpn.domain.com
   keypair PKI-KEYS
  crypto ca authenticate INTERNAL-PKI
  crypto ca enroll INTERNAL-PKI
  ! webvpn configuration (enable, svc image, svc enable, tunnel-group-list enable)
  ! is the same as in the self-signed example
  ssl trust-point INTERNAL-PKI outside

This output shows the CLI commands that are required to configure the basic Cisco ASA adaptive security appliance SSL VPN gateway features using a PKI-provisioned identity certificate of the appliance. The procedure is generally the same as when using a self-signed certificate, except for the trustpoint configuration and enrollment procedure. Inside the trustpoint configuration, use the enrollment url command to specify the SCEP enrollment URL provided to you by the PKI administrator. Use the subject-name command to specify the FQDN that the security appliance will use inside its identity certificate in the common name (CN) certificate field, and any other components of the name that the PKI requires (provided to you by the PKI administrator). Optionally, use the keypair command to specify the RSA key pair that the security appliance will use when requesting its identity certificate.

Use the crypto ca authenticate command to download the identity certificate of the PKI CA to the Cisco ASA adaptive security appliance. A fingerprint of the downloaded certificate will be displayed, and you should accept it after verifying that it is the correct CA certificate fingerprint. To verify the fingerprint, use a secure communication channel with the PKI administrator, or perform this transaction over a trusted network.

Next, use the crypto ca enroll command to request the identity certificate of the Cisco ASA adaptive security appliance from the PKI, sending the name parameters and the public key of the configured key pair to the PKI CA. The PKI CA will issue you an identity certificate, which the Cisco ASA adaptive security appliance will automatically download by periodically polling the PKI CA server. Other CLI steps and commands are the same as when enabling the SSL VPN gateway functions with a self-signed certificate.
enrollment url
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto CA trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

  enrollment url url

enrollment url Parameters
  url: Specifies the name of the URL for automatic enrollment. The maximum length is 1000 characters (effectively unbounded).

crypto ca authenticate
To install and authenticate the CA certificates that are associated with a trustpoint, use the crypto ca authenticate command in global configuration mode. To remove the CA certificate, use the no form of this command.

  crypto ca authenticate trustpoint [fingerprint hexvalue] [nointeractive]

crypto ca authenticate Parameters
  fingerprint: Specifies a hash value consisting of alphanumeric characters that the adaptive security appliance uses to authenticate the CA certificate. If a fingerprint is provided, the adaptive security appliance compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the adaptive security appliance displays the computed fingerprint and asks whether to accept the certificate.
  hexvalue: Identifies the hexadecimal value of the fingerprint.
  nointeractive: Obtains the CA certificate for this trustpoint by using no interactive mode. It is intended for use by the device manager only. In this case, if there is no fingerprint, the adaptive security appliance accepts the certificate without question.
  trustpoint: Specifies the trustpoint from which to obtain the CA certificate. Maximum name length is 128 characters.
Configuring Basic Cisco ASA Adaptive Security Appliance Features
Identity Certificate Verification

[Figure: ASDM Certificate Details dialog (serial number, usage, status) for the installed identity certificate]

To verify that the identity certificate of the Cisco ASA adaptive security appliance has been successfully installed, choose Configuration > Device Management > Certificate Management > Identity Certificates by using Cisco ASDM. Select the identity certificate of the Cisco ASA adaptive security appliance and click the Show Details button. The certificate status should be listed as "Available." In the CLI, use the show crypto ca certificates command and verify that the certificate status shows as "Available."

show crypto ca certificates
To display the certificates that are associated with a specific trustpoint or to display all the certificates that are installed on the system, use the show crypto ca certificates command in global configuration or privileged EXEC mode.

  show crypto ca certificates [trustpointname]

show crypto ca certificates Parameters
  trustpointname: (Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates that are installed on the system.
Verifying Basic Cisco ASA Adaptive Security Appliance Features
Implementation Guidelines

* Avoid self-signed certificates, unless you will manually load the Cisco ASA adaptive security appliance identity certificate to all clients before they log into the VPN (not scalable)
* Observe proper enrollment procedures: submit your public key to a CA using a secure procedure
* Consider using the Entrust enrollment wizard in the ASDM GUI to easily enroll into the global PKI

When implementing basic Cisco ASA adaptive security appliance SSL VPN gateway features, consider the following implementation guidelines:

* Generally, avoid using self-signed certificates, except in very small deployments where you can manually load the identity certificate of the Cisco ASA adaptive security appliance to all the remote clients before they log into the VPN. The remote users can also install the self-signed certificate themselves if they initially log in over a trusted network, which is often not the case.
* When enrolling into a PKI over an untrusted network, observe proper enrollment procedures and make sure that the PKI administrator properly verifies the appliance name and public key before issuing a certificate, in order to avoid issuing the certificate to a malicious entity.
* The Cisco ASDM includes an Entrust enrollment wizard, which simplifies the enrollment into the global PKI by providing you with step-by-step instructions for obtaining an Entrust-provisioned certificate. Consider using this wizard if you are unsure how to enroll into the global PKI. The wizard can be started by clicking the Enroll ASA SSL VPN with Entrust button in the Configuration > Device Management > Certificate Management > Identity Certificates pane.
Configuring Local Password-Based User Authentication

This topic enables you to configure and verify password-based local user authentication in a Cisco AnyConnect full tunnel SSL VPN.

Configuring Local Authentication
Local Password-Based User Authentication Overview

* The simplest user authentication method uses local passwords:
  - Local user database
  - Locally configured static passwords
* Password-based users:
  - May be permitted to select connection profile based on selection menu or group URL
  - DefaultWebVPNGroup uses local AAA authentication by default

[Figure: local user database on the appliance (username1/password1, username2/password2)]

After configuring basic Cisco ASA adaptive security appliance SSL VPN gateway parameters, the next deployment task is to configure a user authentication method, and prepare the Cisco ASA adaptive security appliance with all necessary configuration objects to enable later assignment of VPN policies. In this basic SSL VPN full tunnel solution, you will deploy simple password-based user authentication, using the local user database on the adaptive security appliance.

When SSL VPN full tunnel users connect to the Cisco ASA adaptive security appliance, the users may be permitted to select their connection profile by either choosing the desired profile from a drop-down list or connecting to the group URL. If no specific connection profile has been chosen, the security appliance will assign users to the default WebVPN group (DefaultWebVPNGroup) connection profile. This profile is, by default, configured to use user authentication by leveraging the local user database of the Cisco ASA adaptive security appliance. In this topic, you will configure a custom connection profile, and lock users into this custom connection profile after they authenticate to the security appliance.
Configuring Local Authentication
Configuration Tasks

1. Configure group policy:
   - Create a new group policy for Cisco AnyConnect connections
   - Modify the default group policy (not recommended)
2. Create a new connection profile for Cisco AnyConnect connections, and assign to it the new group policy.
3. (Optional) Define an alias for the connection profile.
4. Configure local users (credentials, access permissions).
5. (Optional) Configure connection profile lock.

To configure basic user authentication in the basic Cisco ASA adaptive security appliance full tunnel SSL VPN solution, perform the following configuration tasks:

1. Configure group policy. You can use one of two methods:
   - Create a new, custom group policy for your Cisco AnyConnect users. In this topic, you will create a single custom group policy for all users. Based on your requirements, you may need to create multiple group policies to differentiate users based on their access needs. This method is recommended in favor of tuning the default group policy.
   - Modify the default group policy to allow SSL VPN connections. The default group policy is the root policy from which all other connection or user profiles inherit settings. By default, full tunnel SSL VPN connections are not allowed. This approach is not recommended.
2. Create a new, custom connection profile into which you can assign users, and, based on this connection profile, assign the custom group policy to the users. As with the group policy, based on your requirements, you may need to create multiple connection profiles to differentiate users based on their access needs, and assign each connection profile a different group policy.
3. Optionally, define an alias for the connection profile. This approach is required to allow users to select the connection profile using the drop-down menu.
4. Configure users and their credentials in the Cisco ASA adaptive security appliance local user database.
5. Optionally, configure the connection profile lock feature for the created user account.

Configuring Local Authentication
Configuration Scenario

[Figure: configuration scenario topology]

This figure presents the configuration scenario that is used in upcoming configuration tasks. On the Cisco ASA adaptive security appliance, you will create a custom connection profile named BASIC-ANYCONNECT-PROFILE, and a related group policy named BASIC-ANYCONNECT-POLICY. Then, you will create one user named "vpnuser" in the local user database.

Configuring Local Authentication
Task 1A: Create a Custom Group Policy

[Figure: ASDM screenshot, Configuration > Remote Access VPN > Network (Client) Access > Group Policies]

First, you will create a custom group policy that you will apply to the full tunnel VPN users via their connection profile. Perform the following steps:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2 Click Add to add a new policy.
Step 3 Provide a name for the new group policy (BASIC-ANYCONNECT-POLICY, in this example).
Step 4 Expand the More Options pane, and check the SSL VPN Client check box in the Tunneling Protocols section. This protocol is needed to support Cisco AnyConnect SSL VPNs. You should uncheck all other tunneling protocols, if they are not used in your particular environment.
Step 5 Click OK.
Step 6 Click Apply to apply the configuration.

Configuring Local Authentication
Task 1B: Modify the Default Group Policy

[Figure: ASDM screenshot, Configuration > Remote Access VPN > Network (Client) Access > Group Policies]

Alternatively, you may modify the default group policy. This approach is recommended only in two situations:

* In small environments with a single group policy
* When a certain parameter is identical in all custom group policies and can be inherited from the default policy

Perform the following steps to tune the default group policy:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Choose DfltGrpPolicy, and click Edit to edit it.
Step 2 Expand the More Options pane, and check the SSL VPN Client check box in the Tunneling Protocols section to support SSL VPN full tunnel connections.

Note: If your Cisco ASA adaptive security appliance will support other VPN access options, you may need to leave some of the other tunneling protocols enabled.

Configuring Local Authentication
Task 2: Create a Custom Connection Profile

[Figure: ASDM screenshot, Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles]

Next, you will create a custom connection profile to which you will assign the full tunnel VPN users. Perform the following steps:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. In the Connection Profiles section, click Add to add a new connection profile.
Step 2 Provide a name for the new connection profile (BASIC-ANYCONNECT-PROFILE, in this example).
Step 3 In the Authentication section, leave the authentication method at its default settings (LOCAL AAA authentication).
Step 4 In the Default Group Policy section, choose the custom group policy (BASIC-ANYCONNECT-POLICY, which was configured in the previous set of tasks) from the drop-down list.

Configuring Local Authentication
Task 3: (Optional) Define Connection Profile Alias

* Aliases are displayed to the user upon login.
* Enable users to choose desired connection profile

[Figure: ASDM screenshot of the Add Connection Alias window]

Next, you may define an alias for the connection profile. Once the alias is defined, users may be permitted to select the desired connection profile when connecting to the SSL VPN. Perform the following steps:

Step 1 In the connection profile edit window, choose Advanced > SSL VPN. Click Add in the Connection Aliases section.
Step 2 Assign an alias name to this connection profile. Use a user-friendly name, as this alias will be visible to your VPN users in their Cisco AnyConnect client (Basic-profile, in this example). Check the Enable check box. You can use spaces in alias text, but if you do, you must provide the alias name inside quotes.
Step 3 Click OK in the Add Connection Alias window. Click OK in the Connection Profile window.
Step 4 Click Apply, and then click Save to save your configuration.

Configuring Local Authentication
Task 4: Configure Local Users and Credentials

[Figure: ASDM screenshot, Configuration > Remote Access VPN > AAA/Local Users > Local Users]

Finally, you will create user accounts in the Cisco ASA adaptive security appliance local database. These user accounts must only be able to log into the VPN, and not to the security appliance management user interfaces (the Cisco ASDM and the CLI). Perform the following tasks:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > Local Users. Click Add to add a new user account.
Step 2 Provide a name for the new user account (vpnuser, in this example).
Step 3 Create a password for the new user account.
Step 4 In the Access Restriction section, select the No ASDM, SSH, Telnet or Console Access option. This selection restricts the user so that these credentials are not accepted for device management functions.

Configuring Local Authentication
Task 5: (Optional) Configure Connection Profile Lock

* Lock user to connection profile
* Enforces use of connection profile
* Access denied if user attempts to connect to other profile

[Figure: ASDM screenshot, Configuration > Remote Access VPN > AAA/Local Users > Local Users]

To configure the connection profile lock feature, perform the following tasks:

Step 1 In the user account edit window, choose VPN Policy.
Step 2 Uncheck the Inherit check box next to the Connection Profile (Tunnel Group) Lock field. Assign this user account to the custom connection profile by using the drop-down menu to select the custom connection profile (BASIC-ANYCONNECT-PROFILE, in this example).
Step 3 Click OK in the Edit User Account window.
Step 4 Click Apply, and then click Save to save your configuration.

Configuring Local Authentication
CLI Configuration

  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol svc
  group-policy BASIC-ANYCONNECT-POLICY internal
  group-policy BASIC-ANYCONNECT-POLICY attributes
   vpn-tunnel-protocol svc
  tunnel-group BASIC-ANYCONNECT-PROFILE type remote-access
  tunnel-group BASIC-ANYCONNECT-PROFILE general-attributes
   default-group-policy BASIC-ANYCONNECT-POLICY
  tunnel-group BASIC-ANYCONNECT-PROFILE webvpn-attributes
   group-alias Basic-profile enable
  username vpnuser password <password; value not shown on the slide>
  username vpnuser attributes
   service-type remote-access
   group-lock value BASIC-ANYCONNECT-PROFILE

The output shows the CLI commands that are required to configure basic Cisco ASA adaptive security appliance SSL VPN user authentication. In the CLI, use the vpn-tunnel-protocol svc command in the group-policy DfltGrpPolicy attributes mode to enable the SSL VPN full tunnel functionality in the default group policy. Next, create a new, custom group policy by using the group-policy command, and specify the group policy as internal. In the new group-policy attributes mode, enable the SSL VPN full tunnel functionality for this group policy by using the vpn-tunnel-protocol command.
Next, create a new, custom connection profile by using the tunnel-group command, and attach the custom BASIC-ANYCONNECT-POLICY to this connection profile by using the default-group-policy command. Also, assign a user-friendly connection profile alias name to this connection profile by using the group-alias command, and enable it.

Finally, create a user account in the local database by using the username command, and assign to it a password. In the username attributes mode, restrict this user to VPN access (without the possibility of management access) by using the service-type remote-access command. Also, assign this user into the BASIC-ANYCONNECT-PROFILE connection profile by using the group-lock value command.

group-policy
To create or edit group policy, use the group-policy command in global configuration mode. To remove group policy from the configuration, use the no form of this command.

  group-policy name {internal [from group_policy_name] | external server-group server_group password server_password}

group-policy Parameters
  external server-group server_group: Specifies the group policy as external and identifies the AAA server group for the adaptive security appliance to query for attributes.
  from group-policy: Initializes the attributes of this internal group policy to the values of a pre-existing group policy.
  internal: Identifies the group policy as internal.
  name: Specifies the name of the group policy. The name can be up to 84 characters long and cannot contain spaces.
  password server_password: Provides the password to use when retrieving attributes from the external AAA server group. The password can be up to 128 characters long and cannot contain spaces.

group-policy attributes
To enter group-policy configuration mode, use the group-policy attributes command in global configuration mode.
To remove all attributes from a group policy, use the no version of this command. In group-policy configuration mode, you can configure attribute-value pairs for a specified group policy or enter group-policy webvpn configuration mode to configure WebVPN attributes for the group.

  group-policy name attributes

group-policy attributes Parameters
  name: Specifies the name of the group policy.

vpn-tunnel-protocol
To configure a VPN tunnel type (IP Security [IPsec], Layer 2 Tunneling Protocol [L2TP] over IPsec, Cisco VPN Client, or WebVPN), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.

  vpn-tunnel-protocol {ipsec | l2tp-ipsec | svc | webvpn}

vpn-tunnel-protocol Parameters
  ipsec: Negotiates an IPsec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
  l2tp-ipsec: Negotiates an IPsec tunnel for an L2TP connection.
  svc: Negotiates an SSL VPN tunnel with an SSL VPN client.
  webvpn: Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

tunnel-group general-attributes
To enter general-attributes configuration mode, use the tunnel-group general-attributes command in global configuration mode.
This mode is used to configure settings that are common to all supported tunneling protocols. To remove all general attributes, use the no form of this command.

  tunnel-group name general-attributes

tunnel-group general-attributes Parameters
  general-attributes: Specifies attributes for this tunnel group.
  name: Specifies the name of the tunnel group.

default-group-policy
To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.

  default-group-policy group-name

default-group-policy Parameters
  group-name: Specifies the name of the default group.

group-alias
To create one or more alternate names by which the user can refer to a tunnel group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.

  group-alias name [enable | disable]

group-alias Parameters
  disable: Disables the group alias.
  enable: Enables a previously disabled group alias.
  name: Specifies the name of a tunnel group alias. This name can be any string that you choose, except that the string cannot contain spaces.

username
To add a user to the adaptive security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.

  username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]

username Parameters
  encrypted: Indicates that the password is encrypted (if you did not specify mschap).
When you define a password in the username command, the adaptive security appliance encrypts it when it saves it to the configuration for security purposes. When you enter the show running-config command, the username command does not show the actual password; it shows the encrypted password, which is followed by the encrypted keyword. For example, if you enter the password "test", the show running-config display would appear as something like the following (the sample output is not reproduced in this extract). The only time that you would actually enter the encrypted keyword at the CLI is if you are cutting and pasting a configuration to another adaptive security appliance and you are using the same password.

Parameter              Description
mschap                 Specifies that the password will be converted to Unicode and hashed using Message Digest 4 (MD4) after you enter it. Use this keyword if users are authenticated using Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1) or MS-CHAP version 2 (MS-CHAPv2).
name                   Specifies the name of the user as a string from 4 to 18 characters in length.
nopassword             Indicates that this user needs no password.
nt-encrypted           Indicates that the password is encrypted for use with MS-CHAPv1 or MS-CHAPv2. If you specified the mschap keyword when you added the user, then this keyword is displayed instead of the encrypted keyword when you view the configuration using the show running-config command.
password password      Sets the password as a string from 3 to 16 characters in length.
privilege priv_level   Sets a privilege level for this user from 0 to 15 (lowest to highest). The default privilege level is 2. This privilege level is used with command authorization.

username attributes
To enter username attributes mode, use the username attributes command in username configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username.
To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure attribute-value pairs for a specified user.

username name attributes

username attributes Parameters
Parameter   Description
name        Provides the name of the user.

group-lock
To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode. To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.

group-lock {value tunnel-grp-name | none}

group-lock Parameters
Parameter               Description
none                    Sets group lock to a null value, thus allowing no group-lock restriction. Prevents inheriting a group-lock value from a default or specified group policy.
value tunnel-grp-name   Specifies the name of an existing tunnel group that the adaptive security appliance requires for the user to connect.

Configuring Local Authentication
Implementation Guidelines
* Only use static passwords in small, single-device, low-risk environments.
* Strictly set the service type of local VPN user accounts to prevent these accounts from having management access.
* You can use the DefaultWebVPNGroup instead of a specific group; however, this will make it more difficult to differentiate users later on.

When implementing local password-based user authentication in an SSL VPN full tunnel solution, consider the following implementation guidelines:
■ Only use user authentication with static passwords and the local database in small, single-gateway, low-risk environments, as these passwords are reusable and typically easy to guess.
■ Always strictly set the service type of the users to only allow VPN access. This setting is extremely important to prevent unauthorized access to Cisco ASA adaptive security appliance management functions.
■ In this topic, all examples used a custom connection profile and a custom group policy. If all of your users share the same authentication method and access policies, you could also implement this by using only the DefaultWebVPNGroup connection profile and the default group policy. Note, however, that the approach that is taken in this topic makes it very easy to differentiate users later on, if needed.

Configuring Client IP Address Management, Basic Access Control, and Split Tunneling
This topic enables you to configure IP address management, basic access control, and split tunneling in a Cisco AnyConnect full tunnel SSL VPN.
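The commands from the preceding command reference (group policy, tunnel group, group-alias, group-lock, local username) and the two guidelines above, pulled together into one working configuration that also includes the address pool and split tunnel list this topic goes on to describe. This is an added example, not the course's lab configuration; the interface, image, pool, ACL, policy, profile and user names and the 10.255.0.0/24 and 10.0.0.0/8 addresses are assumed values.

```cisco
! Added example (not from the course): basic AnyConnect full tunnel SSL VPN
! with local password-based authentication. All names, addresses and the
! image file name are assumed values chosen for this example.
!
! SSL/TLS server on the interface that terminates the VPN, with the
! AnyConnect package and the alias drop-down enabled
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! Client addresses: private, and routed back to the ASA inside the network
ip local pool ANYCONNECT-POOL 10.255.0.1-10.255.0.254 mask 255.255.255.0
!
! Split tunneling: only traffic to 10.0.0.0/8 is sent through the tunnel
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
! Custom group policy: allow only the AnyConnect (svc) tunnel type, hand out
! the pool, apply split tunneling, and lock users to this connection profile
group-policy BASIC-ANYCONNECT-POLICY internal
group-policy BASIC-ANYCONNECT-POLICY attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 group-lock value BASIC-ANYCONNECT-PROFILE
!
! Custom connection profile (tunnel group), authenticating against the local
! database, with an alias that users can pick in the client
tunnel-group BASIC-ANYCONNECT-PROFILE type remote-access
tunnel-group BASIC-ANYCONNECT-PROFILE general-attributes
 authentication-server-group LOCAL
 default-group-policy BASIC-ANYCONNECT-POLICY
tunnel-group BASIC-ANYCONNECT-PROFILE webvpn-attributes
 group-alias Basic-profile enable
!
! Local VPN user. service-type remote-access is the guideline's "service
! type" setting: the account can only be used for VPN logins, not for
! CLI or ASDM management access.
username vpnuser password ExamplePassw0rd
username vpnuser attributes
 service-type remote-access
 vpn-group-policy BASIC-ANYCONNECT-POLICY
!
! Weak variant to avoid (shown commented out): the same user without
! service-type remote-access and with privilege 15 is also a management
! account, which is exactly what the guideline warns against.
! username vpnuser password ExamplePassw0rd privilege 15
```

After applying this, show running-config username shows the stored password followed by the encrypted keyword rather than the cleartext value, as described in the username command reference above.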
Client IP Address Assignment Overview
■ Full tunneling SSL VPNs need to assign an IP address to the client
  - Can be private
  - Needs to be routed to the security appliance
■ Address assignment options (as in Cisco Easy VPN)
  - Using a pool in the DfltGrpPolicy
  - Using a pool in a specific group policy
  - Per user in the local AAA (user) database
  - Per user or per group via a remote AAA server
  - Using a DHCP server

When clients connect using the full tunnel VPN methods, the VPN gateway will assign them an IP address on their virtual network interface (adapter), and the clients will use this IP address as their source IP address to access resources beyond the VPN gateway. These addresses can be from the private address space, but they need to be routed to the gateway (Cisco ASA adaptive security appliance) in the internal network.

There are five different IP address assignment options available in the Cisco ASA security appliance SSL VPN full tunnel solution. They are identical to the Cisco Easy VPN deployment methods and include the following:
■ Use a pool of IP addresses, which are configured on the Cisco ASA adaptive security appliance, and assign the pool to the default group policy. By default, these addresses are leased to all users (if their more specific policies do not provide other IP assignment methods).
■ Use a pool of IP addresses, which are configured on the Cisco ASA adaptive security appliance, and assign the pool to a specific custom group policy, and therefore to the specific connection profiles that use that group policy.
■ Configure the addresses as part of the user account in the local user database, enabling per-user IP addresses.
■ Configure the addresses as part of the user account in a remote (AAA) user database, enabling per-user IP addresses.
■ Use a DHCP server, which the Cisco ASA adaptive security appliance will query to obtain an IP address for remote clients.

Address Assignment and Access Control
Optional Configuration Tasks (Identical to Cisco Easy VPN)
1. Define IP address assignment methods.
2. Configure an address pool.
3. Assign an address pool to the group policy. Alternatively, assign per-user IP addresses to users.
4. Configure interface ACL bypass.
5. Configure interface ACLs. Alternatively, configure per-profile and per-user ACLs.
6. Configure split tunneling.

To configure client IP address assignment, basic access control, and split tunneling, you may need to perform some of the optional configuration tasks that have been explained in the lesson on Cisco Easy VPN. The procedures surrounding Cisco Easy VPN will not be further discussed in this lesson. The optional tasks are as follows:
1. Globally configure the allowed IP address assignment methods on the Cisco ASA adaptive security appliance.
2. Configure IP address pools, if you decide to use pools from which users can lease client IP addresses.
3. A) Assign the configured IP address pool to the default or specific custom group policy. B) Optionally, if you require per-user IP addresses, assign IP addresses to individual users, where each user "owns" a particular IP address.
4. Configure interface access control list (ACL) bypass.
5. A) Configure interface ACLs. B) Configure per-profile and per-user ACLs.
6. Configure split tunneling.

Note: You need to configure either per-group-policy or per-user IP addresses.
If you configure no address assignment, SSL VPN full tunnel connections to the Cisco ASA adaptive security appliance will fail.

Client IP Address Assignment Deployment Choices
Deployment choice                                        When to use it
Use of one local pool for all users (DfltGrpPolicy)      When all users share the same policy in this and other parts of the network
Use of per-profile pools in group policies               When you need to distinguish users of this profile in other network devices
Use of per-user IP addresses (local or remote AAA)       When you need to distinguish this user in other network devices
Use of DHCP servers                                      When you are using completely centralized IP address management, or, with multiple VPN servers, when a group policy (existing on multiple ASAs) has an associated IP address range

The selection of the IP assignment method should be based on the following criteria:
■ If all of your users will share a common VPN policy on the Cisco ASA adaptive security appliance, and also in other parts of the protected network, where you may use other IP-address-based access controls, you can consider using a local pool of IP addresses that is assigned to the default group policy.
■ If you want to differentiate between multiple groups of users on the Cisco ASA adaptive security appliance, and also in other parts of the protected network, you should consider using local pools of IP addresses that are assigned to the specific group policies and, as a consequence, to specific connection profiles.
■ If you want to assign specific, per-user policies on the Cisco ASA adaptive security appliance, and especially in other parts of the protected network, you should consider using assigned per-user IP addresses. This approach also simplifies user auditing and tracking, as each user is always uniquely identified by a particular IP address when connected to the VPN.
■ If your IP address assignment is completely centralized, using a DHCP server, you can consider reusing the DHCP server to also assign VPN IP addresses. The DHCP server must assign addresses in a VPN with multiple VPN servers, when a group policy (existing on multiple Cisco ASA adaptive security appliances) has an associated IP address range.

Installing and Configuring the Cisco AnyConnect Client
This topic enables you to install, configure, and verify the predeploy version of the Cisco AnyConnect client.

Cisco AnyConnect Client Installation Options
■ Predeploy installation package:
  - Standalone installer (EXE, MSI, CAB, DMG, tar.gz)
  - Must be downloaded to clients
■ Web installation:
  - Using PKG files on the Cisco ASA security appliance
  - Via an SSL VPN clientless session (web launch)

The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliance running Cisco ASA Software Release 8.0 and higher. It does not work with a Cisco PIX device or with Cisco VPN 3000 Series Concentrator Software. As the network administrator, you configure the Cisco AnyConnect client features on the Cisco ASA adaptive security appliance. Then, you can load the client software on the Cisco ASA adaptive security appliance and have it automatically download to remote users when they log in using web launch, or you can manually install the Cisco AnyConnect client software as an application on the client PCs. The Cisco AnyConnect client allows user profiles to be displayed in the user interface that define the names and addresses of VPN gateways. The network administrator can assign particular features to individual users or groups.

Note: Initial installation of the Cisco AnyConnect client requires administrator privileges.
The Cisco AnyConnect VPN Client packages can be downloaded from the Cisco website and uploaded to the Cisco ASA adaptive security appliance so that clients can download the software as needed.

Web Launch (Via SSL VPN Clientless Session)
The web launch installation method requires that the client system connect to the Cisco ASA adaptive security appliance by using a compliant web browser over an SSL connection. After being connected and authenticated, the user will be redirected by the security appliance to the Cisco AnyConnect VPN Client installation through ActiveX or Java. After the remote device has successfully installed the new software, the Cisco AnyConnect VPN Client will automatically log the user onto the network using the credentials that were originally supplied during the web session.

Manual Installation
In addition to the autodownload packages that are available from the Cisco ASA adaptive security appliance, the remote device can also install the Cisco AnyConnect VPN Client manually by using an MSI installer on Windows-based systems. This installer is not a downloaded package from the security appliance, and the client will not be required to use a web browser for initial access to the network. After it is installed, the VPN client can be used to access the desired network resources.
Note: In this topic, you will learn to use the manual installation of the predeploy Cisco AnyConnect client.

Cisco AnyConnect Client
Cisco AnyConnect VPN Client 2.4 Supported Platforms
Microsoft Windows   Microsoft Windows 7 (32-bit and 64-bit); Microsoft Windows Vista (32-bit and 64-bit) Service Pack (SP) 2, or Vista SP1 with KB952876; Microsoft Windows XP SP2 and SP3; Microsoft Windows Mobile
Linux               Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x
Mac OS X            Mac OS X 10.5; Mac OS X 10.6 and 10.6.1 (both 32-bit and 64-bit)

The Cisco AnyConnect client supports the following operating systems:
■ Microsoft Windows 7, Windows Vista, Windows XP, and Windows Mobile
■ Mac OS X (version 10.5 or later) on either Intel or PowerPC
■ Red Hat Linux (version 9 or later)
■ Ubuntu 9 or later
See the Release Notes on Cisco.com for the full set of platform requirements and supported

Cisco AnyConnect Client Configuration Tasks
1. Install the predeploy Cisco AnyConnect client.
2. Verify the presence of the CA certificate.
3. Configure basic Cisco AnyConnect profile settings.
4. Establish the SSL VPN connection.

In order to install and configure the AnyConnect client in a basic Cisco AnyConnect full tunnel solution, you will perform the following configuration tasks:
1. Manually install the Cisco AnyConnect client on the remote user PC.
2. Verify that the client has the necessary root CA certificates installed. The client should have a local, authentic copy of the CA certificate that was used to issue the Cisco ASA adaptive security appliance identity certificate.
3. Configure basic Cisco AnyConnect profile settings (the fully qualified domain name of the Cisco ASA adaptive security appliance).
4. Establish the SSL VPN full tunnel connection.

Cisco AnyConnect Client Configuration Scenario
(Figure: configuration scenario diagram)
The figure presents the configuration scenario that is used in upcoming configuration tasks. The Cisco AnyConnect client will be installed on a Microsoft Windows XP system, and the Cisco ASA adaptive security appliance will use an identity certificate that was issued by the global PKI. The name vpn.domain.com will resolve to the security appliance outside interface IP address. This name will also be the identifier of the appliance in its identity certificate. The Cisco ASA adaptive security appliance will authenticate the remote users by using the username and password method.

Cisco AnyConnect Client Task 1: Install the Predeploy AnyConnect Client
In the first task, you will install the predeploy version of the Cisco AnyConnect client. Perform the following steps on your client system:
Step 1   Obtain the MSI installation package of the Cisco AnyConnect client from Cisco.com, and transfer it to the client.
Step 2   Double-click the MSI installation package to start the installation process.
Step 3   Click Next to start the installation dialog.
Step 4   Examine the license agreement, check the I Accept the Terms of the License Agreement check box, and click Next.
Step 5   Click Install to start the installation process.
Step 6   Click Finish to close the installer.

Cisco AnyConnect Client Task 2: Verify Server Certificate
The client certificate store must include the correct CA certificate:
■ Cisco AnyConnect uses the system certificate store and preinstalled global CAs.
■ This certificate must be obtained via a secure channel.
■ If using an internal CA, import an authentic copy of your CA certificate.
(Figure: Windows certificate console, Trusted Root Certification Authorities store)

In Task 2, on the client PC, examine the installed root CA certificates to determine that the CA that issued the Cisco ASA security appliance identity certificate is present. This verification will prevent certificate warnings from being displayed at SSL/TLS session establishment, and allow you to authenticate the appliance VPN gateway.

Typically, with global CAs, this verification will not be an issue, as their CA certificates are embedded in the default operating system install or operating system updates. If you are using a nonglobal PKI, install the CA certificate on all client PCs.

Cisco AnyConnect Client Task 3: Configure Basic Cisco AnyConnect Profile Settings
Start the Cisco AnyConnect client and specify gateway address information:
■ The DNS name must match the name of the security appliance in the certificate canonical name field.
■ By clicking Select, the client will connect to the gateway.

In Task 3, start the Cisco AnyConnect client and configure it with Cisco ASA adaptive security appliance VPN gateway information. In the Connect To field, enter the fully qualified domain name that resolves to the SSL-VPN-terminating interface of the security appliance. In the example, the vpn.domain.com fully qualified domain name (FQDN) has been used. This name must match the canonical name in the identity certificate of the Cisco ASA adaptive security appliance; otherwise, you will receive certificate name mismatch warnings. Click Select to make the Cisco AnyConnect client connect to the Cisco ASA adaptive security appliance using an SSL/TLS session.
Cisco AnyConnect Client Task 4: Establish the SSL VPN Connection
The client will download instructions for its next action from the gateway:
■ Prompt for user authentication
■ Enter your VPN username and password
■ Click Connect to establish the SSL VPN tunnel

After the initial connection, the Cisco ASA adaptive security appliance will push instructions for the next step of VPN establishment to the Cisco AnyConnect client. In the example, the AnyConnect client will display the list of configured connection profile aliases (in the example, Basic profile, referencing the BASIC-ANYCONNECT-PROFILE, is the only available alias) and prompt you for user authentication. Enter your credentials, and click Connect to establish the VPN connection.

Cisco AnyConnect Client Tasks 3 and 4: Alternatively, Using Web Launch
(Figure: SSL VPN Service login page for vpn.domain.com)

Alternatively, you can use the web launch feature to start the VPN connection by using a browser. If no web portal has been configured (for example, a clientless SSL VPN was not enabled on the security appliance interface), the security appliance will automatically start the Cisco AnyConnect client (using an ActiveX or Java applet, automatically selected depending on the user environment) after the user logs into the main page. The Cisco AnyConnect client will use the credentials that are supplied for the web page to attempt to log the user into the network.

Verifying Cisco AnyConnect Session
Client-Side Verification
The AnyConnect client will automatically minimize by default.
■ Open the AnyConnect GUI from the tray to examine session properties
■ Nonzero sent and received bytes indicate proper routing to and from VPN addresses
■ Details will reveal additional feature properties

The Cisco AnyConnect VPN Client will automatically minimize after a successful connection. You can verify connection properties by clicking the AnyConnect icon in the Windows icon tray. In its Statistics pane (not shown in the example), you can observe the state of the connection, the IP address that is assigned to the client, the bytes that are sent and received through the tunnel, and the connection time. By clicking the Details button, you can observe more detailed feature properties (shown in the example).

Note: The client interface (Connection Pane > Disconnect) can also be used to log the user out.

Verifying Cisco AnyConnect Session
Client-Side Verification (Cont.)
(Figure: Route Details tab; a client without split tunneling on the left, a client with split tunneling on the right)

To verify the state of split tunneling and routing on the client, you can navigate to the Route Details tab of the Details window.

On the left side, you can see a client that is configured with no split tunneling (that is, the default setting). In the Secured Routes pane, you can see the default network 0.0.0.0/0 instructing all traffic to enter the tunnel. You can also verify this setting by using the route print Windows CMD command, where a default route should point to the VPN adapter (recognized by its assigned IP address).

On the right side, you can see a client that is configured for split tunneling. In the Secured Routes pane, you can see the 10.0.0.0/8 network instructing only traffic to this specific network to enter the tunnel. You can also verify this setting by using the route print Windows CMD command, where a route to this network should point to the VPN adapter (recognized by its assigned IP address, 10.255.0.11). The default route should point to the physical interface of the client (172.16.1.200, in the example).

Verifying Cisco AnyConnect Session
Gateway-Side Verification
To verify the connection of the client on the Cisco ASA adaptive security appliance, use Cisco ASDM to choose Monitoring > VPN > VPN Statistics > Sessions. From the drop-down menu, choose SSL VPN Client in the Filter By field. The VPN session should be displayed in the main pane.

In the example, you can see that the SSL VPN user with the vpnuser username has been assigned the 10.255.0.200 IP address. The group policy that is being used is BASIC-ANYCONNECT-POLICY, and the connection profile is BASIC-ANYCONNECT-PROFILE.

Verifying Cisco AnyConnect Session
Gateway-Side CLI Verification
(Figure: show vpn-sessiondb svc output)
In the CLI, use the show vpn-sessiondb svc command to obtain the same information.

show vpn-sessiondb
To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail. It also lets you specify the type of sessions to display, and it provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy | svc} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive}] [sort {name | ipaddress | a-ipaddress | p-ipaddress | tunnel-group | protocol | encryption | inactivity}]

show vpn-sessiondb Parameters
Parameter   Description
detail      (Optional) Displays extended details about a session.
            For example, using the detail option for an IPsec session displays additional details such as the Internet Key Exchange (IKE) hashing algorithm, authentication mode, and rekey interval. If you choose detail with the full option, the adaptive security appliance displays the detailed output in a machine-readable format.
filter filter_criteria   (Optional) Filters the output to display only the information you specify by using one or more of the filter options.
full        (Optional) Displays streamed, untruncated output. Outputs
Remote Access VPN > Network (Client) Access > Group Policies and add a new group policy or edit an existing group policy. In the group policy dialog box, expand the Advanced selection and click SSL VPN Client.
■ In the SSL VPN Client dialog box, uncheck Inherit for the Optional Client Modules to Download check box. Choose the DART module in the option drop-down list.
■ If the version of Cisco ASDM that you are using does not have the DART option check box, enter the keyword dart in the field. Click OK, and then click Apply.

Manually Installing DART on the Host
Perform these steps to install DART using the standalone package:
Step 1   Obtain the DART software from Cisco.com (http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect). Store the anyconnect-dart-win-2.4.version-k9.pkg file locally.
Step 2   Using a file compression utility, extract the contents of the anyconnect-dart-win-2.4.version-k9.pkg file and maintain the directory structure.
Step 3   Open the binaries directory that is created from extracting the contents of the anyconnect-dart-win-2.4.version-k9.pkg file.
Step 4   Double-click the anyconnect-dart-win-2.4.version-k9.msi file to launch the DART Setup Wizard.
Step 5   Follow the wizard prompts. The installation wizard installs DartOffline.exe in the C:\Program Files\Cisco\Cisco DART directory. Click Finish to complete the installation.

Troubleshooting Cisco AnyConnect SSL VPNs
Task 2: Collect Diagnostic Information
(Figure: DART wizard, Bundle Creation Option dialog box)

You must launch the DART wizard to collect diagnostic information. Follow these steps to create a DART bundle on a Windows PC:
Step 1   Start the DART wizard by using one of the two options:
         ■ From the Cisco AnyConnect client GUI, click the Statistics tab and then click the Details button at the bottom of the dialog box. This action opens the Statistics Details dialog box. Click Troubleshoot at the bottom of the Statistics Details window.
         ■ From the Start menu, choose and launch the DART wizard.
Step 2   Click Next at the Welcome screen. This brings you to the Bundle Creation Option dialog box.
Step 3   In the Bundle Creation Option area, choose Default or Custom:
         ■ The Default option includes the typical log files and diagnostic information, such as the Cisco AnyConnect and Cisco Secure Desktop log files, general information about the computer, and a summary of what DART did and did not do.
         ■ When you choose Default and then click Next at the bottom of the dialog box, DART immediately begins creating the bundle. The default name for the bundle is DARTBundle.zip, and it is saved to the local desktop.
         ■ If you choose Custom, the DART wizard will present you with more dialog boxes after you click Next. These boxes will allow you to specify which files you want to include in the bundle and where to store the bundle.
Step 4   If you want to encrypt the DART bundle, in the Encryption Option area, check the Enable Bundle Encryption check box. Then, enter a password in the Encryption Password field. Optionally, check the Mask Password check box.
         This selection will cause the password that you enter in the Encryption Password and Reenter Password fields to be masked with asterisks (*). Follow the wizard to create the bundle.

Troubleshooting Cisco AnyConnect SSL VPNs
Task 3: (Optional) Examine Gathered Data
Three folders:
■ Cisco AnyConnect VPN Client
■ Cisco Secure Desktop
■ General Information
Summary.txt

DART generates a bundle that is useful when escalating the problem to Cisco TAC or another troubleshooting team. The bundle, when unpacked, contains three folders with diagnostic information: Cisco AnyConnect VPN Client, Cisco Secure Desktop, and General Information. You may examine the logs when you are troubleshooting AnyConnect problems.

Troubleshooting Cisco AnyConnect SSL VPNs
Troubleshooting Flow
If you are encountering session establishment issues, you may follow these steps to troubleshoot the issues:
Step 1   First, check that the SSL/TLS session initially establishes, and that there are no negotiation problems that are related to the use of incompatible protocol versions or cipher suites. You can observe these issues in the Cisco AnyConnect GUI, but you will obtain more detailed and specific information by examining Cisco ASA adaptive security appliance syslog messages.
Step 2   If the SSL/TLS negotiation completes with no errors, check whether user authentication works and whether the user is supplying the correct credentials. The Cisco ASA adaptive security appliance will clearly indicate these issues in its syslog messages.
Step 3   Next, check whether the connection profile and the associated group policy allow SSL VPN tunnels. The Cisco ASA adaptive security appliance will clearly indicate these issues in its syslog messages.
Step 4   Finally, verify that the Cisco ASA adaptive security appliance is able to assign an IP address to the client. The IP Address Assignment (IPAA) subsystem will extensively log to the syslog subsystem to indicate any issues.

If all these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.

Troubleshooting Cisco AnyConnect SSL VPNs
Troubleshooting Flow (Cont.)
If your SSL VPN session establishes, but there is no connectivity over the tunnel, you may follow these steps to troubleshoot the issue:
Step 1   First, if you are using split tunneling, check that the correct routes (networks) to the tunneled destination are present in the routing table of the client PC. You can observe this information in the Cisco AnyConnect GUI, or by examining the routing table of the client PC.
Step 2   Next, verify that the Cisco ASA adaptive security appliance is not denying traffic from the VPN tunnel. Examine the Cisco ASA adaptive security appliance syslog to see messages regarding permitted or denied packets.
Step 3   Finally, verify that the protected network has a route to the client-assigned addresses by examining routing tables in internal network routers along the path to the destination.

If all these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.
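The gateway-side checks behind the four session establishment steps above and the first step of the connectivity flow, as Cisco ASA show commands. This is an added example, not from the course; the profile, policy, pool and user names are the assumed values used in this lesson's scenario.

```cisco
! Added example (not from the course). Privileged EXEC; names are assumed.
!
! Session establishment, Step 1: SSL/TLS negotiation. Check the protocol
! versions and cipher suites the ASA offers, and the identity certificate
! (and issuing CA) it presents to the client.
show ssl
show running-config ssl
show crypto ca certificates
!
! Step 2: user authentication. Failed logins are reported in syslog;
! narrow the buffer to the user in question.
show logging | include vpnuser
!
! Step 3: tunnel type. The group policy that the profile hands out must
! contain "vpn-tunnel-protocol svc" (or inherit it) for AnyConnect.
show running-config tunnel-group BASIC-ANYCONNECT-PROFILE
show running-config group-policy BASIC-ANYCONNECT-POLICY
!
! Step 4: IP address assignment. The global assignment method must allow
! the source being used (local pool here), the pool must exist, and it
! must not be exhausted. IPAA failures also appear in syslog.
show running-config vpn-addr-assign
show ip local pool ANYCONNECT-POOL
show logging | include IPAA
!
! Once the session is up: assigned address, group policy, connection
! profile, and (with detail) the split tunnel list and byte counters, which
! cover the first step of the "no connectivity" flow from the gateway side.
show vpn-sessiondb svc filter name vpnuser
show vpn-sessiondb detail svc filter name vpnuser
```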
Troubleshooting Cisco AnyConnect SSL VPNs
Gateway-Side Issues
■ No shared SSL/TLS cipher suite between client and gateway
■ SSL VPN full tunnel not enabled for the user, connection profile, or group policy
(Figure: syslog messages for both issues; the cipher suite list in the output is not legible in this extract)

The outputs in this figure list the Cisco ASA adaptive security appliance syslog messages that indicate two common session establishment issues: a failed SSL/TLS negotiation due to incompatible cipher suites, and a session teardown due to the SSL VPN full tunnel function not being enabled for a user, a connection profile, or a group policy.

Troubleshooting Cisco AnyConnect SSL VPNs
Gateway-Side Issues (Cont.)
■ Client authentication failure: bad password
■ No IP address pool assigned to a specific or default group policy
(Figure: syslog messages for both issues, shown on the console after enabling logging console)

The outputs in this figure list the Cisco ASA adaptive security appliance syslog messages that indicate failed user authentication due to a bad password, and a failed IP address assignment due to a lack of IP address pools configured on the Cisco ASA adaptive security appliance.

Troubleshooting Cisco AnyConnect SSL VPNs
Client-Side Issues: Certificates
■ A certificate warning can appear because of:
  - An unverifiable security appliance identity certificate
  - A name mismatch between the certificate canonical name and the AnyConnect profile hostname
  - An expired security appliance identity certificate
■ You should never see this issue in production use: this message indicates a man-in-the-middle attack
  - If users are conditioned to accept, they negate all SSL/TLS protection

On the client, the most common issue that you may observe is a certificate warning at VPN session establishment.
There are three main reasons for this message to appear:

* The Cisco ASA adaptive security appliance identity certificate is not verifiable, because the client lacks the CA certificate that is needed to verify the signature on the appliance identity certificate. To resolve this issue, install an authentic copy of the CA certificate on the client, obtained through a trusted channel and not over the very connection that produced the warning.
* A name mismatch between the name that is specified in the Cisco AnyConnect profile (in the Connect To field) and the common name (CN) in the security appliance identity certificate. To resolve this issue, change either of these values to match the other.
* An expired Cisco ASA adaptive security appliance identity certificate. To resolve this issue, renew the security appliance identity certificate.

You should never see these issues occurring during production use of the network. If users are conditioned to proceed with the VPN connection despite these warnings, their VPN connections will be vulnerable to man-in-the-middle interception attacks, where the attacker poses as the Cisco ASA adaptive security appliance and terminates the VPN connections of legitimate users. This warning is the only indication the user gets of such an attack, so treat every occurrence in production as a potential attack until a configuration error explains it.

Troubleshooting Cisco AnyConnect SSL VPNs
Client-Side Notifications

During session establishment, the client displays informative messages that you can use to pinpoint the cause of an issue. The figure shows the five common scenarios and the messages that they produce inside the Cisco AnyConnect GUI.

[Figure: the five common client-side scenarios and the corresponding Cisco AnyConnect GUI messages]

Troubleshooting Cisco AnyConnect SSL VPNs
Client-Side Notifications: Windows Event Viewer

The Cisco AnyConnect client also uses the Windows Event Log to store all error messages, as well as informational messages about client operation. You can use the Windows Event Viewer to examine this log for past and current issues with client operation.
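The three checks behind the certificate warning, as an added example that is not part of the course and is not Cisco's client code. It operates on a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate and the set of trusted CA names are constructed for the example. Two simplifications go beyond what the page states: names are taken from the subjectAltName DNS entries first and from the CN only when there are none, as TLS clients generally do, and "unverifiable" is reduced to "the issuer is not a CA we distributed to the client" because the signature itself is checked by the TLS library, not here.

```python
"""Check a gateway identity certificate the way the AnyConnect warning does.

Added example for this course page; not Cisco code. Input is the dict shape
produced by ssl.SSLSocket.getpeercert(); the certificate and trust store here
are constructed samples. Signature verification is left to the TLS library
(ssl.CERT_REQUIRED); this code only answers "would the client warn, and why?".
"""
import ssl
import time


def as_epoch(cert_time):
    """Convert a certificate time string such as 'Jan  1 00:00:00 2012 GMT' to seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def name_matches(pattern, host):
    """RFC 6125 style comparison: a single leading '*' may stand for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must replace one label and leave at least two fixed labels.
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries first, CN only as a fallback."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def issuer_cn(cert):
    """Common name of the issuing CA, or None if the certificate has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_identity_cert(cert, profile_host, trusted_ca_cns, now=None):
    """Return the reasons the client would warn; an empty list means no warning."""
    now = time.time() if now is None else now
    problems = []
    if issuer_cn(cert) not in trusted_ca_cns:
        problems.append("unverifiable: issuer %r is not a CA installed on the client" % issuer_cn(cert))
    names = cert_dns_names(cert)
    if not any(name_matches(n, profile_host) for n in names):
        problems.append("name mismatch: profile host %r not covered by %r" % (profile_host, names))
    if as_epoch(cert["notAfter"]) < now:
        problems.append("expired: notAfter %s" % cert["notAfter"])
    elif as_epoch(cert["notBefore"]) > now:
        problems.append("not yet valid: notBefore %s" % cert["notBefore"])
    return problems


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.domain.com"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp Root CA"),)),
    "subjectAltName": (("DNS", "vpn.domain.com"), ("DNS", "*.gw.domain.com")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}
TRUSTED_CAS = {"Example Corp Root CA"}   # CA names pushed to the clients (constructed)

if __name__ == "__main__":
    when = as_epoch("Jun  1 00:00:00 2011 GMT")
    for host in ("vpn.domain.com", "gw1.gw.domain.com", "sslvpn.domain.com"):
        print(host, check_identity_cert(SAMPLE_CERT, host, TRUSTED_CAS, now=when) or "OK")
```

Run it against the real appliance by replacing SAMPLE_CERT with the dict from a CERT_REQUIRED handshake to the gateway; any non-empty result is something to fix on the appliance or in the profile before users see the warning and learn to click through it.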
Summary

This topic summarizes the key points that were discussed in this lesson.

Summary

* A basic full tunneling SSL VPN involves basic gateway configuration, user authentication, address assignment, and access control configuration.
* In basic gateway configuration, you should enable the SSL/TLS server and provision the identity certificate of the Cisco ASA adaptive security appliance.
* Basic user authentication uses the local user database.
* You have multiple options for IP address assignment, and you can create general, per-user, or per-profile access controls.
* The Cisco AnyConnect client can be installed manually or by using the web launch feature through a clientless SSL VPN session.
* Use the DART tool, Cisco AnyConnect warning messages, and logging messages on the Cisco ASA adaptive security appliance to troubleshoot SSL VPN session establishment.

Lesson 2

Deploying Advanced Cisco AnyConnect VPN Client

Overview

Different deployment objectives require a scalable and flexible solution.
This lesson enables you to deploy and manage the advanced deployment functionality of the Cisco AnyConnect VPN Client.

Objectives

Upon completing this lesson, you will be able to deploy and manage the advanced centrally configured features of the Cisco AnyConnect VPN Client. This ability includes being able to meet these objectives:

* Configure and verify DTLS encapsulation in Cisco ASA adaptive security appliance Cisco AnyConnect full tunnel VPNs
* Choose centrally controlled client functions in Cisco AnyConnect full tunnel SSL VPNs
* Manage Cisco AnyConnect software
* Configure and verify Cisco AnyConnect client profiles
* Deploy advanced Cisco AnyConnect operating system integration options
* Configure and verify Cisco AnyConnect user interface customization

Configuration Choices, Basic Procedures, and Required Input Parameters

This topic provides an overview of how to choose centrally controlled client functions in Cisco AnyConnect full tunnel Secure Sockets Layer (SSL) virtual private networks (VPNs).

Advanced Cisco AnyConnect Deployment Options
Deployment Tasks

1. Deploy Datagram Transport Layer Security (DTLS).
2. Manage the Cisco AnyConnect software.
3. Configure Cisco AnyConnect gateway-deployed settings.
4. Deploy advanced Cisco AnyConnect operating system integration options.
5. Customize the Cisco AnyConnect user interface.

The deployment tasks for centrally controlled client functions in the Cisco AnyConnect VPN Client include the following:

1. Deploy Datagram Transport Layer Security (DTLS).
2. Manage Cisco AnyConnect software.
3. Configure Cisco AnyConnect gateway-deployed settings.
4. Deploy advanced Cisco AnyConnect operating system integration options.
5. Customize the Cisco AnyConnect user interface.
Before you deploy the Cisco AnyConnect VPN Client, several input parameters need to be examined in order to ensure success:

* Ensure that the Cisco AnyConnect VPN Client exists for the operating systems that are used by your clients.
* Determine the experience and environment integration needs of future VPN users in order to select the customization options that need to be deployed.
* Consult the client security policy to determine software update requirements.
* Determine any requirements for Cisco AnyConnect user interface customization and localization. These needs can differ based on the country where the Cisco AnyConnect client is used, owing to different laws, different languages, and so on.

Deploying DTLS

This topic describes how to improve Cisco AnyConnect VPN Client performance by using Datagram Transport Layer Security (DTLS).

Datagram Transport Layer Security
Overview

* Standard protocol (RFC 4347)
* Based on TLS
* Equivalent security to TLS
* UDP transport
  - Avoids latency and bandwidth problems
  - No retransmission of lost packets by the VPN transport
  - Only application retransmission
  - Improves the performance of real-time applications that are sensitive to packet delays

Datagram Transport Layer Security (DTLS) is an alternative VPN transport protocol to Secure Sockets Layer (SSL)/Transport Layer Security (TLS). DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. DTLS mitigates the latency and bandwidth problems that are associated with some SSL-only connections, and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP.
It is defined in RFC 4347. DTLS improves application performance in two ways:

* User Datagram Protocol (UDP) transport does not stipulate any retransmissions on the VPN layer. If VPN packets are lost in transit, only the TCP stacks of the application endpoints retransmit the data. In contrast, when VPN packets that are transported over an SSL session are lost, both the SSL VPN endpoint (the TCP connection that carries the tunnel) and the TCP stack of the application endpoint retransmit the packet, which is the well-known TCP-over-TCP problem.
* UDP is simpler than TCP, creates less overhead, and consumes fewer resources.

Datagram Transport Layer Security
Deployment

* DTLS enabled:
  - TLS is used to negotiate and establish the DTLS connection (control messages and key exchange)
  - Two simultaneous tunnels: TLS and DTLS
  - DTLS fallback to TLS in case of DTLS tunnel failure
  - Automatic, requires DPD
* DTLS disabled:
  - Clients connect with an SSL VPN tunnel only

Enabling DTLS allows the Cisco AnyConnect VPN Client that is establishing an SSL VPN connection to use two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. The SSL/TLS channel is used to negotiate and establish the DTLS tunnel by exchanging a series of secured control and key exchange messages. The security appliance supports an automatic fallback from DTLS to TLS if DTLS is no longer working. The DTLS-to-TLS fallback requires that dead peer detection (DPD) is enabled; DPD is described later in this lesson. If the DTLS tunnel stops working and DPD is not enabled, connectivity is broken: the client keeps sending data into the dead DTLS tunnel, because nothing tells it to move back to the TLS tunnel.

If you do not enable DTLS, Cisco AnyConnect client users who are establishing SSL VPN connections connect with an SSL VPN tunnel only.

Configuring DTLS
Enable DTLS Globally

* DTLS takes precedence over SSL.
* DTLS is enabled by default.
* Default DTLS port is 443

[Figure: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, with DTLS enabled on the outside interface]

When configuring DTLS, you have to first make sure that DTLS is enabled globally. To configure DTLS globally, complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

Step 2 Choose an interface that is configured for an SSL VPN.

Step 3 Check the check box under the Enable DTLS column for the desired interface.

Note: By default, the SSL VPN wizard enables DTLS on the interface that is configured for the Cisco AnyConnect SSL VPN service.

Step 4 Enter the DTLS port number (UDP) in the DTLS Port field. The default value is 443, the same port number that SSL/TLS uses over TCP. Remember that this is a UDP port: any firewall between the clients and the security appliance must permit UDP port 443 in addition to TCP port 443, or the DTLS tunnel never comes up and every session silently runs over TLS only.

Step 5 Click Apply to apply the configuration.

In this figure, the outside interface is configured to use DTLS with the Cisco AnyConnect SSL VPN.

Configuring DTLS
Configure DTLS in Group Policy

* DTLS can be activated at the group or user policy level
  - Must be enabled on an interface
* DfltGrpPolicy has DTLS activated by default

[Figure: Configuration > Remote Access VPN > Network (Client) Access > Group Policies and Configuration > Remote Access VPN > AAA / Local Users > Local Users, SSL VPN Client settings]

Once enabled on an interface, DTLS can be activated in group policy or individual user settings. To configure DTLS at the group policy or user level, complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.

Step 2 Choose the policy that you want to edit, and then click the Edit button. If you want to activate DTLS for individual users, choose the Configuration > Remote Access VPN > AAA / Local Users > Local Users submenu and perform the same action.
Inside the group policy or user configuration window, choose the Advanced > SSL VPN Client submenu, and choose the desired option (Inherit, Enable, or Disable) that is associated with DTLS.

Note: DTLS is activated by default in the default group policy (DfltGrpPolicy). By default, all other group policies and users inherit from DfltGrpPolicy, so if you leave the Inherit check box selected, DTLS is effectively activated for the group or user.

Step 3 Click OK.

Step 4 Click Apply to apply the configuration.

In this figure, DTLS is enabled in the SSL VPN group policy named SalesGroupPolicy.

Configuring DTLS
CLI Configuration

  webvpn
   enable outside
   dtls port 443
  group-policy BASIC-ANYCONNECT-POLICY attributes
   webvpn
    svc dtls enable

The figure illustrates the DTLS-related command-line interface (CLI) configuration that is applied to the Cisco ASA adaptive security appliance in this procedure. Use the dtls port command in webvpn configuration mode to set the DTLS port number. The default port is 443, and the default value is not shown in the running configuration. In the example, the SSL VPN is enabled on the outside interface, DTLS is enabled by default, and the DTLS port is set to port 443. To enable DTLS in a group policy, enter group-policy configuration mode, then enter webvpn mode and use the svc dtls enable command. In the example, DTLS is enabled in the BASIC-ANYCONNECT-POLICY group policy.

webvpn

To enter webvpn mode, enter the webvpn command in global configuration mode. To remove any commands that are entered in this mode, use the no webvpn command.
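The fallback behaviour described under Deployment above, as an added simulation that is not Cisco code and not AnyConnect's implementation. The two tunnels are modelled as paths that either deliver a datagram or drop it silently, a tick counter stands in for time, and the DPD interval and the number of unanswered probes that declare the DTLS tunnel dead are assumed values chosen for the model. Running it with and without DPD shows why the course says the fallback requires DPD: without it the client never learns that UDP port 443 has gone dark.

```python
"""Model of AnyConnect's DTLS/TLS tunnel pair and the DPD-driven fallback.

Added example for this course page; not Cisco code. Probe interval and miss
threshold are assumed values for the simulation, not AnyConnect's real timers.
"""
from dataclasses import dataclass, field

DPD_INTERVAL = 5     # ticks between DPD probes on the DTLS tunnel (assumed)
DPD_MAX_MISSES = 3   # unanswered probes before DTLS is declared dead (assumed)


@dataclass
class Tunnel:
    name: str
    alive: bool = True                              # does the path deliver packets?
    delivered: list = field(default_factory=list)   # what the far end received

    def send(self, payload):
        """Return True if the peer received the packet; a dead path drops it silently."""
        if self.alive:
            self.delivered.append(payload)
        return self.alive


@dataclass
class Client:
    tls: Tunnel                 # TCP 443 control channel, also carries data on fallback
    dtls: Tunnel                # UDP 443 data channel, preferred while it works
    dpd_enabled: bool
    active: str = "dtls"        # DTLS takes precedence over TLS
    missed: int = 0
    tick: int = 0
    lost: list = field(default_factory=list)

    def clock(self):
        """Advance one tick; if DPD is enabled, probe the DTLS tunnel on schedule."""
        self.tick += 1
        if not (self.dpd_enabled and self.active == "dtls" and self.tick % DPD_INTERVAL == 0):
            return
        if self.dtls.send("DPD-probe"):
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= DPD_MAX_MISSES:
                self.active = "tls"   # fall back; the TLS channel never went away

    def send(self, payload):
        """Send application data on the active tunnel and record silent losses."""
        tunnel = self.dtls if self.active == "dtls" else self.tls
        if not tunnel.send(payload):
            self.lost.append(payload)
        return self.active


def simulate(dpd_enabled, dtls_dies_at=10, duration=40):
    """Run a session in which UDP 443 stops passing at tick dtls_dies_at.

    Returns (transport in use at the end, packets delivered over TLS, packets lost).
    """
    client = Client(tls=Tunnel("TLS/TCP 443"), dtls=Tunnel("DTLS/UDP 443"), dpd_enabled=dpd_enabled)
    for _ in range(duration):
        client.clock()
        if client.tick == dtls_dies_at:
            client.dtls.alive = False   # e.g. a middlebox starts dropping UDP 443
        client.send("data-%d" % client.tick)
    return client.active, len(client.tls.delivered), len(client.lost)


if __name__ == "__main__":
    print("with DPD:   ", simulate(True))    # falls back to TLS after 3 missed probes
    print("without DPD:", simulate(False))   # keeps sending into the dead DTLS tunnel
```

With DPD the session loses the packets sent between the failure and the third missed probe and then continues over TLS; without DPD every packet from the failure onward is lost while the session still looks established on both ends, which is exactly the "connectivity is broken" case the course warns about.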
These webvpn commands apply to all WebVPN users. They let you configure authentication, authorization, and accounting (AAA) servers, default group policies, the default idle timeout, HTTP and HTTPS proxies, and NetBIOS Name Service (NBNS) servers for WebVPN, as well as the appearance of the WebVPN screens that end users see.

webvpn

dtls port

To specify a port for DTLS connections, use the dtls port command from webvpn configuration mode. To remove the command from the configuration, use the no form of this command.

dtls port number

dtls port Parameters

Parameter   Description
number      The UDP port number, which can range from 1 to 65535

group-policy attributes

To enter group-policy configuration mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, use the no version of this command. In group-policy configuration mode, you can configure attribute-value pairs for a specified group policy or enter group-policy webvpn configuration mode to configure WebVPN attributes for the group.

group-policy name attributes

group-policy attributes Parameters

Parameter   Description
name        Specifies the name of the group policy

webvpn (group-policy and username modes)

To enter this webvpn mode, use the webvpn command in group-policy configuration mode or in username configuration mode. To remove all commands that are entered in webvpn mode, use the no form of this command. These WebVPN commands apply to the username or group policy from which you configure them. WebVPN commands for group policies and usernames define access to files, Messaging Application Programming Interface (MAPI) proxy, URLs, and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.

webvpn

svc dtls enable

To enable DTLS connections on an interface for specific groups or users who are establishing SSL VPN connections with the Cisco AnyConnect VPN Client, use the svc dtls enable command from group-policy webvpn or username attributes webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

svc dtls enable interface

Verifying DTLS

[Figure: Cisco AnyConnect client Statistics > Details window showing the Transport Information, and show conn output from a security appliance in the VPN path]

In the example, DTLS has been enabled on the outside interface, and the group policy (BASIC-ANYCONNECT-POLICY) that is associated with the user who logged in was configured to have DTLS enabled.

The remote user can examine the selected transport protocol by choosing Statistics and then Details in the Cisco AnyConnect client GUI. The protocol is displayed in the Transport Information section.

The show conn command output that is displayed is taken from a security appliance that resides in the VPN path. It shows a UDP connection that is established in addition to the SSL (TCP) session.

Verifying DTLS
session type: svc

[Figure: show vpn-sessiondb svc output listing both the SSL tunnel and the DTLS tunnel for the session]

To verify DTLS, you can use the show vpn-sessiondb svc command on the security appliance that terminates the full client SSL session. In the example, you can see that both the SSL and DTLS tunnels are used for the connection. If only the SSL tunnel appears, the DTLS tunnel did not come up; the usual causes are DTLS not being enabled on the interface or in the effective group policy, or UDP port 443 being blocked somewhere on the path.

show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail. It also lets you specify the type of sessions to display, and it provides options to filter and sort the information.
The syntax table and usage notes organize the choices accordingly.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy | svc} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive}] [sort {name | ipaddress | a-ipaddress | p-ipaddress | tunnel-group | protocol | encryption | inactivity}]

show vpn-sessiondb Parameters

Parameter               Description
detail                  (Optional) Displays extended details about a session. For example, using the detail option for an IP Security (IPsec) session displays additional details such as the Internet Key Exchange (IKE) hashing algorithm, authentication mode, and rekey interval. If you choose detail and the full option, the Cisco ASA adaptive security appliance displays the detailed output in a machine-readable format.
filter filter_criteria  (Optional) Filters the output to display only the information that you specify by using one or more of the filter options.
full                    (Optional) Displays streamed, untruncated output. Output is delineated by horizontal line ("|") characters and a double horizontal line ("||") string between records.
session_type            (Optional) To show data for a specific session type, enter one of the following keywords:
                        email-proxy: Displays email proxy sessions.
                        index indexnumber: Displays a single session by index number. Specify the index number for the session, between 1 and 750.
                        l2l: Displays VPN LAN-to-LAN (L2L) session information.
                        ratio: Displays VPN session protocol or encryption ratios.
                        remote: Displays IPsec remote access sessions.
                        summary: Displays the VPN session summary.
                        svc: Displays Cisco AnyConnect VPN Client sessions.
                        vpn-lb: Displays VPN load-balancing management sessions.
                        webvpn: Displays information about clientless SSL VPN sessions.
sort sort_criteria      (Optional) Sorts the output according to the sort option that you specify.

Managing Cisco AnyConnect Software

This topic describes how to manage Cisco AnyConnect software.

Managing Cisco AnyConnect Software
Overview

You can install or upgrade the Cisco AnyConnect client:
* Manually, using an offline Cisco installer package
* Using software management tools
* Via the clientless portal

You can uninstall the Cisco AnyConnect client:
* Manually
* Using software management tools
* Triggered by the Cisco ASA security appliance after logout

Depending on client experience and security policy, the Cisco AnyConnect VPN Client can be distributed and upgraded on workstations using several delivery methods:

* Manually, using an installation package that is downloaded from Cisco.com. This method is best suited for clients with a higher level of experience or for those with slower Internet connections.
* Installation of the Cisco AnyConnect VPN Client over software management tools is the preferred method of installation in large organizations that have an established infrastructure for software package deployment, such as Symantec Altiris or Microsoft Systems Management Server (SMS). The Cisco AnyConnect installer is available in .msi format for the Windows platform, .pkg format for Linux and the Mac OS X Intel platform, and .dmg format for the Mac OS platform.
* Installation over the SSL VPN clientless portal can be initiated over the web. If a client has not been previously installed, a remote user can enter into a browser the IP address or Domain Name System (DNS) name of a security appliance interface that is configured to accept clientless SSL VPN connections.
The user is then presented with a login screen, and, if the user passes login and authentication, the security appliance identifies the user as requiring the Cisco AnyConnect client. It then downloads to the remote computer the AnyConnect client package that matches its operating system. After loading, the Cisco AnyConnect client installs and configures itself and establishes a secure full tunnel SSL connection.

Uninstallation of the Cisco AnyConnect VPN Client can be performed using several methods:

* Manually, using the program manager of the computer operating system.
* Using software management tools.
* Triggered by the security appliance after logout. The Cisco AnyConnect client that is installed over the web portal can be configured to uninstall automatically after the client logs out from the security appliance.

Managing Cisco AnyConnect Software
Configuration Tasks

1. (Optional) Configure client persistence.
2. (Optional) Configure automatic client software update.

[Figure: a Cisco AnyConnect client at version 2.3 connecting to a Cisco ASA adaptive security appliance that requires version 2.4]

The following configuration tasks are required to manage the Cisco AnyConnect client:

1. Optionally, configure client persistence.
2. Optionally, configure automatic client software update.

If a client has already been installed, the Cisco ASA adaptive security appliance can be configured to examine the revision of the AnyConnect client when the user authenticates. The security appliance can then upgrade the Cisco AnyConnect client on the remote computer if needed. In the configuration scenario, the client that is connected to the Cisco ASA adaptive security appliance is using version 2.3 of the Cisco AnyConnect VPN Client software, but the Cisco ASA adaptive security appliance configuration requires the client to use version 2.4. Therefore, the security appliance loads the 2.4 version of the AnyConnect client onto the PC.
After the 2.4 AnyConnect client is installed, the software establishes the SSL tunnel to the Cisco ASA adaptive security appliance. After the user logs off, the adaptive security appliance keeps the Cisco AnyConnect client on the client PC.

Managing Cisco AnyConnect Software
Task 1: (Optional) Configure Client Persistence

  group-policy BASIC-ANYCONNECT-POLICY attributes
   webvpn
    svc keep-installer installed

[Figure: Configuration > Remote Access VPN > Network (Client) Access > Group Policies, SSL VPN Client settings with Keep Installer on Client System set to Yes]

Optionally, the Cisco AnyConnect client can be configured in such a way that the client remains installed on the remote computer after client logout. Using Cisco Adaptive Security Device Manager (ASDM), perform the following steps:

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies (not shown in the figure).

Step 2 Select the group policy that you want to edit, and choose Edit (not shown in the figure).

Step 3 Choose Advanced > SSL VPN Client.

Step 4 Uncheck the Inherit check box next to the Keep Installer on Client System field, and choose Yes to allow permanent Cisco AnyConnect client installation on the remote computer. By choosing Yes, you disable the automatic uninstalling feature of the AnyConnect client, which allows the software to remain installed on the remote computer for subsequent connections.

Step 5 Click OK, and click Apply to apply the changed policy to the security appliance.

Using the CLI, enter group-policy configuration mode using the group-policy attributes command. Enter the SSL VPN portion of the group policy configuration using the webvpn command, and use the svc keep-installer installed command to instruct the Cisco AnyConnect client to remain installed on the remote computer.
svc keep-installer

To enable the permanent installation of an SSL VPN client on a remote PC, use the svc keep-installer command from group-policy webvpn or username webvpn configuration mode. Use the no form of the command to remove the command from the configuration and cause the value to be inherited.

svc keep-installer {installed | none}

svc keep-installer Parameters

Parameter   Description
installed   Disables the automatic uninstalling feature of the client. The client remains installed on the remote PC for future connections.
none        Specifies that the client uninstalls from the remote computer after the active connection terminates.

Managing Cisco AnyConnect Software
Task 2: (Optional) Configure Automatic Client Software Update

[Figure: Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Settings, with an AnyConnect client image added from flash]

The security appliance can be configured to match a regular expression against the user agent string that is reported by the browser of the remote computer in order to push the correct Cisco AnyConnect client image. If a regular expression is not entered, the security appliance tries to match the operating system that is reported in the user agent of the browser with the operating system string that is in the Cisco AnyConnect installation filename. Using Cisco ASDM, perform the following steps:

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Settings (not shown in the figure).

Step 2 Choose Add to add the Cisco AnyConnect client installation image from the flash memory of the Cisco ASA adaptive security appliance (not shown in the figure).

Step 3 Click Browse Flash.

Step 4 Locate the Cisco AnyConnect client installation image and select it.

Step 5 Click OK. (This step is not shown in the figure.) If the version of the file that is listed here is higher than the one on the remote computer, the Cisco AnyConnect client is updated on the remote computer.
Step 6 Optionally, enter a regular expression to match the user agent of a browser in order to reduce the time that the security appliance takes to locate the correct image.

Step 7 Click OK, and click Apply to apply the changed policy to the security appliance.

Managing Cisco AnyConnect Software
Implementation Guidelines

Consider the following implementation guidelines:

* Use web launch to install software for skilled users with administrative rights.
* It is generally not recommended to remove the Cisco AnyConnect client from clients except in very specific environments.
* Selectively enable or disable automatic updates using local policy files.
* Federal Information Processing Standard (FIPS)-enabled clients do not update the client software on login.
  - Bypass the downloader for FIPS clients.

When you are managing Cisco AnyConnect software, consider the following implementation guidelines:

* Use the web launch feature to install software for skilled users with administrative rights.
* It is generally not recommended to remove the Cisco AnyConnect client from clients except in very specific environments.
* Selectively enable or disable automatic updates using the Cisco AnyConnect client XML profiles (this topic is addressed later in this lesson).
* Be aware that FIPS-enabled clients do not update the client software on login.

Configuring Cisco AnyConnect Client Profiles

This topic describes how to configure and verify Cisco AnyConnect client profiles.

Cisco AnyConnect Client Profiles
Cisco AnyConnect Configuration

The Cisco AnyConnect client configuration is fully controlled by the Cisco ASA security appliance using XML configuration profiles.
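The image selection and version comparison that Task 2 above configures, as an added example that is not Cisco code and not the appliance's implementation. It applies the two rules the course describes, a per-image regular expression against the browser User-Agent and, for images without one, the operating system token in the filename against what the browser reports, and then decides whether a client reporting an older version (the 2.3 versus 2.4 scenario) must be upgraded. The package names, their order, and the User-Agent strings are constructed samples.

```python
"""Pick which AnyConnect image to push and whether the installed client needs it.

Added example for this course page; not Cisco code. The image names follow the
anyconnect-<os>[-arch]-<version>-k9.pkg layout and the User-Agent strings are
constructed samples; the matching rules are the two the course describes.
"""
import re

# Constructed image list in the order the appliance tries them:
# (filename on flash, optional regex against the browser User-Agent)
IMAGES = [
    ("anyconnect-win-2.4.0202-k9.pkg", r"Windows NT"),
    ("anyconnect-macosx-i386-2.4.0202-k9.pkg", r"Mac OS X"),
    ("anyconnect-linux-2.4.0202-k9.pkg", None),       # no regex: fall back to OS token
]

# OS token in the filename -> strings a browser on that OS puts in its User-Agent.
OS_TOKENS = {
    "win": ("Windows",),
    "macosx": ("Mac OS X", "Macintosh"),
    "linux": ("Linux", "X11"),
}

FILENAME = re.compile(
    r"^anyconnect-(?P<os>[a-z]+)(?:-(?:i386|x86_64))?-(?P<ver>\d+(?:\.\d+)+)-k9\.pkg$"
)


def parse_version(text):
    """'2.3.0254' -> (2, 3, 254): tuples compare numerically, so 2.10 > 2.9."""
    return tuple(int(part) for part in text.split("."))


def parse_image(filename):
    """Return (os token, version tuple) from an AnyConnect package name."""
    m = FILENAME.match(filename)
    if not m:
        raise ValueError("not an AnyConnect package name: %r" % filename)
    return m.group("os"), parse_version(m.group("ver"))


def select_image(user_agent, images=IMAGES):
    """First image whose rule matches the User-Agent, or None if nothing fits."""
    for filename, regex in images:
        if regex is not None:
            if re.search(regex, user_agent):
                return filename
        else:
            os_name, _ = parse_image(filename)
            if any(token in user_agent for token in OS_TOKENS.get(os_name, ())):
                return filename
    return None


def needs_upgrade(client_version, filename):
    """True when the image on the appliance is newer than what the client reports."""
    _, available = parse_image(filename)
    return parse_version(client_version) < available


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0)"   # constructed sample
    image = select_image(ua)
    print(image, "upgrade:", needs_upgrade("2.3.0254", image))
```

Comparing versions as integer tuples rather than as strings matters once a 2.10 build exists: string comparison would rank it below 2.9 and leave those clients on old code. On the appliance the same ordering and regex are expressed with the svc image command in webvpn configuration mode, whose order number and regex argument correspond to the list position and the second tuple element here.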
* You can create XML profiles manually, or by using the Cisco AnyConnect Profile Editor.
* Profiles are deployed after login, attached to specific group policies.
* You can allow the user to control some settings.

After the Cisco AnyConnect client connects to the Cisco ASA adaptive security appliance and a user successfully logs in, the AnyConnect client configuration that is defined in the XML configuration profile is downloaded to the remote computer. XML profiles can be created and edited as regular text files on a computer, or the Cisco AnyConnect Profile Editor can be used. A Java-based standalone program, the Profile Editor can be run on any operating system that has Java software installed on it.

Cisco AnyConnect Client Profiles
Example XML Profile
  <...>false</...>
  <HostEntry>
    <HostName>MY-VPN</HostName>
    <HostAddress>vpn.domain.com</HostAddress>
  </HostEntry>
The Cisco AnyConnect client profile is XML-formatted text that contains all configured AnyConnect client parameters. Standard XML format is a collection of beginning and ending tags with configuration values between them. The recommended procedure is to initially create an XML profile by using the Cisco AnyConnect Profile Editor, so that the file structure is defined correctly. Later, you can edit the profile by using a text editor or by again using the Profile Editor. The figure shows a sample XML profile, which specifies the name and address of a VPN gateway.

Cisco AnyConnect Client Profile Parameters

Parameter                  Description
ShowPreConnectMessage      Configures the display of a preconnect message
AutoConnectOnStart         Configures the client to automatically connect when started
MinimizeOnConnect          Configures automatic minimization after a successful connection
LocalLanAccess             Configures access to the local LAN
AutoReconnect              Configures automatic reconnect after an involuntary disconnection
AutoUpdate                 Enables or disables automatic updates
MobilePolicy               Configures settings specific to the Windows Mobile platform
WindowsVPNEstablishment    Configures whether users logged on remotely (for example, through terminal services) may establish VPN connections
ServerList                 Configures the list of servers that AnyConnect can connect to (VPN gateways, and so on)
BackupServerList           Configures the list of backup servers
CertificateMatch           Configures rules to choose the user certificate
CertificateStore           Configures where to choose the user certificate from (the certificate store)
CertificateEnrollment      Configures certificate enrollment parameters
AutomaticVPNPolicy         Configures a Trusted Network Detection (TND) policy
UseStartBeforeLogon        Enables or disables the Start Before Logon (SBL) feature

The table describes the various XML profile settings.

Configuring Cisco AnyConnect Client Profiles
Configuration Tasks

1. Create an XML profile.
2. Upload and verify the XML profile.
3. Attach the XML profile to a group policy.

[Figure: the XML profile being deployed from the Cisco ASA adaptive security appliance to the Cisco AnyConnect client]

To create and use Cisco AnyConnect client profiles, perform the following configuration tasks:

1. Create an XML profile, either by using the Cisco AnyConnect Profile Editor or a text editor on a computer.
2. Upload the XML profile to the security appliance. XML profile verification can be done online using Cisco ASDM or with standalone XML verification tools.
3. Attach the uploaded XML profile to a group policy so that it can be downloaded to and applied on the remote computers.

In the configuration scenario, after a successful SSL VPN connection and user authentication, the group policy named BASIC-ANYCONNECT-POLICY is applied. During the Cisco AnyConnect client deployment, the XML AnyConnect client profile is also deployed. This XML profile allows terminal services sessions to establish the SSL VPN connection. The XML AnyConnect client profile is provisioned to the remote computer, and the Cisco AnyConnect client is configured accordingly.

Configuring Cisco AnyConnect Client Profiles
Task 1: Create an XML Profile

[Figure: Cisco AnyConnect Profile Editor, Server List tab: define a VPN server entry by specifying the security appliance hostname and its fully qualified domain name (FQDN) or IP address]

To create the XML profile using the Cisco AnyConnect Profile Editor, follow these steps:

Step 1 Run the Cisco AnyConnect Profile Editor on a PC.

Step 2 Choose File > New (not shown in the figure).

Step 3 Choose the Server List tab.

Step 4 Click Add to add the security appliance as a server list entry. The client will be connecting to this appliance as a server.

Step 5 Specify the security appliance name in the Hostname (Required) field.

Step 6 Click OK.

Step 7 Repeat the previous steps for all the security appliances that will be used for terminating the SSL VPNs.

Configuring Cisco AnyConnect Client Profiles
Task 1: Create an XML Profile (Cont.)
To allow terminal services to start a VPN connection, complete the following steps:
Step 1 Click the Preferences tab.
Step 2 Select Allow RemoteUsers from the Windows VPN Establishment drop-down menu.
Step 3 Optionally, change all other required profile parameters.
Step 4 Choose File > Save As.
Step 5 Save the newly created XML profile locally on the PC.

Configuring Cisco AnyConnect Client Profiles
Task 2: Upload and Verify the XML Profile

Upload and verify the newly created XML profile using Cisco ASDM by following these steps:
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Settings.
Step 2 In the SSL VPN Client Profiles section, click Add to add the XML profile. The Add SSL VPN Client Profile window displays.
Step 3 Assign a name to the profile (MY-XML-PROFILE, in the example).
Step 4 Click the Browse Flash button to add an XML file that is already available on the flash memory of the Cisco ASA adaptive security appliance.
Step 5 If the XML file is not resident in the Cisco ASA adaptive security appliance flash, click Upload, and then click Browse Local Files to locate the XML file on the PC that is running Cisco ASDM. Once the locally stored XML file is located, click Upload File to upload the file to the flash memory of the Cisco ASA adaptive security appliance (not shown in the example).
Step 6 Click OK. The security appliance will verify the XML profile against the Cisco AnyConnect XML schema.

Configuring Cisco AnyConnect Client Profiles
Task 3: Attach the XML Profile to a Group Policy
(Figure: the CLI equivalent shown on the slide.)
webvpn
 svc profiles MY-XML-PROFILE disk0:/MY-PROFILE.XML
group-policy BASIC-ANYCONNECT-POLICY attributes
 webvpn
  svc profiles value MY-XML-PROFILE

Attach the XML profile to a group policy using Cisco ASDM by following these steps:
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies (not shown in the figure).
Step 2 Select the group policy to which you want to attach the XML profile, and click Edit. The Edit Internal Group Policy window displays.
Step 3 Choose SSL VPN Client and uncheck the Inherit box next to the Client Profile to Download field. From the drop-down list, choose the uploaded XML profile to use for this group policy.
Step 4 Click OK, and click Apply to save the configuration changes to the security appliance.

Using the CLI, the security appliance can be configured to use the custom XML profile. Enter the SSL VPN portion of the group policy configuration by using the webvpn command. Use the svc profiles command to define the name of the XML profile and the location of the XML profile file. Use the group-policy attributes command to edit the group policy properties, and use the svc profiles value command to associate the XML profile with the group policy.

svc profiles (webvpn)
To specify a file as a profiles package that the Cisco ASA adaptive security appliance loads in cache memory and makes available to group policies and username attributes of Cisco AnyConnect VPN Client users, use the svc profiles command from webvpn configuration mode.

svc profiles (group-policy and username modes)
To specify a Cisco AnyConnect client profiles package that is downloaded to AnyConnect VPN Client users, use the svc profiles command from group-policy webvpn or username attributes webvpn configuration mode.

Verify Cisco AnyConnect Client Profiles
Client File Verification
Windows XP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile
Windows Vista/Windows 7: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile
(Figure: the XML profile file as stored on the client; the text in the screen capture is not recoverable.)

After successful connection and authentication to the SSL VPN, the security appliance uploads the XML profile file to the remote computer. Correct configuration and successful upload of the XML profile file can be checked by examining the location in which the XML profile file is stored, which depends on the operating system of the client.

Verify Cisco AnyConnect Client Profiles
Event Viewer Verification
(Figure: Event Viewer > Applications and Services Logs > Cisco AnyConnect VPN Client)

Successful deployment of the XML profile file can also be checked using the Windows Event Viewer application:
Step 1 In the Event Viewer window, choose Applications and Services Logs > Cisco AnyConnect VPN Client (the path may vary depending on the operating system and version).
Step 2 Verify the XML profile usage by examining the event details.
Verify Cisco AnyConnect Client Profiles
Implementation Guidelines
Consider the following implementation guidelines:
- Use XML profiles only when you need to change default client settings.
- Use the XML profile editor to simplify profile configuration.

The use of XML profiles is not mandatory. You need them only when you want to change default Cisco AnyConnect client settings or add advanced features. In order to avoid syntax errors and to simplify profile creation and configuration, it is recommended that you use the Cisco AnyConnect Profile Editor.

Deploying Advanced Cisco AnyConnect Operating System Integration Options
This topic describes how to deploy advanced Cisco AnyConnect operating system integration options.

Cisco AnyConnect Operating System Integration Options
Trusted Network Detection (TND)
- TND allows the Cisco AnyConnect client to initiate a VPN automatically when the user is outside or inside a specific network.
- The trusted network is identified based on:
  - DHCP-assigned DNS domain
  - Configured DNS server (or servers)
- The available actions are connect and disconnect.

Trusted Network Detection (TND) gives you the ability to have the Cisco AnyConnect client automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network), and start the VPN connection when the user is outside the corporate network (the untrusted network). TND does not interfere with the ability of the user to manually establish a VPN connection.
The Cisco AnyConnect client supports TND on Microsoft Windows XP and later, and on Mac OS X. TND is configured in the Cisco AnyConnect profile. No changes are required to the security appliance configuration.

Cisco AnyConnect Operating System Integration Options
Start Before Logon (SBL)
- SBL is a Windows-only Cisco AnyConnect feature that allows the client to start before user login to Windows.
- Useful to log in to Microsoft Active Directory domains over the VPN connection
- Integrates with the Windows login interface
- Required to establish the VPN if the Group Policy Object (GPO) does not allow caching

Start Before Logon (SBL) forces the user to connect to the enterprise infrastructure over a VPN connection before logging into Windows. It accomplishes this forced connection by starting the Cisco AnyConnect client before the Windows login dialog box appears. After authenticating to the security appliance, the user logs in as usual through the Windows login dialog. SBL is only available for Windows and lets you control the use of login scripts, password caching, network-drive-to-local-drive mapping, and more.

Note: The Cisco AnyConnect client does not support SBL for Windows XP x64 (64-bit) Edition.

Cisco AnyConnect Operating System Integration Options
Client Scripting
- Cisco AnyConnect runs up to one script at login and up to one script at logout.
- The two scripts are defined globally and toggled per group policy in the XML profile.
- Useful to:
  - Refresh Active Directory GPOs
  - Map and unmap network drives
  - Automatically start user applications

The Cisco AnyConnect client does not require the script to be written in a specific language, but it does require an application that can run the script to be installed on the client computer. Thus, for the Cisco AnyConnect client to launch the script, the script must be capable of running from the command line. Write and test the script using the operating system type on which it will run when the AnyConnect client launches it.

Note: You should write and test the script on the targeted operating system. If a script cannot run properly from the command line on the native operating system, the Cisco AnyConnect client cannot run it properly either.

The Cisco AnyConnect client supports script launching on all Microsoft Windows, Mac OS X, and Linux platforms that accommodate the AnyConnect software. On Microsoft Windows, Cisco AnyConnect can only launch scripts after the user logs into Windows and establishes a VPN session. Thus, the restrictions that are imposed by the security environment of the user apply to these scripts. Scripts can only execute functions that the user has rights to invoke. Cisco AnyConnect hides the command window during the execution of a script on Windows, so executing a script that displays a message in a .bat file for testing purposes does not work. On Linux-based operating systems, assign execute permissions to the script files for user, group, and other.

Cisco AnyConnect Operating System Integration Options
Configuration Tasks
1. (Optional) Configure TND.
2. (Optional) Configure SBL.
   - When using SBL, ensure that transport network connectivity does not depend on user login (IEEE 802.1X).
3. (Optional) Configure scripting.

To configure Cisco AnyConnect advanced operating system integration options, perform the following tasks:
1. Configure the TND feature if you need automatic SSL VPN connection for remote computers when they are connected to an untrusted network.
2. Configure the SBL feature when SSL VPN connectivity is needed before the Microsoft login procedure.
Note: When using SBL, ensure that the transport network connectivity does not depend on user login (IEEE 802.1X).
3. Configure scripting if you need to execute commands after the SSL VPN is successfully connected or when the SSL VPN tunnel connection is terminated.

Cisco AnyConnect Operating System Integration Options
Configuration Scenario
(Figure: the trusted network is identified by the DNS domain domain.com.)

Configuration of all three Cisco AnyConnect client features is included in the XML profile. In the example, you will configure Trusted Network Detection (TND) and Start Before Logon (SBL), and you will enable scripting to run the CONNECT.cmd script. After successful user authentication, the XML profile is parsed for those configurations. If the security appliance has a newer version of the scripts than those stored on remote computers, then those scripts are replaced and the new version of the scripts is executed. Also, the TND and SBL configuration is refreshed on remote computers.

Cisco AnyConnect Operating System Integration Options
Task 1: (Optional) Configure TND

TND is configured in the Cisco AnyConnect XML profile. No changes are required to the security appliance configuration except uploading of the changed XML profile. To configure the XML profile using the Cisco AnyConnect Profile Editor to enable TND, follow these steps:
Step 1 Choose the Preferences tab.
Step 2 Enable TND by checking the Automatic VPN Policy check box.
Step 3 In the Trusted DNS Domains field, enter a list of DNS suffixes (a comma-separated string) that a network interface may have when the client is in the trusted network. In the example, domain.com is the trusted domain.
Step 4 In the Trusted DNS Servers field, enter a list of DNS server addresses (a comma-separated string) that a network interface may have when the client is in the trusted network.
Note: If you configure both the Trusted DNS Domains and Trusted DNS Servers fields, users must match both settings in order to be included in the trusted network.
Step 5 Select a network policy in the trusted network. In the example, when the client is connected to the trusted network, the network policy is configured to disconnect the Cisco AnyConnect client.
Step 6 Select a network policy outside the trusted network. In the example, when the client is connected to the untrusted network, the network policy is configured to connect the Cisco AnyConnect client.
Step 7 Choose File > Save (Save As) to save the changes in the policy.

The following example shows the ClientInitialization section of the profile file with TND configured. The output reflects the configuration for automatic connection to the VPN when the client is in the untrusted network, and automatic disconnection when it is in the trusted network:

<AutomaticVPNPolicy>true
  <TrustedDNSDomains>domain.com</TrustedDNSDomains>
  <TrustedDNSServers>144.124.*,64.202.6.247</TrustedDNSServers>
  <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
</AutomaticVPNPolicy>

Cisco AnyConnect Operating System Integration Options
Task 2: (Optional) Configure SBL
(Figure: the profile fragment shown on the slide.)
<ClientInitialization>
  <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
</ClientInitialization>

SBL is configured in the Cisco AnyConnect XML profile. To enable SBL, you must first specify the SBL module name in a group policy on the Cisco ASA security appliance. To specify the SBL module name, follow these steps using Cisco ASDM:
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies (not shown in the figure).
Step 2 Select a group policy and click Edit. The Edit Internal Group Policy window displays (not shown in the figure).
Step 3 Choose Advanced > SSL VPN Client in the navigation pane on the left. The SSL VPN settings window displays (not shown in the figure).
Step 4 Uncheck the Inherit check box for the Optional Client Modules for Download setting (not shown in the figure).
Step 5 Enable the Start Before Logon (SBL) feature by checking the vpngina check box. This selection enables the security appliance to download a Graphical Identification and Authentication (GINA) module for the Cisco AnyConnect client VPN connection (not shown in the figure).
Step 6 Click OK, and click Apply to save the configuration changes to the Cisco ASA adaptive security appliance.

The XML profile configuration has to be changed and uploaded to the security appliance. To configure the XML profile using the Cisco AnyConnect Profile Editor to enable SBL, follow these steps:
Step 1 Choose the Preferences tab.
Step 2 Enable SBL by checking the Use Start Before Logon check box.
Step 3 Choose File > Save (Save As) to save the changes in the policy.
Note: The user must reboot the remote computer before SBL can take effect.

Cisco AnyConnect Operating System Integration Options
Task 3: (Optional) Configure Scripting
To enable scripting, follow these steps using Cisco ASDM:
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script.
Step 2 Click Import.
Step 3 Specify the script name and script type. Then, select the remote computer operating platform for which the script is written.
Step 4 Select the script file by filling in the path information.
Step 5 Click Import Now to upload the script to the security appliance.

Cisco AnyConnect Operating System Integration Options
Task 3: (Optional) Configure Scripting (Cont.)
(Figure: the profile fragment shown on the slide.)
<ClientInitialization>
  <EnableScripting UserControllable="false">true
    <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
  </EnableScripting>
</ClientInitialization>

After the script is uploaded to the security appliance, the XML profile has to be changed in order to execute the scripts. To configure the XML profile by using the Cisco AnyConnect Profile Editor to enable scripting, follow these steps:
Step 1 Choose the Preferences (Cont.) tab.
Step 2 Enable scripting by checking the Enable Scripting check box.
Step 3 Choose File > Save (Save As) to save the changes in the policy.
Step 4 Upload the XML profile file to the Cisco ASA adaptive security appliance as described in the previous topic.

Verifying Cisco AnyConnect Operating System Integration
Trusted Network Detection
(Figure: Event Viewer > Applications and Services Logs > Cisco AnyConnect VPN Client)

To verify TND on Windows operating systems, use the Event Viewer.
Step 1 In the Event Viewer window, choose Applications and Services Logs > Cisco AnyConnect VPN Client (the path may vary based on the operating system and version).
Step 2 Verify that the Cisco AnyConnect client automatically initiates when a remote computer is in an untrusted network. If a TND action is also configured for a trusted network, a separate event should be recorded in the Event Viewer.

Verifying Cisco AnyConnect Operating System Integration
Scripting
(Figure: Event Viewer > Applications and Services Logs > Cisco AnyConnect VPN Client)

You can also use the Event Viewer to verify scripting on Windows operating systems.
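The profile elements introduced in the parameter table and used in the TND, SBL, and scripting tasks above can be reviewed before the profile is uploaded to the security appliance. The following Python script is an added example, not Cisco code: it parses a constructed AnyConnect profile (the element names are those shown on the page; the host entry and the addresses are illustrative), reports the effective TND, SBL, scripting, and LocalLanAccess settings, flags combinations a reviewer would question, and applies the rule from the TND note that an interface must match both the trusted DNS domain and the trusted DNS server list when both are configured. The wildcard handling for a trailing asterisk in a server address is an assumption made for this example.

```python
"""Review a Cisco AnyConnect XML client profile before uploading it (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample profile: element names as on the page, values illustrative.
SAMPLE_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>domain.com</TrustedDNSDomains>
      <TrustedDNSServers>144.124.*,64.202.6.247</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
    <EnableScripting UserControllable="false">true
      <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
    </EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.domain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Same constructed profile with the TND criteria removed and local LAN access
# opened; the review should flag both.
WEAK_PROFILE = (SAMPLE_PROFILE
    .replace('<LocalLanAccess UserControllable="true">false',
             '<LocalLanAccess UserControllable="true">true')
    .replace("<TrustedDNSDomains>domain.com</TrustedDNSDomains>", "")
    .replace("<TrustedDNSServers>144.124.*,64.202.6.247</TrustedDNSServers>", ""))


def _text(elem):
    """Stripped leading text of an element, or '' when absent."""
    return ((elem.text if elem is not None else "") or "").strip()


def _flag(elem):
    """AnyConnect boolean elements carry 'true'/'false' as their leading text."""
    return _text(elem).lower() == "true"


def _csv(elem):
    """Split a comma-separated list element into stripped items."""
    return [item.strip() for item in _text(elem).split(",") if item.strip()]


def review_profile(xml_text):
    """Return the effective integration settings of a profile plus review warnings."""
    root = ET.fromstring(xml_text)
    init = root.find("ClientInitialization")
    if init is None:
        raise ValueError("profile has no ClientInitialization section")
    tnd = init.find("AutomaticVPNPolicy")
    scripting = init.find("EnableScripting")

    def tnd_child(name):
        return tnd.find(name) if tnd is not None else None

    report = {
        "tnd_enabled": _flag(tnd),
        "trusted_domains": _csv(tnd_child("TrustedDNSDomains")),
        "trusted_servers": _csv(tnd_child("TrustedDNSServers")),
        "trusted_policy": _text(tnd_child("TrustedNetworkPolicy")),
        "untrusted_policy": _text(tnd_child("UntrustedNetworkPolicy")),
        "sbl_enabled": _flag(init.find("UseStartBeforeLogon")),
        "scripting_enabled": _flag(scripting),
        "local_lan_access": _flag(init.find("LocalLanAccess")),
        "servers": [h.findtext("HostAddress", "").strip() for h in root.iter("HostEntry")],
        "warnings": [],
    }
    warn = report["warnings"].append
    if report["tnd_enabled"] and not (report["trusted_domains"] or report["trusted_servers"]):
        warn("TND is enabled but no trusted DNS domain or server is defined")
    if report["local_lan_access"]:
        warn("LocalLanAccess is true: local LAN traffic bypasses the tunnel")
    if report["sbl_enabled"] and not report["servers"]:
        warn("SBL is enabled but the ServerList is empty")
    if report["scripting_enabled"] and scripting.get("UserControllable", "false").lower() == "true":
        warn("EnableScripting is user-controllable")
    return report


def _server_matches(pattern, address):
    """Assumed wildcard rule: a trailing '*' (for example 144.124.*) matches any remaining octets."""
    if pattern.endswith("*"):
        return address.startswith(pattern[:-1])
    return address == pattern


def in_trusted_network(report, dns_suffix, dns_servers):
    """Trusted-network test from the text: when both domains and servers are configured,
    the interface must match both."""
    domains, servers = report["trusted_domains"], report["trusted_servers"]
    if not report["tnd_enabled"] or not (domains or servers):
        return False
    domain_ok = not domains or dns_suffix.lower() in {d.lower() for d in domains}
    server_ok = not servers or any(_server_matches(p, a) for p in servers for a in dns_servers)
    return domain_ok and server_ok


def tnd_action(report, dns_suffix, dns_servers):
    """Policy the client applies on this interface, or None when TND is off."""
    if not report["tnd_enabled"]:
        return None
    trusted = in_trusted_network(report, dns_suffix, dns_servers)
    return report["trusted_policy"] if trusted else report["untrusted_policy"]


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        rep = review_profile(xml_text)
        print(name, {k: v for k, v in rep.items() if k != "warnings"})
        for w in rep["warnings"]:
            print("  WARNING:", w)
    print("action on domain.com / 144.124.0.53:",
          tnd_action(review_profile(SAMPLE_PROFILE), "domain.com", ["144.124.0.53"]))
```

Run it against the profile exported by the Profile Editor before Task 2 (upload); the same parse also works on the file found in the client-side Profile folder described under Client File Verification, which is a quick way to confirm that what the client received is what was uploaded.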
Step 1 In the Event Viewer window, choose Applications and Services Logs > Cisco AnyConnect VPN Client (the path may vary based on the operating system and version).
Step 2 Verify that the Cisco AnyConnect client automatically executes the script after the VPN connection. If scripting is also enabled upon VPN disconnection, a separate event should be created in the Event Viewer upon VPN disconnection.

Customizing the Cisco AnyConnect User Interface
This topic describes how to configure and verify Cisco AnyConnect user interface customization.

Customizing Cisco AnyConnect User Interface
Overview
- You can fully customize the Cisco AnyConnect client GUI:
  - Graphical elements (bitmaps, icons)
  - Language strings
- Most customization tasks are easily performed using Cisco ASDM.
- For more extensive customization, replace the VPN GUI entirely and deploy a custom GUI application integrated with the Cisco AnyConnect API.

You can customize the Cisco AnyConnect client GUI elements and language strings. For example, you can configure it to display your own corporate image to remote users. Customization can be performed on the Cisco AnyConnect client that runs on Windows, Linux, and Mac OS X computers. Customization is not supported for the Cisco AnyConnect client that runs on a Windows Mobile device.

You can use one of three methods to customize the client:
- Import individual client GUI and string components, such as the corporate logo, to the security appliance, which deploys them to remote computers with the installer.
- Import your own programs (Windows and Linux platforms only) that provide their own GUI or CLI and use the Cisco AnyConnect application programming interface (API).
- Import a transform (Windows only) that you create, and enable the security appliance to deploy it with an installer.

Customizing Cisco AnyConnect User Interface
Configuration Tasks
1. (Optional) Customize Cisco AnyConnect GUI objects.
2. (Optional) Customize Cisco AnyConnect GUI localization.

Both the GUI and string components of the Cisco AnyConnect client can be replaced by customized versions. Most customization tasks are easily performed using Cisco ASDM. In this configuration scenario, you will change the Cisco AnyConnect GUI client logo and modify one of the status messages. GUI customization can be performed on all graphical elements and icons that the Cisco AnyConnect client GUI contains. If you create your own custom images to replace the Cisco AnyConnect client icons, your images must be the same size as the original Cisco images. In addition, the filenames must be the same as those used by Cisco. The Cisco AnyConnect client uses different filenames for different operating systems. Default AnyConnect client English messages can also be customized and, if needed, translated to other languages.

Customizing Cisco AnyConnect User Interface
Task 1: (Optional) Customize GUI Objects
(Figure: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Resources)

To customize the client GUI by importing a new company logo, follow these steps using Cisco ASDM:
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Resources.
Step 2 Click Import.
Step 3 Enter the name of the file to import.
Step 4 Select an operating system platform and specify the file to import.
Your custom objects have to be the same size and use the same names as the objects that are used by default by the Cisco AnyConnect VPN client. You can find object names and sizes for all operating systems in the tables that follow.
Step 5 Click Import Now. The file appears in the table.
Step 6 Repeat Steps 2 through 5 for all the files that you want to import to the Cisco ASA adaptive security appliance.
Step 7 Click Apply to apply the configuration changes to the security appliance.

The following tables list the files that you can replace for each operating system that supports the Cisco AnyConnect client.
Note: If you create your own custom images to replace the client icons, your images must be the same size as the original Cisco images.

Microsoft Windows
All files for Windows are located in the %PROGRAMFILES%\Cisco\Cisco AnyConnect VPN Client\res\ folder.
Note: The %PROGRAMFILES% name refers to the environment variable by the same name. In most Windows installations, this is the C:\Program Files folder.

Microsoft Windows Files (filename in the Microsoft Windows installation; client GUI area affected; image size in pixels, L x H)
AboutTab.ico; Icon that appears on the About tab; 16 x 16
company_logo.bmp; Corporate logo that appears on each tab of the user interface; 142 x 92
connected.ico; Tray icon that displays when the client is connected; 16 x 16
ConnectionTab.ico; Icon that appears on the Connection tab; 16 x 16
disconnecting.ico; Tray icon that displays when the client is in the process of disconnecting; 16 x 16
GUI.ico; Icon that appears on the Windows Vista SBL screen; 48 x 48, 32 x 32, 24 x 24, 16 x 16
reconnecting.ico; Tray icon that displays when the client is in the process of reconnecting; 16 x 16
StatsTab.ico; Icon that appears on the Statistics tab; 16 x 16
unconnected.ico; Tray icon that displays when the client is not connected; 16 x 16

Linux
All files for Linux are located in the /opt/cisco/vpn/pixmaps/ folder.

Linux Files (filename in the Linux installation; client GUI area affected; image size in pixels, L x H)
company-logo.png; Corporate logo that appears on each tab of the user interface; 142 x 92
cvc-about.png; Icon that appears on the About tab; 16 x 16
cvc-connect.png; Icon that appears next to the Connect button, and on the Connection tab; 16 x 16
cvc-disconnect.png; Icon that appears next to the Disconnect button; 16 x 16
cvc-info.png; Icon that appears on the Statistics tab; 16 x 16
systray_connected.png; Tray icon that displays when the client is connected; 16 x 16
systray_notconnected.png; Tray icon that displays when the client is not connected; 16 x 16
systray_disconnecting.png; Tray icon that displays when the client is disconnecting; 16 x 16
systray_reconnecting.png; Tray icon that displays when the client is reconnecting; 16 x 16
vpnui48.png; Main program icon; 48 x 48

Mac OS X
All files for Mac OS X are located in the /Applications/Cisco AnyConnect VPN Client/Contents/Resources folder.

Mac OS X Files (filename in the Mac OS X installation; client GUI area affected; image size in pixels, L x H)
bubble.png; Notification bubble that appears when the client connects or disconnects; 142 x 92
connected.png; Icon that displays under the Disconnect button when the client is connected; 32 x 32
logo.png; Logo icon that appears on the main screen in the top right; 50 x 33
menu_connected.png; Connected state menu bar icon; 16 x 16
menu_error.png; Error state menu bar icon; 16 x 16
menu_idle.png; Disconnected idle menu bar icon; 16 x 16
menu_reconnecting.png; Reconnection in process menu bar icon; 16 x 16
warning.png; Icon that replaces login fields on various authentication and certificate warnings; 40 x 40
vpngui.icns; Mac OS X icon file format that is used for all icon services, such as Dock, Sheets, and Finder; 128 x 128

Customizing Cisco AnyConnect User Interface
Task 2: (Optional) Customize GUI Localization

You can make changes to the English messages displayed on the Cisco AnyConnect client GUI by adding an English translation table and by changing message text within an editing window of Cisco ASDM.

The following procedure describes how to change the default English messages using Cisco ASDM:
Step 1 Choose Configuration > Remote Access VPN > Language Localization.
Step 2 Click Add.
Step 3 The Add Language Localization Entry window appears. Choose AnyConnect as the translation domain from the Translation Domain drop-down menu.
Step 4 Click the Language drop-down menu, and choose En-US for English.
Step 5 To customize messages, edit each message separately. Text between the quotes in a line beginning with the string msgid is, by default, English text and must not be changed. A customized string must be entered between the quotes in the line beginning with the string msgstr. Enter all custom strings in the corresponding msgstr lines.
Step 6 Click OK, and click Apply to save the configuration changes to the security appliance.

For Windows, Linux, or Mac computers, you can deploy your own client that uses the Cisco AnyConnect client API.
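The file tables in Task 1 above fix both the filename and the pixel size of every replaceable image, and the note warns that an image of the wrong size is not accepted. The following Python script is an added example, not Cisco code: it reads the header of a candidate PNG, BMP, or ICO file, extracts the frame sizes, and checks filename and size against a table transcribed from the page before the file is imported through ASDM. The fixture builders at the end construct only the image headers (enough for the check) and are part of this example, not of any real installation.

```python
"""Check custom Cisco AnyConnect GUI resource files against the filename and
pixel-size tables (added example, not Cisco code)."""
import struct

# Expected (width, height) frame sets per platform, transcribed from the tables.
EXPECTED = {
    "windows": {
        "AboutTab.ico": {(16, 16)}, "company_logo.bmp": {(142, 92)},
        "connected.ico": {(16, 16)}, "ConnectionTab.ico": {(16, 16)},
        "disconnecting.ico": {(16, 16)},
        "GUI.ico": {(48, 48), (32, 32), (24, 24), (16, 16)},
        "reconnecting.ico": {(16, 16)}, "StatsTab.ico": {(16, 16)},
        "unconnected.ico": {(16, 16)},
    },
    "linux": {
        "company-logo.png": {(142, 92)}, "cvc-about.png": {(16, 16)},
        "cvc-connect.png": {(16, 16)}, "cvc-disconnect.png": {(16, 16)},
        "cvc-info.png": {(16, 16)}, "systray_connected.png": {(16, 16)},
        "systray_notconnected.png": {(16, 16)},
        "systray_disconnecting.png": {(16, 16)},
        "systray_reconnecting.png": {(16, 16)}, "vpnui48.png": {(48, 48)},
    },
    "mac": {
        "bubble.png": {(142, 92)}, "connected.png": {(32, 32)},
        "logo.png": {(50, 33)}, "menu_connected.png": {(16, 16)},
        "menu_error.png": {(16, 16)}, "menu_idle.png": {(16, 16)},
        "menu_reconnecting.png": {(16, 16)}, "warning.png": {(40, 40)},
    },
}


def image_sizes(data):
    """Return the set of (width, height) frames in a PNG, BMP, or ICO byte string."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])          # IHDR width/height, big-endian
        return {(w, h)}
    if data[:2] == b"BM":
        w, h = struct.unpack("<ii", data[18:26])          # BITMAPINFOHEADER; negative h = top-down
        return {(w, abs(h))}
    if data[:4] == b"\x00\x00\x01\x00":                   # ICONDIR: reserved 0, type 1
        count = struct.unpack("<H", data[4:6])[0]
        frames = set()
        for i in range(count):                            # 16-byte ICONDIRENTRY per frame
            w, h = data[6 + 16 * i], data[7 + 16 * i]
            frames.add((w or 256, h or 256))              # a 0 byte encodes 256 px
        return frames
    raise ValueError("unrecognised image format")


def check_resource(platform, filename, data):
    """Validate one custom file for a platform. Returns (ok, reason)."""
    table = EXPECTED.get(platform, {})
    if filename not in table:
        return False, "filename %r is not one the client replaces on %s" % (filename, platform)
    try:
        found = image_sizes(data)
    except ValueError as exc:
        return False, str(exc)
    if found != table[filename]:
        return False, "frames %s, expected %s" % (sorted(found), sorted(table[filename]))
    return True, "ok"


# Constructed fixtures: only the headers are built, which is all the check reads.
def png_header(w, h):
    ihdr = struct.pack(">II", w, h) + b"\x08\x06\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


def bmp_header(w, h):
    return b"BM" + struct.pack("<IHHI", 54, 0, 0, 54) + struct.pack("<Iii", 40, w, h)


def ico_header(sizes):
    entries = b"".join(struct.pack("<BBBBHHII", w % 256, h % 256, 0, 0, 1, 32, 0, 0)
                       for w, h in sizes)
    return b"\x00\x00\x01\x00" + struct.pack("<H", len(sizes)) + entries


if __name__ == "__main__":
    print(check_resource("linux", "company-logo.png", png_header(142, 92)))
    print(check_resource("linux", "company-logo.png", png_header(300, 200)))
    print(check_resource("windows", "GUI.ico", ico_header([(48, 48), (32, 32), (24, 24), (16, 16)])))
```

To use it on real files, read each candidate with `open(path, "rb").read()` and pass the platform, the filename as it will be imported, and the bytes to `check_resource`; the vpngui.icns entry is omitted because the ICNS container is not parsed here.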
You can replace the Cisco AnyConnect GUI or the Cisco AnyConnect CLI by replacing the client binary file. Your executable can call any resource files, such as logo images, that you import to the security appliance. When you deploy your own executable, any filename can be used for your resource files. Executable filenames must be exact for each operating system.

Executable Filenames (client operating system; client GUI filename; client CLI filename)
Microsoft Windows; vpnui.exe; vpncli.exe
Linux; vpnui; vpn
Mac; Not supported for security appliance deployment; vpn

In order to import your executable to customize the client GUI, follow these steps using Cisco ASDM (not shown in the figure):
Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Binary.
Step 2 Choose Import.
Step 3 Enter the name of the file to import.
Step 4 Choose an operating system platform and specify the file to import.
Step 5 Click Import Now. The file appears in the table.
Step 6 Repeat the previous four steps for all files that you want to import to the Cisco ASA adaptive security appliance.
Step 7 Click OK, and click Apply to apply the configuration changes to the security appliance.

Summary
This topic summarizes the key points that were discussed in this lesson.
- DTLS consumes less bandwidth than TLS because it does not cause retransmission on the TLS layer. DTLS is enabled by default.
- Cisco AnyConnect VPN Client configuration can be centrally controlled using XML profiles.
- There are multiple options to install, uninstall, and upgrade the Cisco AnyConnect VPN Client.
- Client XML profiles allow you to control all client settings from the VPN gateway.
- The Cisco AnyConnect client can integrate with the client operating system to provide automatic initiation (TND), SBL, and scripting.
- You can extensively customize the Cisco AnyConnect client GUI.

References
For additional information, refer to these resources:
- Cisco ASA 5500 Series Command Reference, 8.2 at http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/cmd_ref.html
- Cisco AnyConnect VPN Client Administrator Guide, Release 2.4 at http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24.html

Lesson 3
Deploying Advanced Authentication in Cisco AnyConnect Full Tunnel SSL VPNs

Overview
When deploying virtual private networks (VPNs) in general, it is very important to use strong authentication options. This lesson describes several advanced authentication options that you have when implementing Cisco AnyConnect full tunnel Secure Sockets Layer (SSL) VPNs on the Cisco ASA adaptive security appliance. These authentication options offer adequate security and scalability, as opposed to the basic local authentication that was described in the previous lesson. This lesson describes advanced password-based authentication using external authentication, authorization, and accounting (AAA) servers, certificate-based authentication using the local certificate authority (CA) of the security appliance, and the options that are available to verify user certificates for revocation.

Objectives
Upon completing this lesson, you will be able to deploy and manage the advanced authentication features of a Cisco AnyConnect full tunnel SSL VPN.
This ability includes being able to meet these objectives:
- Plan the deployment of advanced client authentication
- Configure and verify advanced password-based client authentication
- Configure and verify the local CA on the Cisco ASA adaptive security appliance and on the Cisco AnyConnect client, with client certificates that are provisioned by the security appliance
- Configure and verify integration with supporting PKI entities
- Configure and verify multiple client authentications

Configuration Choices, Basic Procedures, and Required Input Parameters
This topic provides an overview of how to plan the deployment of advanced client authentication.

Deploying Advanced Authentication: Overview of Advanced Authentication
- Authentication methods other than local password-based authentication:
  - Centralized AAA authentication (possibly integrated with existing back-end databases)
  - Client certificate authentication
  - Double or triple authentication
- Usually deployed to enhance manageability, integrate with existing databases, or increase the strength of credentials

Authentication of Secure Sockets Layer (SSL) virtual private network (VPN) clients using the local database is the most basic authentication option. More advanced authentication options for SSL VPN users include the following:
- Centralized AAA authentication: You can authenticate clients against an existing external AAA database, such as a RADIUS or TACACS+ user database. Such an external database can also be integrated with other back-end databases, such as Rivest, Shamir, and Adleman (RSA) SecurID or Microsoft Active Directory.
- Authentication with digital certificates: You can configure the Cisco ASA adaptive security appliance to require digital certificates on clients. Before establishing a connection, the security appliance validates the certificate of the client and allows the connection only if the certificate validates against the public key of the issuing CA, whose certificate is stored on the security appliance.
- Double and triple authentication: Starting with Cisco ASA Software Version 8.2, the SSL VPN remote access software (clientless and Cisco AnyConnect VPN Client) supports double and triple authentication. You can combine certificate authentication with up to two AAA authentication methods that are performed in a row. The following are examples of possible combinations:
  - RSA/Security Dynamics International (SDI) followed by Lightweight Directory Access Protocol (LDAP) authentication
  - Certificates followed by RADIUS
  - Certificates followed by RADIUS, followed by RSA/SDI

Such types of client authentication are deployed to enhance the manageability of users, to integrate VPN deployments with an existing user database infrastructure, or to increase the strength of client authentication.

Deploying Advanced Authentication: Client Password and Server Certificate Authentication
The figure illustrates an example where the clients authenticate the security appliance by using its digital certificate, and the appliance authenticates the clients by using usernames and passwords.
The Cisco ASA adaptive security appliance can validate usernames and passwords on external authentication servers such as the following:
- RADIUS authentication server
- TACACS+ authentication server
- Kerberos authentication server
- Windows authentication server
- LDAP authentication server
- RSA SecurID authentication server

A RADIUS or TACACS+ authentication server can be configured to check the credentials of a user in back-end authentication servers. Back-end authentication servers can include the following:
- Windows authentication server
- LDAP authentication server
- External Open Database Connectivity (ODBC) database
- RSA SecurID authentication server

Deploying Advanced Authentication: Client Certificate and Server Certificate Authentication
The figure illustrates an example where the clients authenticate the security appliance using its digital certificate, and the appliance authenticates the clients using their certificates. When each entity successfully validates the certificate of the other, the SSL VPN connection can be established.

Deploying Advanced Authentication: Server Certificate Authentication, Client Certificate, and AAA Authentication
In the third example, the Cisco ASA adaptive security appliance again authenticates itself to the client using a digital certificate. In this scenario, the client first authenticates itself to the security appliance using a digital certificate. If the Cisco ASA adaptive security appliance successfully validates the client certificate, it prompts the user for a username and password. The security appliance then validates the credentials of the user by using external AAA servers.
This type of advanced authentication is the most secure, but it also requires the most configuration effort.

Deploying Advanced Authentication: Server Certificate-Based Authentication Options
(Figure: Cisco ASA adaptive security appliance identity certificate options)

When you authenticate by using digital certificates, you have different deployment options. For server authentication, you can deploy the Cisco ASA adaptive security appliance identity certificate in two ways:
- Self-signed certificate: This option is not recommended, but it is the only approach if you do not use an external public key infrastructure (PKI). Clients have no trusted issuer against which to validate a self-signed certificate, so the certificate itself has to be distributed to every client out of band; otherwise users learn to click through certificate warnings.
- PKI-obtained certificate: You can configure the Cisco ASA adaptive security appliance to obtain an identity certificate from the external PKI. If you are using a PKI-obtained certificate, clients should have the CA certificate installed locally so that they can verify the identity certificate of the server.

Deploying Advanced Authentication: Client Certificate-Based Authentication Options
(Figure: Client identity certificate options)

For client-side authentication, clients can obtain their identity certificates by using two different options:
- You can enable a local CA on the Cisco ASA adaptive security appliance. In this case, the certificates of clients are issued and managed by the security appliance. The appliance still needs a self-signed or PKI-provided certificate to authenticate itself to clients.
- You can use an external PKI to issue identity certificates to the Cisco ASA adaptive security appliance and the clients. In this case, certificates are managed by an external PKI system. If you are using a PKI-obtained certificate, the server should have the CA certificate installed locally to verify the identity certificates of clients.
If you are using a local CA on the security appliance, the appliance creates a self-signed certificate, which is used to sign the certificates that are issued to clients.

Note: The local CA on the Cisco ASA adaptive security appliance can be used for SSL VPNs only.

Deploying Advanced Authentication: Deployment Options
You have these options when deploying advanced authentication for SSL VPNs:
- Deploy advanced password-based client authentication
- Deploy certificate-based client authentication using the Cisco ASA adaptive security appliance local CA
- Configure certificate-to-connection-profile mappings
- Deploy certificate-based client authentication by using an external CA
- Deploy advanced PKI integration
- Deploy double client authentication

When deploying advanced authentication for SSL VPN connections on the Cisco ASA adaptive security appliance, you need specific input parameters:
- Existing user databases and their location: This parameter is needed to integrate the Cisco ASA adaptive security appliance with the external user databases.
- Strength of existing user credentials: This parameter is needed to determine whether an existing database is suitable for remote access connections.
- Existing authentication protocols: This parameter is needed to determine authentication protocol compatibility.
- PKI information: This parameter is needed to enroll the Cisco ASA adaptive security appliance and clients into a PKI.
- Time-synchronization options: This parameter is needed when you are using digital certificates. Certificate validity periods and revocation data are checked against the local clock, so the time on all entities that are involved in authentication must be synchronized (for example, with NTP).

Deploying External AAA Authentication
This topic describes how to configure and verify external AAA client authentication.

Configure External AAA Authentication: Overview
Native RADIUS or TACACS+ authentication:
- Requires no special configuration
LDAP authentication:
- Requires login to LDAP
- Requires LDAP search parameters
RSA SecurID authentication:
- Native SDI and RADIUS protocol support
- Supports the required features (next PIN mode, PIN change, and so on)
- Requires the key file to be imported
- Must be first in the AAA authentication chain

When configuring password-based client authentication, the following options are recommended:
- RADIUS or TACACS+ authentication: In this case, no special configuration is needed on the Cisco ASA adaptive security appliance. You only need to provide the IP address and shared key of the authentication server.
- LDAP authentication: When using authentication with an LDAP server, you have to provide the IP address of the LDAP server on the Cisco ASA adaptive security appliance. The security appliance has to log into the LDAP server. Therefore, you also have to add the Cisco ASA adaptive security appliance as a user that has enough privileges to search for users in the LDAP server. Additionally, you must provide LDAP search parameters, which include the base distinguished name (DN) and the scope of the search.
- RSA SecurID authentication: The Cisco ASA adaptive security appliance supports the native SDI or RADIUS protocol between the security appliance and the RSA SecurID server. If multiple AAA servers are consulted in a row, the RSA SecurID host must be the first in the list.
Configure External AAA Authentication: Configuration Tasks
1. Configure a remote authentication server.
2. Enable remote AAA authentication for a connection profile.

These are the configuration tasks when configuring advanced password-based client authentication:
1. Configure a remote authentication server on the Cisco ASA adaptive security appliance.
2. Enable remote AAA authentication in a connection profile.

The figure shows an example that will serve as the configuration scenario for the ongoing configuration tasks. First, you will configure RADIUS, LDAP, and RSA SecurID authentication servers. Then, you will enable remote AAA authentication using the configured servers in a connection profile.

Configure External AAA Authentication: Task 1: Configure a RADIUS Authentication Server
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

In the first configuration task in this sequence, you will configure a AAA group to include the RADIUS authentication server and the authentication protocol of the group. You may also reuse an existing AAA group that is defined on the Cisco ASA adaptive security appliance.

To configure a RADIUS authentication server using the Cisco Adaptive Security Device Manager (ASDM), first create a RADIUS server group and then configure an individual server in the AAA server group. To create a AAA server group by using Cisco ASDM, complete the following steps:
Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups. The AAA Server Groups panel is displayed (not shown in the figure).
Step 2 Click Add in the AAA Server Groups area (not shown in the figure). The Add AAA Server Group window opens.
Step 3 Enter a name for the server group in the Server Group field.
This example uses the name MY-RADIUS-SVRS for the AAA server group.
Step 4 From the Protocol drop-down list, choose the AAA protocol that the servers in the group support. You can choose RADIUS, TACACS+, Microsoft Windows NT Domain, SDI, Kerberos, LDAP, or HTTP Form. In the figure, RADIUS is chosen.
Step 5 Click OK.

To configure an individual authentication server in the RADIUS server group, complete the following steps:
Step 1 Choose the configured server group from the AAA Server Groups table in the AAA Server Groups panel (not shown in the figure).
Step 2 Click Add in the Servers in Selected Group area of the AAA Server Groups panel (not shown in the figure). The Add AAA Server window opens.
Step 3 From the Interface Name drop-down list, choose the interface where the AAA server resides. In the figure, the inside interface is chosen.
Step 4 Enter the name or IP address of the AAA server in the Server Name or IP Address field. In the figure, 10.10.10.21 is entered.
Step 5 Optionally, specify the server authentication and accounting ports. RADIUS uses UDP port 1812 for RADIUS authentication messages and UDP port 1813 for RADIUS accounting messages. Some earlier RADIUS implementations use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. In the figure, the default ports 1645 and 1646 are used; make sure that the ports match the ports on which the RADIUS server listens.
Step 6 Enter an alphanumeric value of up to 64 characters in the Server Secret Key field. The server secret key is shared between the security appliance and the RADIUS (access control server [ACS]) server. RADIUS uses it to hide the User-Password attribute in requests and to authenticate the responses of the server; it does not encrypt the rest of the RADIUS exchange, so the path between the security appliance and the RADIUS server should be a trusted network segment. The key must be the same on both the security appliance and the RADIUS (ACS) server. The key value is case-sensitive. The Server Secret Key field displays only asterisks.
Step 7 Click OK.
Step 8 Click Apply to apply the configuration.
Configure External AAA Authentication: Task 1: Configure an LDAP Authentication Server (Cont.)
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

To configure an LDAP authentication server by using Cisco ASDM, first create an LDAP server group, and then configure individual servers in the AAA server group. To create a AAA server group by using Cisco ASDM, complete the following steps:
Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups. The AAA Server Groups panel is displayed (not shown in the figure).
Step 2 Click Add in the AAA Server Groups area (not shown in the figure). The Add AAA Server Group window opens.
Step 3 Enter a name for the server group in the Server Group field. This example uses the name MY-LDAP-SVRS for the AAA server group.
Step 4 From the Protocol drop-down list, choose the AAA protocol that the servers in the group support. You can choose RADIUS, TACACS+, Windows NT Domain, SDI, Kerberos, LDAP, or HTTP Form. In the figure, LDAP is chosen.
Step 5 Click OK.

To configure an individual authentication server in the LDAP server group, complete the following steps:
Step 1 Choose the configured server group from the AAA Server Groups table in the AAA Server Groups panel (not shown in the figure).
Step 2 Click Add in the Servers in Selected Group area of the AAA Server Groups panel (not shown in the figure). The Add AAA Server window opens.
Step 3 From the Interface Name drop-down list, choose the interface where the AAA server resides. In the figure, the inside interface is chosen.
Step 4 Enter the name or IP address of the AAA server in the Server Name or IP Address field. In the figure, 10.10.10.22 is entered.
Step 5 Optionally, check the Enable LDAP over SSL check box to enable secure communication between the Cisco ASA adaptive security appliance and the LDAP server. It is recommended to enable this option: without it, the bind password of the login DN and the passwords of authenticating users cross the network in cleartext inside the LDAP simple bind operation.
Step 6 Optionally, specify a nondefault port for communication between the Cisco ASA adaptive security appliance and the LDAP server by entering a number in the Server Port field. By default, LDAP uses port 389 and LDAP over SSL (LDAPS) uses port 636.
Step 7 Choose an LDAP server type from the Server Type drop-down menu. You have the following options:
- Detect Automatically/Use Generic Type
- Microsoft
- Novell
- OpenLDAP
- Sun
In the example, the Microsoft server type is selected.
Step 8 In the Base DN field, enter a base distinguished name (DN), that is, the location in the LDAP hierarchy where the server should begin searching when it receives an LDAP request. In the example, cn=users,dc=domain,dc=com is entered as the base DN.
Step 9 Choose an option from the Scope drop-down menu to specify the extent to which the server should search the LDAP hierarchy when it receives an authorization request. The available options include the following:
- One Level: Searches only one level beneath the base DN. This option is quicker.
- All Levels: Searches all levels beneath the base DN. This option tells the server to search the entire subtree hierarchy. This option takes more time.
In the example, the All Levels option is selected.
Step 10 Enter a login DN in the Login DN field. This name should be the DN of a user who has enough privileges to search for users in the LDAP server. In the example, cn=vpngateway,cn=users,dc=domain,dc=com is entered. Use a dedicated account with read-only rights for this purpose, because its password is stored in the configuration of the security appliance.
Step 11 Enter the password for the login DN user account in the Login Password field.

Note: The Cisco ASA adaptive security appliance uses the login DN and login password to establish trust (bind) with an LDAP server.
The login DN represents a user record in the LDAP server that the administrator uses for binding.

Step 12 Optionally, enable Simple Authentication and Security Layer (SASL) authentication by checking the SASL MD5 Authentication or SASL Kerberos Authentication check box.
Step 13 Click OK.
Step 14 Click Apply to apply the configuration.

Configure External AAA Authentication: Task 1: Configure an RSA Authentication Server (Cont.)
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups

To configure an RSA authentication server by using Cisco ASDM, first create an RSA server group, and then configure an individual server in the AAA server group. To create a AAA server group by using Cisco ASDM, complete the following steps:
Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups. The AAA Server Groups panel is displayed (not shown in the figure).
Step 2 Click Add in the AAA Server Groups area (not shown in the figure). The Add AAA Server Group window opens.
Step 3 Enter a name for the server group in the Server Group field. This example uses the name MY-RSA-SVRS for the AAA server group.
Step 4 From the Protocol drop-down list, choose the AAA protocol that the servers in the group support. You can choose RADIUS, TACACS+, Windows NT Domain, SDI, Kerberos, LDAP, or HTTP Form. In the figure, SDI is chosen.
Step 5 Click OK.

To configure an individual authentication server in the SDI server group, complete the following steps:
Step 1 Choose the configured server group from the AAA Server Groups table in the AAA Server Groups panel (not shown in the figure).
Step 2 Click Add in the Servers in Selected Group area of the AAA Server Groups panel (not shown in the figure). The Add AAA Server window opens.
Step 3 From the Interface Name drop-down list, choose the interface where the AAA server resides.
In the figure, the inside interface is chosen.
Step 4 Enter the name or IP address of the AAA server in the Server Name or IP Address field. In the figure, 10.10.10.23 is entered.
Step 5 Click OK.
Step 6 Click Apply to apply the configuration.

Configure External AAA Authentication: Task 2: Enable Remote AAA Authentication
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

You can enable remote AAA authentication for the default connection profile to ensure that a strong authentication method is used by default. To enable remote AAA authentication for the default connection profile by using Cisco ASDM, complete the following steps:
Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. The AnyConnect Connection Profiles window is displayed (not shown in the figure).
Step 2 Choose the DefaultWebVPNGroup connection profile from the Connection Profiles table.
Step 3 Click Edit (not shown in the figure). The Edit SSL VPN Connection Profile window is displayed, as shown in the figure.
Step 4 Click the AAA radio button.
Step 5 Choose the configured AAA server group from the AAA Server Group drop-down menu. In the example, the MY-RADIUS-SVRS server group is selected.
Step 6 Optionally, check the Use Local If Server Group Fails check box to enable fallback to the local database if the server group fails. This selection is generally not recommended: whenever the AAA servers are unreachable, whether through an outage or because an attacker made them unreachable, users can authenticate against the local database, which is usually not covered by the password policy, lockout, or one-time password controls of the central AAA servers.
Step 7 Click OK.
Step 8 Click Apply to apply the configuration.

Configure External AAA Authentication: Task 2: Enable Remote AAA Authentication (Cont.)
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Repeat the steps that are described in the previous figure to enable remote AAA authentication for any other connection profiles. In the example, the BASIC-ANYCONNECT-PROFILE is also configured for authentication with the authentication server in the MY-RADIUS-SVRS server group.

Configure External AAA Authentication: CLI Configuration
(Figure: CLI configuration of the MY-RADIUS-SVRS, MY-LDAP-SVRS, and MY-RSA-SVRS server groups and of the authentication-server-group setting of the BASIC-ANYCONNECT-PROFILE connection profile)

To configure advanced password-based authentication using the command-line interface (CLI), use the following commands.

To create a AAA server group, use the aaa-server command, followed by a server group name and the authentication protocol. To add a server to the server group, use the aaa-server command, followed by the server group name, the interface through which the server is reachable, and the IP address of the server. To configure the shared key that is used for communication between the Cisco ASA adaptive security appliance and the RADIUS server, use the key command in AAA server host configuration mode.

In the example, three server groups are configured. The MY-RADIUS-SVRS server group is configured as a RADIUS server group, and the server at the 10.10.10.21 address is configured as a member of the MY-RADIUS-SVRS server group. The MY-LDAP-SVRS server group is configured as an LDAP server group, and the server at the 10.10.10.22 address is configured as a member of the MY-LDAP-SVRS server group. The MY-RSA-SVRS server group is configured as an RSA server group, and the server at the 10.10.10.23 address is configured as a member of the MY-RSA-SVRS server group.

To configure parameters for the LDAP server, use the following commands in AAA server host configuration mode.
Use the server-port command to specify the port that is used between the Cisco ASA adaptive security appliance and the LDAP server. Use the ldap-base-dn command to specify where the server should begin searching when it receives an authentication request. Use the ldap-scope command to specify the extent of the search in the LDAP hierarchy. Use the ldap-naming-attribute command to specify the relative distinguished name attribute. Use the ldap-login-dn and ldap-login-password commands to specify the name and password that the Cisco ASA adaptive security appliance will use to search the LDAP directory. Use the sasl-mechanism command to enable SASL authentication, and use the ldap-over-ssl enable command to enable LDAPS. Use the server-type command to specify the LDAP authentication server type.

To enable AAA authentication for a connection profile (tunnel group) by using the CLI, use the authentication-server-group command, followed by the AAA server group name, in tunnel-group general-attributes configuration mode. In the example, the connection profile BASIC-ANYCONNECT-PROFILE is configured for authentication using the MY-RADIUS-SVRS server group.

aaa-server
To create a AAA server group and configure AAA server parameters that are group-specific and common to all group hosts, use the aaa-server command in global configuration mode. To remove the designated group, use the no form of this command.

aaa-server server-tag protocol server-protocol

aaa-server Parameters
- server-tag: Specifies the server group name, which is matched by the name that is specified by the aaa-server host commands. Other AAA commands make reference to the AAA server group name.
- protocol server-protocol: Specifies the AAA protocol that the servers in the group support:
  - http-form
  - kerberos
  - ldap
  - nt
  - radius
  - sdi
  - tacacs+
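The following is an added, complete CLI rendering of the scenario described in this topic, written for this edition and not reproduced from the course figure. The group names, the 10.10.10.21, 10.10.10.22 and 10.10.10.23 server addresses, the base DN and login DN, and the BASIC-ANYCONNECT-PROFILE name come from the text; the second RADIUS host at 10.10.10.31 (added to show the redundancy the implementation guidelines call for), the shared secret, the bind password, the naming attribute, and the port and timer values are placeholders chosen here. Lines beginning with ! are annotations.

```cisco
! --- Task 1: RADIUS server group (protocol mode holds group-wide settings) ---
aaa-server MY-RADIUS-SVRS protocol radius
 max-failed-attempts 3
 reactivation-mode timed
! Primary RADIUS host (host mode holds host-specific settings).
! The key hides User-Password and authenticates replies; it does not
! encrypt the exchange, so keep the server on a trusted segment.
aaa-server MY-RADIUS-SVRS (inside) host 10.10.10.21
 key R4dius-Sh4red-S3cret-CHANGE-ME
 authentication-port 1645
 accounting-port 1646
 timeout 5
! Second host in the same group for redundancy (assumed address)
aaa-server MY-RADIUS-SVRS (inside) host 10.10.10.31
 key R4dius-Sh4red-S3cret-CHANGE-ME
 authentication-port 1645
 accounting-port 1646
 timeout 5
!
! --- Task 1: LDAP server group and host (Microsoft Active Directory over LDAPS) ---
aaa-server MY-LDAP-SVRS protocol ldap
aaa-server MY-LDAP-SVRS (inside) host 10.10.10.22
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn cn=users,dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=vpngateway,cn=users,dc=domain,dc=com
 ldap-login-password B1nd-P4ssword-CHANGE-ME
!
! --- Task 1: RSA SecurID (SDI) server group and host ---
aaa-server MY-RSA-SVRS protocol sdi
aaa-server MY-RSA-SVRS (inside) host 10.10.10.23
!
! --- Task 2: bind the RADIUS group to the connection profile ---
tunnel-group BASIC-ANYCONNECT-PROFILE general-attributes
 authentication-server-group MY-RADIUS-SVRS
! The line below is what the ASDM check box "Use Local If Server Group
! Fails" generates. It is shown, commented out, only so that the weaker
! setting is recognisable in a configuration review:
!  authentication-server-group MY-RADIUS-SVRS LOCAL
```

After the configuration is applied, show aaa-server MY-RADIUS-SVRS displays the state of each host in the group, and test aaa-server authentication MY-RADIUS-SVRS host 10.10.10.21 username <user> password <password> exercises the path to one server without opening a VPN session; the same test against MY-LDAP-SVRS confirms the bind credentials, the base DN, and the LDAPS connection before any user is affected.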
aaa-server host
To configure a AAA server as part of a AAA server group, and to configure AAA server parameters that are host-specific, use the aaa-server host command in global configuration mode. When you use the aaa-server host command, you enter aaa-server host configuration mode, from which you can specify and manage host-specific AAA server connection data. To remove a host configuration, use the no form of this command.

aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]

aaa-server host Parameters
- (interface-name): (Optional) Specifies the network interface where the authentication server resides. The parentheses are required in this parameter. If you do not specify an interface, the default is the inside interface, if available.
- key: (Optional) Specifies a case-sensitive, alphanumeric keyword of up to 127 characters that is the same value as the key on the RADIUS or TACACS+ server. Any characters that are entered past the 127-character maximum are ignored. The key is used between the adaptive security appliance and the server to protect the data that is exchanged between them (TACACS+ encrypts the packet body with it; RADIUS uses it only to hide the User-Password attribute and to authenticate responses). The key must be the same on both the adaptive security appliance and the server. Spaces are not permitted in the key, but other special characters are allowed. You can add or modify the key using the key command in host mode.
- name: Specifies the name of the server, using either a name that is assigned locally using the name command or a Domain Name System (DNS) name. The maximum number of characters is 128 for DNS names and 63 for names that are assigned using the name command.
- server-ip: Specifies the IP address of the AAA server.
- server-tag: Specifies a symbolic name of the server group, which is matched by the name that is specified by the aaa-server command.
- timeout seconds: (Optional) The timeout interval for the request. This value is the time after which the adaptive security appliance gives up on the request to the primary AAA server.
If there is a standby AAA server, the adaptive security appliance sends the request to the backup server. You can modify the timeout interval by using the timeout command in host mode.

ldap-base-dn
To specify the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request, use the ldap-base-dn command in aaa-server host configuration mode. The aaa-server host configuration mode is accessible from the aaa-server protocol configuration mode. To remove this specification, thus resetting the search to start at the top of the list, use the no form of this command.

ldap-base-dn string

ldap-base-dn Parameters
- string: A case-sensitive string of up to 128 characters that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request; for example, OU=Cisco. Spaces are not permitted in the string, but other special characters are allowed.

ldap-scope
To specify the extent to which the server should search the LDAP hierarchy when it receives an authorization request, use the ldap-scope command in aaa-server host configuration mode. The aaa-server host configuration mode is accessible from the aaa-server protocol configuration mode. To remove this specification, use the no form of this command.

ldap-scope scope

ldap-scope Parameters
- scope: The number of levels in the LDAP hierarchy in which the server should search when it receives an authorization request. Valid values include the following:
  - onelevel: Search only one level beneath the base DN.
  - subtree: Search all levels beneath the base DN.

ldap-naming-attribute
To specify the relative distinguished name attribute, use the ldap-naming-attribute command in aaa-server host configuration mode. The aaa-server host configuration mode is accessible from the aaa-server protocol configuration mode.
To remove this specification, use the no form of this command.

ldap-naming-attribute string

ldap-naming-attribute Parameters
- string: The case-sensitive, alphanumeric relative distinguished name attribute, consisting of up to 128 characters, that uniquely identifies an entry on the LDAP server. Spaces are not permitted in the string, but other special characters are allowed.

ldap-login-dn
To specify the name of the directory object with which the system should bind, use the ldap-login-dn command in aaa-server host configuration mode. The aaa-server host configuration mode is accessible from the aaa-server protocol configuration mode. To remove this specification, use the no form of this command.

ldap-login-dn string

ldap-login-dn Parameters
- string: A case-sensitive string of up to 128 characters that specifies the name of the directory object in the LDAP hierarchy. Spaces are not permitted in the string, but other special characters are allowed.

ldap-login-password
To specify the login password for the LDAP server, use the ldap-login-password command in aaa-server host configuration mode. The aaa-server host configuration mode is accessible from the aaa-server protocol configuration mode. To remove this password specification, use the no form of this command.

ldap-login-password string

ldap-login-password Parameters
- string: A case-sensitive, alphanumeric password, up to 64 characters long. The password cannot contain space characters.

ldap-over-ssl
To establish a secure SSL connection between the adaptive security appliance and the LDAP server, use the ldap-over-ssl command in aaa-server host configuration mode. To disable SSL for the connection, use the no form of this command.

ldap-over-ssl enable

ldap-over-ssl Parameters
- enable: Specifies that SSL secures the connection to an LDAP server.

sasl-mechanism
To specify a SASL mechanism for authenticating an LDAP client to an LDAP server, use the sasl-mechanism command in aaa-server host configuration mode. The SASL authentication mechanism options are digest-md5 and kerberos. To disable an authentication mechanism, use the no form of this command.

sasl-mechanism {digest-md5 | kerberos server-group-name}

Note: Because the adaptive security appliance serves as a client proxy to the LDAP server for VPN users, the LDAP client that is referred to here is the adaptive security appliance.

sasl-mechanism Parameters
- digest-md5: The adaptive security appliance responds with a Message Digest 5 (MD5) value that is computed from the username and password.
- kerberos: The adaptive security appliance responds by sending the username and realm using the Generic Security Services Application Programming Interface (GSSAPI) Kerberos mechanism.
- server-group-name: Specifies the Kerberos aaa-server group, up to 64 characters.

server-type
To manually configure the LDAP server model, use the server-type command in aaa-server host configuration mode. The adaptive security appliance supports the following server models:
- Microsoft Active Directory
- Sun Microsystems Java System Directory Server, formerly named the Sun ONE Directory Server
- Generic LDAP directory servers that comply with LDAP version 3 (LDAPv3) (no password management)
To disable this command, use the no form of this command.

server-type {auto-detect | microsoft | sun | generic | openldap | novell}

server-type Parameters
- auto-detect: Specifies that the adaptive security appliance determines the LDAP server type through autodetection.
generic Specifies LDAPy3-compliantcirectory servers other than Sun and Microsoft LDAP cirectory servers. Password management is not supporiea with generic LDAP servers. microsoft Specifies that the LDAP server isa Microsoft Active Directory server. epenidep Specifies that the LDAP server ia an OpenLDAP server novell Specifies that the LDAP server is @ Novell sewer. un Specifies that the LDAP server is @ Sun Micresystems Java System Directory Server authentication-server-group (tunnel-group general-attributes) To specify the AAA server group to use for user authentication fora tunnel group, use the authentication-server-group command in tunnel-group general-attributes configuration mode. To return this attribute to the default, use the no form of this command, authentication-seryer-group [{interface_name)] server_group [LOCAL | NONE] authentication-server-group (tunnel-group general-attributes) Parameters Parameter Description face_nat (Optional) Specifies the interface where the IP Securty (|Psec) tunne! terminates LOCAL (Optional) Requires authentication against the local user database if all of the serversin the server group have been desctivated cue to communication ‘ailures. 
If he server group rame is either LOCAL or NONE, do not use the LOCAL keyword here, NONE, (Optional) Specifies the server group name 2s NONE, indicating that authenticatan is not required server_group Identifies tre previously confgured authentication server or graup of servers, 13 Deploying Caco ASA VPN Solutons (VPN) v3.0 (©2010 Cece Systems, IreVerify External AAA Authentication Implementation Guidelines Consider the following implementation guidelines: © Implement a redundant AAA infrastucture for critical remote- access services * When using static passwords, ensure that user credentials ae strong enough; consider using account lockouton remote AAA servers * Deploy one-time passwords if existing credentials are not adequately strong; also consider migrating to client certificates When implementing advanced password-based client authentication, consider the following implementation guidelines = Create redundant AA infrastructure for critical remote access services © When using static passwords, ensure that user credentials are strong enough; also consider Using account lockout on remote AAA servers © Deploy one-time passwords (OTPs) if existing credentials are not adequately strong; also consider migrating to client certificates ©2010 Cece Syetems, ne, Dapaymant of Caco ASA Aaactve Sacurty Applanoa Ar/Connect Remate Access VPN Solutone 3037Deploying Certificate-Based Client Authentication Using the Cisco ASA Adaptive Security Appliance Local CA ‘Thistopic describes how to configure and verify the local CA on the Cisco ASA adaptive security appliance and the Cisco AnyConnect client by using client certificates that are provisioned by the security appliance. Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA Configuration Scenario 5 When you configure eertificate-based client authentication, you can configure the local certificate authority (CA) feature on the Cisco ASA adaptive security appliance. 
This local CA is capable of provisioning and managing identity certificates for clients. However, the local CA cannot issue an identity certificate to the Cisco ASA adaptive security appliance. That is why the security appliance has to obtain an identity certificate from an external PKI system. This identity certificate is signed by the external CA. When you configure the local CA on the Cisco ASA adaptive security appliance, the appliance generates an additional self-signed certificate that is used to sign the identity certificates that are issued to the clients. When a client requests an identity certificate from the appliance, the appliance creates an identity certificate and signs it with its local CA root certificate. The identity certificate of the client can then be downloaded by the client. However, before a user can download its identity certificate from the Cisco ASA adaptive security appliance, you have to create user accounts on the appliance for users who will be eligible to obtain an identity certificate from the local CA of the security appliance.

When the client and the Cisco ASA adaptive security appliance want to establish an SSL VPN connection, they first have to exchange identity certificates. The security appliance sends its PKI-obtained identity certificate to the client. The client verifies the certificate of the Cisco ASA adaptive security appliance by using the certificate of the external CA, which has to be installed on the client. The client also sends its identity certificate (which has been obtained from the Cisco ASA adaptive security appliance) to the security appliance. The appliance verifies the client identity certificate using its self-signed local CA certificate, which was used to sign the identity certificate of the client in the first place. If both certificates can be verified, the client and the Cisco ASA adaptive security appliance establish the SSL VPN connection.
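The two trust anchors described above (the external CA that vouches for the appliance, and the appliance's own self-signed local CA that vouches for clients) are easy to get wrong when troubleshooting, so here is an added illustration of the relationships; it is not Cisco code and does not reproduce the appliance's PKI. It models signing with textbook RSA over small fixed primes (a toy, never to be used for real keys) and shows which verification succeeds under which anchor. The names ExternalCA, asa.example.com and the client DN are constructed sample values.

```python
"""Two trust anchors in the local-CA scenario (added toy model, not Cisco code)."""
import hashlib
from dataclasses import dataclass, replace

# Fixed small primes keep the example deterministic and fast. Toy sizes only:
# the appliance's local CA generates 512- to 2048-bit keys (see keysize).
_TOY_PRIMES = [(104729, 1299709), (15485863, 32452843),
               (49979687, 67867967), (86028121, 179424673)]
_E = 65537


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    pub_n: int        # subject's public modulus (public exponent is _E)
    signature: int    # issuer's signature over the to-be-signed fields

    def tbs(self) -> bytes:
        # The fields covered by the signature; changing any of them
        # (for example the OU used for profile mapping) breaks verification.
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()


def make_keypair(index: int) -> KeyPair:
    p, q = _TOY_PRIMES[index]
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=_E, d=pow(_E, -1, phi))


def _digest(data: bytes, n: int) -> int:
    # Hash the to-be-signed bytes and reduce into the signer's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(subject: str, subject_key: KeyPair, issuer: str, issuer_key: KeyPair) -> Certificate:
    """Issuer signs the subject's name and public key (self-signed when both keys are the same)."""
    tbs = f"{subject}|{issuer}|{subject_key.n}".encode()
    sig = pow(_digest(tbs, issuer_key.n), issuer_key.d, issuer_key.n)
    return Certificate(subject, issuer, subject_key.n, sig)


def verify(cert: Certificate, anchor: Certificate) -> bool:
    """Chain check in miniature: issuer must name the anchor, signature must verify under its key."""
    if cert.issuer != anchor.subject:
        return False
    return pow(cert.signature, _E, anchor.pub_n) == _digest(cert.tbs(), anchor.pub_n)


def build_scenario() -> dict:
    """The four certificates of the scenario, keyed by role (constructed names)."""
    external_ca_key, asa_key = make_keypair(0), make_keypair(1)
    local_ca_key, client_key = make_keypair(2), make_keypair(3)
    ext = "CN=ExternalCA"
    local = "CN=asa.example.com-LocalCA"
    return {
        "external_ca": issue(ext, external_ca_key, ext, external_ca_key),
        "asa_identity": issue("CN=asa.example.com", asa_key, ext, external_ca_key),
        "local_ca": issue(local, local_ca_key, local, local_ca_key),
        "client_identity": issue("CN=jdoe,OU=Engineering", client_key, local, local_ca_key),
    }


def handshake_checks(certs: dict) -> dict:
    """The verifications performed during the SSL VPN certificate exchange, plus two negatives."""
    forged = replace(certs["client_identity"], subject="CN=jdoe,OU=Finance")
    return {
        # Client side: appliance identity cert checked against the installed external CA cert.
        "client_trusts_asa": verify(certs["asa_identity"], certs["external_ca"]),
        # Appliance side: client identity cert checked against its own local CA cert.
        "asa_trusts_client": verify(certs["client_identity"], certs["local_ca"]),
        # Wrong anchor: the external CA never signed client certificates.
        "client_cert_under_external_ca": verify(certs["client_identity"], certs["external_ca"]),
        # Wrong anchor: the local CA cannot vouch for the appliance's own identity.
        "asa_cert_under_local_ca": verify(certs["asa_identity"], certs["local_ca"]),
        # Edited subject attributes no longer match the local CA signature.
        "tampered_client_cert": verify(forged, certs["local_ca"]),
    }


if __name__ == "__main__":
    for check, ok in handshake_checks(build_scenario()).items():
        print(f"{check}: {ok}")
```

The two negative checks are the ones worth remembering when a connection fails with a certificate error: a client that has only the appliance's local CA certificate installed cannot validate the appliance, and the appliance validates clients with the local CA certificate, not with the external CA that signed its own identity.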
The figure shows an example that will serve as a configuration scenario for the ongoing configuration tasks. First, you will configure a local CA on the Cisco ASA adaptive security appliance and create a user account for a user to download a certificate. Then, you will enable certificate-based authentication for the BASIC-ANYCONNECT-PROFILE connection profile. Lastly, you will configure mapping between the certificate and the connection profile to map users to the BASIC-ANYCONNECT-PROFILE connection profile.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Configuration Tasks
Perform these configuration tasks to configure certificate-based client authentication by using the local CA of the Cisco ASA adaptive security appliance:
1. Configure the Cisco ASA adaptive security appliance local CA.
2. Create CA user accounts.
3. Provision client identity certificates.
4. Install a client certificate on the Cisco AnyConnect VPN Client.
5. Map certificates to connection profiles.
6. Enable client certificate authentication for a connection profile.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 1: Configure the Local CA of the Cisco ASA Adaptive Security Appliance
To configure the Cisco ASA adaptive security appliance local CA by using Cisco ASDM, complete the following steps:
Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server (not shown in the figure). The CA Server panel is displayed.
Step 2 Check the Create Certificate Authority Server check box.
Step 3 Click the Enable radio button to activate the local CA server. The default is disabled. After you enable the local CA server, the security appliance generates the local CA server certificate, key pair, and necessary database files. It then archives the local CA server certificate and key pair in a Public Key Cryptography Standard #12 (PKCS12) file.
Step 4 When you enable the local CA for the first time, you must provide an alphanumeric enable passphrase, which must have a minimum of seven alphanumeric characters. The passphrase protects the local CA certificate and the local CA certificate key pair that is archived in storage. It also secures the local CA server from unauthorized or accidental shutdown. The passphrase is required to unlock the PKCS12 archive if the local CA certificate or key pair is lost and must be restored.
Step 5 Enter the issuer subject name into the Issuer Name input field in CN=FQDN format. By default, this field is populated with CN=hostname.domain_name.
Step 6 From the CA Server Key Size drop-down list, choose the CA server key size of the key pair to be generated for the CA certificate. Key sizes can be 512, 768, 1024, or 2048 bits per key. The default is 1024 bits per key.
Step 7 From the Client Key Size drop-down list, choose the client key size of the key pair to be generated for each user certificate that is issued by the local CA server. Key sizes can be 512, 768, 1024, or 2048 bits per key. The default is 1024 bits per key.
Step 8 Enter the CA certificate lifetime value into the CA Certificate Lifetime input field. This value specifies the number of days that the CA server certificate is valid. The default is 3650 days (10 years).
Step 9 Enter the client certificate lifetime value into the Client Certificate Lifetime input field. This value specifies the number of days that a user certificate that is issued by the CA server is valid. The default is 365 days (1 year).
Step 10 In the Simple Mail Transfer Protocol (SMTP) Server & Email Settings area, you set up email access for the local CA server by specifying the settings that follow. The local CA needs email access if you want to send email notifications with instructions on how to obtain an identity certificate to users. Complete the following substeps to set up email access:
- Enter the SMTP mail server name or IP address. Alternatively, click the ellipsis (...) to display the Browse Server Name/IP Address dialog box, where you can choose the server name or IP address. Click OK when you are finished to close the Browse Server Name/IP Address dialog box.
- Enter the address from which to send email messages to local CA users, in adminname@host.com format. Automatic email messages carry OTPs to newly enrolled users and issue email messages when certificates need to be renewed or updated.
- Enter the subject, which specifies the subject line in all messages that are sent to users by the local CA server. If you do not specify a subject, the default is Certificate Enrollment Invitation.
Step 11 Optionally, configure additional options by clicking the More Options drop-down bar (not shown in the figure).
Step 12 Optionally, enter the certificate revocation list (CRL) distribution point location into the CRL Distribution Point URL input field. The default location is http://hostname.domain/+CSCOCA+/asa_ca.crl (not shown in the figure).
Step 13 Optionally, specify CA database storage by entering a database storage location into the Database Storage Location input field. The security appliance accesses and implements user information, issued certificates, and revocation lists by using a local CA database. Alternatively, to specify an external file, enter the pathname to the external file or click Browse to display the Database Storage Location dialog box (not shown in the figure).
Step 14 Click Apply to apply the configuration.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 2: Create CA User Accounts
When you are finished creating the local CA, you have to create user accounts on the Cisco ASA adaptive security appliance for all users who are eligible to obtain a certificate from the Cisco ASA adaptive security appliance. To create a user account on the local CA using Cisco ASDM, complete the following steps:
Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database (not shown in the figure). The Manage User Database panel is displayed.
Step 2 Click Add in the Manage User Database panel. The Add User window opens.
Step 3 Enter a valid username into the Username input field.
Step 4 Enter the email address of a user into the Email ID input field.
Step 5 Enter the subject name into the Subject (DN String) input field. This name will be used in a certificate as a subject name.
Step 6 Click Add User.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 3A: Provision Client Identity Certificates (Email)
Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Certificates
When you are finished with creating user accounts, a user can obtain a certificate using a web browser or the Cisco AnyConnect client. When a user wants to connect to the Cisco ASA adaptive security appliance by using the Cisco AnyConnect client, and a certificate is needed, the user will get an option to download the certificate. Before downloading the certificate, the user has to authenticate to the Cisco ASA adaptive security appliance by using a username (defined in the previous task when creating user accounts on the local CA) and an OTP, which is generated by the security appliance. A user can be notified about the username and OTP in two different ways. The first way is to allow the Cisco ASA adaptive security appliance to send an email notification to the user. Click the Email OTP button in the Manage User Database panel to send an email notification to the user. An example of the email notification that is composed and sent to the user is shown in the figure.
Note: You have to configure email settings in the SMTP Server & Email Settings area of the CA Server panel in order for the Cisco ASA adaptive security appliance to send email notifications.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 3B: Provision Client Identity Certificates (Out-of-Band)
Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Certificates
Another way to notify the user about the username and OTP is to relay the username and OTP to the user manually (for example, using a phone). Choose a user from the username table and click the Verify/Re-generate OTP button to display the OTP for that specific user. You can then cut and paste the OTP and relay it to the user by using other communication channels.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 4A: Install Client Certificate (Portal)
The figure shows a procedure for how a user can obtain a certificate. If you notify the user by using an email notification, the user can click the link in the email. A web page will open where the user has to enter a username and OTP. When the user enters the correct username and OTP, the certificate will be downloaded. After the user installs the certificate into the appropriate certificate store, the user can authenticate to the Cisco ASA adaptive security appliance by using the certificate.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 4B: Install Client Certificate (Cisco AnyConnect)
A user can also download a certificate by using the Cisco AnyConnect client. If a certificate is required for a connection profile and a user does not have one, the Cisco AnyConnect client will display a Get Certificate button. When the user clicks the button, the Cisco AnyConnect window content changes. A user can then retrieve a certificate by entering a username and OTP and by clicking the Connect button. After the user clicks the Connect button, the certificate will be downloaded and installed automatically into the appropriate certificate store. At that point, an SSL connection will be established automatically.
Note: Before a user can download a certificate using the Cisco AnyConnect client, you have to enable certificate-based authentication for a specific connection profile.
This process is shown in the next, fourth task.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 5: Map Certificates to Connection Profiles
Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps
In this task, you will enable certificate-based authentication for a connection profile. You will first configure mapping between certificates and a connection profile to enable the Cisco ASA adaptive security appliance to use the proper connection profile for users who are authenticating with a certificate. When the Cisco AnyConnect client is establishing a connection with the Cisco ASA adaptive security appliance, the Cisco AnyConnect client immediately tries to authenticate to the security appliance with the client identity certificate that is found in a certificate store (if there is one). The Cisco ASA adaptive security appliance can use the proper connection profile for that user based on the subject attributes in the received client identity certificate.
To configure certificate-to-connection-profile mapping by using Cisco ASDM, complete the following steps:
Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps and click Add under the Certificate to Connection Profile Maps area.
Step 2 Choose an existing map from the map drop-down menu.
Step 3 Alternatively, click the New radio button in the Map area and provide a name for the connection profile map.
Step 4 Configure the rule priority by entering a value into the Priority input field. A rule with a lower priority number will be consulted before a rule with a higher priority number.
Step 5 Choose the desired connection profile from the Mapped to Connection Profile drop-down menu. In the example, BASIC-ANYCONNECT-PROFILE is chosen.
Step 6 Click OK to accept the profile map.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 5: Map Certificates to Connection Profiles (Cont.)
Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps
After the profile map has been configured, configure the rule criterion to identify to the Cisco ASA adaptive security appliance what will be used to map the connecting users to the desired connection profile.
Step 1 At the same Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps submenu, click the Add button under the Mapping Criteria area.
Step 2 Configure the Field, Component, Operator, and Value fields for the mapping criteria. Click OK to accept the changes. The following items can be selected under the Mapping Criteria:
- Field: From the drop-down list, choose the part of the certificate that you want to evaluate.
  - Subject: The person or system that uses the certificate. For a CA root certificate, the subject and issuer are the same.
  - Alternative Subject: The alternative subject names extension allows additional identities to be bound to the subject of the certificate.
  - Issuer: The CA or other entity (jurisdiction) that issued the certificate.
- Component: (Applies only if Subject or Issuer is selected.) Choose the distinguished name component that is used in the rule:
  - Country (C): The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
  - Common Name (CN): The name of a person, system, or other entity. This component is the lowest (most specific) level in the identification hierarchy.
  - DN Qualifier (DNQ): A specific DN attribute.
  - Email Address (EA): The email address of the person, system, or entity that owns the certificate.
  - Generational Qualifier (GENQ): A generational qualifier such as Jr., Sr., or III.
  - Given Name (GN): The first name of the certificate owner.
  - Initials (I): The first letters of each part of the name of the certificate owner.
  - Locality (L): The city or town where the organization is located.
  - Name (N): The name of the certificate owner.
  - Organization (O): The name of the company, institution, agency, association, or other entity.
  - Organizational Unit (OU): The subgroup within the organization.
  - Serial Number (SER): The serial number of the certificate.
  - Surname (SN): The family name or last name of the certificate owner.
  - State/Province (S/P): The state or province where the organization is located.
  - Title (T): The title of the certificate owner, such as Dr.
  - User ID (UID): The identification number of the certificate owner.
  - Unstructured Name (UNAME): The name or names of a subject as an unstructured ASCII string.
  - IP Address (IP): IP address field.
- Operator: Choose the operator that is used in the rule:
  - Equals: The distinguished name field must exactly match the value.
  - Contains: The distinguished name field must include the value within it.
  - Does Not Equal: The distinguished name field must not match the value.
  - Does Not Contain: The distinguished name field must not include the value within it.
- Value: Enter up to 255 characters to specify the object of the operator.
In the example, if the subject organizational unit field of a certificate contains the "Engineering" string, a user with that certificate will be mapped to the BASIC-ANYCONNECT-PROFILE connection profile.
Step 3 Click Apply to apply the configuration.

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: Task 6: Enable Certificate Authentication in Connection Profile
Finally, you have to enable certificate-based authentication for a specific connection profile. To enable certificate-based authentication for a specific connection profile by using Cisco ASDM, complete the following steps:
Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. The AnyConnect Connection Profiles window is displayed (not shown in the figure).
Step 2 Choose a connection profile from the Connection Profiles table and click Edit. In the example, the BASIC-ANYCONNECT-PROFILE has been selected (not shown in the figure). The Edit SSL VPN Connection Profile window is displayed.
Step 3 Click the Certificate radio button in the Authentication section of the window.
Step 4 Click OK.
Step 5 Click Apply to apply the configuration.
Note: The Cisco ASA adaptive security appliance has supported certificate authentication per connection profile since Cisco ASA Software Release 8.2(1).

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA: CLI Configuration
(Figure: CLI configuration example, including the crypto ca certificate map rule with subject-name attr ou co Engineering and the connection profile set to certificate authentication.)
To use the CLI to configure certificate-based authentication using the local CA, use the following commands. To configure the SMTP server that is used to send email notifications, use the smtp-server command. To enable the local CA server, first use the crypto ca server command to enter CA server configuration mode. Inside CA server configuration mode, configure the CA name by using the issuer-name command. Specify the lifetime of issued certificates by using the lifetime certificate command. Use the smtp from-address command to specify the email address that the Cisco ASA adaptive security appliance will use as a from address to send email notifications with certificate download instructions. Specify the size of the key that is used for the CA certificate and the size of the key that is used for the certificates of clients by using the keysize server and keysize commands, respectively. Specify the CRL distribution point that will be included in certificates using the cdp-url command. Finally, enable the local CA server by using the no shutdown command, followed by the passphrase keyword and a password to protect the CA certificate and key pair archive.
To create user accounts for users who are eligible to obtain a certificate, use the crypto ca server user-db add command, followed by the DN and email address of the user. To allow a user to obtain a certificate, use the crypto ca server user-db allow command.
To create a certificate-to-connection-profile mapping using the CLI, use the following commands. First, create a certificate-to-connection-profile map by using the crypto ca certificate map command, followed by a name and rule priority number. Then use the subject-name attr command to specify which attribute in a subject name should contain which value. Finally, configure mapping between a connection profile and connection profile map using the certificate-group-map command in webvpn configuration mode. In the example, if the Cisco ASA adaptive security appliance receives a certificate where the organizational unit field of a subject name contains "Engineering," the Cisco ASA adaptive security appliance will use the BASIC-CONNECTION-PROFILE connection profile for that user.
Finally, enable certificate-based authentication fora speeifie connection profile (tunnel group) using the authentication certificate command in tunnel group configuration mode. ©2010 Cece Systems, ne, Depoymant of Caso ASA Adactve Sacurty Applanca AnyConnect Remote Access VPN Soldione 318%smtp-server ‘To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the attribute from the configuration, use the no form of this command. smtp-server {primary server} [backup_server] smtp-server Parameters Parameter Description ‘backup_se Identifies a backup SMTP server to relay event messages ifthe primary SMTP sever Is unavailable. Use either an IP adcress or DNS name, primary. Identifies the primary SMTP server. Use elther an IP address or DNS name. issuer-name To specify the issuer name DN of all issued certificates, use the issuer-name command in local CA server configuration mode. To remove the subject DN from the centificate authority certificate, use the no form of this command, issuer-name DN-string issuer-name Parameters Parameter Description ‘DN-string | Specifies the distnguished name of the cerlifcate, nhich is also the subject name DN of the sef-signed CA certificate. Use commas to separate attrbute-value pairs, Insert quotation marks around any value that contains a comma, An issuer ame must be less than $00 alphanumeric characters. lifetime (ca server mode) To specify the length of time that the local CA centfieate, each issued user certificate, or the certificate revocation list (CRL) is valid, use the lifetime command in CA server configuration mode. To reset the lifetime to the default setting, use the no form of this command. 
lifetime {ca-certificate | certificate | erl} time lifetime (ca server mode) Parameters Parameter Description ca-certificate | Specifies the lifetime of the local CA server certificate certificate ‘Specifies the lifetime ofall user cerificates that are issued by the CA server, ezl Specifies the lifetime of the CRL tine For the CA certifcate and al issued certificates, time specifies the number of Gays thal the certificate is valid, The valid range is from 1 to 3650 days. For the CRL, time specifies the number of hours that the CRL is valid. The valid range for the CRL is from 1 to 720 hr. smtp from-address To specily the email address to use in the E-mail From field forall emails that are generated by the local CA server (such as distribution of OTPs), use the smtp from-address command in CA server configuration mode. To reset the email address to the default, use the no form of this command, SAEZ Deploying Case ASA VPN Soluions (VPN) v1.0, (©2010 Cece Systems, Irekeysize smtp from-address e-mail_address smtp fromaddress Parameters Doscriation Specifies the email address that appears in the Emall From field of al emai that are generated by the CA server. To specify the size of the public and private key’ that are generated by the local CA server at user certificate enrollment, use the keysize command in CA server configuration mode. 
To reset the key size to the default length of 1024 bits, use the no form of this command.

keysize {512 | 768 | 1024 | 2048}

keysize Parameters

Parameter | Description
512 | Specifies a size of 512 bits for the public and private keys that are generated at certificate enrollment.
768 | Specifies a size of 768 bits for the public and private keys that are generated at certificate enrollment.
1024 | Specifies a size of 1024 bits for the public and private keys that are generated at certificate enrollment.
2048 | Specifies a size of 2048 bits for the public and private keys that are generated at certificate enrollment.

keysize server

To specify the size of the public and private keys that are generated by the local CA server, that is, the size of the key pair of the CA itself, use the keysize server command in CA server configuration mode. To reset the key size to the default length of 1024 bits, use the no form of this command.

keysize server {512 | 768 | 1024 | 2048}

keysize server Parameters

Parameter | Description
512 | Specifies a size of 512 bits for the public and private keys that are generated at certificate enrollment.
768 | Specifies a size of 768 bits for the public and private keys that are generated at certificate enrollment.
1024 | Specifies a size of 1024 bits for the public and private keys that are generated at certificate enrollment.
2048 | Specifies a size of 2048 bits for the public and private keys that are generated at certificate enrollment.

©2010 Cisco Systems, Inc. Deployment of Cisco ASA Adaptive Security Appliance AnyConnect Remote Access VPN Solutions 3-83

cdp-url

To specify the CRL distribution point (CDP) to be included in certificates that are issued by the local CA, use the cdp-url command in CA server configuration mode. To revert to the default CDP, use the no form of this command.

[no] cdp-url url

cdp-url Parameters

Parameter | Description
url | Specifies the URL where a validating party obtains revocation status for certificates that are issued by the local CA. The URL must be fewer than 500 alphanumeric characters.

shutdown (ca-server mode)

To disable the local CA server and render the enrollment interface inaccessible to users, use the shutdown command in CA server configuration mode. To enable the CA server, lock down the configuration from changes, and render the enrollment interface accessible, use the no form of this command.

[no] shutdown

crypto ca server user-db add

To insert a new user into the CA server user database, use the crypto ca server user-db add command in privileged EXEC mode.

crypto ca server user-db add user [dn dn] [email email-address]

crypto ca server user-db add Parameters

Parameter | Description
dn dn | Specifies a subject name distinguished name for certificates that are issued to the added user. If the DN string contains a comma, enclose the value string in double quotes (for example, O="Company, Inc").
email e-mail-address | Specifies the email address for the new user.
user | Specifies a single user to whom enrollment privileges may be granted. The username can be a simple username or an email address.

crypto ca server user-db allow

To permit a user or a group of users to enroll in the local CA server database, use the crypto ca server user-db allow command in privileged EXEC mode. This command also includes options to generate and display OTPs or to email them to the users.

crypto ca server user-db allow {username | all-unenrolled | all-certholders} [display-otp] [email-otp] [replace-otp]

crypto ca server user-db allow Parameters

Parameter | Description
all-certholders | Specifies that enrollment privileges be granted to all users in the database who have been issued a certificate, whether the certificate is currently valid or not. This specification is equivalent to granting renewal privileges.
all-unenrolled | Specifies that enrollment privileges be granted to all users in the database who have not been issued a certificate.
email-otp | (Optional) Sends the specified users OTPs by email to their configured email addresses.
replace-otp | (Optional) Specifies that OTPs be regenerated for all specified users who originally had valid OTPs.
display-otp | (Optional) Displays the OTPs for all specified users on the console.
username | Specifies a single user to whom enrollment privileges may be granted. The username can be a simple username or an email address.

crypto ca certificate map

To enter CA certificate map mode, use the crypto ca certificate map command in global configuration mode. Executing this command places you in CA certificate map mode. Use this group of commands to maintain a prioritized list of certificate mapping rules. The sequence number orders the mapping rules. To remove a crypto CA certificate map rule, use the no form of the command.

crypto ca certificate map {sequence-number | map-name sequence-number}

crypto ca certificate map Parameters

Parameter | Description
map-name | Specifies a name for a certificate-to-group map.
sequence-number | Specifies a number for the certificate map rule that you are creating. The range is 1 through 65,535.
You can use this number when creating a tunnel group map, which maps a tunnel group to a certificate map rule.

subject-name (crypto ca certificate map)

To indicate that a rule entry is applied to the subject DN of the IPsec peer certificate, use the subject-name command in crypto CA certificate map configuration mode. To remove a subject name, use the no form of the command.

subject-name [attr tag] {eq | ne | co | nc} string

subject-name (crypto ca certificate map) Parameters

Parameter | Description
attr tag | Indicates that only the specified attribute value from the certificate DN will be compared to the rule entry string. The tag values are as follows:
- C = Country
- CN = Common name
- DNQ = DN qualifier
- EA = Email address
- GENQ = Generational qualifier
- GN = Given name
- I = Initials
- IP = IP address
- L = Locality
- N = Name
- O = Organization name
- OU = Organizational unit
- SER = Serial number
- SN = Surname
- SP = State/Province
- T = Title
- UNAME = Unstructured name
co | Specifies that the rule entry string must be a substring of the DN string or indicated attribute.
eq | Specifies that the DN string or indicated attribute must match the entire rule string.
nc | Specifies that the rule entry string must not be a substring of the DN string or indicated attribute.
ne | Specifies that the DN string or indicated attribute must not match the entire rule string.
string | Specifies the value to be matched.

certificate-group-map

To associate a rule entry from a certificate map with a tunnel group, use the certificate-group-map command in webvpn configuration mode. To clear current tunnel group map associations, use the no form of this command.

certificate-group-map certificate_map_name index tunnel_group_name

certificate-group-map Parameters

Parameter | Description
certificate_map_name | The name of a certificate map.
index | The numeric identifier for a map entry in the certificate map. The index value can range from 1 to 65,535.
tunnel_group_name | The name of the tunnel group that is chosen if the map entry matches the certificate. The tunnel group name must already exist.

authentication-certificate

To request a certificate from a WebVPN client that is establishing a connection, use the authentication-certificate command in webvpn configuration mode. To cancel the requirement for a client certificate, use the no form of this command.

authentication-certificate interface-name

authentication-certificate Parameters

Parameter | Description
interface-name | The name of the interface that is used to establish the connection. Available interface names include the following: Inside (name of interface GigabitEthernet 0/1) and Outside (name of interface GigabitEthernet 0/0).

Configure Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA
Implementation Guidelines

Consider the following implementation guidelines:
- Do not distribute OTPs over untrusted networks.
- Securely provision a CA certificate (the issuer of the identity certificate of the Cisco ASA adaptive security appliance) to the client.

When implementing certificate-based authentication, consider the following implementation guidelines:
- Ensure that you do not distribute OTPs that are needed to obtain the client identity certificates over untrusted networks.
- The local CA is capable of provisioning and managing identity certificates for clients. However, the local CA cannot issue an identity certificate to the Cisco ASA adaptive security appliance. That is why the security appliance has to obtain an identity certificate from an external PKI system. This identity certificate is signed by the external CA. For the client to authenticate the Cisco ASA adaptive security appliance, you must still securely provision a CA certificate (the issuer of the identity certificate of the security appliance) to the client.

Verify Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA
Verify Client Certificates

Internet Explorer > Tools > Internet Options > Content > Certificates

You can verify obtained client certificates by choosing Tools > Internet Options > Content > Certificates in Internet Explorer. A Certificates window is displayed where you can review your certificates. In the example, you can see in the certificate store that there is a certificate that is issued to vpnuser. You can verify the details of the certificate, such as certificate validity, DN, and key length, by double-clicking the certificate.

Verify Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA
Verify Authentication Policy

Monitoring > VPN > VPN Statistics > Sessions > Details

To verify established SSL Cisco AnyConnect sessions using the Cisco ASDM, choose Monitoring > VPN > VPN Statistics > Sessions (not shown in the figure). Choose the SSL VPN Client option from the Filter By drop-down menu to show SSL Cisco AnyConnect connections (not shown in the figure). Select a specific connection from the table and click the Details button (not shown in the figure). The Session Details window is displayed. In the Session Details section of the window, verify which connection profile is used for the connection. In the example, the BASIC-ANYCONNECT-PROFILE is used for the connection. Click the Details tab to verify that certificates are used for authentication.
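The following configuration ties together the local CA commands (keysize, keysize server, cdp-url, shutdown, crypto ca server user-db add and allow), the certificate map commands (crypto ca certificate map, subject-name) and the webvpn commands (authentication-certificate, certificate-group-map) documented above. It is an added example written for this guide, not a configuration taken from the course or from Cisco; the issuer name, hostname, CDP URL, user, tunnel group name and certificate serial number are placeholders, and the comment lines beginning with "!" are ignored by the ASA parser.

```cisco
! ---- Local CA on the ASA (constructed example; issuer, hostname, user and serial are placeholders) ----
crypto ca server
 issuer-name CN=asa-local-ca,O=Example-Corp
 ! 2048-bit keys for the CA key pair and for the client key pairs the CA generates
 keysize server 2048
 keysize 2048
 ! CDP written into every issued certificate; validating parties fetch the CRL from it
 cdp-url http://vpn.example.com/+CSCOCA+/asa_ca.crl
 lifetime certificate 365
 ! "no shutdown" generates the CA key pair and prompts for a passphrase that protects the CA key archive
 no shutdown
!
! ---- Enroll one user: add the record, then grant enrollment and print the OTP on the console ----
crypto ca server user-db add vpnuser dn CN=vpnuser,OU=Engineering,O=Example-Corp email vpnuser@example.com
crypto ca server user-db allow vpnuser display-otp
!
! ---- Map issued certificates to a connection profile ----
! Rule 10 matches only if every subject-name line in it matches (criteria within one rule are ANDed)
crypto ca certificate map ENG-MAP 10
 subject-name attr OU eq Engineering
 subject-name attr O co Example
!
tunnel-group ENG-ANYCONNECT-PROFILE type remote-access
tunnel-group ENG-ANYCONNECT-PROFILE webvpn-attributes
 authentication certificate
!
webvpn
 enable outside
 ! Ask every SSL VPN client on the outside interface for a certificate ...
 authentication-certificate outside
 ! ... and place certificates that match ENG-MAP rule 10 into ENG-ANYCONNECT-PROFILE
 certificate-group-map ENG-MAP 10 ENG-ANYCONNECT-PROFILE
!
! ---- Lifecycle: revoke the certificate of a lost laptop by its hexadecimal serial number ----
crypto ca server revoke 1a
```

The OTP printed by display-otp is the only secret that stands between an attacker and a valid client certificate, which is why the implementation guidelines above insist it never travels over an untrusted network. After the user enrolls, show crypto ca server user-db and show crypto ca server cert-db show the enrollment state and the issued (or revoked) certificates, and a certificate that matches no rule of ENG-MAP falls back to the default connection profile rather than being rejected, so the default profile should not be more permissive than the mapped one.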
Verify Certificate-Based Client Authentication Using the Cisco ASA Security Appliance Local CA
Manage Certificates

Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Certificates

When using the Cisco ASA adaptive security appliance as a local CA, you can use Cisco ASDM to manage certificates that are issued to a client. The management of certificates includes revoking and unrevoking the certificates of users. To revoke or unrevoke a certificate using Cisco ASDM, complete the following steps:

Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Certificates.
Step 2 Select a certificate from the table.
Step 3 Click the Revoke button to revoke the certificate.
Step 4 Click the Unrevoke button to unrevoke a revoked certificate.

To revoke a certificate using the CLI, use the crypto ca server revoke command, followed by the certificate serial number. To unrevoke a certificate, use the crypto ca server unrevoke command, followed by the certificate serial number.

crypto ca server revoke

To mark a certificate that is issued by the local CA server as revoked in the certificate database and the CRL, use the crypto ca server revoke command in privileged EXEC mode.

crypto ca server revoke cert-serial-no

crypto ca server revoke Parameters

Parameter | Description
cert-serial-no | Specifies the serial number of the certificate to be revoked. Enter the serial number in hexadecimal format.

crypto ca server unrevoke

To unrevoke a previously revoked certificate that is issued by the local CA server, use the crypto ca server unrevoke command in privileged EXEC mode.

crypto ca server unrevoke cert-serial-no

crypto ca server unrevoke Parameters

Parameter | Description
cert-serial-no | Specifies the serial number of the certificate to be unrevoked. Enter the serial number in hexadecimal format.

Deploying Advanced PKI Integration

This topic describes how to configure and verify integration with supporting PKI entities.

Configure Advanced PKI Integration
Overview

The Cisco ASA adaptive security appliance must provide revocation methods to reduce the risk of compromised credentials:
- CRLs
- OCSP
- AAA authorization
The appliance may also need a AAA server to provide per-user settings for certificate users.

In some cases of certificate-based client authentication, advanced integration with an existing PKI is needed. Advanced PKI integration includes configuring a revocation method to reduce the risk of compromised certificates. Certificates are considered compromised when a certificate was issued improperly by a CA, or when the private key matching the public key in the certificate is thought to be compromised. For example, if the laptop of a user that stores a certificate and its matching private key is lost, the certificate should be revoked. Another example would be revocation of certificates belonging to users who are no longer employed at the organization. A certificate revocation method can be implemented in the following ways:
- Configuring certificate revocation lists (CRLs): A CRL is a list of serial numbers of certificates that have been revoked and are no longer valid. A CRL is generated and published by the CA that issues the corresponding certificates, and is updated periodically or immediately after a certificate has been revoked. You can configure the Cisco ASA adaptive security appliance to make CRL checks mandatory when authenticating a certificate. The Cisco ASA adaptive security appliance needs a CRL location to verify the certificates of clients. A CRL location can be found in a CRL distribution point (CDP) that is specified in an identity certificate. The security appliance can download a CRL using HTTP, LDAP, or Simple Certificate Enrollment Protocol (SCEP).
- Configuring Online Certificate Status Protocol (OCSP): OCSP is a protocol for obtaining the revocation status of digital certificates. OCSP messages are usually communicated over HTTP. You can configure the Cisco ASA adaptive security appliance to make OCSP checks mandatory when authenticating a certificate. The location of the OCSP server can be configured on the Cisco ASA adaptive security appliance as an OCSP URL that is defined in a match certificate rule, it can be statically configured as an OCSP URL, or it can be taken from the Authority Information Access (AIA) field of the authenticating certificate.

Note: The OCSP server is also termed the OCSP responder.

- Configuring AAA authorization of the certificate of a user: You can also revoke user authorization by deploying an external RADIUS server. When the Cisco ASA adaptive security appliance receives the certificate of a user, it sends a predefined field from the certificate as the username, together with a predefined password (common to all users), to the RADIUS server, which authorizes the user. On the RADIUS server, users with the proper usernames (which match the predefined fields in the user certificates) and passwords have to be configured. If you want to revoke user authorization, you delete or disable the user account that corresponds to the certificate that you want to revoke.

Configure Advanced PKI Integration
Configuration Tasks

1. (Optional) Configure a certificate revocation checking policy.
2. (Optional) Configure AAA authorization revocation.
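The three revocation mechanisms just described (CRL via the CDP, OCSP via a static URL or a match certificate override, and AAA authorization keyed on a certificate field) look like this on the CLI. This is an added example written for this guide and not a configuration from the course; the trustpoint, certificate map, AAA server group, addresses, shared secret and URLs are placeholders, and the certificate map ENG-MAP referenced in the override is assumed to exist already.

```cisco
! ---- Trustpoint for the external enterprise CA that issued the client certificates ----
! (constructed example; names, addresses, secret and URLs are placeholders)
crypto ca trustpoint ENTERPRISE-CA
 ! The CA certificate is pasted in afterwards with "crypto ca authenticate ENTERPRISE-CA"
 enrollment terminal
 ! Mandatory revocation check: try the CRL first, then OCSP. There is deliberately no
 ! trailing "none", so a certificate whose status cannot be determined is rejected.
 revocation-check crl ocsp
 crl configure
  ! Use the CDP carried in the certificate and fall back to the static URL below
  policy both
  url 1 http://pki.example.com/crl/enterprise-ca.crl
  ! Re-fetch the CRL after 60 minutes so revocations do not linger in the cache
  cache-time 60
 ! Static responder for this trustpoint; it takes precedence over the AIA field of the certificate
 ocsp url http://ocsp.example.com/ocsp
 ! Certificates that match ENG-MAP rule 10 are checked against a dedicated responder instead
 match certificate ENG-MAP override ocsp 10 url http://ocsp-eng.example.com/ocsp
!
! ---- AAA authorization: the certificate CN (or OU when CN is absent) becomes the RADIUS username ----
aaa-server RADIUS-AUTHZ protocol radius
aaa-server RADIUS-AUTHZ (inside) host 10.1.1.20
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
tunnel-group ENG-ANYCONNECT-PROFILE general-attributes
 authorization-server-group RADIUS-AUTHZ
 ! Refuse the session when the RADIUS server does not know (or has disabled) the account
 authorization-required
 username-from-certificate CN OU
```

The order of keywords on revocation-check is the order in which the appliance tries the methods; adding none at the end would let a connection through when every method fails, which turns an outage of the PKI into a silent bypass of revocation. With authorization-required set, disabling the RADIUS account is an immediate revocation that does not depend on CRL publication or caching.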
Method | Guideline
CRL | Use this method as a last resort, if no other methods are available.
OCSP | Use this method if you have an OCSP server available and cannot use AAA.
AAA | Use this method if you have a AAA server available. Use it if you also need to assign AAA per-user or per-group attributes (addresses, access control lists (ACLs), and so on).

These are the configuration tasks that are involved in configuring advanced PKI integration:

1. Optionally, configure a certificate revocation checking policy.
2. Optionally, or alternatively, configure AAA user authorization based on certificate identity.

These tasks are identical to those that are used in Cisco Easy VPN deployment, and are therefore not discussed here.

Deploying Multiple Client Authentication

This topic describes how to configure and verify multiple client authentication.

Configure Multiple Client Authentication
Overview

Cisco AnyConnect VPN solutions offer multiple client authentication. With multiple authentication, clients can first be authenticated by using a certificate. After the Cisco ASA adaptive security appliance validates the certificate, an SSL tunnel is established. Inside the SSL tunnel, users may have to authenticate again by using a username and a password or a one-time password (OTP). This AAA authentication can be performed against one or two separate databases.

Configure Multiple Client Authentication
Deployment Options

- Client-side authentication options:
  - Certificate-based and one AAA authentication
  - Certificate-based and one AAA authentication with username prefill
  - Certificate-based and one AAA authentication with the prefilled username hidden
- Double AAA authentication (no certificate)
  - With optional username reuse

You can deploy one of these multiple authentication combinations:
- Certificate-based and one AAA authentication.
- Certificate-based and one AAA authentication, where the username for AAA authentication is extracted from a certificate subject field (username prefill).
- Certificate-based and one AAA authentication, where the username for AAA authentication is extracted from a certificate subject field and hidden from the user.
- Double AAA authentication (no certificate), with optional username reuse.

All of these options are used to perform client-side authentication. The security appliance authenticates the clients by using any of these methods.

Configure Multiple Client Authentication
Certificate and One AAA Authentication

To configure certificate-based and one AAA client authentication, complete the following configuration steps in the Cisco ASDM:

Step 1 Inside the ASDM, choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.
Step 2 Choose a connection profile and click Edit (not shown in the example). The Edit SSL VPN Connection Profile window is displayed.
Step 3 Make sure that the Basic option is selected in the menu on the left.
Step 4 In the Authentication section of the Edit SSL VPN Connection Profile window, click the Both radio button to enable authentication by using both certificates and AAA.
Step 5 From the AAA Server Group drop-down menu, choose either Local or a AAA server group to perform the AAA authentication.

The figure shows the Cisco AnyConnect interface in which the user must enter the username and password that are required for the AAA authentication. The AAA authentication is performed after the certificate authentication.

Configure Multiple Client Authentication
Certificate and One AAA Authentication with Prefill

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

The figure illustrates the configuration of the Pre-fill Username from Certificate feature. The security appliance can extract the username from the user identity certificate and use it for AAA authentication. Complete these steps to enable the username prefill feature:

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles to edit the desired connection profile.
Step 2 Choose the Authentication submenu.
Step 3 Check the Pre-fill Username from Certificate check box to specify that the username field should be populated automatically from a specific field in the certificate.
Step 4 Click the Specify the Certificate Fields to Be Used as the Username radio button to select that the username will be derived from a specified certificate field. Multiple options exist:
- Choose a value from the Primary Field list. This field is set by default to CN (Common Name). You can augment this selection by defining the secondary field that will be extracted if the primary field does not exist.
- Custom methods.
Step 5 Click OK in the Edit SSL VPN Connection Profile window.
Step 6 Click Apply to apply the configuration.
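The CLI equivalent of the ASDM procedures above, using the tunnel-group, authentication-server-group, secondary-authentication-server-group, pre-fill-username and authentication commands that this lesson documents. It is an added example written for this guide, not a configuration from the course, and it goes beyond the steps just listed by also showing the hide option and the double AAA variant covered later in the lesson. AAA server group names, addresses, shared secrets, the address pool, group policy and the local user are placeholders; the username-from-certificate line is the CLI counterpart of the Primary Field and secondary field selection in Step 4.

```cisco
! ---- AAA server groups used by both profiles (constructed example; names, addresses and secrets are placeholders) ----
aaa-server RADIUS-USERS protocol radius
aaa-server RADIUS-USERS (inside) host 10.1.1.20
 key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa-server SECURID-RADIUS protocol radius
aaa-server SECURID-RADIUS (inside) host 10.1.1.21
 key SECURID-SHARED-SECRET-PLACEHOLDER
! Local account used by the secondary check of the double AAA profile
username alice password Secondary-Password-Placeholder
!
! ---- Profile 1: certificate + one AAA authentication, username pre-filled from the certificate and hidden ----
tunnel-group CERT-AAA-PROFILE type remote-access
tunnel-group CERT-AAA-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-POLICY
 ! LOCAL is consulted only when every RADIUS-USERS server has been marked unreachable
 authentication-server-group RADIUS-USERS LOCAL
 ! Certificate fields that supply the username: CN first, OU when CN is absent
 username-from-certificate CN OU
tunnel-group CERT-AAA-PROFILE webvpn-attributes
 ! The certificate is validated first; the password prompt then shows no editable username
 pre-fill-username ssl-client hide
 authentication certificate aaa
 group-alias cert-aaa enable
!
! ---- Profile 2: double AAA without a certificate: OTP token (primary) plus a static password (secondary) ----
tunnel-group DOUBLE-AAA-PROFILE type remote-access
tunnel-group DOUBLE-AAA-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-POLICY
 ! "Something you have": the token server must be the primary group
 authentication-server-group SECURID-RADIUS
 ! "Something you know": the user types the username once and it is reused for the local check
 secondary-authentication-server-group LOCAL use-primary-username
tunnel-group DOUBLE-AAA-PROFILE webvpn-attributes
 authentication aaa
 group-alias double-aaa enable
!
webvpn
 enable outside
 ! Let the AnyConnect client choose a profile by its alias
 tunnel-group-list enable
```

Hiding the pre-filled username matters on a stolen laptop: the certificate on the disk already proves possession of the machine, so the only secret the thief still lacks is the password, and showing the account name in the dialog would hand over half of that second factor. On the double AAA profile, use-primary-username removes a second username prompt without weakening anything, because the two servers still check two independent credentials.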
When the Cisco AnyConnect client connects to the SSL VPN and selects (or is assigned to) the connection profile that is configured for certificate-based and AAA authentication with the username prefill feature, the Username field in the Authentication tab is filled in and grayed out. The user cannot modify it and is only prompted for the corresponding password. The password may be checked against either the local or an external AAA database, depending on the configuration of the connection profile.

Configure Multiple Client Authentication
Certificate and One AAA Authentication with Prefill and Hide

In addition to using the username prefill feature, you can enhance security by hiding the username from the authenticating users. This option improves security in situations where an unauthorized person tries to break into the VPN by using a stolen computer.

To enable the username hide feature, check the Hide Username from End User check box in the Authentication menu of the connection profile. When the username is extracted from the certificate and hidden from the end user, users are only prompted for a password when they connect by using the respective connection profile.

Configure Multiple Client Authentication
Double AAA Authentication

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Configure Multiple Client Authentication
Double AAA Authentication (Cont.)

You can also enable double AAA authentication. In this case, you should choose AAA instead of Both as the authentication method in the Basic menu of the connection profile configuration. The figure shows the Cisco AnyConnect client connecting to a connection profile that is configured for double authentication. The user is prompted to enter a primary username and password and a secondary username and password.

Configure Multiple Client Authentication
CLI Configuration

- Certificate and one AAA authentication with pre-fill and hide

To configure certificate and AAA client authentication using the CLI, use the following commands. First, enter tunnel group configuration mode by using the tunnel-group command, followed by the tunnel group name and the general-attributes keyword. Then, use the authentication-server-group command to configure the AAA server group that will be used for primary authentication. Next, enter tunnel group configuration mode for WebVPN attributes by using the tunnel-group command, followed by the tunnel group name and the webvpn-attributes keyword. Use the pre-fill-username ssl-client hide command to specify that the username will be extracted from the certificate. Finally, enable AAA and certificate authentication by using the authentication certificate aaa command.

To configure double AAA client authentication using the CLI, use the following commands. First, enter tunnel group configuration mode by using the tunnel-group command, followed by the tunnel group name and the general-attributes keyword. Then, configure the AAA server groups that will be used for primary and secondary authentication by using the authentication-server-group and secondary-authentication-server-group commands, respectively. Next, enter tunnel group configuration mode for WebVPN attributes by using the tunnel-group command, followed by the tunnel group name and the webvpn-attributes keyword. Enable AAA authentication by using the authentication aaa command.

tunnel-group general-attributes

To enter the general-attributes configuration mode, use the tunnel-group general-attributes command in global configuration mode. This mode is used to configure settings that are common to all supported tunneling protocols. To remove all general attributes, use the no form of this command.

tunnel-group name general-attributes

tunnel-group general-attributes Parameters

Parameter | Description
general-attributes | Specifies attributes for the tunnel group.
name | Specifies the name of the tunnel group.

authentication-server-group (tunnel-group general-attributes)

To specify the AAA server group to use for user authentication for a tunnel group, use the authentication-server-group command in tunnel-group general-attributes configuration mode. To return this attribute to the default, use the no form of this command.

authentication-server-group [(interface_name)] server_group [LOCAL]

authentication-server-group (tunnel-group general-attributes) Parameters

Parameter | Description
interface_name | (Optional) Specifies the interface where the IPsec tunnel terminates.
LOCAL | (Optional) Requires authentication against the local user database if all of the servers in the server group have been deactivated due to communication failures.
server_group | Identifies the previously configured authentication server or group of servers.

secondary-authentication-server-group

To specify a secondary authentication server group to associate with the session when double authentication is enabled, use the secondary-authentication-server-group command in tunnel-group general-attributes mode. To remove the attribute from the configuration, use the no form of this command.

secondary-authentication-server-group [interface_name] {none | LOCAL | groupname [LOCAL]} [use-primary-username]

secondary-authentication-server-group Parameters

Parameter | Description
interface_name | (Optional) Specifies the interface where the IPsec tunnel terminates.
LOCAL | (Optional) Requires authentication against the local user database if all of the servers in the server group have been deactivated due to communication failures. If the server group name is either LOCAL or NONE, do not use the LOCAL keyword here.
none | (Optional) Specifies the server group name as NONE, indicating that authentication is not required.
groupname | Identifies the previously configured authentication server or group of servers. Optionally, this group can be the LOCAL group.
use-primary-username | Uses the primary username as the username for the secondary authentication.

tunnel-group webvpn-attributes

To enter webvpn-attributes configuration mode, use the tunnel-group webvpn-attributes command in global configuration mode. This mode configures settings that are common to WebVPN tunneling. To remove all WebVPN attributes, use the no form of this command.

tunnel-group name webvpn-attributes

tunnel-group webvpn-attributes Parameters

Parameter | Description
webvpn-attributes | Specifies WebVPN attributes for the tunnel group.
name | Specifies the name of the tunnel group.

pre-fill-username

To enable extraction of a username from a client certificate for use in authentication and authorization, use the pre-fill-username command in tunnel-group webvpn-attributes mode. To remove the attribute from the configuration, use the no form of this command.

pre-fill-username {ssl-client | clientless} [hide]

pre-fill-username Parameters

Parameter | Description
ssl-client | Enables this feature for Cisco AnyConnect VPN Client connections.
clientless | Enables this feature for clientless connections.
hide | Does not display the extracted username to the end user.

authentication

To configure the authentication method for WebVPN, use the authentication command in various modes. To restore the default method, use the no form of this command. The adaptive security appliance authenticates users to verify their identity.

authentication {[aaa] [certificate]}

authentication Parameters

Parameter | Description
aaa | Provides a username and a password that the adaptive security appliance checks against a previously configured AAA server.
certificate | Provides a certificate during SSL negotiation.

Configure Multiple Client Authentication
Implementation Guidelines

Consider the following implementation guidelines:
- Deploy certificate with AAA authentication to provide separate machine and user authentication.
- When deploying double AAA authentication, consider implementing two-factor authentication:
  - Based on "something you know" (password) and "something you have" (OTP token)
  - RSA SecurID must be configured as the primary AAA server
  - Implement the prefill feature to improve user experience

Consider the following configuration guidelines when implementing multiple client authentication:
- Deploy "certificate and AAA" authentication to provide separate machine and user authentication.
- When deploying double AAA authentication (with or without certificates), consider implementing two-factor authentication:
  - Based on "something you know" (password) and "something you have" (OTP token).
  - RSA SecurID must be configured as the primary AAA server.
  - Consider implementing the prefill or "use primary username" feature to improve user experience.

Summary

This topic summarizes the key points that were discussed in this lesson.

Summary
- To increase scalability and manageability, you can deploy centralized AAA password-based authentication.
- You can configure SSL VPN to support password authentication against external password databases.
‘Aull tunneling Cisco AnyConnect SSL VPN supports SSL/TLS authentication using client identity certificates. The Cisco ASA adaptive security appliance includes a local CA that can deploy and manage client identty certificates, = Consider an appropriate revocation checking methed. + Consider using multiple user authenticaton in specific environments to further reduce risk of identity theft References For additional information, refer to these resources: AS 8.x: AnyConnect SCEP Enrollment Configuration Example at tup:/ciseosystems.com/en/US /products/ps6120/products_configuration_example091 86400 80b2Sdel shim! ASA 8.x: AnyConnect SSL VPNCAC-SmartCanis Configuration for Windows at hup://www.ciseo.com/en/US products/ps6120/products_conti (0982693, shtm! aime ‘Deplying Cece ASA VPN Soluions (VPN) v1.0, ration_example091 864008 (©2010 Cece Systems, IreModule Summary ‘This topic summarizes the key points that were discussed in this module. ee Module Summary * Abasic Cisco AnyConnect full tunnel SSL VPN allows users flexible client-based access to sensitive resources over a remote-access VPN gateway, implemented cn the Cisco ASA adaptive security appliance, + DTLS is an alternative VPN transport protocol to SSLITLS. + When you are deploying VPNs, itis very important to use strong authentication options, (G2010 Cisco Systems, Ine, Depoyment of Cisco ASA Adartve Securty Applance AryConmect Remote Access VPN Soutone 34753476 Deploying ©: 9 ASA VPN Solutions (VPN) v3.0 (©2010 Cece Systems, IreModule 4| Deployment of Cisco ASA Adaptive Security Appliance Clientless Remote Access VPN Solutions Overview Clientiess Secure Sockets Layer (SSL) virtual private network (VPN) solutions provide browser-based access to resources behind the Cisco ASA adaptive security appliance. In clientless SSL VPNs, users can access resources without any special client software. Using clientless SSL VPNs, users can access web-based applications. 
Common Internet File System (CAFS) fite shares, and FTP servers. Using application plug-ins, port forwarding, and smart, ‘unnels, you can access almost any application that uses static TCP ports. The module describes deployment of the basic elientless SSL VPN, es well as advanced application access, and advanced authentication. This module also describes how to customize the clientless SSL VPN portal to the needs of the organization. Module Objectives Upon completing this module, you will be able to implement and maintain a Cisco clientless remote access SSL VPNs on the Cisco ASA adaptive security appliance VPN gateway according to policies and environmental requirements. This ability includes being able wo meet these obj ctives: © Deploy and manage basie clientless VPN features of a Cisco ASA adaptive security applianee clientless SSL VPN = Deploy and manage advanced elientless VPN application access features of a elientless SSL VPN © Deploy and manage advanced authentication features of a clientless SSL VPN © Deploy and manage advanced clientless VPN application access features of a clientless SSL VPN9 ASA VPN Solutions (VPN) v3.0 (©2010 Cece Systems, IreLesson 1 | Deploying a Basic Clientless VPN Solution Overview A basic elientless Cisco SSL VPN solution allows users browser-based access to sensitive resources over a remote access Secure Sockets Layer (SSL) virtual private network (VPN) gateway that isimplemented on the Cisco ASA adaptive security appliance. A basic Cisco ASA clientless SSL VPN uses basic user authentication with usernames and passwords, basic SSL VPN portal features, and a single access control policy. This lesson enables you to configure, verify, and troubleshoot a basic clientless SSL VPN solution. Objectives Upon completing this lesson, you will be able to deploy and manage basic clientless VPN Features of a Cisco ASA adaptive security appliance clientless SSL VPN. 
This ability includes being able to meet these objectives: © Plan the configuration of actientiess SSL VPN solution © Configure and verify basic Cisco ASA adeptive security appliance gateway features for 4 clientiess SSL VPN solution © Configure and verify password-based local user authentication in a clientless SSL VPN solution © Configure and verify basic portal features and access control in a clientless SSL VPN solution © Troubleshoot VPN session establishment between a browser client and a Cisco ASA adaptive security appliance gatewayConfiguration Choices, Basic Procedure, and Required Input Parameters Thistopic describes how to plan the configuration of a clientless SSL VPN solution, Basic Cisco Clientless SSL VPN Solution Components In a basie Cisco ASA adaptive security appliance clientless SSL VPN solution, remote users use.a standard web browser to establish a Secure Sockets Layer or Transport Layer Security (SSLITLS) session with the Cisco ASA adaptive security appliance. The basic solution uses bidirectional authentication, where the client authenticates the Cisco ASA adaptive security ce with a certificate-based authentication method, and the appliance authenticates the user based on a username and password against its local user database. After authentication, the Cisco ASA adaptive security appliance applies a set of authorization rules to the user session, and presents the user with a web portal over which the user can access internal resources only using a browser. In the basic elientless solution, the client can only use some servives, such as web application access and browser-based file.share access to intemal resources, ‘Deplying Cece ASA VPN Soluions (VPN) v1.0, (©2010 Cece Systems, IreBasic Cisco Clientless SSL VPN Deployment Tasks 1. Configure basic Cisco ASA gatenay features including SSLITLS server authentication Configure local user authentication. Configure basic portal features and access control. 
4. (Optional) Tune basic SSL VPN proxy operation.

Use the following general deployment tasks to create a basic Cisco ASA clientless SSL VPN:

1. Configure the Cisco ASA adaptive security appliance with basic SSL VPN gateway features, including provisioning the identity certificate of the appliance to enable SSL/TLS server authentication.
2. Configure basic user authentication by configuring the local user database on the Cisco ASA adaptive security appliance to create user accounts with static passwords.
3. Configure basic SSL VPN portal features and basic access control, limiting access to the enterprise network.
4. Tune the configuration of the Cisco ASA adaptive security appliance SSL VPN proxy operations to support potentially problematic applications.

©2010 Cisco Systems, Inc. Deployment of Cisco ASA Adaptive Security Appliance Clientless Remote Access VPN Solutions 4-5

Basic Cisco Clientless SSL VPN Input Parameters

Input parameter                    | Purpose
-----------------------------------+----------------------------------------------------------------------------------------
VPN gateway addressing and naming  | Required to configure Cisco ASA IP interface parameters and DNS resolution for the VPN gateway
Certificate policy and settings    | Required to enroll the Cisco ASA into a PKI
User naming and credentials        | Required to create the local user database
Cryptographic policy               | Required to enable or disable cryptographic algorithms within SSL/TLS
Access policies                    | Required to create separate profiles and access control policies for remote users

Before implementing a basic Cisco ASA clientless SSL VPN, you will need to obtain and analyze several pieces of information that are related to the network and system environment. These input parameters include the following:

- The IP addressing plan that will dictate the SSL VPN gateway IP addressing, and the enterprise naming plan that will dictate the name of the SSL VPN gateway. This data is needed to assign an IP address to the Cisco ASA adaptive security appliance VPN-terminating interface, and to assign a name inside the SSL VPN gateway SSL/TLS identity certificate.
- The enterprise certificate policy and certificate settings to include all relevant fields inside a PKI-provisioned certificate, to enroll the Cisco ASA adaptive security appliance into a PKI.
- The enterprise policy of user naming and the enterprise password policy, to create the local user database on the Cisco ASA adaptive security appliance.
- The enterprise cryptographic policy, to choose the optimal SSL/TLS protocol versions and algorithm bundles (cipher suites) for SSL/TLS sessions on the Cisco ASA adaptive security appliance.
- Access policies that dictate which sensitive resources remote users can access. These policies are needed to configure an access control policy on the Cisco ASA adaptive security appliance that will be applied to clientless SSL VPN sessions.

Configuring Basic Cisco ASA Adaptive Security Appliance SSL VPN Gateway Features

This topic describes how to configure and verify basic Cisco ASA adaptive security appliance gateway features for clientless SSL VPN.

Configuring Basic Clientless SSL VPN Features: Configuration Tasks

1. Provision an identity server certificate to the ASA.
2. Enable SSL VPN termination on an interface.
3. Configure and optionally tune SSL/TLS settings.
4. (Optional) Create a DNS server group.

To configure basic Cisco ASA adaptive security appliance SSL VPN gateway features for clientless access, complete the following configuration tasks:

1. Provision an identity server SSL/TLS certificate to the Cisco ASA adaptive security appliance. This task is performed in the same manner as the related task in SSL VPNs that are based on the Cisco AnyConnect VPN client.
2. Enable SSL VPN termination on a Cisco ASA adaptive security appliance interface and, therefore, enable the Cisco ASA adaptive security appliance SSL VPN server function.
3. Configure and optionally tune the SSL/TLS settings of the SSL VPN server.
4.
Optionally, create a DNS server group if you want to use hostnames instead of IP addresses to access internal resources. The DNS settings enable the security appliance to resolve the hostnames that are specified in the user requests.

Configuring Basic Clientless SSL VPN Features: Configuration Scenario

This figure presents the configuration scenario that is used in upcoming configuration tasks. The Cisco ASA adaptive security appliance can either use a self-signed certificate or receive its identity certificate from an external or internal CA server. You will need to configure the external Domain Name System (DNS) infrastructure to resolve the name of the Cisco ASA adaptive security appliance (inside its identity certificate) to its VPN-terminating interface IP address (the IP address of the outside interface in this example). Additionally, you may need the IP addresses of internal DNS servers for the SSL VPN portal to be able to resolve internal URLs.

Configuring Basic Clientless SSL VPN Features: Task 2: Enable SSL VPN Termination on an Interface

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

For detailed configuration guidance on the first configuration task (provisioning the identity certificate), refer to the "Deploying a Basic Cisco AnyConnect Full Tunnel SSL VPN Solution" lesson of this course.

In Task 2, you will globally enable the SSL VPN server function on the Cisco ASA adaptive security appliance, and select the interface or interfaces on which the appliance will accept SSL VPN sessions. Perform the following steps:

Step 1 In the Cisco Adaptive Security Device Manager (Cisco ASDM), choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 In the Enable Interfaces for Clientless SSL VPN Access field, check the Allow Access check box for the interface on which you want to terminate SSL VPN connections. In this example, these connections are enabled on the "outside" interface.

Step 3 Click Apply, and click Save to save your configuration, if necessary.

Configuring Basic Clientless SSL VPN Features: Task 3: Configure and Tune SSL/TLS Settings

ASDM path: Configuration > Remote Access VPN > Advanced > SSL Settings

In Task 3, you need to attach the installed identity certificate to the appropriate Cisco ASA adaptive security appliance network interface on which you will configure clientless SSL VPN termination. Perform the following steps:

Step 1 Choose Configuration > Remote Access VPN > Advanced > SSL Settings.

Step 2 At the top of the SSL Settings window, you can select the SSL and TLS protocol versions that the appliance will support as the SSL/TLS server. For configuration guidance on these settings, refer to this same topic in the "Deploying a Basic Cisco AnyConnect Full Tunnel SSL VPN Solution" lesson of this course.

Step 3 From the SSL Settings window, in the Encryption area, you can choose the cryptographic algorithm bundles (cipher suites) that the Cisco ASA adaptive security appliance will accept in the initial SSL/TLS negotiation. If you need to change these settings based on a local cryptographic policy, you can enable or disable specific bundles here.

Step 4 In the SSL Settings window, where the interfaces are listed, click the Edit button to edit the interface or interfaces on which the Cisco ASA adaptive security appliance will accept SSL VPN connections.

Step 5 In the Select SSL Certificate dialog box, open the Primary Enrolled Certificate drop-down list, and choose the installed identity certificate. The example in the figure uses a self-signed identity certificate.
Step 6 Click OK and Apply, and then click Save to save your configuration, if necessary.

Configuring Basic Clientless SSL VPN Features: Task 4: (Optional) Create a DNS Server Group

In the optional Task 4, you will create a DNS server group that the Cisco ASA adaptive security appliance will use to resolve internal URLs that are requested by clientless SSL VPN users. The significance of DNS in clientless SSL VPN is higher than in full tunnel VPNs (Cisco AnyConnect VPN Clients or Easy VPN Clients), because the VPN server resolves hostnames separately from the client. The client specifies the desired resources and the internal hostnames in the URLs that are sent to the gateway. The gateway rewrites the content and resolves the hostnames to reach the internal servers. In full tunnel VPNs, only the VPN clients perform DNS lookups.

You can create multiple DNS server groups, and assign a different DNS server group to each user group. To create a DNS server group, perform the following steps:

Step 1 Choose Configuration > Device Management > DNS > DNS Client.

Step 2 In the DNS Setup area, click the Configure Multiple DNS Server Groups radio button.

Step 3 Click Add to add a new DNS server group.

Step 4 In the Add DNS Server Group window, name the new DNS server group by entering the name in the Name field. (This example uses CLIENTLESS-DNS-SERVERS for the name.)

Step 5 Enter the addresses of all required DNS servers in the Server IP Address to Add field, and click Add to add a server to the group.
Step 6 Specify the local domain suffix in the Domain Name field.

Step 7 Click OK and Apply, and then click Save to save your configuration, if necessary.

Configuring Basic Clientless SSL VPN Features: CLI Configuration

The CLI commands in the figure (bracketed values are not legible in the figure):

webvpn
 enable outside
ssl trust-point MYTRUSTPOINT outside
dns server-group CLIENTLESS-DNS-SERVERS
 domain-name [local domain suffix]
 name-server [DNS server IP address]

These commands configure the basic Cisco ASA adaptive security appliance SSL VPN gateway features using a preprovisioned certificate in the "MYTRUSTPOINT" trustpoint. In the CLI, enter the SSL VPN server configuration submode on the Cisco ASA adaptive security appliance using the webvpn command, and enable the SSL VPN server on the outside interface using the enable command. Next, assign the installed identity certificate of the Cisco ASA adaptive security appliance to the interface using the ssl trust-point command. Finally, create the optional DNS server group using the dns server-group command, and inside its configuration submode, use the domain-name command to specify the default local domain suffix and the name-server command or commands to specify all DNS servers that belong to this group.

dns server-group

To enter the dns server-group mode, in which you can specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.

dns server-group name

dns server-group Parameters

Parameter | Description
----------+-------------------------------------------------------------------------------------
name      | Specifies the name of the DNS server group configuration that should be used for the tunnel group

domain-name (dns server-group)

To set the default domain name, use the domain-name command in dns server-group configuration mode.
To remove the domain name, use the no form of this command. The Cisco ASA adaptive security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name "jupiter," then the security appliance qualifies the name to jupiter.example.com.

domain-name name

domain-name (dns server-group) Parameters

Parameter | Description
----------+------------------------------------------
name      | Sets the domain name, up to 63 characters

name-server

To identify one or more DNS servers, use the name-server command in dns server-group configuration mode. To remove a server or servers, use the no form of this command. The adaptive security appliance uses DNS to resolve server names in your SSL VPN configuration or certificate configuration. Other features that define server names (such as authentication, authorization, and accounting [AAA]) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.

name-server ip_address [ip_address2] [...] [ip_address6]

name-server Parameters

Parameter  | Description
-----------+---------------------------------------------------------------------------------------------
ip_address | Specifies the DNS server IP address. You can specify up to 6 addresses as separate commands, or for convenience, up to 6 addresses in one command separated by spaces. If you enter multiple servers in one command, the Cisco ASA adaptive security appliance saves each server in a separate command in the configuration. The appliance then tries each DNS server in order until it receives a response.

Configuring Basic Clientless SSL VPN Features: Implementation Guidelines

- Most deployments need to support unmanaged clients.
- Require a web server certificate from a global PKI provider.
When you implement basic Cisco ASA clientless SSL VPN gateway features, consider this implementation guideline:

- With clientless VPNs, you are likely to support unmanaged VPN clients. If you deploy a self-signed or private public key infrastructure (PKI) certificate, these clients have no built-in mechanism to verify the identity certificate of the Cisco ASA adaptive security appliance, effectively negating all SSL/TLS protection and possibly exposing you to significant risk. If your Cisco ASA adaptive security appliance SSL VPN gateway is accessed by such users, you should install an identity certificate from a global PKI provider on the Cisco ASA adaptive security appliance.

Configuring Local Password-Based User Authentication

This topic describes how to configure and verify password-based local user authentication in a clientless SSL VPN.

Configuring Local Authentication: Password-Based User Authentication Overview

- All clientless password-based users will initially default to the DefaultWebVPNGroup connection profile.
- DefaultWebVPNGroup uses local AAA authentication by default.

After configuring basic Cisco ASA adaptive security appliance SSL VPN gateway parameters, the next deployment task is to configure a user authentication method, and prepare the Cisco ASA adaptive security appliance with all the necessary configuration objects to enable later assignment of VPN policies. In this basic SSL VPN clientless solution, you will deploy simple password-based user authentication, using the local user database on the Cisco ASA adaptive security appliance.
When SSL VPN clientless users connect to the Cisco ASA adaptive security appliance, the Cisco ASA adaptive security appliance will initially assign them to the DefaultWebVPNGroup connection profile. This connection profile is by default configured to use the local user database for user authentication.

Configuring Local Authentication: Configuration Tasks

1. Configure a group policy:
   - Create a custom group policy for clientless SSL VPN, or
   - Modify the default group policy (not recommended).
2. (Optional) Create a connection profile for clientless SSL VPN, and assign a group policy to it.
3. (Optional) Define an alias for the connection profile.
4. (Optional) Allow connection profile selection.
5. Configure local users and, optionally, a connection profile lock.

To configure local user authentication in a clientless SSL VPN solution, perform the following configuration tasks:

1. Configure a group policy using one of two options:
   - Create a custom group policy for clientless SSL VPN.
   - Modify the default group policy. This approach is not recommended, because you may have problems with grouping users later on.
2. Create a connection profile for clientless SSL VPN, and assign the configured group policy to it.
3. Optionally, define an alias for the connection profile. An alias makes a profile selectable to VPN users.
4. Optionally, allow connection profile selection. This option allows the VPN users to connect using a chosen connection profile, if the profile has an alias.
5. Configure local users and, optionally, a connection profile lock. This task is identical to the Cisco AnyConnect and Easy VPN scenarios and will not be covered here.
Configuring Local Authentication: Configuration Scenario

- The configuration procedure is identical to Cisco AnyConnect and Easy VPNs.
- Clientless-specific parameters are available through the Configuration > Remote Access VPN > Clientless SSL VPN Access menu.

This figure presents the configuration scenario that is used in upcoming configuration tasks. On the Cisco ASA adaptive security appliance, you will create a custom connection profile named BASIC-CLIENTLESS-PROFILE, and a related group policy named BASIC-CLIENTLESS-POLICY. A user named "vpnuser" exists in the local user database.

The configuration procedure that is shown here is identical to Cisco AnyConnect and Easy VPNs. It is presented to illustrate the reusability of configuration components for the various VPN types. The group policies and connection profiles can be configured and edited in either of the two configuration menus:

- Configuration > Remote Access VPN > Clientless SSL VPN Access: This menu allows you to view and configure parameters that are specific to clientless SSL VPNs. The group policies and connection profiles that are defined in Configuration > Remote Access VPN > Network (Client) Access also appear here.
- Configuration > Remote Access VPN > Network (Client) Access: This menu allows you to view and configure parameters specific to full tunnel VPNs (Cisco AnyConnect VPN and IPsec clients). The group policies and connection profiles that are defined in Configuration > Remote Access VPN > Clientless SSL VPN Access also appear here.

Configuring Local Authentication: Task 1A: Create a Custom Group Policy

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

In the first configuration task, you will create a custom group policy that you will apply to VPN users.
Perform the following steps:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies.

Step 2 Click Add to create a new policy.

Step 3 Provide a name for the new group policy (BASIC-CLIENTLESS-POLICY in this example).

Step 4 Uncheck the Inherit check box, check the Clientless SSL VPN check box in the Tunneling Protocols option, and uncheck all other tunneling protocols.

Step 5 Click OK and Apply, and then click Save to save your configuration, if necessary.

Configuring Local Authentication: Task 1B: Modify the Default Group Policy

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

Alternatively, you may modify the default group policy to support clientless SSL VPN connections. Perform the following steps:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies, select the DfltGrpPolicy, and click the Edit button to edit it.

Step 2 In the Edit Internal Group Policy window, check the Clientless SSL VPN check box in the Tunneling Protocols section, and uncheck all other tunneling protocols.

Note: If your Cisco ASA adaptive security appliance will support other VPN access options, you may need to leave some of the other tunneling protocols enabled.

Step 3 Click OK and Apply, and then click Save to save your configuration, if necessary.

Configuring Local Authentication: Task 2: Create a Custom Connection Profile

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

In the second configuration task, you will create a custom connection profile. Perform the following steps:

Step 1 In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles, and click Add to add a new connection profile.
Step 2 Provide a name for the new connection profile (BASIC-CLIENTLESS-PROFILE in this example).

Step 3 In the Authentication area, leave the authentication method at its default setting (local AAA authentication).

Step 4 In the DNS section, select the configured DNS server group (CLIENTLESS-DNS-SERVERS) from the Server Group drop-down list.

Step 5 In the Default Group Policy area, select the custom group policy (BASIC-CLIENTLESS-POLICY in this example) from the Group Policy drop-down list.

Configuring Local Authentication: Task 3: Define Alias for Connection Profile

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

Next, you will create an alias for this new profile, using the following steps:

Step 1 In the same connection profile edit window, navigate to the Advanced > Clientless SSL VPN subpane, and click Add in the Connection Aliases section.

Step 2 Assign a name to this connection profile. Use a user-friendly name, because this name will be visible to your VPN users in their browsers. In this example, the name Basic_portal_profile is used.

Step 3 Click OK in the Add Connection Alias window.

Step 4 Click OK in the Connection Profile window.

Step 5 Click Apply, and click Save to save your configuration, if necessary.

Configuring Local Authentication: Task 4: Allow Profile Selection

ASDM path: Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

Finally, you will allow profile selection, and enable the configured profile for use in clientless SSL VPNs.
Continue with the following steps:

Step 1 In the Connection Profiles pane, in the Login Page Setting area, check the Allow User to Select Connection Profile check box to allow users to select their connection profile at login. This setting is required. Later in this lesson, you will lock VPN users to a particular profile.

Step 2 In the Connection Profiles area, check the Enabled check box of the newly created connection profile (BASIC-CLIENTLESS-PROFILE here).

Step 3 Click Apply, and click Save to save your configuration, if necessary.

Configuring Local Authentication: CLI Configuration

The CLI commands in the figure, in the order the description below walks through them:

group-policy BASIC-CLIENTLESS-POLICY internal
group-policy BASIC-CLIENTLESS-POLICY attributes
 vpn-tunnel-protocol webvpn
tunnel-group BASIC-CLIENTLESS-PROFILE type remote-access
tunnel-group BASIC-CLIENTLESS-PROFILE general-attributes
 default-group-policy BASIC-CLIENTLESS-POLICY
tunnel-group BASIC-CLIENTLESS-PROFILE webvpn-attributes
 group-alias Basic_portal_profile enable
 dns-group CLIENTLESS-DNS-SERVERS
webvpn
 tunnel-group-list enable

To enable local authentication for clientless SSL VPN connections, use the following CLI commands. First, use the group-policy internal command to create a new internal group policy. Then use the vpn-tunnel-protocol webvpn command inside group-policy attributes configuration mode to specify the allowed VPN protocols. Next, create a new, custom connection profile (BASIC-CLIENTLESS-PROFILE) using the tunnel-group command, and attach the custom BASIC-CLIENTLESS-POLICY group policy to this connection profile using the default-group-policy command in its general-attributes section. Also, in the webvpn-attributes section of the tunnel group, assign a user-friendly connection profile alias to this connection profile using the group-alias command, and enable it using the enable parameter. Use the dns-group command to specify the DNS group that will be used by the Cisco ASA adaptive security appliance to resolve domain names inside a clientless SSL request.
Finally, enter webvpn configuration mode and enable user connection profile selection using the tunnel-group-list enable command.

group-policy

To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.

group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}

group-policy Parameters

Parameter                          | Description
-----------------------------------+--------------------------------------------------------------------------------------------
external server-group server_group | Specifies the group policy as external and identifies the AAA server group for the adaptive security appliance to query for attributes
from group-policy_name             | Initializes the attributes of this internal group policy to the values of a preexisting group policy
internal                           | Identifies the group policy as internal
name                               | Specifies the name of the group policy. The name can be up to 64 characters long and can contain spaces. Group names with spaces must be enclosed in double quotes, for example, "Sales Group"
password server_password           | Provides the password to use when retrieving attributes from the external AAA server group. The password can be up to 128 characters long and cannot contain spaces.

group-policy attributes

To enter group-policy configuration mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, use the no version of this command. In group-policy configuration mode, you can configure attribute-value pairs for a specified group policy or enter group-policy webvpn configuration mode to configure WebVPN attributes for the group.

group-policy name attributes

group-policy attributes Parameters

Parameter | Description
----------+-----------------------------------------
name      | Specifies the name of the group policy

vpn-tunnel-protocol
To configure a VPN tunnel type (IP Security [IPsec], Layer 2 Tunneling Protocol [L2TP] over IPsec, SSL VPN client [SVC], or WebVPN), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.

vpn-tunnel-protocol {IPSec | l2tp-ipsec | svc | webvpn}

vpn-tunnel-protocol Parameters

Parameter  | Description
-----------+------------------------------------------------------------------------------------------------
IPSec      | Negotiates an IPsec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
l2tp-ipsec | Negotiates an IPsec tunnel for an L2TP connection.
svc        | Negotiates an SSL VPN tunnel with an SSL VPN client.
webvpn     | Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

tunnel-group

To create and manage the database of connection-specific records for IPsec and WebVPN tunnels, use the tunnel-group command in global configuration mode. To remove a tunnel group, use the no form of this command.

tunnel-group name type type

tunnel-group Parameters

Parameter | Description
----------+------------------------------------------------------------------------------------------------
name      | Specifies the name of the tunnel group. This name can be any string that you choose. If the name is an IP address, it is usually the IP address of the peer.
type      | Specifies the type of tunnel group: remote-access allows a user to connect using either IPsec remote access or WebVPN (portal or tunnel client); ipsec-l2l specifies IPsec LAN-to-LAN, which allows two sites or LANs to connect securely across a public network like the Internet.

Note: The following tunnel group types are deprecated in Cisco ASA Software Version 8.0(2): ipsec-ra (IPsec remote access) and webvpn (WebVPN). The adaptive security appliance converts these to the remote-access type.
tunnel-group general-attributes

To enter general-attributes configuration mode, use the tunnel-group general-attributes command in global configuration mode. This mode is used to configure settings that are common to all supported tunneling protocols. To remove all general attributes, use the no form of this command.

tunnel-group name general-attributes

tunnel-group general-attributes Parameters

Parameter          | Description
-------------------+--------------------------------------------
general-attributes | Specifies attributes for this tunnel group
name               | Specifies the name of the tunnel group

default-group-policy

To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.

default-group-policy group-name

default-group-policy Parameters

Parameter  | Description
-----------+------------------------------------------
group-name | Specifies the name of the default group

tunnel-group webvpn-attributes

To enter webvpn-attributes configuration mode, use the tunnel-group webvpn-attributes command in global configuration mode. This mode configures settings that are common to WebVPN tunneling. To remove all WebVPN attributes, use the no form of this command.

tunnel-group name webvpn-attributes

tunnel-group webvpn-attributes Parameters

Parameter         | Description
------------------+---------------------------------------------------
webvpn-attributes | Specifies WebVPN attributes for this tunnel group
name              | Specifies the name of the tunnel group

group-alias

To create one or more alternate names by which the user can refer to a tunnel group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.

group-alias name [enable | disable]

group-alias Parameters

Parameter | Description
----------+------------------------------------------------------------------------------------------------------
disable   | Disables the group alias
enable    | Enables a previously disabled group alias
name      | Specifies the name of a tunnel group alias. This can be any string that you choose, except that the string cannot contain spaces.
dns-group (tunnel-group webvpn configuration mode)

To specify the DNS server group to use for a WebVPN tunnel group, use the dns-group command in tunnel-group webvpn configuration mode. To restore the default DNS group, use the no form of this command.

dns-group name

dns-group (tunnel-group webvpn configuration mode) Parameters

Parameter | Description
----------+----------------------------------------------------------------------------------
name      | Specifies the name of the DNS server group configuration to use for the tunnel group

webvpn

To enter webvpn mode, in global configuration mode, enter the webvpn command. To remove any commands that are entered with this command, use the no webvpn command. These webvpn commands apply to all WebVPN users. These webvpn commands let you configure AAA servers, default group policies, default idle timeout, HTTP and HTTPS proxies, and NetBIOS Name Service (NBNS) servers for WebVPN, as well as the appearance of WebVPN screens that end users see.

webvpn

Configuring Local Authentication: Implementation Guidelines

- Only use static passwords in small, single-device, low-risk environments.
- Strictly set the service type of local VPN user accounts to prevent these accounts from using management access.
- You can use the DefaultWebVPNGroup instead of a specific group; however, this choice will make it more difficult to differentiate users later on.

Similar to full tunneling SSL VPNs, consider the following implementation guidelines when implementing local AAA authentication in a clientless SSL VPN solution:

- Only use user authentication with static passwords and the local database in small, single-gateway, low-risk environments, because these passwords are reusable and typically easy to guess.
- Always strictly set the service type of the user to only allow VPN access.
This policy is extremely important to prevent unauthorized access to Cisco ASA adaptive security appliance management functions.
- In this topic, all examples used a custom connection profile and a custom group policy. If all of your users share the same authentication method and access policies, you could also implement local AAA authentication by using only the DefaultWebVPNGroup connection profile and the default group policy.

Verifying Local Authentication: Verify Access

At this point, you should be able to access the SSL VPN portal, without access restrictions to internal resources.

At this point in your configuration flow, you should already be able to access basic features of the SSL VPN, without any access restrictions for authenticated users. On your client system, open a browser and navigate to the HTTPS URL of the Cisco ASA adaptive security appliance outside interface. In this configuration example, the outside interface of the appliance is reachable at https://vpn.domain.com, and vpn.domain.com is also the canonical name (CN) that is used inside the Cisco ASA adaptive security appliance identity certificate. The browser should open the SSL VPN login page without any certificate warnings if the Cisco ASA adaptive security appliance is using an identity certificate from a global PKI provider. If you observe certificate warnings, it is imperative that you remedy this problem before production use. On the login page, enter the username and password (vpnuser/password) to log into the SSL VPN portal. You can see that the alias of the connection profile is listed in the GROUP drop-down box.
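The two CLI fragments of this lesson (the gateway features block and the local authentication block) together with the limits stated in their command references, as an added Python example that is not part of the course material: it renders both blocks from the planning inputs the lesson lists, refuses inputs that break a documented limit (domain-name up to 63 characters, at most six name-servers, group-policy names up to 64 characters and quoted when they contain spaces, no spaces in a group-alias), and flags the two choices the implementation guidelines advise against. All function names, the plan structure and the sample values are constructed for this example.

```python
"""Render the clientless SSL VPN CLI fragments from the lesson's planning
inputs and enforce the limits its command references state. Added example,
not Cisco's code; every name and address below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List


class PlanError(ValueError):
    """A planning input violates a documented CLI limit."""


@dataclass
class ClientlessVpnPlan:
    outside_interface: str      # interface that terminates SSL VPN (Task 2)
    trustpoint: str             # trustpoint holding the identity cert (Task 3)
    dns_group: str              # dns server-group name (Task 4)
    domain_name: str            # default domain suffix, at most 63 chars
    name_servers: List[str]     # at most 6 DNS server addresses
    group_policy: str           # at most 64 chars, quoted if it has spaces
    connection_profile: str     # tunnel-group name
    alias: str                  # group-alias shown to users, no spaces


def quote_group_policy(name: str) -> str:
    """Group policy names can be up to 64 characters; spaces need quotes."""
    if not 1 <= len(name) <= 64:
        raise PlanError("group-policy name must be 1-64 characters")
    return f'"{name}"' if " " in name else name


def validate_plan(plan: ClientlessVpnPlan) -> None:
    """Reject inputs the ASA parser would refuse, before anything is pasted."""
    if not 1 <= len(plan.domain_name) <= 63:
        raise PlanError("domain-name accepts at most 63 characters")
    if not 1 <= len(plan.name_servers) <= 6:
        raise PlanError("name-server accepts at most 6 addresses per group")
    for server in plan.name_servers:
        try:
            ipaddress.ip_address(server)   # name-server takes addresses only
        except ValueError as exc:
            raise PlanError(f"name-server needs an IP address: {server!r}") from exc
    if not plan.alias or " " in plan.alias:
        raise PlanError("group-alias cannot be empty or contain spaces")
    for attr in ("outside_interface", "trustpoint", "dns_group", "connection_profile"):
        if not getattr(plan, attr).strip():
            raise PlanError(f"{attr} must not be empty")
    quote_group_policy(plan.group_policy)


def plan_warnings(plan: ClientlessVpnPlan) -> List[str]:
    """Non-fatal findings taken from the lesson's implementation guidelines."""
    findings = []
    if plan.group_policy == "DfltGrpPolicy":
        findings.append("modifying the default group policy is not recommended;"
                        " grouping users later becomes harder")
    if plan.connection_profile == "DefaultWebVPNGroup":
        findings.append("reusing DefaultWebVPNGroup makes it harder to"
                        " differentiate users later on")
    return findings


def render_gateway_config(plan: ClientlessVpnPlan) -> str:
    """webvpn / ssl trust-point / dns server-group block (gateway features)."""
    lines = ["webvpn",
             f" enable {plan.outside_interface}",
             f"ssl trust-point {plan.trustpoint} {plan.outside_interface}",
             f"dns server-group {plan.dns_group}",
             f" domain-name {plan.domain_name}"]
    lines += [f" name-server {server}" for server in plan.name_servers]
    return "\n".join(lines)


def render_local_auth_config(plan: ClientlessVpnPlan) -> str:
    """group-policy / tunnel-group block (local password-based authentication)."""
    gp, tg = quote_group_policy(plan.group_policy), plan.connection_profile
    return "\n".join([
        f"group-policy {gp} internal",
        f"group-policy {gp} attributes",
        " vpn-tunnel-protocol webvpn",
        f"tunnel-group {tg} type remote-access",
        f"tunnel-group {tg} general-attributes",
        f" default-group-policy {gp}",
        f"tunnel-group {tg} webvpn-attributes",
        f" group-alias {plan.alias} enable",
        f" dns-group {plan.dns_group}",
        "webvpn",
        " tunnel-group-list enable",
    ])


def render_clientless_config(plan: ClientlessVpnPlan) -> str:
    """Validate first, then emit both blocks in the order the lesson applies them."""
    validate_plan(plan)
    return render_gateway_config(plan) + "\n" + render_local_auth_config(plan) + "\n"


# Constructed sample using the lesson's scenario names; the DNS addresses
# are taken from the 192.0.2.0/24 documentation range.
EXAMPLE_PLAN = ClientlessVpnPlan(
    outside_interface="outside", trustpoint="MYTRUSTPOINT",
    dns_group="CLIENTLESS-DNS-SERVERS", domain_name="example.com",
    name_servers=["192.0.2.53", "192.0.2.54"],
    group_policy="BASIC-CLIENTLESS-POLICY",
    connection_profile="BASIC-CLIENTLESS-PROFILE", alias="Basic_portal_profile",
)

if __name__ == "__main__":
    for finding in plan_warnings(EXAMPLE_PLAN):
        print("warning:", finding)
    print(render_clientless_config(EXAMPLE_PLAN))
```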
Verifying Local Authentication
Default Portal User Interface

(Figure: the default SSL VPN Service portal page.)

This figure shows the default SSL VPN portal interface as it is seen by the clientless SSL VPN user. You can fully customize this page, as you will learn in the upcoming lessons in this course.

On the left side of the default portal, you can see application tabs that invoke specific views of the portal. The Web Applications view will invoke a portal view that only displays the preconfigured links (bookmarks) to web applications. The Browse Networks view will invoke a portal view that only displays the preconfigured links (bookmarks) to file shares and the file-share browsing interface. By default, the portal will include a URL entry field, which allows users to enter a URL of their choice. By clicking Browse, the Cisco ASA adaptive security appliance SSL VPN portal will retrieve the requested resource and display it in the browser window.

Note: The prefix to the URL path in the browser changes depending on whether you require authentication. The security appliance uses /+CSCOE+/ for objects that require authentication, and /+CSCOU+/ for objects that do not. The security appliance displays /+CSCOE+/ objects on the portal page only, while /+CSCOU+/ objects are visible and usable in either the login or the portal pages.

Verifying Local Authentication
Portal User Interface

(Figure: a resource retrieved over the clientless SSL VPN session, with the floating navigation toolbar at the top of the browser content window.)

When you navigate to a resource over clientless SSL VPN, the browser will display navigation icons as a floating toolbar at the top of its content window. You can use these icons at any time to return to the home page, open a URL over the clientless SSL VPN session (if allowed), move the toolbar to the other side of the content window, or close (log out of) your SSL VPN session.
Note: Never use the home page button of the browser during a clientless session, because this action will cause you to navigate away from the SSL VPN portal.

Verifying Local Authentication

Monitoring > VPN > VPN Statistics > Sessions

(Figure: the Cisco ASDM Sessions pane, filtered by Clientless SSL VPN, with the VPN session displayed in the main pane.)

To verify the clientless connection for your client on the Cisco ASA adaptive security appliance, use Cisco ASDM, and navigate to the Monitoring > VPN > VPN Statistics > Sessions pane. Choose Clientless SSL VPN in the Filter By field. The VPN session should be displayed in the main pane.

(Figure: output of the show vpn-sessiondb webvpn command.)

In the CLI, use the show vpn-sessiondb webvpn command to obtain information that is similar to the information from Cisco ASDM.

show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail, lets you specify the type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy | svc} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo | inactive}] [sort {name | ipaddress | a-ipaddress | p-ipaddress | tunnel-group | protocol | encryption | inactivity}]

show vpn-sessiondb Parameters
  detail    (Optional) Displays extended details about a session. For example, using the detail option for an IPsec session displays additional
            details such as the Internet Key Exchange (IKE) hashing algorithm, authentication mode, and rekey interval. If you choose detail and the full option, the adaptive security appliance displays the detailed output in a machine-readable format.
  filter filter_criteria    (Optional) Filters the output to display only the information that you specify by using one or more of the filter options.
  full    (Optional) Displays streamed, untruncated output. Output is delineated by | characters and a || string between records.
  session_type    (Optional) To show data for a specific session type, enter one of the following keywords:
    - email-proxy: Displays email-proxy sessions.
    - index indexnumber: Displays a single session by index number. Specify the index number for the session, 1-750.
    - l2l: Displays VPN LAN-to-LAN session information.
    - ratio: Displays VPN session protocol or encryption ratios.
    - remote: Displays IPsec remote access sessions.
    - summary: Displays the VPN session summary.
    - svc: Displays SSL VPN client sessions.
    - vpnlb: Displays VPN load-balancing management sessions.
    - webvpn: Displays information about clientless SSL VPN sessions.
  sort sort_criteria    (Optional) Sorts the output according to the sort option that you select.

Configuring Basic Portal Features and Access Control

This topic describes how to configure and verify basic portal features and access control in a clientless SSL VPN.

Configuring Basic Portal Features
URL Entry and Bookmarks

(Figure: the portal home page with the URL entry field and the bookmark list.)

By default, the Cisco ASA adaptive security appliance SSL VPN portal will not restrict users and allows authenticated users access to all internal resources. It also provides several ease-of-use interface features. You can use basic portal tuning to control basic portal appearance by enabling or disabling some of its user interface functions. This figure shows two main basic features of the Cisco ASA adaptive security appliance SSL VPN portal.
The first feature is the URL entry, which allows users to specify the URL of the resource they want to access, and the second is user-defined bookmarks, with which the administrator can specify a list of often-used resources for users to navigate to quickly. When a user logs in to the SSL VPN portal, all bookmarks that are enabled in the group policy of the user are displayed on the portal home page. In addition to the bookmark list, the URL entry field is displayed at the top of the interface. By tuning portal functions, you can enable or disable either of these two features.

These are the protocols that can be used to access resources using URL entry or bookmarks: HTTP, HTTPS, CIFS, and FTP.

Configuring Basic Portal Features
Network File Server Access

(Figure: the Browse Networks view of the portal and the browser-based file share interface.)

Another basic SSL VPN portal feature is the ability to allow users to access Common Internet File System (CIFS) file shares, and browse a CIFS network using a browser interface. This ability allows for easy interoperability with Microsoft Windows Server file servers, by presenting a Windows Explorer-like user interface within the browser. Using portal tuning features, you can permit or deny access to this file browsing interface.

The same user interface is also presented when you access an FTP server using the FTP protocol.

Configuring Basic Access Control
Webtype ACLs

Webtype ACLs control proxy access to resources:
- Webtype ACLs are assigned in user profiles or group policies
- Based on allowed or denied URL patterns
- First match, implicit deny access philosophy

The Cisco ASA clientless SSL VPN feature does not use the Cisco ASA adaptive security appliance interface access control
lists (ACLs) and Cisco Modular Policy Framework (MPF) access control model, but enforces its own access control by using webtype ACLs. Webtype ACLs are per-user or per-group ACLs that permit or deny access to URLs reachable over the SSL VPN portal. You can use URL patterns to specify the allowed or denied URLs, and use multiple rules inside a webtype ACL. Webtype ACLs use the same evaluation logic as classic Cisco ASA adaptive security appliance ACLs: the first matched rule dictates the permit or deny action, and there is an implicit deny-all statement at the end of the ACL.

Note: Enabling or disabling portal features such as URL entry and bookmarks does not prevent the user from accessing internal resources, but only removes the relevant user interface options. If users know how to properly construct the rewritten internal URL and enter it in the browser Address field, they can still access the resource behind the Cisco ASA adaptive security appliance, if properly authenticated. Therefore, you must deploy webtype ACLs if you want to reliably control access to internal resources.

Configuring Basic Access Control
Direct Access via Rewrite Disable

It is possible to redirect the client outside the SSL VPN session for specific protected content links.
- Can be used with problematic applications or to increase performance
- Does not provide any VPN protection
- If the redirected resource is behind the Cisco ASA, you must allow this using classic firewall ACLs or Cisco Modular Policy Framework

Just as full tunnel VPNs can be configured to allow some traffic to bypass the tunnel, you can configure clientless SSL VPNs in a similar manner. You can use such direct access for servers that are hosting problematic content that the Cisco ASA adaptive security appliance has problems rewriting.
You can also use direct access to increase performance by avoiding access via the proxy.

Note: In clientless SSL VPNs, you can always bypass the SSL VPN session to access resources in the transport network (that is, not behind the Cisco ASA adaptive security appliance) by just opening another browser session and navigating directly to the resources.

Direct access via rewrite disable is useful for clientless VPNs to directly access resources that are linked to protected content that is retrieved over the portal. Normally, any links in documents that you retrieve over the SSL VPN portal will be rewritten by the Cisco ASA adaptive security appliance, which will force the browsing session of the user to always access these links over the SSL VPN portal. You can specify that certain links should not be rewritten, causing the browser of the client to directly access the destination server, bypassing the SSL VPN gateway proxy function.

Note: Resources that you access directly are not protected by the SSL VPN encapsulation.

If the bypassed resource is located in the network outside the Cisco ASA adaptive security appliance SSL VPN gateway, access to that resource requires no further configuration. However, if the resource that is configured for direct access is behind the Cisco ASA adaptive security appliance SSL VPN gateway, you will have to modify Cisco ASA adaptive security appliance interface ACLs or MPF rules to enable such direct access. This direct access is no different from any other access through the Cisco ASA adaptive security appliance, and it is subject to the classic firewall access policy.

Configuring Basic Portal Features and Access Control
Configuration Tasks

1. (Optional) Configure basic portal features.
2. (Optional) Configure portal per-profile and per-user ACLs.
3.
(Optional) Configure direct access via rewrite disable.

To configure basic portal features and access control in a basic clientless solution, you will perform some of the following configuration tasks:

1. Optionally, you can enable, disable, and tune the basic SSL VPN portal user-interface features.
2. Optionally, configure per-user or per-group-policy webtype ACLs to implement per-user or per-group access policies.
3. Optionally, configure the direct access via rewrite disable feature to enable remote clients to directly access specific resources.

Configuring Basic Portal Features and Access Control
Configuration Scenario

(Figure: the configuration scenario topology.)

This figure presents the configuration scenario that is used in upcoming configuration tasks. Remote users will only be allowed to access a single web server (http://intranet.domain.com) in the protected network, and a single file server (cifs://W2K3S). You should create predefined bookmarks to access the web server home page and the file share named "share" on the W2K3S file server. To browse the W2K3S server and possibly the rest of the Windows domain, you will configure the Cisco ASA adaptive security appliance to consult the internal Microsoft Windows name server (WINS/NetBIOS name service) to resolve CIFS hostnames.
You will also configure direct access to all servers in the Cisco.com domain, disabling the rewrite if links to Cisco.com are present in the content that is retrieved over the SSL VPN portal.

Configuring Basic Portal Features and Access Control
Task 1: (Optional) Configure Basic Portal Features

Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

(Figure: the Portal subpage of the Edit Internal Group Policy window.)

In the first task, you will control some basic SSL VPN portal user interface features, namely, the presence of predefined bookmarks on the portal home page for a specific user group, the ability for users to freely enter URLs on the portal, and file share access features. Complete the following steps:

Step 1  In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies, and click Edit to edit the group policy that applies to a user group (in this case, the BASIC-CLIENTLESS-POLICY).
Step 2  Inside the Edit Internal Group Policy window, navigate to the Portal subpage.
Step 3  If you want to create a bookmark list for this policy, click Manage in the Bookmark List row. The process of bookmark list creation is explained in the next pages of this topic.
Step 4  If you want to enable or disable URL entry for this policy, click the Enable or Disable radio button in the URL Entry row.
Step 5  If you want to enable or disable the possibility for users to enter a path to an internal file share in the SSL VPN portal Browse Networks view, click the Enable or Disable radio button in the File Server Entry row.
Step 6  If you want to enable or disable the possibility for users to browse the file server network in the SSL VPN portal Browse Networks view, click the Enable or Disable radio button in the File Server Browsing row.
Step 7  If you want to allow or deny access to hidden CIFS shares (shares whose name ends in the $ character), click the Enable or Disable radio button in the Hidden Share Access row.
Step 8  Click OK in the Edit Internal Group Policy window.
Step 9  Click Apply, and click Save to save your configuration, if needed.

Configuring Basic Portal Features and Access Control
Task 1: (Optional) Configure Basic Portal Features (Cont.)

Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

(Figure: the bookmark list management window and the Add Bookmark Entry window.)

A bookmark list is a set of URLs that is configured to be displayed in the clientless SSL VPN portal for a group of users sharing the same group policy. By default, there are no configured bookmark lists, and the network administrator must configure them.

To create a bookmark list inside a group policy, complete the following steps:

Step 1  Inside the Edit Internal Group Policy window, click Manage to create a new bookmark list.
Step 2  Click Add to add a bookmark list.
Step 3  Configure the bookmark list name (MY-BOOKMARKS in this example) and click Add to create individual bookmarks for this list. The Add Bookmark Entry window appears. The creation of a bookmark entry is covered next.

To create a web application (HTTP or HTTPS) bookmark in the bookmark list, complete the following steps:

Step 1  Configure a name for the bookmark in the Bookmark Title field.
Step 2  Configure the URL value for the bookmark as HTTP or HTTPS.
Step 3  Configure the server HTTP or HTTPS URL to be used with the bookmark entry.
Step 4  Optionally, configure the bookmark subtitle. The subtitle will appear under the bookmark entry on the web portal.
Step 5  Optionally, configure the thumbnail picture to be used with this bookmark entry.
Step 6  Click OK, OK, and Apply, and click Save to save your configuration, if needed.

Note: To use thumbnails with bookmarks, they must first be uploaded to the Cisco ASA adaptive security appliance.

In this figure, a web application bookmark named "Internal server" has been created.
The bookmark has been given a URL of http://intranet.domain.com.

To create a file share (CIFS) bookmark in the bookmark list, complete the following steps:

Step 1  Configure a name for the bookmark in the Bookmark Title field.
Step 2  Configure the URL value for the bookmark as CIFS.
Step 3  Configure the server CIFS URL to be used with the bookmark entry.
Step 4  Optionally, configure the bookmark subtitle. The subtitle will appear under the bookmark entry on the web portal.
Step 5  Optionally, configure the thumbnail to be used with this bookmark entry.
Step 6  Click OK, OK, and Apply, and click Save to save your configuration, if needed.

In this figure, a CIFS bookmark named "File server share" has been created. The target CIFS URL is cifs://W2K3S/share.

If you are using CIFS file share access, especially if you are not using bookmarks and want users to browse the network, you must configure appropriate CIFS name servers that the Cisco ASA adaptive security appliance will consult to obtain a list of file servers in a domain, together with their IP addresses. To configure a list of CIFS name servers, you should edit the relevant connection profile to which your users belong. Perform the following steps (not shown in the figure):

Step 1  Edit the connection profile to which your users belong.
Step 2  Inside the Edit Clientless SSL VPN Connection Profile window, navigate to the Advanced > NetBIOS Server subpane.
Step 3  Click Add to add a CIFS name server.
Step 4  In the Add NetBIOS Server window, specify the IP address of the CIFS name server.

Note: It is recommended that you add more than one CIFS name server for redundancy.

Step 5  Click OK, OK, and Apply, and click Save to save your configuration, if needed.

Configuring Basic Portal Features and Access Control
Task 2: Configure per-Group and per-User ACLs

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs

(Figure: the ACL Manager window for webtype ACLs.)

In the second task, you will configure a webtype ACL to limit access to internal resources, and apply the webtype ACL to a group policy that applies to your user group (connection profile). To create a new webtype ACL, perform the following steps:

Step 1  In Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs. An ACL manager window for webtype ACLs will open.
Step 2  Choose Add > Add ACL to add a new webtype ACL.
Step 3  In the Add ACL window, choose a unique name for the new webtype ACL.

Configuring Basic Portal Features and Access Control
Task 2: Configure per-Group and per-User ACLs (Cont.)

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs

(Figure: the Add ACE window for a webtype ACL.)

Step 4  Choose the newly created ACL in the ACL pane, and choose Add > Add ACE to add a rule (access control entry [ACE]) to the new webtype ACL.
Step 5  In the Add ACE window, enter the conditions that will control access to internal resources:
  - Click the Permit or Deny radio button in the Action area.
  - In the Filter area, click the Filter on URL radio button, and specify the URL pattern that you want to filter on. You can use the * character to make a resource wildcard. In this example, the first ACE will allow all access to the intranet.domain.com web server, and the second ACE will allow access to any share on the W2K3S CIFS server.
  - In the Logging area, you can enable specific logging for this ACE, similarly to the process for classic Cisco ASA adaptive security appliance ACLs.
Step 6  Click OK and Apply, and click Save to save your configuration, if necessary.

Configuring Basic Portal Features and Access Control
Task 2: Configure per-Group and per-User ACLs (Cont.)

(Figure: the More Options area of the Edit Internal Group Policy window, with the Web ACL field.)

To apply the newly created webtype ACL to a group policy (and therefore one or more connection profiles), or to a user account, perform the following steps:

Step 1  Choose Configuration > Remote Access > Clientless SSL VPN Access > Group Policies and edit a group policy that you want to assign the webtype ACL to (in this example, this is the BASIC-CLIENTLESS-POLICY group policy).
Step 2  Expand the More Options area, uncheck the Inherit check box, and select the newly created webtype ACL in the Web ACL field.
Step 3  Click OK and Apply, and click Save to save your configuration if needed.

Alternatively, if you need to apply this ACL only to a specific user, edit the profile of the user by choosing Configuration > Remote Access > AAA/Local Users > Local Users > Edit, and navigating to the VPN Policy > Clientless SSL VPN > More Options section of the profile of the user. Uncheck the Inherit check box, and select the newly created webtype ACL in the Web ACL field.

Configuring Basic Portal Features and Access Control
Task 3: Configure Direct Access via Rewrite Disable

Configuration > Remote Access > Clientless SSL VPN Access > Advanced > Content Rewrite

(Figure: the Add Content Rewrite Rule window.)

In the optional Task 3, you can configure direct access and specify that the Cisco ASA adaptive security appliance SSL VPN proxy-rewriting engine should not rewrite specific URL patterns that are found inside protected content. In this example, any content referencing Cisco.com sites should not have these links rewritten.
This configuration allows clientless users to click these links inside their SSL VPN session, and open direct connections to these sites.

To configure such direct access by disabling specific content rewriting functions, perform the following steps:

Step 1  Choose Configuration > Remote Access > Clientless SSL VPN Access > Advanced > Content Rewrite.
Step 2  Click Add to add a rewriting exception rule.
Step 3  In the Add Content Rewrite Rule window, uncheck the Enable Content Rewrite check box, specify a rule number (if you have multiple rules, they are evaluated in order according to their sequence number), and assign the rule a user-friendly name.
Step 4  In the Resource Mask field, specify the URL patterns that the Cisco ASA adaptive security appliance should not rewrite. In this example, the URL pattern is "*://cisco.com/*", meaning that any link using any protocol to the Cisco.com domain inside protected content should be left unmodified.
Step 5  Click OK and Apply, and click Save to save your configuration if needed.

Configuring Basic Portal Features and Access Control
CLI Configuration

(Figure: CLI output showing the group-policy webvpn attributes, the webtype ACL, and the rewrite rule with the cisco.com resource mask.)

This output shows the CLI commands that are required to configure the basic portal features and access control in clientless SSL VPNs. Enter group-policy attributes configuration mode, and enter its webvpn submode. In this submode, use the url-list command to assign a bookmark list to the group policy. Use the hidden-shares command to allow or deny access to hidden CIFS shares and the file-entry command to allow or deny users to freely enter CIFS URLs in the Browse Networks view. Use the file-browsing command to allow free browsing of file servers and shares and the url-entry command to allow or deny free entry of URLs on the portal home page.
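The two access decisions configured in Task 2 (webtype ACL: first match wins, implicit deny at the end) and Task 3 (ordered rewrite exceptions: a matching "disable" rule sends the browser straight to the origin server), modelled in Python as an added example; this is not code from the Cisco guide or from the appliance. The shell-style wildcard semantics (Python's fnmatch) and case-insensitive scheme and host matching are assumptions made for the illustration; the ACL entries and the cisco.com resource mask are the values from this lesson's scenario.

```python
"""Model of the clientless SSL VPN portal access decisions from this lesson.

Added illustration, not Cisco code. Assumptions: '*' in webtype ACL URL
patterns and rewrite resource masks behaves like a shell wildcard (fnmatch),
and scheme/host comparison is case-insensitive.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List


def normalize(url: str) -> str:
    """Lower-case scheme and host and give a bare host an explicit '/' path,
    so 'http://intranet.domain.com' matches 'http://intranet.domain.com/*'."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError(f"URL without scheme: {url!r}")
    host, _, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}/{path}"


@dataclass(frozen=True)
class WebtypeAce:
    action: str        # "permit" or "deny"
    url_pattern: str   # URL pattern with '*' wildcards, or "any"


def webtype_acl_decision(acl: Iterable[WebtypeAce], url: str) -> str:
    """Evaluate a webtype ACL as the lesson describes: entries are checked in
    order, the first match decides, and an unmatched URL falls through to the
    implicit deny-all at the end of the list."""
    target = normalize(url)
    for ace in acl:
        if ace.url_pattern == "any" or fnmatchcase(target, normalize(ace.url_pattern)):
            return ace.action
    return "deny"  # implicit deny-all


@dataclass(frozen=True)
class RewriteRule:
    order: int          # sequence number; rules are evaluated in ascending order
    enable: bool        # False corresponds to 'rewrite ... disable' (direct access)
    resource_mask: str
    name: str = ""


def link_is_rewritten(rules: Iterable[RewriteRule], link: str) -> bool:
    """True if the gateway proxies (rewrites) the link, False if the browser is
    sent directly to the origin server. The first matching rule by sequence
    number decides; with no match the default holds and the link is rewritten."""
    target = normalize(link)
    for rule in sorted(rules, key=lambda r: r.order):
        if fnmatchcase(target, normalize(rule.resource_mask)):
            return rule.enable
    return True


# Values from this lesson's configuration scenario (BASIC-CLIENTLESS-POLICY).
BASIC_CLIENTLESS_ACL: List[WebtypeAce] = [
    WebtypeAce("permit", "http://intranet.domain.com/*"),
    WebtypeAce("permit", "cifs://W2K3S/*"),
    # implicit deny-all follows
]
REWRITE_RULES: List[RewriteRule] = [
    RewriteRule(order=1, enable=False, resource_mask="*://cisco.com/*", name="CISCO-DIRECT"),
]


def portal_outcome(link: str, acl=BASIC_CLIENTLESS_ACL, rules=REWRITE_RULES) -> str:
    """Classify a link found in protected content or typed into URL entry:
    'direct'  - rewrite disabled: the browser leaves the SSL VPN session, so the
                link gets no VPN protection and the webtype ACL (which governs
                proxy access only) is not consulted
    'granted' - proxied through the portal and permitted by the webtype ACL
    'denied'  - proxied through the portal and blocked by the webtype ACL
    """
    if not link_is_rewritten(rules, link):
        return "direct"
    return "granted" if webtype_acl_decision(acl, link) == "permit" else "denied"


if __name__ == "__main__":
    for link in ("http://intranet.domain.com/index.html",
                 "cifs://W2K3S/share",
                 "http://hr.domain.com/payroll",   # typed into URL entry, not in the ACL
                 "https://cisco.com/go/asa"):
        print(f"{link:42} -> {portal_outcome(link)}")
```

Disabling URL entry would only hide the field; the third link is stopped by the ACL's implicit deny, not by the portal setting.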
Note: The bookmark lists cannot be configured using the CLI, because they are saved as XML files in the Cisco ASA adaptive security appliance flash file system (FFS).

To configure webtype ACLs and apply them to a group policy, first configure a webtype ACL using the access-list name webtype command. You can apply this webtype ACL to a group policy by using the filter value command in the webvpn submode of the group-policy attributes configuration mode.

To configure direct access by making content rewriting exceptions, enter the SSL VPN server configuration submode on the Cisco ASA adaptive security appliance using the webvpn command. Use the rewrite command to specify a new content rewriting exception rule, with a particular sequence number, specifying a resource mask, and using a user-friendly rule name.

url-list (group-policy webvpn)

To apply a list of WebVPN servers and URLs to a particular user or group policy, use the url-list command in group-policy webvpn configuration mode or in username webvpn configuration mode. To remove a list, including a null value that is created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a URL list, use the url-list none command. Using the command a second time overrides the previous setting.

url-list {value name | none} [index]

url-list (group-policy webvpn) Parameters
  index    Indicates the display priority on the home page.
  none    Sets a null value for URL lists. Prevents inheriting a list from a default or specified group policy.
  value name    Specifies the name of a previously configured list of URLs. To configure such a list, use the url-list command in global configuration mode.

hidden-shares

To control the visibility of hidden shares for CIFS files, use the hidden-shares command in group-policy webvpn configuration mode.
To remove the hidden shares option from the configuration, use the no form of this command.

hidden-shares {none | visible}

hidden-shares Parameters
  none    Specifies that no configured hidden shares are visible or accessible to users.
  visible    Reveals hidden shares, making them accessible to users.

file-entry

To enable or disable the ability of a user to enter file server names to access, use the file-entry command in group-policy webvpn configuration mode.

file-entry {enable | disable}

file-entry Parameters
  enable | disable    Enables or disables the ability to enter file server names to access.

file-browsing

To enable or disable CIFS or FTP file browsing for file servers or shares, use the file-browsing command in group-policy webvpn configuration mode.

file-browsing {enable | disable}

file-browsing Parameters
  enable | disable    Enables or disables the ability to browse for file servers or shares.

url-entry

To enable or disable the ability to enter any HTTP or HTTPS URL on the portal page, use the url-entry command in group-policy webvpn configuration mode.

url-entry {enable | disable}

url-entry Parameters
  enable | disable    Enables or disables the ability to enter HTTP or HTTPS URLs on the portal page.

filter

To specify the name of the access list to use for WebVPN connections for this group policy or username, use the filter command in group-policy webvpn configuration mode. To remove the access list, including a null value that is created by issuing the filter none command, use the no form of this command.

filter {value ACLname | none}

filter Parameters
  none    Indicates that there is no webtype access list. Sets a null value, which disallows an access list. Prevents inheriting an access list from another group policy.
  value ACLname    Provides the name of the previously configured access list.

access-list webtype

To add an access list to the configuration that supports filtering for clientless SSL VPN, use the access-list webtype command in global configuration mode. To remove the access list, use the no form of this command.

access-list id webtype {deny | permit} url [url_string | any] [log [[disable | default] | level] [interval secs] [time_range name]]

access-list webtype Parameters
  any    (Optional) Specifies all URLs.
  deny    Denies access if the conditions are matched.
  id    Name or number of an access list.
  interval    (Optional) Specifies the time interval at which to generate system log message 106100. Valid values are from 1 to 600 sec.
  log [[disable | default] | level]    (Optional) Specifies that system log message 106100 is generated for the ACE. See the log command for information.
  oper    Compares ip_address ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
  permit    Permits access if the conditions are matched.
  time_range name    (Optional) Specifies a keyword for attaching the time-range option to this access list element.
  url    Specifies the use of a URL for filtering.
  url_string    (Optional) Specifies the URL that is to be filtered.

rewrite

To disable content rewriting of a particular application or type of traffic over a WebVPN connection, use the rewrite command in webvpn mode. To eliminate a rewrite rule, use the no form of this command with the rule number, which uniquely identifies the rule. To eliminate all rewriting rules, use the no form of the command without the rule number. By default, the adaptive security appliance rewrites, or transforms, all WebVPN traffic.
rewrite order integer {enable | disable} resource-mask string [name resource_name]

rewrite Parameters
  disable    Defines this rewrite rule as a rule that disables content rewriting for the specified traffic. When you disable content rewriting, traffic does not go through the security appliance.
  enable    Defines this rewrite rule as a rule that enables content rewriting for the specified traffic.
  integer    Sets the order of the rule among all the configured rules. The range is 1 to 65534.
  name    (Optional) Identifies the name of the application or resource to which the rule applies.
  order    Defines the order in which the adaptive security appliance applies the rule.
  resource-mask    Identifies the application or resource for the rule.
  resource_name    (Optional) Specifies the application or resource to which the rule applies. Maximum 128 bytes.
  string    Specifies the name of the application or resource to match, which can contain a regular expression. You can use the following wildcards:
    - *  Matches everything. You cannot use this wildcard by itself. It must accompany an alphanumeric string.
    - ?  Matches any single character.
    - [!seq]  Matches any character not in sequence.
    - [seq]  Matches any character in sequence.
    Maximum 300 bytes.

Verifying Basic Portal Features and Access Control
User Portal Verification

(Figure: the portal Home view (top) and Web Applications view (bottom), showing the preconfigured bookmarks.)

To verify portal feature configuration and access control, you can start a clientless SSL VPN session and log in to the portal.

The top portion of the figure shows the default Home view of the portal, displaying the two preconfigured web application and CIFS bookmarks. The URL entry function is also enabled.
The lower portion of the figure shows the Web Applications view of the portal, displaying only the bookmarks to web applications.

Verifying Basic Portal Features and Access Control
User Portal Verification (Cont.)

(Figure: the Browse Networks view with the CIFS bookmark, and the file share browsing interface on the right side of the SSL VPN window.)

The Browse Networks view shows the preconfigured CIFS bookmark, as well as allowing CIFS URL entry and the browsing functionality through the Browse Entire Network link. If you access a share by clicking its CIFS bookmark, entering a CIFS path in the CIFS URL entry field, or navigating to a share through the network share browser, the Cisco ASA adaptive security appliance will open a file share interface as seen on the right side of the SSL VPN window in the lower portion of the figure. This interface allows users to flexibly manipulate files, offering the following menu buttons: Up One Level, Favorites, Delete File, Copy File, Cut File, Paste File, New Folder, Upload File, and Network Web Folder.

Verifying Basic Portal Features and Access Control
Access Control Verification

Monitoring > Logging > Real-Time Log Viewer

(Figure: the Cisco ASDM Real-Time Log Viewer showing GRANTED and DENIED webtype ACL accounting records.)

You can verify the correctness of your webtype ACLs by attempting to access URLs that should be allowed or denied. The Cisco ASA adaptive security appliance will, by default, log all resource accesses through the SSL VPN portal. In this example, the Cisco ASDM Real-Time Log Viewer shows accounting records that show a successful (GRANTED) and an unsuccessful (DENIED) attempt to access the webtype-ACL-protected internal network.

Verifying Basic Portal Features and Access Control
Implementation Guidelines

- Turning off portal features does not deny access to resources; use ACLs instead.
• Bookmark contents are not saved in the Cisco ASA main configuration file, but as XML files in a special folder.
• The Cisco ASA does not validate certificates in HTTPS portal links. You should avoid creating proxy HTTPS links to sites reachable over untrusted networks.

When you implement basic Cisco ASA adaptive security appliance clientless portal functions and access control, consider the following implementation guidelines:

■ Disabling portal user interface functions does not prevent access to internal resources if the user has bookmarked a link or knows how to construct a rewritten URL. Webtype ACLs are the only reliable method to restrict access to internal resources.
■ Bookmark list contents are not saved in the Cisco ASA adaptive security appliance main configuration file, but inside separate XML files. If you need to back up the Cisco ASA adaptive security appliance configuration or migrate the configuration to a different appliance, you will need to migrate these XML files as well.
■ If you access HTTPS resources over the SSL VPN portal, the Cisco ASA adaptive security appliance SSL VPN proxy does not validate the certificate of the HTTPS server against a root certificate. Although this lack of validation is usually not an issue if the connection between the Cisco ASA security appliance and the target server is over a trusted network, accessing HTTPS servers over untrusted networks can expose the HTTPS session to significant risk, because man-in-the-middle attacks cannot be detected by the user.
Therefore, avoid allowing clientless SSL VPN users to access HTTPS sites over the SSL VPN portal if these sites are reachable over untrusted transport networks.

Troubleshooting Clientless SSL VPNs

This topic describes how to troubleshoot VPN session establishment between a browser client and a Cisco ASA adaptive security appliance clientless SSL VPN gateway.

Troubleshooting Clientless SSL VPNs
Visual Troubleshooting Aid

When troubleshooting clientless SSL VPN session establishment, you should perform troubleshooting tasks on both the client and the Cisco ASA adaptive security appliance, if possible. This figure shows some of the most useful troubleshooting commands and actions that you can use on the involved components. On the client, you can use operating system utilities to determine the reason for connectivity or name resolution issues. Here are some examples of these utilities:

■ The ping utility, to determine Layer 3 reachability of the Cisco ASA adaptive security appliance from the client
■ The traceroute utility, to troubleshoot Layer 3 path problems between the client and the Cisco ASA adaptive security appliance
■ The nslookup and dig utilities, to troubleshoot name resolution if the browser cannot resolve the URL for the SSL VPN portal

Note that the Cisco ASA adaptive security appliance will extensively log all issues into its syslog subsystem. Debug commands are generally not required, except for in-depth troubleshooting of complex issues.
Troubleshooting Clientless SSL VPNs
Troubleshooting Flow

[Figure: troubleshooting flow for clientless session establishment]

If you are encountering clientless session establishment issues, you may follow these steps to troubleshoot the issue:

Step 1  First, check that the SSL/TLS session initially establishes, and that there are no negotiation problems related to the use of incompatible protocol versions or cipher suites. You can observe these issues in the browser GUI, but you will obtain more detailed and specific information by examining Cisco ASA adaptive security appliance syslog messages.

Step 2  If the SSL/TLS negotiation completes with no errors, check whether user authentication works and the user is supplying the correct credentials. The Cisco ASA adaptive security appliance will clearly indicate these issues in its syslog messages.

Step 3  Next, check whether the connection profile and the associated group policy allow clientless SSL VPN connections. The Cisco ASA adaptive security appliance will clearly indicate these issues in its syslog messages.

If these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.

Troubleshooting Clientless SSL VPNs
Troubleshooting Flow (Cont.)

[Figure: troubleshooting flow for connectivity over the SSL VPN portal]

If your SSL VPN session establishes, but there is no connectivity over the SSL VPN portal, you may follow these steps to troubleshoot the issue:

Step 1  Verify that the Cisco ASA adaptive security appliance is not denying traffic from the SSL VPN tunnel. Examine the Cisco ASA adaptive security appliance syslog to see messages about permitted or denied packets.

Step 2  Next, if you are using direct access through content rewriting, check that your content rewriting rules are not too general, which would force access to internal resources outside the SSL VPN session.
You can observe this in the browser, which will attempt to contact internal hosts directly, instead of over the SSL VPN session.

Step 3  Finally, you can verify the HTML content that is returned to the browser by the SSL VPN portal.

If these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.

Troubleshooting Clientless SSL VPNs
Client-Side Issues: Certificates

• A certificate warning can appear because of:
  – An unverifiable Cisco ASA identity certificate
  – A name mismatch between the certificate CN and the VPN URL in the browser
  – An expired Cisco ASA identity certificate
• You should never see this issue in production use.

As with Cisco AnyConnect full tunneling VPN, the most common client issue that you may encounter in a clientless SSL VPN is a certificate warning at VPN session establishment. You should never see these issues appearing during production use of the network. Refer to the "Deploying a Basic Cisco AnyConnect Full Tunnel SSL VPN Solution" lesson in this course to obtain guidelines for resolving these issues.

Troubleshooting Clientless SSL VPNs
Gateway-Side Issues: Access Control

[Figure: SSL VPN portal with unreachable bookmarks dimmed]

If you have misconfigured your webtype ACLs to deny traffic that should not be denied, you can observe the denied access in the Cisco ASA adaptive security appliance logging output. Another, even simpler method of ACL verification is to observe the predefined bookmarks in the SSL VPN portal. If you have misconfigured your ACLs, the bookmarks that are not reachable because access to these resources is not permitted are dimmed in the portal.

Summary

This topic summarizes the key points that were discussed in this lesson.
Summary

• A basic clientless SSL VPN involves basic gateway configuration, user authentication, address assignment, and access control configuration.
• In basic gateway configuration, you should enable the SSL/TLS server and provision the Cisco ASA adaptive security appliance identity certificate.
• Basic user authentication uses the local user database.
• You can implement general, per-user, or per-profile access control.
• Use various show and debug commands to troubleshoot the operation of clientless SSL VPNs.

Lesson 2

Deploying Advanced Application Access for Clientless SSL VPN

Overview

Many enterprise applications are not web-based, and use other standard or proprietary protocols to communicate over IP networks. Clientless Secure Sockets Layer (SSL) virtual private network (VPN) gateways must therefore provide some alternative possibilities for users to access these application resources. This lesson discusses application plug-ins, Cisco smart tunnels, port forwarding, and the Secure Sockets Layer and Transport Layer Security (SSL/TLS) email proxy features of the Cisco ASA adaptive security appliance SSL VPN gateway, which provide clientless access to a wide range of thin- and thick-client applications. In the lesson, you will learn how to configure, verify, and troubleshoot these access features.

Objectives

Upon completing this lesson, you will be able to deploy and manage advanced clientless VPN application access features of a clientless Cisco SSL VPN.
This ability includes being able to meet these objectives:

■ Plan the deployment of clientless SSL VPN application access features
■ Configure application plug-ins
■ Configure and verify smart tunnels in clientless SSL VPN
■ Configure and verify port forwarding in clientless SSL VPN
■ Troubleshoot advanced application access in clientless SSL VPN

Configuration Choices, Basic Procedures, and Required Input Parameters

This topic describes how to plan the deployment of clientless SSL VPN application access features.

Advanced Application Access Solution Components

The SSL VPN rewriting proxy in the Cisco ASA adaptive security appliance provides clientless, transparent access to web and Common Internet File System (CIFS) resources behind the Cisco ASA adaptive security appliance to clients using only a web browser. To provide access to other enterprise applications, including terminal access, database clients, or instant messaging applications, the Cisco ASA adaptive security appliance provides several methods of relaying data over the SSL VPN gateway without requiring an SSL VPN client installation. To enable such advanced application access methods, the Cisco ASA adaptive security appliance loads some additional software in the web-browsing session of the client. This software acts as a lightweight client or a helper relay agent that enables additional communications over an SSL VPN session.
The Cisco ASA adaptive security appliance does not require any other components to enable advanced application access.

Advanced Application Access Deployment Options

• Application plug-ins:
  – Access from the browser
  – Recommended approach
  – Limited range of applications
• Smart tunnels:
  – Support for native application clients
  – Recommended for all applications without a plug-in
• Port forwarding:
  – Older technology
  – Use for Linux and earlier Cisco ASA software versions

You can choose several options when deploying advanced application access:

■ Application plug-ins provide users with thin application client access to enterprise resources. This is the recommended approach, but it supports only a limited set of applications.
■ Cisco Smart Tunnels provide users with native application client access to enterprise resources. This is the recommended approach for all applications that do not have a plug-in.
■ Port forwarding provides users with native application client access to enterprise resources. This method should only be used if smart tunnels cannot be deployed, such as on Linux workstations or when running older Cisco ASA adaptive security appliance software versions.

Advanced Application Access Input Parameters

Input Parameter                                                                                                               Purpose
Type of remote application and application protocol; local privileges of the remote user; operating system of the remote user   Required to determine compatibility with remote access methods
Requirement for native client applications                                                                                    Required to choose between native applications and applets

Before you deploy advanced application access, you will need to gather some input parameters about the remote systems that are being used by the remote user.
Gather the following information:

■ The type of applications and application protocols that are used by remote users, which you will need to support over a clientless SSL VPN session.
■ The local privileges of the remote user, who may use a limited account without administrative rights on the remote system.
■ The operating system that is used by remote users.

These three pieces of information will allow you to determine the application and operating system compatibility with advanced access methods. They will allow you to choose the most optimal method for a particular environment.

■ The requirement for the use of native applications, versus thin applications with reduced functionality, which can be provisioned by the SSL VPN gateway. Some users may require advanced application features (such as a specific terminal emulation) that thin application clients do not provide.

Configuring Application Plug-Ins

This topic describes how to configure application plug-ins on the Cisco ASA adaptive security appliance SSL VPN gateway.

Configuring Application Plug-Ins
Overview of Application Plug-Ins

Application plug-ins are lightweight client applications that run inside the browser.

• Java or ActiveX applets downloaded from the SSL VPN gateway on demand
• Executed inside the browser SSL VPN session
• Provided by Cisco and downloadable from Cisco.com

Application plug-ins are light-client applications that provide basic application functionality inside the browser of a user. These plug-ins are downloaded on demand from the SSL VPN gateway, and all their communications with internal protected resources are transparently encapsulated within the SSL VPN session. The user does not have to use any local applications, but instead uses the thin application plug-ins only.

This figure illustrates plug-in-based application access:

1. A user connects and authenticates to the SSL
VPN portal and then runs an application plug-in that allows access to a server that is running on the internal network.
2. The application plug-in runs inside the browser, and reuses the SSL session of the browser with the SSL VPN gateway to forward a TCP connection inside it.
3. The SSL VPN gateway extracts the TCP session from the SSL VPN session, establishes a TCP connection with the destination server, and acts as a data relay between the two TCP sessions.

The application plug-ins are distributed by Cisco through the Cisco ASA adaptive security appliance (remote access plug-ins) software download page, and need to be imported into the appliance. Each plug-in contains multiple files that are packed into a JAR (Java Archive) file.

Configuring Application Plug-Ins
Benefits and Limitations

[Slide table: Benefits and Limitations of application plug-ins]
Benefits: Do not require administrator privileges on remote system
Limitations: Not supported on Windows Mobile platform

The benefits of application plug-ins are as follows:

■ They do not require any installation on the remote system, because they run as Java or ActiveX applets inside the browser.
■ They are easy to use for the remote user, because they start virtually automatically and are preconfigured for use.
■ They do not require administrator privileges on the remote system. (Microsoft ActiveX applets may require additional privileges, but a Java alternative can be used instead.)

The limitations of application plug-ins are as follows:

■ There is only a limited number of plug-ins available, mostly to support interactive terminal access.
■ The plug-ins do not contain all the functionality that their thick-client equivalents include, and may not support some features that are required by your users.
■ Application plug-ins are not supported on the Windows Mobile platform, and are generally not supported on platforms that do not support Java.

Note  Per the GNU General Public License (GPL), Cisco redistributes the plug-ins without having made any changes to them. Per the GNU GPL, Cisco cannot directly enhance these plug-ins. Cisco does not provide direct support for or recommend any particular plug-ins that are not redistributed by Cisco.

Configuring Application Plug-Ins
Available Plug-Ins

Plug-in   Target servers
SSH       Telnet, SSH servers
RDP       Microsoft Terminal Services servers
RDP2      Newer Microsoft Terminal Services (Windows 2003 R2, Windows Vista, Windows 7) servers
ICA       Citrix ICA servers
VNC       VNC servers

Cisco provides the following application plug-ins for download on Cisco.com:

■ The SSH plug-in provides a standard terminal emulator with support for the Telnet and Secure Shell (SSH) (version 1 and 2) protocols. You can control the SSH version by providing command-line parameters to the application plug-in in its URL.
■ The RDP plug-in provides a Microsoft Remote Desktop Protocol (RDP) client to connect to older versions of Microsoft Terminal Services servers.
■ The RDP2 plug-in provides a Microsoft Remote Desktop Protocol (RDP) client to connect to newer versions of Microsoft Terminal Services (Windows 2003 Server R2, Windows Vista, and Windows 7) servers. The ActiveX version of the plug-in also supports advanced functionality, such as sharing of remote drives or printers on the terminal server. You can control this functionality by providing command-line parameters to the application plug-in in its URL.

Note  You can import both the RDP and RDP2 plug-ins to make both of them available to clientless users.

■ The ICA plug-in provides an Independent Computing Architecture (ICA) client to connect to Citrix WinFrame, XenApp, and XenDesktop terminal services.
■ The VNC plug-in provides a Virtual Network Computing (VNC) client to connect to VNC display servers.
The VNC plug-in does not support encryption over the internal network.

Configuring Application Plug-Ins
Configuration Tasks

1. Download and import application plug-ins from Cisco.com to the Cisco ASA FFS.
2. Enable application plug-in access on the SSL VPN portal.
3. (Optional) Control access to internal resources.

To configure application plug-in access through a Cisco ASA adaptive security appliance SSL VPN gateway, you will perform the following configuration tasks:

1. Download and import application plug-in files from Cisco.com to the Cisco ASA adaptive security appliance flash file system (FFS).
2. Enable application plug-in access on the SSL VPN portal, using optional application plug-in bookmarks.
3. Optionally, deploy access control features on the Cisco ASA adaptive security appliance SSL VPN gateway to control access from application plug-ins to internal resources.

Configuring Application Plug-Ins
Configuration Scenario

This figure presents the configuration scenario that is used in the upcoming configuration tasks. You will import all required application plug-ins on the Cisco ASA adaptive security appliance and configure an RDP2 bookmark, which the client will select after login. The client will then load the RDP2 plug-in and access a terminal server (10.10.1.1) in the internal network. You will also configure the Cisco ASA adaptive security appliance to limit access to the protected network using a webtype access control list (ACL), which will only allow the specific RDP connection to the internal network.
The configuration scenario assumes that the Cisco ASA adaptive security appliance is already configured with basic clientless SSL VPN gateway functionality, as was discussed in the previous lesson, "Deploying a Basic Clientless VPN Solution."

Configuring Application Plug-Ins
Task 1: Download and Import Application Plug-Ins

The first configuration step in the application plug-ins configuration sequence is to download the needed application plug-ins from Cisco.com and install them on the Cisco ASA adaptive security appliance. You can find the application plug-ins in the Cisco.com Cisco ASA adaptive security appliance software download section, or download them as part of the Cisco ASA adaptive security appliance client bundle, which includes the Cisco AnyConnect client, Cisco Secure Desktop, and all application plug-ins. The Cisco ASA adaptive security appliance client bundle can be found at http://www.cisco.com/cgi-bin/tablebuild.pl/asa-manufacturing. You can either unpack the client bundle yourself and install the relevant files manually, or have the Cisco ASA adaptive security appliance automatically install them. The Cisco ASA adaptive security appliance client bundle is a zip file; if you transfer it to the Cisco ASA adaptive security appliance flash, the appliance will automatically decompress it and install all included software upon reboot. The file that is downloaded from Cisco.com must be renamed "client_bundle.zip" for the auto-install to work.
Configuring Application Plug-Ins
Task 1: Download and Import Application Plug-Ins

[Figure: ASDM Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Client-Server Plug-ins, Import pane]

To manually import plug-ins into the security appliance, complete the following steps:

Step 1  Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Client-Server Plug-ins.
Step 2  Click the Import button.
Step 3  Choose the type of plug-in that is to be imported from the Plug-in Name (Protocol) drop-down menu.
Step 4  Click the Browse Local Files button to choose any plug-ins that were downloaded from Cisco.com to your local machine.
Step 5  After the plug-in has been chosen, click Import Now to import the plug-in for use by the security appliance.

In this figure, the RDP2 plug-in is being imported to the security appliance for use with the SSL VPN. The Cisco ASA adaptive security appliance will unpack the JAR plug-in file and write the unpacked files to the appropriate location in the Cisco ASA adaptive security appliance flash file system. After you have imported all the desired plug-ins, they will be listed in the main Client-Server Plug-ins window. To remove a plug-in that has been imported to the Cisco ASA adaptive security appliance, select the plug-in, and then click the Delete button.

Configuring Application Plug-Ins
Task 2: Enable Application Plug-In Access

• Create bookmarks with plug-in-related URL protocols.
• Enter plug-in-related URLs with free URL entry.

After the plug-ins have been imported to the Cisco ASA adaptive security appliance, you do not need to authorize their use in group policies. If you are using SSL VPN portal bookmarks, you now have the option of choosing additional protocols—as supported by plug-ins—in the bookmark URL specification.
If you allow free URL entry on the SSL VPN portal, users can now enter URLs with protocols that are supported by imported plug-ins. In this second task, you will create bookmarks that use application plug-ins and allow users to start these plug-ins from the SSL VPN portal.

[Figure: ASDM Add Bookmark window for the RDP2 bookmark "Internal server"]

To configure SSL VPN portal bookmarks to use imported plug-ins, complete the following steps:

Step 1  Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks and click Add to add a new bookmark list. Configure the bookmark list name and click Add to create individual bookmarks for this list. The Add Bookmark window appears, as shown in the figure.
Step 2  To configure a bookmark titled "Internal server" in this example, choose the desired plug-in protocol, and then configure the target server address. In this example, the RDP2 plug-in using the RDP2 protocol is used, connecting to the intranet.domain.com internal server. An optional subtitle of "Terminal access to internal server" is also defined for this bookmark.
Step 3  Click OK to add the bookmark to the security appliance configuration and then click Apply to send the configuration to the security appliance. Save your configuration if necessary.

After the bookmark list with the RDP2 bookmark is configured, apply the bookmark list to the desired group policy, as shown in the previous lesson.

Specifying Applet Settings

Some of the plug-ins allow you to specify additional settings in the URL, which the plug-in will interpret as a set of parameters for the current plug-in session. For example, you can specify that the SSH plug-in use a specific SSH version in the following manner:

■ Specifying the bookmark or free entry URL as ssh://
will default to SSH version 2 (SSHv2).
■ Specifying the bookmark or free entry URL as ssh://
?version=1 will use SSH version 1 (SSHv1).

Other plug-ins that are not discussed in this lesson support single sign-on (SSO) to internal resources. They are covered in a later lesson of this module.

Configuring Application Plug-Ins
Task 3: Control Access to Internal Resources

• Webtype ACLs can use URL syntax.

[Figure: ASDM Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs]

In the third task, you can optionally control access to internal resources by creating or modifying your webtype ACLs to permit or deny plug-in-based URLs. To control access, you should create access control entries (ACEs) in your webtype ACLs and apply the webtype ACLs to the desired group policies, as shown in the previous lesson, to allow the appropriate URLs based on the plug-in protocol. In this example, you will add an ACE to an existing webtype ACL to allow RDP2 access to the intranet.domain.com internal server.

Configuring Application Plug-Ins
CLI Configuration

[Figure: CLI output showing the import webvpn plug-in protocol command reading the plug-in from flash, followed by the access-list webtype command]

This output shows the CLI commands that are required to configure application plug-in access. In the CLI, enter the privileged mode of the Cisco ASA adaptive security appliance and use the import webvpn plug-in protocol command to manually import application plug-ins that are located in the flash file system or at a remote URL. This configuration will automatically enable access to all URLs that are managed by the plug-in protocol. Next, optionally create or modify the webtype ACL by creating an ACE that allows access to plug-in-based resources, using the access-list name webtype command.

import webvpn plug-in protocol

To install a plug-in to the adaptive security appliance, enter the import webvpn plug-in protocol command in privileged EXEC mode.
import webvpn plug-in protocol protocol URL

import webvpn plug-in protocol Parameters

Parameter   Description
protocol    ■ rdp: The Remote Desktop Protocol (RDP) plug-in lets the remote user connect to a computer running Microsoft Terminal Services. Cisco redistributes this plug-in without any changes. The website containing the original is http://properjavardp.sourceforge.net.
            ■ ssh,telnet: The Secure Shell (SSH) plug-in lets the remote user establish a secure channel to a remote computer, or lets the remote user use Telnet to connect to a remote computer. Cisco redistributes this plug-in without any changes. The website containing the original is http://javassh.org.

            Caution  The import webvpn plug-in protocol ssh,telnet URL command installs both the SSH and Telnet plug-ins. Do not enter this command once for SSH and once for Telnet. When you type the ssh,telnet string, do not insert a space. Use the revert webvpn plug-in protocol command to remove any import webvpn plug-in protocol commands that deviate from these requirements.

            ■ vnc: The Virtual Network Computing (VNC) plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on. Cisco redistributes this plug-in without any changes. The website containing the original is http://www.tightvnc.com.
URL         Remote path to the source of the plug-in.
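The three plug-in tasks of this scenario (import, bookmark binding, webtype ACL) as one CLI sequence, written here as an added example rather than taken from the figure or from Cisco documentation. The hostname, the TFTP server address, the plug-in file name, and the ACL, bookmark list, and group-policy names are assumptions; the "!" lines are annotations.

```cisco
! Task 1: import the RDP2 plug-in in privileged EXEC mode.
! Server address and file name are assumed placeholders.
asa# import webvpn plug-in protocol rdp2 tftp://192.0.2.10/rdp2-plugin.jar

asa# configure terminal
! Task 3: webtype ACL that permits only the RDP2 session to the scenario's
! server. Every other URL falls through to the explicit deny, which is logged
! so that the DENIED record shows up in the Real-Time Log Viewer during
! verification (a webtype ACL with at least one ACE denies everything else anyway).
asa(config)# access-list PLUGIN-ACL webtype permit url rdp2://intranet.domain.com log
asa(config)# access-list PLUGIN-ACL webtype deny url any log

! Bind the ACL, and the bookmark list created in ASDM in Task 2 (assumed name
! PLUGIN-BOOKMARKS), to the group policy of the clientless users (assumed name).
asa(config)# group-policy CLIENTLESS-GP attributes
asa(config-group-policy)# webvpn
asa(config-group-webvpn)# filter value PLUGIN-ACL
asa(config-group-webvpn)# url-list value PLUGIN-BOOKMARKS
asa(config-group-webvpn)# exit
asa(config-group-policy)# exit

! Verification: the plug-in must be listed as imported, and the ACL must be
! present before a user can reach the terminal server through the portal.
asa(config)# show import webvpn plug-in
asa(config)# show running-config access-list PLUGIN-ACL
```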
Configuring Application Plug-Ins
Implementation Guidelines

• Use plug-in access as the preferred method for non-HTTP and non-CIFS resource access:
  – Unless native application functionality is required
• Enforce strict access control:
  – Plug-ins can allow interactive terminal access

When you are implementing application plug-in access in clientless SSL VPNs, consider the following guidelines:

■ Use application plug-ins as the preferred method of access to non-HTTP and non-CIFS resources, unless your business process requires the use of features that are not available in the lightweight clients inside application plug-ins.
■ Most plug-ins provide interactive terminal access to resources in the protected network. Because such powerful resource access can lead to serious security incidents, limit the required access to a minimum using webtype ACLs, especially from unmanaged, and less trustworthy, remote clients.

Verifying Application Plug-Ins
Verify Access

The SSL VPN portal will automatically change:
• Plug-in-related views
• URL entry for plug-in access

[Figure: SSL VPN portal with plug-in-related views and the RDP2 bookmark]

To verify the availability of application plug-ins and their proper operation, log in to the SSL VPN portal. You should see additional plug-in-related views on the left side of the SSL VPN portal home page. These views—if selected—will display all plug-in-related bookmarks on the right side of the portal page. By default, all bookmarks are listed. In this example, the newly created RDP2 bookmark is available in the right pane of the portal window. Users can also use the URL entry control (if allowed) to select URLs for protocols that are enabled by imported plug-ins. This example also shows other imported plug-ins, such as Telnet/SSH, Citrix MetaFrame, VNC, and so on.
Verifying Application Plug-Ins
Verify Access (Cont.)

Click the plug-in bookmark, or enter a plug-in-related URL, to start an application plug-in. The portal will start the plug-in in a new window. In this example, selecting the RDP2 bookmark resulted in starting the RDP2 application plug-in, which opened a Java RDP2 client in a new window, showing the login page of an internal server.

Configuring Smart Tunnels

This topic describes how to configure and verify smart tunnels in clientless SSL VPN.

Configuring Smart Tunnels
Smart Tunnels Overview

Smart tunnels allow for relaying of arbitrary TCP applications over the clientless SSL VPN session.

• Native applications on the client are unaware of the VPN session
• A lightweight connection broker applet, downloaded from the SSL VPN gateway, intercepts sessions from designated applications and forwards them across the SSL VPN session
• No reconfiguration on the client

Smart tunnels enable users to use native client applications without the need for administrative rights or application reconfiguration. They work by downloading a smart tunnel agent (connection broker) applet to the client system. This applet intercepts all local socket calls (that is, connection requests of the application to the operating system kernel) from Windows Sockets 2 (Winsock2) TCP applications, and automatically redirects them into the SSL VPN session.

This figure illustrates smart-tunnel-based application access:

1. A user connects and authenticates to the SSL VPN portal. A smart tunnel configuration is in place for that user and automatically downloads and executes the smart tunnel agent on the client system. For example, the user starts the Lotus Sametime instant messaging client.
2. The smart tunnel applet intercepts the TCP connection of the IBM Lotus Sametime client to the real server and forwards it over the existing SSL VPN session.
3. The SSL VPN gateway extracts the TCP session from the SSL VPN session, establishes a TCP connection with the real target server, and acts as a data relay between the two TCP sessions.

As long as the clientless SSL VPN session of the user is established, specific local applications can access protected resources, with the agent relaying their communications through the browser session.

Configuring Smart Tunnels: Benefits and Limitations

Benefits:
* Support native client applications over SSL VPN
* Easy to use for the remote user
* Do not require administrator privileges on the remote system

Limitations:
* Only simple, static-port TCP applications are supported
* Bypass advanced Cisco ASA application controls and SSMs
* Supported on Windows and Mac OS X only

The benefits of smart tunnels are as follows:
* They support the use of fully featured, native applications that are already installed on the remote system of the user.
* They are easy to use for the remote user, because users use their local network applications just as they do in the protected network or any other non-VPN location.
* They do not require administrator privileges on the remote system.

The limitations of smart tunnels are as follows:
* Only Winsock2, TCP-based applications are eligible for smart tunnel access.
* Smart tunnels only support simple, static-port TCP applications. Most client-server applications operate in this manner and are therefore supported by smart tunnels.
* Access to the internal network bypasses the advanced Cisco ASA adaptive security appliance application layer controls and security services modules. However, you can control the resources that are available to smart tunnel users by destination server and application (port).
* Smart tunnels are supported only on the Microsoft Windows and Apple Mac OS X platforms.

Configuring Smart Tunnels: Configuration Options

* For applications with native clients:
  - Create smart tunnel list
  - Assign smart tunnel list to a group policy or user profile
* For web-based applications:
  - Add bookmark to bookmark list
  - Enable bookmark for smart tunnel access
  - Bind bookmark list to group policy or user profile
* Control access to internal resources

You have several options when deploying smart tunnel access through a Cisco ASA adaptive security appliance SSL VPN gateway:
* For applications with native clients:
  - Create a smart tunnel list.
  - Assign the smart tunnel list to a group policy or user profile.
* For web-based applications:
  - Add a bookmark to the bookmark list.
  - Enable the bookmark for smart tunnel access.
  - Bind the bookmark list to a group policy or user profile.
* Control access to internal resources.

Configuring Smart Tunnels: Configuration Scenario

This figure presents the configuration scenario that is used in the upcoming configuration tasks. You will configure the Cisco ASA adaptive security appliance to download the smart tunnel applet to the client, enable it, and relay all traffic of the native Microsoft Windows RDP client to the internal network. The remote user will use the native Microsoft Windows RDP client to connect to the internal terminal server at 10.10.1.1. You will also configure the Cisco ASA adaptive security appliance to limit access to the protected network using a webtype ACL, which will allow only the specific RDP connection to the internal network. As with the previous configuration scenario, this configuration scenario assumes that the Cisco ASA adaptive security appliance is already configured with basic clientless SSL VPN gateway functionality.
It is also assumed that the configuration is using local authentication, authorization, and accounting (AAA) authentication and a verifiable identity certificate, and that all local users are assigned the BASIC-CLIENTLESS-POLICY group policy.

Configuring Smart Tunnels: Create Smart Tunnel List (Native Application Access)

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels, with the Add Smart Tunnel Entry window)

If you want to enable smart tunnel access for applications with a native client, you create a list of applications that are subject to smart tunnel relaying on the remote client.

To configure a smart tunnel list, complete the following steps:

Step 1: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels, and click Add to add a new smart tunnel list.
Step 2: Configure a list name (MY-SMART-TUNNELS in this example), and then click Add to add a smart tunnel list entry (that is, an application).
Step 3: In the Add Smart Tunnel Entry window, specify the properties of the application on the remote system of the user:
* Application ID: This is a user-friendly name that is displayed on the portal, informing users which applications are relayed to the central site.
* OS: Specify the operating system on which this entry will be active (Windows or OS X). In this example, Windows is used.
* Process Name: Specify the name of the application executable that performs network connections. You can specify only the executable name, or the entire path name if you require uniqueness. In this example, the MSTSC.EXE executable name of the Microsoft Windows native RDP client is used.
* Hash: Optionally, specify the cryptographic Secure Hash Algorithm 1 (SHA-1) hash of the executable to uniquely identify it.
Use this option if there are many executables with the same name, if you want to allow only a specific build or version of the executable to be included in smart tunnels, or to lower the risk of rogue executables being included in smart tunnels. Hashes are only supported on
Step 4: Click OK twice to accept the new smart tunnel list entry and the smart tunnel list.

Application Image Hashing

To obtain the hash value for an application, enter the checksum of the application (that is, the checksum of the executable file) into a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:\temp\mstsc.exe), and then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\temp\mstsc.exe) to display the SHA-1 hash.

Configuring Smart Tunnels: Bind Smart Tunnel List to Group Policy or User Profile

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Portal)

To enable smart tunnel access for applications with a native client, you apply a smart tunnel policy to a group policy or user profile. To modify an existing clientless SSL VPN group policy, complete the following steps:

Step 1: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies, and choose the previously configured clientless SSL VPN group policy (not shown).
Step 2: Click Edit to edit the clientless SSL VPN group policy.
Step 3: Choose the Portal option from the menu in the left pane and uncheck the Inherit check box next to the Smart Tunnel List field in the Smart Tunnel area.
From the drop-down box, select the configured smart tunnel list, in this example the MY-SMART-TUNNELS list.
Step 4: Optionally, check the Auto Start check box to configure the smart tunnel to start automatically for this group policy.
Step 5: Click OK and Apply to apply the changes to the Cisco ASA adaptive security appliance. Click Save to save the configuration, if needed.

Configuring Smart Tunnels: Enable Bookmarks for Smart Tunnel Access

* Bookmarked application will display in a separate web browser
* All traffic from that browser will pass over the smart tunnel
* Used for web-based application access

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks)

To deploy smart tunnels for web-based application access, enable a bookmark for smart tunnel access by completing these steps:

Step 1: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks, and create a bookmark list or edit an existing one.
Step 2: Add a bookmark or edit an existing bookmark. In the example, a bookmark for a custom web-based application running on port 3333 is configured.
Step 3: Check the Enable Smart Tunnel check box. Only HTTP and HTTPS bookmarks can be configured for smart tunnel access.
Step 4: Click OK and Apply to apply the configuration.

The bookmarked application will appear in a separate web browser, not in the SSL VPN portal. All traffic from that browser will pass over the smart tunnel.

Configuring Smart Tunnels: Control Access to Internal Resources

Webtype ACEs support address and service syntax.

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs)

You can optionally control access to internal resources by creating or modifying your webtype ACLs to permit or deny smart tunnel access to specific resources.
To control access, create ACEs in the webtype ACLs that are applied to the desired group policies, and click the Filter on Address and Service radio button in the webtype ACE. In this example, the webtype ACE allows access only to the 10.10.1.1 server on TCP port 3389 (RDP).

Configuring Smart Tunnels: CLI Configuration

(Figure: CLI configuration of the smart tunnel list, the group policy binding, and the webtype ACL)

This output shows the CLI commands that are required to configure smart tunnel access on the Cisco ASA adaptive security appliance. In the CLI, enter SSL VPN server configuration submode on the Cisco ASA adaptive security appliance using the webvpn command, and configure smart tunnel application lists using the smart-tunnel list command. In the example, a smart tunnel list named MY-SMART-TUNNELS, which specifies the RDP Windows application, is defined.

Next, assign the configured smart tunnel application list to a group policy by entering group-policy attributes mode and then switching to its webvpn submode. Use the smart-tunnel command to assign the smart tunnel list. Use the optional auto-start argument to automatically download and start the smart tunnel agent. In the example, the MY-SMART-TUNNELS smart tunnel list is applied to the BASIC-CLIENTLESS-POLICY group policy.

Finally, you may create a webtype ACL and ACEs that govern smart tunnel access using the access-list name webtype command. In the example, the webtype ACL permits access only to the 10.10.1.1 server over port 3389 (RDP).

smart-tunnel list

To populate a list of applications that can use a clientless (browser-based) SSL VPN session to connect to private sites, use the smart-tunnel list command in webvpn configuration mode. To remove an application from a list, use the no form of the command, specifying the entry.
To remove an entire list of applications from the adaptive security appliance configuration, use the no form of the command, specifying only the list.

[no] smart-tunnel list list application path [platform OS] [hash]

smart-tunnel list Parameters

list: Name of a list of applications or programs. Use quotation marks around the name if it includes a space. The CLI creates the list if it is not present in the configuration. Otherwise, the CLI adds the entry to the list.
application: Name of the application to be granted smart tunnel access. The string can be up to 64 characters.
path: For Mac OS, the full path to the application. For Windows, the filename of the application, or a complete or partial path to the application, including its filename. The string can be up to 128 characters.
platform OS: (Optional if the operating system is Microsoft Windows) Enter windows or mac to specify the host of the application.
hash: (Optional and applicable only for Windows) Enter the hash of the application. The SHA-1 hash is always 40 hexadecimal characters.

smart-tunnel auto-start

To start smart tunnel access automatically upon user login in a clientless (browser-based) SSL VPN session, use the smart-tunnel auto-start command in group-policy webvpn configuration mode or username webvpn configuration mode. To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group policy, use the no form of the command.

smart-tunnel auto-start list

smart-tunnel auto-start Parameters

list: The name of a smart tunnel list that is already present in the adaptive security appliance webvpn configuration.
To view any smart tunnel list entries that are already present in the SSL VPN configuration, enter the show running-config webvpn command in privileged EXEC mode.

Verifying Smart Tunnels: Manual Start (Smart Tunnel List)

(Figure: SSL VPN Service portal, Application Access view with the Start Smart Tunnel button)

To verify the availability of smart tunnels and their proper operation, log in to the SSL VPN portal. You should see an Application Access view on the left side of the SSL VPN portal home page. If you have configured smart tunnels to start automatically, the browser will automatically download and execute the smart tunnel relay agent. You will be prompted to inspect and accept digitally signed smart tunnel relay applets from the SSL VPN gateway.

If you have not configured smart tunnels to start automatically, select the Application Access view, and click the Start Smart Tunnel button. The browser will download and execute the smart tunnel relay agent on demand.

Verifying Smart Tunnels: Manual Start with RDP Example (Smart Tunnel List)

After the smart tunnel relay agent is running, you can start the native applications that are present in the smart tunnel list of your group policy and access internal resources directly (from an end-user perspective). In this example, the native Microsoft Windows RDP client is used as if it were started in a non-VPN environment (or a full tunneling Cisco AnyConnect session), displaying the login page of an internal server.

Verifying Smart Tunnels: Statistics (Smart Tunnel List)

In the Application Access view, you can also observe basic smart tunnel statistics and settings, such as the list of applications that are enabled for smart tunneling and the amount of data that has been exchanged through the smart tunnel session since its start.
Verifying Smart Tunnels: Bookmark

(Figure: SSL VPN Service portal with a Cisco Secure ACS v4.2 bookmark opened in a separate browser window)

This figure illustrates smart tunnel access using a bookmark. When you select the bookmark, the application displays in a separate browser window. You must accept the smart tunnel applet, which is signed by Cisco, before using the application.

Verifying Smart Tunnels: Implementation Guidelines

* Use smart tunnels when application plug-ins do not provide the required application functionality
* Use bookmarks enabled for smart tunnel access to relay data to problematic sites that do not work using SSL VPN proxy rewriting

When you implement smart tunnel access in clientless SSL VPNs, consider the following guidelines:
* Use smart tunnel access as the preferred method to support native remote-user applications, especially when you cannot support a business process with application plug-ins.
* You can also use smart tunnels as a remedy for applications that have issues with the SSL VPN proxy rewriting engine. Use bookmarks enabled for smart tunnel access to relay data to problematic sites.

Configuring Port Forwarding

This topic describes how to configure and verify port forwarding in clientless SSL VPN.

Configuring Port Forwarding: Port-Forwarding Overview

Port forwarding allows for relaying of arbitrary static TCP applications over the clientless SSL VPN session.
* Applications on the client connect to a local port
* An in-browser Java relay listening on this socket forwards all data to the SSL VPN gateway
* The SSL VPN gateway forwards all data to a preconfigured host or port
* Requires client application and operating system name resolution reconfiguration

Port forwarding is a legacy technology for supporting TCP-based applications over a clientless SSL VPN connection. Port forwarding is an alternative to smart tunnels, and makes use of a local Java helper applet to provide access to certain applications that are not supported by clientless SSL VPN by default. The Java helper application requires local applications to make a connection to the local host to provide port-forwarding functionality, and hence requires some modification of application settings or user actions.

This figure illustrates the port forwarding process to access an internal Telnet server:

1. After SSL VPN portal login, a port-forwarding Java applet that was downloaded from the SSL VPN portal is started inside the browser. The applet dynamically modifies the local hosts file, and listens on the loopback address of the remote host at port 3001 to forward any incoming connections over the SSL VPN session.
2. A user opens a Telnet client and attempts to connect to an internal server on port 3001.
3. The local hosts file, which was dynamically modified by the Java applet, is consulted. It has an entry for the internal server, which points to 127.0.0.1. The Telnet client connects to the local host on port 3001. The Java applet forwards this connection over the SSL VPN session to the SSL VPN gateway.
4. The VPN gateway extracts the TCP session from the SSL VPN session, establishes a TCP connection with the destination on the standard Telnet port (23), and acts as a data relay between the two TCP sessions.

Configuring Port Forwarding: Benefits and Limitations
Benefits:
* Supports native client applications over SSL VPN

Limitations:
* Bypasses advanced Cisco ASA application controls and SSMs
* Requires presence of native client applications on the remote system
* Requires users to change their application settings
* Requires administrator rights to change hosts files

The benefits of port forwarding are as follows:
* It supports the use of fully featured, native applications that are already installed on the system of the remote user.

The limitations of port forwarding are as follows:
* Port forwarding only supports simple, static-port TCP applications.
* Access to the internal network bypasses the advanced Cisco ASA adaptive security appliance application layer controls and security services modules. However, you can control the resources that are available to port forwarding users by destination server and application (port).
* It requires preinstalled native applications on the remote system.
* It requires users to change their application settings (for example, the destination port of the server), and even their application usage (if a different application profile is needed for non-VPN and VPN use).
* Port forwarding requires administrative rights because it changes the local hosts file.

Configuring Port Forwarding: Configuration Tasks

1. Specify client protocols (ports) subject to port forwarding.
2. Enable port forwarding in a group policy.
3. (Optional) Control access to internal resources.

To configure port forwarding access through a Cisco ASA adaptive security appliance SSL VPN gateway, you will perform the following configuration tasks:

1. Specify the client application protocols (ports) that are subject to port forwarding after SSL VPN login.
2. Enable port forwarding in the group policy, and optionally specify that the port-forwarding applet should start automatically after SSL VPN login.
3. Optionally, deploy access control features on the Cisco ASA adaptive security appliance SSL VPN gateway to control
access from applications using port forwarding to internal

Configuring Port Forwarding: Configuration Scenario

This figure presents the configuration scenario that is used in the upcoming configuration tasks. You will configure the Cisco ASA adaptive security appliance to download the Java port-forwarding applet to the client and enable it. The Java port-forwarding client listens for incoming TCP connections from the local host, on the local TCP port 3001, and relays these connections to the internal terminal server at 10.10.1.1. The remote user uses the native Microsoft RDP client to connect to the local port, which relays the RDP session to the internal terminal server. You will also configure the Cisco ASA adaptive security appliance to limit access to the protected network using a webtype ACL, which allows only the specific RDP connection to the internal network. As with the previous configuration scenario, this configuration scenario assumes that the Cisco ASA adaptive security appliance is already configured with basic clientless SSL VPN gateway functionality. It is also assumed that the configuration is using local AAA authentication and a verifiable identity certificate, and that all local users are assigned the BASIC-CLIENTLESS-POLICY group policy.

Configuring Port Forwarding: Task 1: Specify Client Protocols for Port Forwarding

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Port Forwarding)

In the first configuration task of this configuration sequence, you will create a list of remote application ports and internal resources that are subject to port forwarding on the remote client.
You can specify a single list of ports and internal resources for each group policy, which you can apply to one or more connection profiles.

To configure a port-forwarding list, complete the following steps:

Step 1: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Port Forwarding, and click Add to add a new port-forwarding list.
Step 2: Configure a list name (MY-PORT-FORWARDING in this example) and then click Add to add a port-forwarding entry.
Step 3: Configure the port-forwarding list entry with the following information:
* Local TCP Port: The port that the Java applet will listen on for port forwarding of this entry. In this example, TCP port 3001 is used. To avoid conflicts with existing services on the local host, use a port number greater than 1024.
* Remote Server: The address of the target server in the protected network. You can also provide the name of a remote server. If you provide the name, the Java applet will modify the local hosts file. Recall that administrator privileges are needed to change the local hosts file.
* Remote TCP Port: The port that the target server in the protected network will listen on for network connections.
* Description: User-friendly description of the port-forwarding entry.
Step 4: Click OK twice to accept the new port-forwarding entry and port-forwarding list.

Note: Remember that the connection is only cryptographically protected between the remote user and the Cisco ASA adaptive security appliance.
If a protocol such as Telnet is used with port forwarding, the traffic leaving the security appliance will not be encrypted.

Configuring Port Forwarding: Task 2: Enable Port Forwarding in a Group Policy

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Portal)

In the second configuration task, you will apply a port-forwarding policy to a group policy, which will in turn enable port forwarding on one or more connection profiles. To modify the existing clientless SSL VPN group policy, complete the following steps:

Step 1: Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies, and choose the previously configured clientless SSL VPN group policy.
Step 2: Click Edit to edit the clientless SSL VPN group policy.
Step 3: Choose the Portal option from the menu in the left pane and uncheck the Inherit check box for the Port-Forwarding List and Applet Name fields.
Step 4: Choose the configured port-forwarding list (MY-PORT-FORWARDING) from the drop-down menu, and check the Auto Applet Download check box. The Auto Applet Download option will automatically start the configured port-forwarding configuration after the user logs in to the SSL VPN portal. Optionally, configure an applet name for the application to be used with the port-forwarding SSL VPN.
Step 5: Click OK and Apply to apply the changes to the Cisco ASA adaptive security appliance. Click Save to save the configuration, if necessary.

Configuring Port Forwarding: Task 3: (Optional) Control Access to Internal Resources

Webtype ACEs support address and service syntax.

(Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Web ACLs)

In the third task, you can optionally control access to internal resources by creating or modifying your webtype ACLs to permit or deny port-forwarding
access to specific resources. The configuration of these rules is the same as with the smart tunnel feature.

Configuring Port Forwarding: CLI Configuration

This output shows the CLI commands that are required to configure port forwarding on the Cisco ASA adaptive security appliance. In the CLI, enter SSL VPN server configuration submode on the Cisco ASA adaptive security appliance using the webvpn command, and create a port-forwarding list and its entries using one or more port-forward commands. Next, assign the port-forwarding list to a group policy, in its group-policy attributes mode and webvpn submode, using the port-forward command with the list name. Optionally, configure the Cisco ASA adaptive security appliance to automatically start the port-forwarding applet using the port-forward auto-start command. Finally, you may create a webtype ACL and ACEs that govern port forwarding access using the access-list name webtype command.

In the example, a port-forwarding list named MY-PORT-FORWARDING, which specifies a local port of 3001, with the remote server IP address of 10.10.1.1 and a remote port of 3389, is defined. A description for this port-forwarding list is also configured. The MY-PORT-FORWARDING port-forwarding list is applied to the BASIC-CLIENTLESS-POLICY group policy. Autostart is enabled, and a name that identifies the port forwarding to the users is also configured. The webtype ACL will permit access only to the 10.10.1.1 server over port 3389 (RDP).

port-forward

To configure the set of applications that users of a clientless SSL VPN session can access over forwarded TCP ports, use the port-forward command in webvpn configuration mode.
port-forward list_name local_port remote_server remote_port description

To configure access to multiple applications, use this command with the same list_name multiple times, once for each application. To remove a configured application from a list, use the no port-forward list_name local_port command (you do not need to include the remote_server and remote_port parameters).

no port-forward list_name local_port

To remove an entire configured list, use the no port-forward list_name command.

no port-forward list_name

port-forward Parameters

description: Provides the application name or short description that displays on the end-user Port Forwarding Java applet screen. Maximum 64 characters.
list_name: Groups the set of applications (forwarded TCP ports) that users of clientless SSL VPN sessions can access. Maximum 64 characters.
local_port: Specifies the local port that listens for TCP traffic for an application. You can use a local port number only once for a list_name. Enter a port number in the range 1-65535. To avoid conflicts with existing services, use a port number greater than 1024.
remote_port: Specifies the port to connect to for this application on the remote server. This is the actual port that the application uses. Enter a port number in the range 1-65535 or a port name.
remote_server: Provides the DNS name or IP address of the remote server for an application. If you enter the IP address, you may enter it in either IP version 4 (IPv4) or IP version 6 (IPv6) format. Cisco recommends using a hostname so that you do not have to configure the client applications for a specific IP address. The dns server-group name-server command must resolve the hostname to an IP address.

port-forward-name

To configure the display name that identifies TCP port forwarding to end users for a particular user or group policy, use the port-forward-name command in webvpn mode, which you enter from group-policy or username mode.
To delete the display name, including a null value that is created by using the port-forward-name none command, use the no form of the command. The no option restores the default name, Application Access. To prevent a display name, use the port-forward-name none command.

port-forward-name {value name | none}

port-forward-name Parameters

none: Indicates that there is no display name. Sets a null value, which disallows a display name. Prevents inheriting a value.
value name: Describes port forwarding to end users. Maximum of 255 characters.

Verifying Port Forwarding: Autostart

(Figure: SSL VPN Service portal with the port-forwarding applet popup window)

To verify the availability of port forwarding and its proper operation, log in to the SSL VPN portal. You should see an Application Access view on the left side of the SSL VPN portal home page. If you have configured the port-forwarding applet to start automatically, the browser will automatically download and execute the Java applet, which will use a separate popup window. In most browsers, you have to authorize this popup window separately.

Verifying Port Forwarding: Manual Start

(Figure: SSL VPN Service portal, Application Access view with the Start Applications button)

If you have not configured port forwarding to start automatically, select the Application Access view, and click the Start Applications button. The browser will download and execute the Java port-forwarding applet on demand.

Verifying Port Forwarding: RDP Example

After the port forwarding Java applet is running, you can start a native application and access internal resources either by connecting to a local host port (as shown in this figure) or by connecting to the real hostname of the internal server. You can connect over the local port (3001 in this example) of the Java applet, or over the hostname, because the Java applet will also modify the hosts file.
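The smart tunnel and port-forwarding CLI fragments that the two CLI Configuration sections above describe, rendered and sanity-checked by an added Python example (not code from this guide or from Cisco). It uses the lesson's names (MY-SMART-TUNNELS, MY-PORT-FORWARDING, BASIC-CLIENTLESS-POLICY, 10.10.1.1 port 3389) and assumes an ACL name RDP-ONLY, a constructed byte string in place of the real mstsc.exe image, and the enable and filter value group-policy keywords, none of which these pages show.

```python
"""Added example (not from the Cisco guide): render the smart tunnel and port-forwarding
CLI fragments this lesson describes, linting the values the CLI limits first."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def quote_if_needed(name: str) -> str:
    """A list name that contains a space must be enclosed in quotation marks."""
    return f'"{name}"' if " " in name else name

def image_hash(image: bytes) -> str:
    """SHA-1 of an executable image, the value fciv.exe -sha1 prints (40 hex chars)."""
    return hashlib.sha1(image).hexdigest()

@dataclass
class SmartTunnelEntry:
    app_id: str                 # user-friendly name shown on the portal (max 64)
    path: str                   # Windows: file name or path; Mac OS: full path (max 128)
    platform: str = "windows"   # "windows" or "mac"
    sha1: Optional[str] = None  # optional, Windows only

def check_smart_tunnel_entry(e: SmartTunnelEntry) -> Optional[str]:
    """Return a problem description, or None if the CLI would accept the entry."""
    if e.platform not in ("windows", "mac"):
        return f"{e.app_id}: platform must be windows or mac"
    if len(e.app_id) > 64 or len(e.path) > 128:
        return f"{e.app_id}: application name or path too long"
    if e.platform == "mac" and not e.path.startswith("/"):
        return f"{e.app_id}: Mac OS entries need the full path to the application"
    if e.sha1 is not None and (e.platform != "windows" or len(e.sha1) != 40
                               or set(e.sha1.lower()) - set("0123456789abcdef")):
        return f"{e.app_id}: hash is Windows-only and must be 40 hex characters"
    return None

@dataclass
class PortForwardEntry:
    local_port: int      # loopback port the Java applet listens on
    remote_server: str   # IP address or DNS name of the internal server
    remote_port: int     # real port of the application on that server
    description: str     # text shown on the applet screen

def check_port_forward_entry(e: PortForwardEntry) -> Optional[str]:
    """Return a problem description, or None if the CLI would accept the entry."""
    if not (1 <= e.local_port <= 65535 and 1 <= e.remote_port <= 65535):
        return f"{e.description}: ports must be in the range 1-65535"
    if e.local_port <= 1024:  # the guide: stay above 1024 to avoid local services
        return f"{e.description}: local port {e.local_port} may conflict with a local service"
    return None

def smart_tunnel_list(name: str, entries: List[SmartTunnelEntry]) -> List[str]:
    """webvpn submode lines: smart-tunnel list <list> <app> <path> platform <OS> [hash]."""
    lines = []
    for e in entries:
        problem = check_smart_tunnel_entry(e)
        if problem:
            raise ValueError(problem)
        line = f" smart-tunnel list {quote_if_needed(name)} {e.app_id} {e.path} platform {e.platform}"
        lines.append(line + (f" {e.sha1}" if e.sha1 else ""))
    return lines

def port_forward_list(name: str, entries: List[PortForwardEntry]) -> List[str]:
    """webvpn submode lines: port-forward <list> <local_port> <server> <remote_port> <desc>."""
    lines, used = [], set()
    for e in entries:
        problem = check_port_forward_entry(e)
        if problem or e.local_port in used:  # a local port may be used only once per list
            raise ValueError(problem or f"local port {e.local_port} used twice in {name}")
        used.add(e.local_port)
        lines.append(f" port-forward {quote_if_needed(name)} {e.local_port} "
                     f"{e.remote_server} {e.remote_port} {e.description}")
    return lines

def webtype_acl(name: str, host: str, port: int) -> List[str]:
    """One webtype ACE in address-and-service form: permit a single host and TCP port."""
    return [f"access-list {name} webtype permit tcp host {host} eq {port}"]

def group_policy_webvpn(policy: str, smart_tunnel: str, port_forward: str,
                        applet_name: str, web_acl: str, auto_start: bool = True) -> List[str]:
    """Bind both lists and the webtype ACL in the group policy's webvpn attributes."""
    verb = "auto-start" if auto_start else "enable"
    return [f"group-policy {policy} attributes", " webvpn",
            f"  smart-tunnel {verb} {quote_if_needed(smart_tunnel)}",
            f"  port-forward {verb} {quote_if_needed(port_forward)}",
            f"  port-forward-name value {applet_name}", f"  filter value {web_acl}"]

def lab_config(mstsc_image: bytes) -> List[str]:
    """The lesson scenario: RDP (mstsc.exe) via smart tunnel and via a local port 3001
    forward, both limited to 10.10.1.1:3389 by a webtype ACL (RDP-ONLY is an assumed name)."""
    st = smart_tunnel_list("MY-SMART-TUNNELS", [SmartTunnelEntry(
        "RDP", "mstsc.exe", "windows", image_hash(mstsc_image))])
    pf = port_forward_list("MY-PORT-FORWARDING", [PortForwardEntry(
        3001, "10.10.1.1", 3389, "RDP to terminal server")])
    return (["webvpn"] + st + pf + webtype_acl("RDP-ONLY", "10.10.1.1", 3389)
            + group_policy_webvpn("BASIC-CLIENTLESS-POLICY", "MY-SMART-TUNNELS",
                                  "MY-PORT-FORWARDING", "RDP", "RDP-ONLY"))

if __name__ == "__main__":  # the byte string is a constructed stand-in for mstsc.exe
    print("\n".join(lab_config(b"constructed stand-in for mstsc.exe")))
```

Feeding the real executable's bytes to image_hash gives the same 40-character value that fciv.exe -sha1 prints, so the rendered smart-tunnel list line can be compared against the hash shown in ASDM before it is applied.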
In this example, the native Microsoft Windows RDP client connects to the local host port, where it is forwarded to an internal RDP server.

Verifying Port Forwarding: Implementation Guidelines

* Use port forwarding when you cannot use application plug-ins or smart tunnels:
  - Linux
  - Older Cisco ASA code

When you implement port forwarding in clientless SSL VPNs, consider the following guideline:
* Use port forwarding to support native remote-user applications when smart tunnels are not available or cannot be deployed. Examples include Linux workstations or deployments of older Cisco ASA adaptive security appliance code.

Troubleshooting Advanced Application Access

This topic describes how to troubleshoot advanced application access in clientless SSL VPN.

Troubleshooting Application Access: Visual Troubleshooting Aid

(Figure: troubleshooting commands and actions on the client and on the Cisco ASA; ASDM = Cisco Adaptive Security Device Manager)

When you troubleshoot advanced application access in clientless SSL VPNs, you should perform troubleshooting tasks on both the client and the Cisco ASA adaptive security appliance, if possible. This figure shows some of the most useful troubleshooting commands and actions that you can use on the involved components. On the client, you can use operating system utilities to determine the reason for connectivity or name resolution issues.
Here are some examples of these utilities: © The ping.utility to determine Layer 3 reachability of the Cisco ASA adaptive s appliance from the client uurity © The traceroute utility to troubleshoot Layer 3 path problems between the client and the Cisco ASA adaptive security appliance © The nslookup and dig utilities to troubleshoot name resolution, if the browser or application cannot resolve the URL for the SSL VPN portal or an internal resource Note that the Cisco ASA adaptive security appliance will extensively log all issues into its syslog subsystem. The debug commands are generally not required, except for in-depth troubleshooting of complex issues. (E2010 Cisco Systems, ne, Depbymert of Cisco ASA Adaptive Secumty Appliance Clantlass Remote Access VPN Soltone 4105Troubleshooting Application Access Application Plug-ins If you are encountering access issues with application plug-ins, you may follow these steps to troubleshoot the issue: Stop1 First, check that the URL type you are trying to access is available on the Cisco ASA adaptive security appliance (for example, in the free URL entry field). If they are not, you may have forgotten to impoct a specitic application plug-in into the Cisco ASA adaptive security appliance. Stop2 If URLsare available, but the application plug-ins do not start, you may have a client configuration or compatibility issue. Verify that the SSL VPN gateway is added to the list of trusted sites, that the elient system has a supported release of the Java Runtime Environment, or that it supports ActiveX control execution: Step3 Finally, if the application plug-ins start but cannot conneet to the target server, verily webtype ACLs on the Cisco ASA adaptive security appliance to see if they permit or deny the connection. Additionally, verify that the SSL VPN gateway has a route to the target server, the target server has a route to the SSL VPN gateway, and there is hho access control between them that could impair communications. 
If these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.

Troubleshooting Application Access: Smart Tunnels

If you are encountering access issues with smart tunnels, you may follow these steps to troubleshoot the issue:

Step 1  First, check that the smart tunnel agent starts. If it does not, verify that the client system has a supported release of the Java Runtime Environment, or that it supports ActiveX control execution.

Step 2  If the agent starts but your application does not connect, verify that you have specified the correct application name (for example, using the Windows Task Manager or Explorer on a remote Windows system) or hash. Also, verify webtype ACLs on the Cisco ASA adaptive security appliance to see if they permit or deny the connection. Additionally, verify that the SSL VPN gateway has a route to the target server, that the target server has a route to the SSL VPN gateway, and that there is no access control between them that could impair communications.

Step 3  Finally, if other applications that are not included in the smart tunnels policy on your system are experiencing connectivity problems, ensure that you have not specified additional, unwanted applications in the smart tunnel list using wildcarding. Additionally, if you have problems accessing only specific destinations, verify that the Cisco ASA adaptive security appliance is not blocking them, for example, by preventing same-security-level communication.

If these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.

Troubleshooting Application Access: Port Forwarding

If you are encountering access issues with port forwarding, you may follow these steps to troubleshoot the issue:

Step 1  First, check that the port-forwarding Java applet starts. If it does not, verify that the client system has a supported release of the Java Runtime Environment.

Step 2  Verify that the Java applet has correctly configured the client system:
  - On the client PC, open a command prompt window and use the netstat -an command to verify that local listening ports have been opened by the port-forwarding applet.
  - Verify that the hosts file on the client computer has been updated to support TCP port forwarding. Examine the hosts file in the Windows system32\drivers\etc subfolder to see if entries with a local host address have been added after the applet starts.

Step 3  If the applet starts but your application does not connect, verify that you have specified the correct ports in the application, that names are correctly resolved to the local host, and that the user has administrative rights. Next, verify webtype ACLs on the Cisco ASA adaptive security appliance to see if they permit or deny the connection. Additionally, verify that the SSL VPN gateway has a route to the target server, that the target server has a route to the SSL VPN gateway, and that there is no access control between them that could impair communications.

If these steps do not resolve your issue, you may need to deploy troubleshooting tools that are beyond the scope of this course.
Summary

This topic summarizes the key points that were discussed in this lesson.

- You can choose several options when deploying advanced application access: application plug-ins, Cisco Smart Tunnels, or port forwarding.
- Use application plug-ins as the simplest method to deploy access to non-web and non-CIFS resources.
- Use smart tunnels to provide access using native application clients.
- Deploy port forwarding when application plug-ins or smart tunnels are not available.
- Troubleshooting involves tools that are available on the security appliance and the remote computer.

Lesson 3

Deploying Advanced Authentication and SSO in a Clientless SSL VPN

Overview

Most enterprises need scalable authentication schemes, in which the network devices offload the authentication process to back-end user databases, such as Lightweight Directory Access Protocol (LDAP), TACACS+, or RADIUS. In clientless SSL VPNs, public key infrastructure (PKI) offers a scalable and secure authentication method. This lesson discusses the various authentication approaches that should be evaluated when designing a clientless SSL VPN solution, including the option of combining multiple authentications in a single process. In the lesson, you will learn how to provide a user-friendly authentication strategy by requiring only a single sign-on (SSO) when accessing various resources.

Objectives

Upon completing this lesson, you will be able to deploy and manage advanced authentication features of a clientless Cisco SSL VPN.
This ability includes being able to meet these objectives:

- Plan the deployment of advanced client authentication in clientless SSL VPNs
- Configure and verify the local CA or integrate with an external CA and provision client certificates
- Configure and verify integration with supporting PKI entities and verify external certificate authorization
- Troubleshoot advanced client authentication in clientless SSL VPNs
- Configure and verify clientless VPN SSO methods

Configuration Choices, Basic Procedures, and Required Input Parameters

This topic describes how to design clientless SSL VPN authentication.

Advanced Clientless SSL VPN Authentication: Solution Components

A key aspect of an SSL VPN is secure user authentication. You should consider these features as you design the authentication system:

- Security: This aspect is related to the security of the authentication protocol and the trustworthiness of the user credentials. SSL is considered a trusted protocol, but the security depends on the strength of the user credentials. In general, static passwords are considered a weaker authentication means than certificates or one-time passwords (OTPs). The highest security is obtained by combining various authentication methods.
- Scalability: This design consideration is related to how easy it is to provision new users and maintain the authentication system. Maintenance involves such tasks as credential revocation, high availability, and accountability.
- Integration: This design consideration involves integration with existing user databases.

Authentication in an SSL VPN occurs in two stages:

- Server-side authentication, in which the client verifies the authenticity of the server
- Client-side authentication, in which the server verifies the authenticity of the clients

Advanced Clientless SSL VPN Authentication: Server-Side Authentication Options

(Table in figure: self-signed Cisco ASA certificate versus identity certificate from an external CA, with pros, cons, and recommended deployments; the options are described below)

Server-side authentication of a clientless SSL VPN session can be based on these two things:

- Self-signed Cisco ASA adaptive security appliance certificate: This certificate is generated automatically by the security appliance and is not verifiable by any external entity. The issuer and subject of the self-signed certificate are set to the IP address of the security appliance. It should be used only in testing or very small deployments. You can install the self-signed certificate into the certificate store of the client computer using the manual import procedure. In this process, the client should compare the fingerprint of the obtained Cisco ASA adaptive security appliance certificate with the original fingerprint received out-of-band (OOB) from the security appliance administrator.
Self-signed Cisco ASA adaptive security appliance certificates should be avoided in production environments.

- Identity certificate that is issued by an external CA: In this scenario, the Cisco ASA adaptive security appliance enrolls with an external certificate authority (CA) to obtain an identity certificate that can be verified by the clients. The clients can verify the server identity certificate because they have a list of trusted CA root certificates in their browsers. If the security appliance enrolls with a CA from that preinstalled certificate list, the client uses the appropriate root certificate to authenticate the SSL VPN server. This solution is recommended for unmanaged clients, including Internet kiosks.

Advanced Clientless SSL VPN Authentication: Client-Side Authentication Options

(Table in figure: client-side authentication options and their recommended deployments; the options are described below)

Client-side authentication of a clientless SSL VPN session can be based on these authentication methods:

- Certificates that are issued by the internal CA of the Cisco ASA adaptive security appliance: These certificates are installed on the client computer at the first client connection to the SSL VPN server. This approach is recommended for managed clients only.
- Certificates that are issued by an external CA: In this deployment mode, the VPN users enroll with the same external CA as the SSL VPN server. The SSL VPN server has an identity certificate that is issued by the same external CA. The SSL VPN server authenticates client certificates using the root certificate. The SSL VPN server must be in possession of the root certificate before its own enrollment. This approach is typically deployed in enterprise-wide environments, where the enterprise maintains its own CA. Otherwise, the cost of user certificates may be an issue.
- Passwords: Passwords can be stored either in the local user database or on an external AAA server. They can be static in nature or dynamic, as in the case of OTPs. Password-based authentication is recommended for users accessing the SSL VPN from unmanaged computers, such as public kiosks. The level of trust that is placed in password-based authentication can be increased by implementing two-factor authentication, which relies on something you know (password) and something you have (OTP token).
- Multiple sequential authentications: In this method, the authentication strength is enhanced by combining two or more independent authentications, which must jointly succeed before a user can access the VPN. The authentications can either be performed against separate databases or be a combination of certificate and authentication, authorization, and accounting (AAA) authentications. Double authentication using different user databases with static passwords is not very common, as it can be argued that static password authentication is not significantly strengthened by another static password.

Advanced Clientless SSL VPN Authentication: Deployment Guidelines

- Combine independent authentication methods to provide strong, multifactor authentication:
  - Certificates with static passwords
  - OTP tokens with static passwords
  - Static passwords on two AAA servers do not significantly enhance authentication strength
- Balance authentication strength with ease of use:
  - Using certificates with OTP and static passwords is cumbersome for most users

The security appliance offers a wide set of authentication options, but only some combinations of the authentication methods significantly increase the level of trust that is put in the authentication process. These combinations are the most recommended:

- Certificates with static passwords for managed client computers: This option is not feasible for Internet kiosks.
- OTP tokens with static passwords for managed or unmanaged endpoints: This method can be implemented either as a single authentication using an AAA server that offloads authentication to a back-end OTP server, or as two daisy-chained authentications, one against a static database and one against an OTP server.

In general, you should make the system as user-friendly as possible, as long as the security policy is obeyed. Combining too many authentications and requiring the users to enter too many passwords may place a heavy burden on their shoulders.

Deploying Client Certificate-Based Authentication

This topic describes how to deploy client-side certificate-based authentication.

Client Authentication Using Local CA: Configuration Tasks

1. Configure the Cisco ASA local CA.*
2. Create CA user accounts.*
3. Enable client certificate authentication for a connection profile.
4. (Optional) Configure mapping of certificates to connection profiles.
5. Provision client identity certificates to clientless users.

To configure client authentication using the local CA, you will perform the following configuration tasks:

1. Configure the Cisco ASA adaptive security appliance local CA (discussed in previous lessons and not discussed here again).
2. Create CA user accounts (discussed in previous lessons and not discussed here again).
3. Enable client certificate authentication for a connection profile.
4. Optionally, configure mapping of certificates to connection profiles.
5. Provision client identity certificates to clientless users.

These tasks are described in the next pages.

Client Authentication Using Local CA: Configuration Scenario

This figure presents the configuration scenario that is used in upcoming configuration tasks. You will enable the local CA function on the security appliance and create CA user accounts. The fully qualified domain names (FQDNs) of the users will include the organizational unit to which they belong. When the users connect to the SSL VPN, the Cisco ASA adaptive security appliance will check the organizational unit information to apply the correct connection profile to the user session, BASIC-CLIENTLESS-PROFILE in the example.

Client Authentication Using Local CA: Input Parameters

  Connection profiles that use certificate-based authentication   Authentication type is configured in the connection profile settings. A mixed set of authentication types is supported on a single Cisco ASA.
  Local CA settings                                               Issuer name, CA and client key sizes, and CA and client certificate lifetimes. A secret passphrase is required to activate the local CA.
  Local certificate users and their FQDN names                    Proper naming, using the FQDN elements CN, OU, O, and C, allows a granular binding policy of user groups to connection profiles.
  OTP enrollment credentials                                      Users must provide the OTP credentials when obtaining keys and identity certificates. OTP credentials are distributed via email or OOB.
  Mapping to connection profiles                                  Definition of subject FQDNs that are mapped to given connection profiles.

You have to gather these input parameters prior to implementing certificate-based client authentication using the local CA:

- Connection profiles that use certificate-based authentication: The authentication type is configured in the connection profile settings. To authenticate users using local CA certificates, the appropriate connection profiles must be configured for certificate-based authentication.
- Local CA settings: These parameters include the issuer name, key sizes of the CA and the clients, and CA and client certificate lifetimes. The key size of the client defines the length of the private- and public-key pair that the appliance generates for each client. All these parameters have default values that can be used for most environments. Only the secret passphrase must be explicitly entered to activate the local CA feature.
- Local certificate users and their FQDN names: The FQDN elements, such as common name (CN), organizational unit (OU), organization name (O), and country (C), allow a granular policy of binding user groups to connection profiles. An example of such a policy could match the country of the SSL VPN user (C attribute) and assign a connection profile that uses a localized customization.
- OTP enrollment credentials: OTP enrollment credentials must be generated by the security appliance local CA and distributed to the users before they can connect to the SSL VPN. These credentials must be distributed OOB, for example by emailing them to the users.
- Mapping to connection profiles: If you want to assign users to connection profiles based on their FQDN attributes, you must gather the mapping criteria that will define the binding.

Client Authentication Using Local CA: Task 3: Enable Client Certificate Authentication for a Connection Profile

Configuration > Remote Access > Clientless SSL VPN Access > Connection Profiles

The configuration procedure starts with the enabling of the local CA and creating CA user accounts, but these tasks are omitted here because they have been explained sufficiently in an earlier lesson. The first two tasks are identical to Cisco AnyConnect client authentication scenarios. In the third configuration task, you will enable certificate-based authentication in the required connection profiles. To enable certificate-based authentication, complete the following steps:

Step 1  Choose Configuration > Remote Access > Clientless SSL VPN Access > Connection Profiles.
Step 2  Choose a desired connection profile and click the Edit button.
Step 3  In the Authentication area of the window, click the Certificate radio button as the authentication method.
Step 4  Click OK.
Step 5  Click Apply to apply the configuration.

Client Authentication Using Local CA: Task 4: (Optional) Configure Mapping of Certificates to Connection Profiles

Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps

In the optional fourth task, you can define the mapping of client certificates to the appropriate connection profiles by completing these steps:

Step 1  Choose Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps.
Step 2  Click Add to create a new map. A new window opens (not shown in the figure).
Step 3  In the Certificate to Connection Profile Map configuration window, enter the map name and the rule priority, and select the connection profile that is used for the binding. The rule priority defines the order in which multiple maps are evaluated when searching for a connection profile that will be used for a user session. This step is not shown in the example.
Step 4  Select a map from the list of entries in the Certificate to Connection Profile Maps area and click Add in the Mapping Criteria area. The Add Certificate Matching Rule Criterion window opens.
Step 5  Define your matching criteria by choosing appropriate parameters from the Field, Component, and Operator drop-down lists and entering the required value in the Value field. If the map consists of multiple matching rules, all conditions must be met to bind the user certificate to the connection profile (the rules are combined using the logical AND operator).
Step 6  Click OK.
Step 7  Click Apply to apply the configuration.

You may have multiple Certificate to Connection Profile Maps, each containing several matching rules. In this scenario, one map is defined: salesmap. The salesmap consists of one rule that matches certificates where the organizational unit (OU) attribute in the subject field is set to "Sales" and maps them to connection profile BASIC-CLIENTLESS-PROFILE.

Client Authentication Using Local CA: Task 5: Provision Client Identity Certificates to Clientless Users

In the fifth task, the users have to obtain the private- and public-key pair and their identity certificate from the security appliance. The enrollment occurs in several steps:

1. The Cisco ASA adaptive security appliance points the users to a connection profile, or the users select a connection profile that is configured for certificate-based authentication.
2. The users receive an authentication failure notification and a link for obtaining a new certificate and the keys.
3. After choosing the link, the security appliance prompts the users to submit their username and OTP, which they should have already obtained using an OOB method.
4. When the username and OTP combination is correct, the security appliance sends the user a Personal Information Exchange (or Public Key Cryptography Standard #12 [PKCS #12]) file that the user can open or save. The file has the username as its name and the extension .p12, and contains the private- and public-key pair and the user identity certificate.

Client Authentication Using Local CA: CLI Configuration

The figure shows the CLI command that is used to enable client authentication using the local CA. Local CA configuration and local CA user creation are not shown in the figure, because they have already been discussed in the "Deploying Advanced Authentication in AnyConnect Full Tunnel SSL VPNs" lesson.

To create a certificate-to-connection profile mapping using the CLI, use the following commands. First, create a certificate-to-connection profile map using the crypto ca certificate map command, followed by a name and a rule priority number. Then use the subject-name attr command to specify which attribute in a subject name should contain which value. Next, configure the mapping between a connection profile and a connection profile map using the certificate-group-map command in webvpn configuration mode. In the example, if the Cisco ASA adaptive security appliance receives a certificate where the organizational unit (OU) field of the subject name contains "Sales," the security appliance will use the BASIC-CONNECTION-PROFILE connection profile for that user. Finally, enable certificate-based authentication for a specific connection profile (tunnel group) using the authentication certificate command in tunnel-group configuration mode.

crypto ca certificate map

To enter CA certificate map mode, use the crypto ca certificate map command in global configuration mode. Executing this command places you in CA certificate map mode. Use this group of commands to maintain a prioritized list of certificate mapping rules.
The sequence umber orders the mapping rules, To remove a erypto CA certificate map rule, use the no form of the command, crypto ca certificate map {seguence-number| map-name sequence-number (G2010 Cisco Systems, ne, Depoyment of GscoASA Adaptive Securty Appliance Gleness Ramcte Access VPNSoltone 4123crypto ca certificate map Parameters Parameter Description map Specifies a name for a certificate-to-group map. Specifies 2 number for the certificate map rule you are creating. The range is ‘through 65535, You can use this number when creating a tunnel-group- imap, which maps a tunnel g‘oup to a certificate map rue. subject-name (crypto ca certificate map) To indicate that rule entry is applied to the subject distinguished name (DN) of the IPsec peer certificate, use the subject-name command in erypto CA certificate map configuration mode. To remove a subjectname, use the no form of the command. subject-name [attr rag eq | ne | eo | ne string] subject-name (crypto ca certificate map) Parameters Parameter | Description ‘attr ag | Indicates that only the specified atribute value from the certificate DN will be compared to the rule entry string, The tag values are as follows: = DNQ=DNaualifier = GEN = Generational qualifier intials = GN=Givenname = N= Name = SN=Sumame = IP=1P accross = SER= Serial numter © UNAME = Unstructured name = EA= Email adcress = TTite = O= Organization rame = L= Locality = SP= State and province = C= Country = OU= Organizational unit = CN= Common name co ‘Specifes that the rule entry string must be @ substring inthe DN string or indicated attribute, eg Specifies that the DN sting or indicated atribute must match the entire rule string ne Specifies that the rule entry string must rot be a substringin the DN string or indicated attribute ne Specifies that the DN sting or indicated attribute must not match the entire rule string string _ | Specifies the value to be matched. 
certificate-group-map

To associate a rule entry from a certificate map with a tunnel group, use the certificate-group-map command in webvpn configuration mode. To clear current tunnel-group map associations, use the no form of this command.

certificate-group-map certificate_map_name index tunnel_group_name

certificate-group-map Parameters
  certificate_map_name  The name of a certificate map.
  index                 The numeric identifier for a map entry in the certificate map. The index value can be in a range of 1 to 65,535.
  tunnel_group_name     The name of the tunnel group that is chosen if the map entry matches the certificate. The tunnel-group name must already exist.

authentication-certificate

To request a certificate from a WebVPN client that is establishing a connection, use the authentication-certificate command in webvpn configuration mode. To cancel the requirement for a client certificate, use the no form of this command.

authentication-certificate interface-name

authentication-certificate Parameters
  interface-name  The name of the interface that is used to establish the connection. Available interface names are:
                  inside: Name of interface GigabitEthernet 0/…
                  outside: Name of interface GigabitEthernet 0/0

Client Authentication Using Local CA: Verify Connection Profile Assignment

- When a certificate-to-profile mapping does not exist, the user sees the Login page and selects the appropriate profile.
- When a mapping exists, the user immediately enters the portal.

To verify the certificate-based client authentication, you will connect to the SSL VPN. If the security appliance has a Certificate to Connection Profile Map that binds the user certificate to a connection profile, the specified connection profile will be chosen automatically. If the maps do not match, the users may have the option to select a connection profile, as shown in the left half of the figure. This figure depicts a successful certificate-based authentication in which the user is not prompted for any credentials, as shown in the right half of the figure.

Client Authentication Using Local CA: Verify Connection Profile Assignment (Cont.)

To view the user session parameters, including the selected connection profile, you may choose Monitoring > VPN > VPN Statistics > Sessions, and select Clientless SSL VPN from the Filter By drop-down menu to view the session parameters. This verification will show if the correct profile has been activated by the Certificate to Connection Profile Map.

Client Authentication Using External CA: Configuration Tasks

1. Import the external CA certificate (file-based, manual, SCEP) to the Cisco ASA.*
2. Enroll clients into the PKI.*
3. Enable client certificate authentication for a connection profile.*

To configure client authentication using an external CA, you will perform the following tasks:

1. Import the external CA root certificate to the security appliance. The CA root certificate can be installed using file import, manual (cut-and-paste), or Simple Certificate Enrollment Protocol (SCEP).
2. Enroll clients into the PKI.
3. Enable client certificate authentication for a connection profile.

Client Authentication Using External CA: Configuration Scenario

This figure illustrates the configuration scenario for deploying browser (client) certificates using an external CA. The security appliance receives the root certificate of the external CA and enrolls with it to obtain its identity certificate. The users may have the root certificate preinstalled in their browsers, depending on which CA provider is selected in a particular enterprise environment.
Alternatively, the enterprise may manage its own CA. In either case, the users must enroll with the CA to obtain their identity certificates. Both server authentication and client authentication are certificate-based. The entities use the self-signed root certificate to verify the authenticity of the peer certificate. Once the peer certificate is validated, the entities extract the embedded public key to verify the peer signature.

You have to gather some input data before deploying browser (client) certificates using an external CA. The parameters belong to three areas:

* Data for the external CA enrollment procedure: The enrollment procedure varies based on the CA provider. The enterprise may choose to install and manage its own CA. The CA root certificate can be imported to the Cisco ASA adaptive security appliance using a file import, a cut-and-paste process, or SCEP.
* Client authentication policy: Optionally, you may combine certificate-based client authentication with AAA that uses passwords to authenticate the users.
* Mapping to connection profiles: Optionally, use the definition of FQDNs mapped to given connection profiles. This method is required only if client-side authentication is certificate-based and users should be directed to various connection profiles based on their X.500 subject names.

Deploying Advanced Gateway PKI Integration, External Certificate Authorization, and Double Authentication

This topic describes how to integrate the SSL VPN server in a PKI environment, deploy external certificate authorization, and implement double authentication.

Advanced Gateway PKI Integration and External Certificate Authorization
Configuration Tasks

1. (Optional) Configure a certificate revocation checking policy.
2. (Optional or as an alternative) Configure AAA certificate authorization.

To configure client authentication using an external CA, you will perform the following tasks:

1. Optionally, configure a certificate revocation checking policy.
2. Optionally, or as an alternative, configure AAA certificate authorization.

These steps are the same as for full tunneling SSL VPNs and are not repeated here.

Multiple Client Authentication
Deployment Options

Client-side authentication options:
* Certificate-based and one AAA authentication
* Certificate-based and one AAA authentication with username prefill and, optionally, a hidden username
* Double AAA authentication (no certificate)
  - With optional username reuse

You can deploy one of several multiple authentication combinations. The multiple client-side authentication options in clientless SSL VPN are identical to the ones in Cisco AnyConnect VPN clients and include these:

* Certificate-based and one AAA authentication
* Certificate-based and one AAA authentication where the username for AAA authentication can be extracted from the certificate subject field and hidden from users
* Double AAA authentication (no certificate) with optional username reuse

This topic presents how to configure multiple client authentications for clientless SSL VPN connections.

Configuring Multiple Client Authentication
Overview

[Figure: configuration scenario for multiple client authentication (OTP)]

This figure presents the configuration scenario that is used in the upcoming configuration tasks. First, you will configure certificate-based authentication with a single AAA password-based authentication using the RADIUS server. Then you will configure double authentication, where primary authentication will be performed on the LDAP server and secondary authentication on the RADIUS server.
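As an added illustration (not code from this guide or from the appliance), the following Python models the three client-side authentication combinations listed above, including username pre-fill from a certificate subject field and username reuse for double AAA; the MY-LDAP-SVRS server group name, the users, passwords and certificate values are constructed (MY-RADIUS-SVRS is the group name used in this topic).

```python
"""Added illustration, not Cisco ASA code: the clientless SSL VPN client
authentication combinations this topic lists (certificate + one AAA,
certificate + AAA with username pre-fill, double AAA with username reuse),
modelled as plain Python so the decision flow can be traced.
Server-group names, users, passwords and certificates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(year: int, month: int, day: int) -> datetime:
    """Helper so the sample dates are unambiguous UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class ClientCert:
    subject: str                         # X.500 subject, e.g. "CN=alice,OU=Sales,O=Example"
    not_before: datetime
    not_after: datetime
    chains_to_trusted_root: bool = True  # validated against the installed CA root certificate

@dataclass
class ProfilePolicy:
    """Settings from a connection profile's Authentication pane (constructed)."""
    method: str                           # "certificate", "both" (certificate + AAA) or "aaa"
    primary_aaa: Optional[str] = None     # AAA server group for primary authentication
    secondary_aaa: Optional[str] = None   # AAA server group for secondary authentication
    prefill_from_cert: bool = False       # Pre-fill Username from Certificate
    primary_field: str = "CN"             # subject field the pre-fill takes the name from
    secondary_field: Optional[str] = None # fallback field when the primary one is absent
    use_entire_dn: bool = False           # use the whole DN as the username instead
    reuse_primary_username: bool = False  # Use Primary Username for the secondary AAA

# Constructed AAA backends standing in for the LDAP and RADIUS server groups.
AAA_SERVERS = {
    "MY-LDAP-SVRS": {"alice": "ldap-secret"},
    "MY-RADIUS-SVRS": {"alice": "otp-246810", "bob": "otp-135791"},
}

def parse_dn(dn: str) -> dict:
    """Split 'CN=alice,OU=Sales,O=Example' into {'CN': 'alice', 'OU': 'Sales', ...}."""
    attrs = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs

def username_from_cert(cert: ClientCert, policy: ProfilePolicy) -> Optional[str]:
    """Username pre-fill: primary field, then secondary field, or the entire DN."""
    if policy.use_entire_dn:
        return cert.subject
    attrs = parse_dn(cert.subject)
    value = attrs.get(policy.primary_field.upper())
    if value is None and policy.secondary_field:
        value = attrs.get(policy.secondary_field.upper())
    return value

def aaa_check(group: Optional[str], username: Optional[str], password: Optional[str]) -> bool:
    """Password check against one server group; an unknown group or user is a reject."""
    return group is not None and AAA_SERVERS.get(group, {}).get(username) == password

def authenticate(policy: ProfilePolicy, now: datetime, cert: Optional[ClientCert],
                 form: dict) -> dict:
    """Return {'granted': bool, 'reason': str, 'username': str | None}.
    `form` holds what the user typed on the login page (constructed key names)."""
    def result(granted, reason, username):
        return {"granted": granted, "reason": reason, "username": username}

    if policy.method in ("certificate", "both"):
        # Certificate step: chain to the trusted root, and the appliance's current
        # time must fall inside the certificate validity range.
        if cert is None or not cert.chains_to_trusted_root:
            return result(False, "certificate missing or untrusted", None)
        if not (cert.not_before <= now <= cert.not_after):
            return result(False, "certificate outside validity range", None)
        if policy.method == "certificate":
            return result(True, "certificate only", username_from_cert(cert, policy))
        # "both": one AAA authentication; with pre-fill the username is taken from the
        # certificate (the user cannot alter it), otherwise from the login form.
        username = (username_from_cert(cert, policy) if policy.prefill_from_cert
                    else form.get("username"))
        if not aaa_check(policy.primary_aaa, username, form.get("password")):
            return result(False, "primary AAA rejected", username)
        return result(True, "certificate + AAA", username)

    # "aaa": primary authentication, then the optional secondary authentication.
    username = form.get("username")
    if not aaa_check(policy.primary_aaa, username, form.get("password")):
        return result(False, "primary AAA rejected", username)
    if policy.secondary_aaa:
        second = username if policy.reuse_primary_username else form.get("secondary_username")
        if not aaa_check(policy.secondary_aaa, second, form.get("secondary_password")):
            return result(False, "secondary AAA rejected", username)
        return result(True, "double AAA", username)
    return result(True, "single AAA", username)
```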
Certificate-Based and AAA Authentication
Certificate and One AAA Authentication

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

You will configure the respective connection profiles for both authentication types. Complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Select the desired connection profile and click Edit.
Step 3 Click the Both radio button in the Authentication section of the window.
Step 4 Select the appropriate primary AAA server group from the AAA Server Group drop-down menu. In this example, the MY-RADIUS-SVRS server group will be used.
Step 5 Click OK.
Step 6 Click Apply to apply the configuration.

Certificate-Based and AAA Authentication
Certificate and One AAA Authentication with Prefill

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

Next, you may configure the username prefill feature. Complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Select the desired connection profile and click Edit.
Step 3 Expand the Advanced option in the menu and choose Authentication in the submenu.
Step 4 Check the Pre-fill Username from Certificate check box.
Step 5 Optionally, you may hide the username from the end user by checking the Hide the Username from End User check box. This feature increases security by not showing the username to users logging into the SSL VPN.
Step 6 Optionally, modify the default method of extracting the username from the certificate. You may define the primary and secondary fields, choose to use the entire distinguished name (DN) embedded in the certificate, or define a custom script for selecting the username.
Step 7 Click OK.
Step 8 Click Apply to apply the configuration.

Certificate-Based and AAA Authentication
Verification

[Figure: browser login to the SSL VPN service with a certificate and AAA credentials]

To verify double authentication that uses certificates and a primary AAA method, you use a browser to connect to the SSL VPN. If you have a correct certificate installed in the certificate store, the browser submits it for certificate-based authentication. In the second step, the SSL VPN server requests user credentials. If the username prefill feature is enabled, the username field is filled in and grayed out. If the field is grayed out, the client cannot alter the username. After the user submits the correct static password, access to the SSL VPN portal is granted.

Double AAA Authentication
Double AAA Authentication

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

To implement the double AAA scenario, you configure the respective connection profile for AAA authentication and configure the primary AAA server group. Complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Select the desired connection profile and click Edit.
Step 3 To configure primary authentication, click the AAA radio button in the Authentication area of the window.
Step 4 Select the appropriate primary server group from the AAA Server Group drop-down menu. In this example, the primary authentication will be offloaded to an external LDAP database.
Step 5 To configure secondary authentication, expand the Advanced option from the menu on the left and choose the Secondary Authentication submenu.
Step 6 Choose the appropriate secondary AAA group from the Server Group drop-down menu. In the example, the MY-RADIUS-SVRS server group is selected.
Step 7 Optionally, enable fallback to the local database by checking the Use LOCAL if Server Group Fails check box.
Step 8 Optionally, reuse the username from the primary authentication by checking the Use Primary Username (Hide Secondary Username on Logon Page) check box.
Step 9 Click OK.
Step 10 Click Apply to apply the configuration.

Double AAA Authentication
Verification

To verify double AAA authentication, you use a browser to connect to the SSL VPN. Depending on the username reuse option for the secondary authentication, the login prompt that is associated with the appropriate connection profile may contain one or two username fields. If you have a correct certificate installed in the certificate store, the browser will submit it for certificate-based authentication. In the second step, the SSL VPN server requests user credentials. If the username prefill feature is enabled, the username field will be filled in and grayed out. If the field is grayed out, the client cannot alter the username. After the user submits the correct static password, access to the portal is granted.

Troubleshooting PKI Integration

This topic describes how to troubleshoot the integration of a clientless SSL VPN with PKI.

Troubleshooting PKI Integration
Visual Troubleshooting Aid

PKI offers strong authentication capabilities but requires that you understand the principles of certificate operations. To integrate the SSL VPN system successfully with the PKI, you should know how to identify and resolve potential problems.
This figure presents a typical SSL VPN integration with PKI. The CA may issue certificates to the VPN server and optionally to users. The users obtain their identity certificates either from the local CA that is based on the Cisco ASA adaptive security appliance or from the external CA server. A number of verification and troubleshooting tools exist on the user computer, on the security appliance, and on the external servers (AAA, CA). This section focuses on the troubleshooting methods that are available on the security appliance.

Troubleshooting PKI Integration
PKI Troubleshooting Flow

If the certificate-based clientless SSL VPN authentication fails, perform these troubleshooting steps:

Step 1 First, check the certificates that are installed on the client and on the security appliance. If the certificates are missing, ensure that the enrollment is completed.
Step 2 Check the current time on the user computers and the security appliance. Although the time does not need to be synchronized, it must fall within the certificate validity range of the peer certificate. For example, if the Cisco ASA adaptive security appliance identity certificate validity range is January 1, 2011 to January 1, 2012, and the current date on the user computer is in 2010, the client will consider the Cisco ASA adaptive security appliance certificate invalid. The security appliance performs the same validity check for user certificates.
Step 3 Check if certificates have been revoked. Revocation is supported for certificates that are issued by the Cisco ASA adaptive security appliance internal CA and by an external CA. The revoked Cisco ASA adaptive security appliance internal certificates can be viewed and unrevoked in the menu Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Certificates.
Step 4 Check the certificate-to-profile mapping in the menu Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps. If the match criteria are missing or configured incorrectly, the binding feature will either fail or point to a wrong connection profile.
Step 5 Verify AAA operations. This step should be performed if AAA-based authentication is attached to the certificate-based authentication or is configured as the stand-alone client authentication mechanism. Basic AAA connectivity should be verified on the security appliance. For advanced examination of activity logs, you should use the appropriate tools on the AAA server.

Troubleshooting PKI Integration
Time Synchronization Issues

* Current time outside of the certificate validity period

[Figure: security appliance console logging output for the SSL session; the validation failure message refers to trustpoint LOCAL-CA-SERVER]

This figure illustrates the security appliance console output when the current time on the security appliance lies outside of the user certificate validity range. You must enable logging on the security appliance to view these messages. Instead of monitoring the operations via the console, you may use the real-time log viewer that is available in the Cisco Adaptive Security Device Manager (Cisco ASDM) menu Monitoring > Logging > Real-Time Log Viewer. The relevant message in this output reports that the certificate validation failed due to an out-of-range condition.

Troubleshooting PKI Integration
AAA Authentication Problems

* Authentication requires that the user is present in the database

This figure illustrates the logging output that is generated as a result of an authorization failure. In this example, the security appliance is configured for a very rudimentary authorization: to authorize users who exist in the AAA database. The user authenticates using certificates. Even if the users exist in the local CA user database (Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database), they do not need to exist in the AAA user database. If they are not configured as AAA users, the authorization setting "Users must exist in the authorization database to connect" will cause the session to fail. You will see the message "AAA user authorization Rejected : reason = User was not found" as seen in the figure.

Deploying Clientless SSL VPN SSO

This topic describes the single sign-on (SSO) feature of clientless SSL VPNs.

Clientless SSL VPN SSO
Overview

* SSO enables users to access internal services without entering a username or password twice
* Five independent features:
  - SSO with HTTP Basic, NTLM, and FTP authentication
  - Dedicated SSO servers (CA SiteMinder, SAML Browser Post Profile)
  - Macro substitution
  - SSO for plug-ins
  - SSO for smart tunnels (Microsoft Internet Explorer on Microsoft Windows only)

SSO is a clientless SSL VPN feature that enables users to access different services on internal servers without entering a username and password more than once.
The SSO functionality can be implemented using five independent features:

* SSO with HTTP Basic, NTLM, and FTP authentication: This feature configures the adaptive security appliance to automatically pass clientless SSL VPN user login credentials (username and password) on to internal servers that are using HTTP Basic, NT LAN Manager (NTLM), and FTP authentication.
* Dedicated SSO servers: In this method, one of two dedicated SSO servers is deployed in the internal network:
  - Computer Associates SiteMinder SSO server
  - Security Assertion Markup Language (SAML), Version 1.1, Browser Post Profile SSO server
* Macro substitution: This feature can be used for web-based applications in combination with bookmarks and allows dynamic parameters, such as username and password, to be inserted into an HTTP request.
* SSO for application plug-ins: This method enables SSO for users who use application plug-ins to access internal resources.
* SSO for smart tunnels: This is a simplified SSO method that you can use for web-based applications that use smart tunnels. This feature is supported only on Microsoft Internet Explorer running on Microsoft Windows operating systems.

This topic briefly describes all five SSO methods.

Note: Another SSO feature available on the Cisco ASA adaptive security appliance is SSO authentication using HTTP Form, but it is not described in this course.

Clientless SSL VPN SSO
HTTP Basic, NTLM, and FTP SSO Authentication

* HTTP Basic SSO can be used to access web pages that require authentication using HTTP Basic authentication
* NTLM SSO can be used to access CIFS file shares that require authentication
* FTP SSO can be used to access FTP servers that require FTP authentication
* You can configure either one of the mentioned methods or all of them.

You can use the HTTP Basic authentication feature to access web pages that require authentication using the HTTP Basic authentication method. NTLM SSO can be used to access web pages and Common Internet File System (CIFS) file shares that require NTLM authentication. FTP authentication can be used to access FTP servers that require authentication. When configuring SSO, you can enable either one of the mentioned methods or all of them.

Clientless SSL VPN SSO
Configure HTTP Basic, NTLM, and FTP SSO Authentication

* Configure SSO in the group policy or in the user profile

Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

To enable SSO using HTTP Basic, NTLM, and FTP authentication using Cisco ASDM, complete the following steps:

Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies (not shown in the figure). The Group Policies pane appears.
Step 2 Select a group policy for which you would like to enable SSO and click Edit. The Edit Internal Group Policy window appears.
Step 3 Expand the More Options menu and select the Single Signon submenu.
Step 4 Click Add in the Auto Signon Servers area of the window. The Add Auto Signon Entry window appears.
Step 5 Enter the IP address of the server that requires authentication into the IP Address field. In the example, the server at 10.0.0.11 is specified.
Step 6 Alternatively, click the URI radio button and enter the server that requires authentication in URI form.
Step 7 Select the authentication type by checking the appropriate check box. In the example, HTTP Basic, NTLM, and FTP authentication are selected.
Step 8 Make sure that the Use Username/Password that User Logins the Portal check box is checked.
Step 9 Click OK twice.
Step 10 Click Apply to apply the configuration.
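As an added illustration (not the appliance's code), this Python shows what an Auto Signon entry like the one configured above amounts to when the portal user reaches an internal server that challenges for HTTP Basic, NTLM or FTP credentials: the entry is matched by IP address or by URI prefix, and only the checked authentication types receive the portal login credentials. The second entry, the hostnames and the credentials are constructed.

```python
"""Added illustration, not Cisco ASA code: what an Auto Signon entry from the
group policy's Single Signon pane amounts to when the portal user reaches an
internal server.  An entry is matched by IP address (optionally with a mask)
or by URI prefix, and only the checked authentication types receive the
username and password the user typed at the portal login.  Addresses, names
and credentials are constructed."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AutoSignonEntry:
    """One row of the Auto Signon Servers table: IP form or URI form (constructed)."""
    ip_network: Optional[str] = None     # "10.0.0.11" or "10.0.0.0/24" (IP Address radio button)
    uri_prefix: Optional[str] = None     # "https://intranet.example.internal/" (URI radio button)
    auth_types: frozenset = frozenset()  # subset of {"basic", "ntlm", "ftp"} check boxes

    def matches(self, url: str, resolved_ip: str) -> bool:
        """IP-form entries compare the server's address; URI-form entries compare the URL prefix."""
        if self.ip_network is not None:
            return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(self.ip_network, strict=False)
        return self.uri_prefix is not None and url.startswith(self.uri_prefix)


def auto_signon(entries: Iterable[AutoSignonEntry], url: str, resolved_ip: str,
                challenge: str, username: str, password: str) -> Optional[str]:
    """Credential the appliance supplies for a `challenge` ("basic", "ntlm" or "ftp")
    from the server behind `url`, or None when no entry covers that server and type.
    HTTP Basic yields the Authorization header; NTLM and FTP get the "user:password"
    pair for their protocol handlers (the NTLM message exchange is not modelled)."""
    for entry in entries:
        if entry.matches(url, resolved_ip) and challenge in entry.auth_types:
            if challenge == "basic":
                token = base64.b64encode(f"{username}:{password}".encode()).decode()
                return f"Authorization: Basic {token}"
            return f"{username}:{password}"
    return None  # the internal server's own prompt reaches the user instead


# The topic's example entry (server 10.0.0.11 with all three types) plus a
# constructed URI-form entry that only forwards HTTP Basic credentials.
ENTRIES = (
    AutoSignonEntry(ip_network="10.0.0.11", auth_types=frozenset({"basic", "ntlm", "ftp"})),
    AutoSignonEntry(uri_prefix="https://intranet.example.internal/", auth_types=frozenset({"basic"})),
)
```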
Clientless SSL VPN SSO
Dedicated SSO Servers

* CA SiteMinder and SAML Browser Post Profile servers supported
* Cisco ASA acts as a proxy
  - At user logon, Cisco ASA sends an SSO authentication request (username and password)
  - Receives an SSO authentication cookie
  - Keeps the cookie on behalf of the user and uses the cookie to authenticate the user to secure websites within the domain protected by the SSO server

The security appliance supports two dedicated SSO platforms:

* Computer Associates eTrust SiteMinder (formerly Netegrity SiteMinder)
* SAML Version 1.1 Browser Post Profile

The SSO mechanism is invoked after successful user authentication to either an AAA server (SiteMinder) or a SAML Browser Post Profile server. In these cases, the clientless SSL VPN server running on the adaptive security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the clientless SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server using HTTPS. If the authenticating server approves the authentication request, it returns an SSO authentication cookie to the clientless SSL VPN server. This cookie is kept on the adaptive security appliance on behalf of the user and is used to authenticate the user to secure websites within the domain that is protected by the SSO server.

The SSO process occurs in these steps:

Step 1 The user logs into the clientless SSL VPN portal.
Step 2 The security appliance authenticates the user on the external AAA database.
Step 3 After successful authentication, the security appliance submits the user profile to the SiteMinder server.
Step 4 The SSO server returns an authentication cookie. The appliance associates the cookie with the client session and stores it for the duration of the session.

When the user requests access to an internal server that would normally require repeated authentication, the security appliance delivers the authentication cookie on behalf of the user.

Clientless SSL VPN SSO
Dedicated SSO Servers Configuration

* You have to assign the configured SSO server to a group policy or user profile.

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Signon Servers

To set up SiteMinder SSO for a user or group, you must first configure an AAA server (RADIUS, LDAP, or others). After the AAA server authenticates the user, the clientless SSL VPN server uses HTTPS to send an authentication request to the SiteMinder SSO server.

To add an SSO server, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Signon Servers, choose Add, and enter these parameters for a SiteMinder server:

* Server Name: If adding a server, enter the name of the new SSO server. If editing a server, this field is display only; it displays the name of the selected SSO server.
* Authentication Type: Displays the type of SSO server. The types that are currently supported by the Cisco ASA adaptive security appliance are SiteMinder and SAML Browser Post Profile.
* URL: Enter the SSO server URL to which the adaptive security appliance makes SSO authentication requests.
* Secret Key: Enter the secret key that is used to encrypt authentication requests to the SSO server. It is configured on the security appliance, the SSO server, and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.
* Maximum Retries: The number of times the security appliance retries a failed SSO authentication attempt before the authentication times out. The range is from 1 to 5 retries inclusive, and the default is three retries.
* Request Timeout: The number of seconds before a failed SSO authentication attempt times out. The range is from 1 to 30 seconds; the default is 5 seconds.

In addition to configuring the Cisco ASA adaptive security appliance, the SiteMinder Policy Server must be configured for the Cisco authentication scheme. This configuration is not covered in this lesson.

The SAML Browser Post Profile server requires a different set of parameters, which are not shown in the figure.

Clientless SSL VPN SSO
Macro Substitution

* Used for SSO authentication to web-based applications (HTTP, HTTPS)
* Allows certain variables to be injected into bookmarks
  - Username, password, domain, domain password, or other input parameters
  - The internal password can also be used as a variable. The internal password is provided separately by a user when authenticating to the SSL VPN

Macro substitution allows certain variables to be injected into bookmarks, substituting dynamic values such as the username, password, domain, domain password, or other input parameters. This functionality provides SSO when you access web-based services through the web interface (such as Microsoft Outlook Web Access).

One of the most frequently used variables for SSO is the internal password. The internal password is entered by the VPN user separately from the user password or passwords. The security appliance caches the internal password and uses it for authenticating the user to the internal services. The internal password enables SSO in situations where the VPN users are authenticated based on certificates or OTP credentials. In these situations, there is no user password (certificates), or the password keeps changing (OTP). The internal password is used for SSO and not for AAA. The primary and, optionally, secondary password is used for AAA and not for SSO.
Clientless SSL VPN SSO
Macro Substitution (Cont.)

[Figure: table of substitution variables and macros (CSCO_WEBVPN_*) with their sources]

Variable and macro substitution is configured in the bookmark settings. The following variables can be used for substitution:

* CSCO_WEBVPN_USERNAME: Username from the login page
* CSCO_WEBVPN_PASSWORD: Password from the login page
* CSCO_WEBVPN_INTERNAL_PASSWORD: Internal password from the login page
* CSCO_WEBVPN_CONNECTION_PROFILE: Connection profile from the login page

The following macros can be used for substitution in http, https, and cifs URL types:

* CSCO_WEBVPN_MACRO1: RADIUS or LDAP attribute
* CSCO_WEBVPN_MACRO2: RADIUS or LDAP attribute

The following variables can be used for substitution when double AAA authentication is used:

* CSCO_WEBVPN_PRIMARY_USERNAME: Primary username from the login page
* CSCO_WEBVPN_SECONDARY_USERNAME: Secondary username from the login page
* CSCO_WEBVPN_PRIMARY_PASSWORD: Primary password from the login page
* CSCO_WEBVPN_SECONDARY_PASSWORD: Secondary password from the login page

You need to enable the VPN users to enter the internal password. The internal password field is disabled by default. To enable the internal password field, perform these steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles menu (not shown in the figure).
Step 2 Check the Allow User to Enter Internal Password on the Login Page check box (not shown in the figure).
Step 3 Click Apply to apply the configuration.

Clientless SSL VPN SSO
Macro Substitution Configuration

* Example for Microsoft Outlook Web Access

Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

This figure shows an example of a bookmark that was created to provide SSO functionality for Outlook Web Access based on the username and the internal password. Complete the following steps to configure macro substitution for a bookmark:

Step 1 Inside Cisco ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks (not shown in the figure).
Step 2 Select a bookmark list where you would like to create a macro-substitution-enabled bookmark and click Edit. The Edit Bookmark List window appears (not shown in the figure).
Step 3 Click Add to add a new bookmark. The Add Bookmark window opens.
Step 4 Enter the bookmark title into the Bookmark Title field.
Step 5 Enter the bookmark URL into the URL input field.
Step 6 Expand the Advanced Options.
Step 7 Click the Post radio button to specify that the HTTP POST method will be used to send parameters to the web server.
Step 8 Click Add. The Add Post Parameter window appears.
Step 9 Enter a parameter name into the Name input field.
Step 10 Select a variable or macro from the Value drop-down menu. You can also manually enter an arbitrary parameter value.
Step 11 Click OK.
Step 12 Repeat the previous four steps to add all parameters.
Step 13 Click OK two times.
Step 14 Click Apply to apply the configuration.
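As an added illustration (not code from this guide or from the appliance), the following Python performs the variable and macro substitution for a bookmark configured as above and produces the POST the portal would send to Outlook Web Access on the user's behalf; the OWA hostname and form field names, the RADIUS/LDAP attribute names behind MACRO1 and MACRO2, and the session values are constructed.

```python
"""Added illustration, not Cisco ASA code: how variable and macro substitution
turns a bookmark with POST parameters into the request the portal sends to an
internal web application, using the CSCO_WEBVPN_* names listed in this topic.
Session values, the RADIUS/LDAP attribute names feeding MACRO1 and MACRO2, and
the Outlook Web Access form field names are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlencode


@dataclass
class PortalSession:
    """What the appliance holds for a logged-in clientless SSL VPN user (constructed)."""
    username: str
    password: str = ""                 # empty for certificate or OTP logins
    internal_password: str = ""        # entered separately on the login page when enabled
    connection_profile: str = ""
    aaa_attributes: Dict[str, str] = field(default_factory=dict)  # RADIUS/LDAP attributes
    secondary_username: str = ""       # present only with double AAA authentication
    secondary_password: str = ""


# Which RADIUS/LDAP attribute each macro resolves to (a constructed choice).
MACRO_SOURCES = {"CSCO_WEBVPN_MACRO1": "sAMAccountName", "CSCO_WEBVPN_MACRO2": "mail"}

VARIABLE_RE = re.compile(r"CSCO_WEBVPN_[A-Z0-9_]+")


def variables(session: PortalSession) -> Dict[str, str]:
    """Every substitutable name and the value it resolves to for this session."""
    return {
        "CSCO_WEBVPN_USERNAME": session.username,
        "CSCO_WEBVPN_PASSWORD": session.password,
        "CSCO_WEBVPN_INTERNAL_PASSWORD": session.internal_password,
        "CSCO_WEBVPN_CONNECTION_PROFILE": session.connection_profile,
        "CSCO_WEBVPN_MACRO1": session.aaa_attributes.get(MACRO_SOURCES["CSCO_WEBVPN_MACRO1"], ""),
        "CSCO_WEBVPN_MACRO2": session.aaa_attributes.get(MACRO_SOURCES["CSCO_WEBVPN_MACRO2"], ""),
        "CSCO_WEBVPN_PRIMARY_USERNAME": session.username,
        "CSCO_WEBVPN_PRIMARY_PASSWORD": session.password,
        "CSCO_WEBVPN_SECONDARY_USERNAME": session.secondary_username,
        "CSCO_WEBVPN_SECONDARY_PASSWORD": session.secondary_password,
    }


def substitute(text: str, session: PortalSession) -> str:
    """Replace each CSCO_WEBVPN_* name in `text`; names not in the list are left
    untouched (an assumption of this example, not documented appliance behaviour)."""
    values = variables(session)
    return VARIABLE_RE.sub(lambda m: values.get(m.group(0), m.group(0)), text)


@dataclass
class Bookmark:
    title: str
    url: str
    post_params: List[Tuple[str, str]]  # (Name, Value) rows from the Add Post Parameter window


def render_post(bookmark: Bookmark, session: PortalSession) -> Tuple[str, str]:
    """Return the (URL, urlencoded body) the portal would POST on behalf of the user."""
    url = substitute(bookmark.url, session)
    body = urlencode([(name, substitute(value, session)) for name, value in bookmark.post_params])
    return url, body


# Bookmark for Outlook Web Access: username from the login page plus the internal
# password, as in this topic's example (hostname and field names constructed).
OWA_BOOKMARK = Bookmark(
    title="Outlook Web Access",
    url="https://owa.example.internal/owa/auth/owaauth.dll",
    post_params=[
        ("destination", "https://owa.example.internal/owa/"),
        ("username", "CSCO_WEBVPN_USERNAME"),
        ("password", "CSCO_WEBVPN_INTERNAL_PASSWORD"),
    ],
)
```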
Clientless SSL VPN SSO
SSO for Plug-Ins

* Can be used to enable SSO for application plug-ins
* No support for macro substitution
* Enabled with the parameter csco_sso=1 in the URL field
  - For the required plug-in protocol

Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

When you access internal applications using client-server plug-ins, you can deploy SSO functionality by configuring bookmarks using the appropriate URL type. The application plug-ins are Java applets that do not support variable and macro substitution. The SSO functionality is enabled by embedding the csco_sso=1 parameter in the URI field next to the URL protocol.

Clientless SSL VPN SSO
SSO for Plug-ins (Cont.)

* String entered in the text box next to the URL value
  - Multiple parameters allowed
* Two string formats:
  - server/?Parameter=value&csco_sso=1
  - server/?csco_sso=1&Parameter=value

Examples from the figure: server/?DesiredColor=4&DesiredHRes=1024&DesiredVRes=768&csco_sso=1 and citrix-server/?InitialProgram=#Microsoft Office Word …&csco_sso=1 (the remainder of the figure is not legible in this copy).
Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels

You will complete the following steps to configure a list of smart tunnel auto sign-on servers:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels (not shown in the example).
Step 2 Click Add in the Smart Tunnel Auto Sign-on Server List area. The Add Smart Tunnel Auto Sign-on Server List window appears (not shown in the example).
Step 3 Enter the auto sign-on list name into the List Name field (not shown in the example).
Step 4 Click Add. The Add Smart Tunnel Auto-Sign-on Server window appears.
Step 5 Click the IP Address radio button and enter the IP address of the server requiring authentication.
Step 6 Optionally, select a subnet mask from the Subnet Mask (Optional) drop-down menu.
Step 7 Click OK twice.
Step 8 Click Apply to apply the configuration.

Auto Sign-On with Smart Tunnels for Internet Explorer
Apply Feature to Users or Policy Groups

* You have to assign the smart tunnel list and the SSO list to a group policy or user profile

Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies

You have to apply the auto sign-on server list to a user profile or group policy. Configuring the feature on the group policy level is recommended because it offers a more scalable approach.

To apply the auto sign-on server list to the group policy, complete these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies.
Step 2 Choose Portal and locate the Smart Tunnel section.
Step 3 Apply the appropriate Smart Tunnel Server List by either selecting it from the drop-down menu in the Auto Sign-on Server section or having it inherited from a higher-level policy.
Step 4 Make sure that a smart tunnel application for Microsoft Internet Explorer is also activated for the specific user or user group, because the auto sign-on feature works only in combination with smart tunnels for Internet Explorer. In the example, the smart tunnel application list that is named SmartTunnelList, which enables the Internet Explorer smart tunnel, is selected, and the Auto Sign-on Server List that is named InternalServer is selected for the group policy.

Feature Support

This table shows the availability of the auto sign-on feature on Cisco ASA adaptive security appliances, as well as the software release that introduced this feature.

Feature | Platform | Software Release
Auto sign-on with smart tunnels for IE | All Cisco ASA adaptive security appliance platforms | Version 8.1.2
Variable and macro substitution | All Cisco ASA adaptive security appliance platforms | Version 8.2.1

Summary

This topic summarizes the key points that were discussed in this lesson.

* The two recommended PKI deployment models include local CA implementation and external CA enrollment.
* In a local CA deployment, clients obtain identity certificates and private and public keys that are generated by the SSL VPN server.
* Client-side certificate-based authentication can be augmented by AAA-based authentication and authorization.
* Common authentication issues include different root CAs, time synchronization problems, revocation issues, and AAA failures.
* SSO allows access to different services on different servers after a single authentication. Several SSO methods exist on the Cisco ASA adaptive security appliance.
Lesson 4 | Customizing the Clientless SSL VPN User Interface and Portal

Overview

Many enterprises wish to customize the user interface that is presented to clientless Secure Sockets Layer (SSL) virtual private network (VPN) clients. Typical needs include language localization, which ensures that users navigate through pages that are written in their own language. This lesson discusses basic and advanced customization of portal navigation pages, help pages, and application integration. It explains how to implement language localization and describes the integration options with the Cisco AnyConnect client.

Objectives

Upon completing this lesson, you will be able to deploy and manage advanced clientless VPN application access features of a Cisco clientless SSL VPN. This ability includes being able to meet these objectives:
- Configure and verify basic customization of the VPN portal navigation pages
- Configure and verify full portal HTML customization
- Configure and verify portal localization
- Configure and verify portal help customization
- Configure and verify integration of the Cisco AnyConnect client with the clientless portal

Deploying Basic Navigation Customization

This topic describes how to configure and verify the basic customization of the VPN portal navigation panes.
Basic Portal Customization Overview
- SSL VPN page customization provides flexibility when designing the portal appearance and design.
- Two customization approaches: Cisco ASDM and full (without using Cisco ASDM).

(Figure: comparison table of the ASDM-driven and full customization approaches; the rows cover the editing method, the editor used, and the customizable elements.)

The web portal that is accessed by users who connect via clientless SSL VPN can be customized to reflect the requirements that are defined by the enterprise policy or by the local language. The Cisco ASA adaptive security appliance uses customization objects to define the appearance of user screens. The clientless SSL VPN end-user interface consists of a series of HTML panels. A user logs in to the clientless SSL VPN by entering the IP address or Domain Name System (DNS) name of the Cisco ASA adaptive security appliance. The first panel that displays is the login window. The user then navigates through the remaining panels. Both the login window and the subsequent panels can be customized.

There are two general approaches to portal customization:
- ASDM-driven customization: In this basic approach, the administrator uses Cisco Adaptive Security Device Manager (Cisco ASDM) to edit customization objects that correspond to the elements that are visible in the portal. Cisco ASDM automatically launches the SSL VPN Customization Editor, which includes the necessary graphical features to complete the task. Basic customization is simple to configure and allows the customization of most portal elements, such as text, images, RSS feeds, and HTML content.
- Full customization: This method allows administrators to create their own HTML or XML content and import it into the appliance. This approach is useful for enterprises that want to use advanced third-party tools to create complex portal content.

Basic Portal Customization
On-Screen Keyboard
- Provides protection against key loggers
- Requires that users enter the password using a Java keyboard
- Can appear for VPN login or any time that authentication is required
- Available for Cisco ASDM and full customization

The Cisco ASA adaptive security appliance supports the use of a Java-based on-screen keyboard to provide an additional layer of security and help protect users from security threats such as key loggers. The on-screen keyboard is enabled on the Object Customization page. It can be configured to show only when someone is logging in to the SSL VPN system, or any time that network authentication is required. The on-screen keyboard feature is available for both basic and full portal customization.

Configuring Basic Portal Customization
Configuration Tasks
1. Create a new customization object.
2. (Optional) Update the default DfltCustomization object.
3. Edit the customization object.
4. Associate the customization object with a connection profile.

The adaptive security appliance uses customization objects to define the appearance of user screens. A customization object is compiled from an XML file, which contains XML tags for all the customizable screen items that are displayed to remote users.

To perform basic portal customization, you will perform the following configuration tasks:
1. Create a new customization object. The administrator may decide to create a new customization object without manipulating the preconfigured DfltCustomization object.
The new customization object is created with the settings of a default template, which is identical to the default configuration of the DfltCustomization object.
2. Optionally, update the default DfltCustomization object. This is the alternative approach, in which the administrator updates the default customization object.
3. Edit the customization object. Editing the object launches the SSL VPN Customization Editor.
4. Associate the customization object with a connection profile. VPN users view the customized pages after they access their connection profile. The clients may connect to a connection profile using one of two methods:
- By selecting the appropriate connection profile from the drop-down list that is visible in the logon page
- By connecting to a URL that is associated with the specific connection profile

Configuring Basic Portal Customization
Configuration Scenario

(Figure: customization object MobileWorker, connection profile MobileWorker, and the web content used by the portal.)

This figure presents the configuration scenario that is used in upcoming configuration tasks. The table lists the input parameters that are required to achieve this goal.

Before you perform basic portal customization, you will need to gather the required portal parameters. Those parameters include the following:
- Name of the customization object. In this example, the name is MobileWorker.
- Name of the connection profile that must be associated with the customization object. In this scenario, its name is identical to the customization object.

The customization object includes three components: logon page, portal, and logout page. All three elements will be customized in this scenario.

Initially, when a user first connects, the default customization object (named DfltCustomization) that is identified in the connection profile (tunnel group) determines how the logon page appears.
If the connection profile list is enabled, and the user selects a different profile that has its own customization, the screen changes to reflect the customization object for that new profile. After the remote user is authenticated, the screen appearance is determined by the customization object that has been assigned to the connection profile.

Configuring Basic Portal Customization
Task 1: Create a New Customization Object
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization)

The first configuration task in the basic customization sequence is to create a new customization object. It is optional, because you may alternatively edit the existing DfltCustomization object that is preinstalled within the image bundle. To create a customization object and configure the on-screen keyboard, complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization and click the Add button.
Step 2 Enter the object name and click OK.
Step 3 Configure the on-screen keyboard settings by clicking the appropriate radio button at the bottom of the main customization pane. The on-screen keyboard configuration applies to all customization objects, independently of the connection profile that the user connects to. The available choices are as follows:
- Do Not Show Onscreen Keyboard (default setting)
- Show Only for the Login Page
- Show for All Portal Pages Requiring Authentication
Step 4 Click Apply to apply the configuration. The new customization object cannot be edited until it has been committed to the appliance.
Configuring Basic Portal Customization
Task 3: Edit the Customization Object
Note: Saving the configuration is required for access to a newly created customization object.
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization)

Next, make sure that the appropriate object is highlighted and click Edit. This step launches the SSL VPN Customization Editor in a secondary web-browser window.

Configuring Basic Portal Customization
Task 3: Edit the Customization Object (Logon Page)

After you have chosen the newly created customization object and clicked Edit, the main user interface customization window for the SSL VPN Customization Editor will appear. The SSL VPN Customization Editor is split into three distinct areas for user interface configuration:
- Logon page
- Portal page
- Logout page

This figure displays the configuration options that are available in the logon page. Those options include the displayed text, logo URL, and graphic parameters.

Note: If you want to use custom elements (such as images) on the portal, you have to upload them first to the Cisco ASA adaptive security appliance. You can upload them using Cisco ASDM by navigating to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents and clicking the Import button.

When you make changes to the template pages using the SSL VPN Customization Editor, click the Save button to save the changes to the appropriate page.

Configuring Basic Portal Customization
Task 3: Edit the Customization Object (Portal)
- Page text, graphics, and colors can be modified for each page.
- Title panels can also be modified by using style sheets (CSS).
When one of the customization submenus is chosen on the left side of the editor window, the corresponding configuration menu for that selection is displayed on the right side. From these configuration menus, the user can change page text, graphics, and colors. You can modify colors by using a color selector that is available wherever colors can be modified. Title panels also have the option of being configured using cascading style sheets (CSS).

This figure presents the configuration options that are available in the Portal section. Those options include browser window, title panel, toolbar, navigation panel, applications, home page, custom panes, and columns. Choosing the Applications link displays the available types of applications. You can reorder the application types or disable any of them. All types are enabled by default.

Configuring Basic Portal Customization
Task 3: Edit the Customization Object (Logout Page)

The customization of the logout page involves a single element. The logout form defines the text and colors that are to be displayed in the logout page.

Note: Remember to save the changes to the customized user interface so that it will reflect the desired modifications.

Configuring Basic Portal Customization
Task 4: Assign Customization Object to Connection Profile

In the fourth task, you must assign the customization object to the respective connection profile. Perform the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Choose the desired connection profile and click the Edit button. A new window opens.
Step 3 Choose Advanced > Clientless SSL VPN and select the customization object from the Portal Page Customization drop-down list.
Step 4 Click OK.
Step 5 Click Apply to apply the configuration.

In this figure, the newly defined customization object MobileWorker is being assigned to the connection profile MobileWorker.

Verifying Basic Portal Customization
Logon Page Verification

This figure shows a customized portal logon page. The figure illustrates which configuration elements can be found in the logon page. Specifically, the logon page includes these elements:
- Browser Window: Changes the text that is shown in the main browser title bar.
- Title Panel: Changes the title that is shown on the main page of the SSL VPN logon page, as well as the available colors.
- Languages: Selects the default language that is used for the logon page.
- Language Selector: Provides a drop-down selector for other available languages on the logon page.
- Logon Form: Changes the text and colors that are displayed in the Logon box.
- Information Panel: The information panel is an optional panel that can be enabled and placed to either side of the logon form. The information panel can include required text and graphics as needed for the logon page.
- Copyright Panel: Adds copyright information to the logon page.
- Full Customization: Configures the security appliance to use a fully customized web page that you can choose from previously uploaded media that is found in the Web Contents submenu.

Verifying Basic Portal Customization
Portal Page Verification

This figure shows a sample customized web portal page. In addition to customized headers, a custom column has been added to provide room for additional information on the web portal.
The following items can be modified when configuring a portal page:
- Browser Window: Changes the text that is shown in the main browser title bar.
- Title Panel: Changes the title that is shown on the main page of the SSL VPN portal page, as well as the available colors.
- Toolbar: Configures the text that is shown for the address bar and the floating toolbar that is shown when you navigate pages.
- Applications: Configures the order and name of available application buttons. Application buttons can also be disabled from this menu.
- Home Page: Configures the use of a custom page for the web portal.
- Custom Panes: Allows the creation of custom panes to provide additional functionality to the web portal. The following panes are available:
  - Text
  - HTML
  - Image
  - RSS Feed
- Columns: Configures the number of columns to be displayed on the web portal.

Verifying Basic Portal Customization
Logout Page Verification

This figure shows a customized logout page. The figure illustrates the correspondence between the configuration options and the logout page elements.

Deploying Full Portal Customization

This topic describes how to configure and verify full portal HTML customization.
Full Portal Customization Overview
- Full customization is based on importing self-made XML components.
- Must follow the XML-based customization file structure.
- Two approaches:
  - Replacing the logon page
  - Using a custom XML portal

(Figure: Logon Page Replacement requires special Cisco HTML code that creates the logon form and the Language Selector drop-down list, and uses a specific area of cache memory, referenced as /+CSCOU+/, that contains the files displayed to remote users before authentication. Custom XML Portal: an available template contains all currently employed tags with corresponding comments that describe how to use them.)

Full portal customization allows you to create the HTML and XML pages using external tools instead of the SSL VPN Customization Editor, and then import them as portal pages. The self-made content must follow the XML-based customization file structure that is used by Cisco.

Optionally, you may choose one of two methods to simplify the full portal customization:
- You can export an XML file to a local computer or server, make changes to the XML tags, and reimport the file to the Cisco ASA adaptive security appliance. The security appliance includes a template that contains all currently employed tags with corresponding comments that describe how to use them.
- You can replace only the logon page and leave the remaining panels unchanged. The self-made logon page must include special Cisco HTML code that creates the logon form and the Language Selector drop-down list.

If you do not simplify the customization process using any of these methods, you can create your own page and import it to the adaptive security appliance for full customization. Either method creates a customization object that you apply to a connection profile or group policy.

In all methods, files that are displayed to remote users before authentication must reside in a specific area of the adaptive security appliance cache memory, which is represented by the path /+CSCOU+/.
Therefore, the source for each image in the file must include this path.

Configuring Logon Page Replacement
Configuration Tasks
1. Create a custom logon file.
2. Import the file and images to the Cisco ASA adaptive security appliance.
3. Configure a customization object to replace the logon page.
4. Attach the customization object to a connection profile.

To replace the logon page, perform the following configuration tasks:
1. Create a custom logon page file and name it logon.inc (the path to images must be /+CSCOU+/). The file must include the function csco_ShowLoginForm('lform'), which injects the logon form. It may optionally include the function csco_ShowLanguageSelector('selector'), which injects the Language Selector, if language customization is desired.
2. Import the file and images to the Cisco ASA adaptive security appliance as Web Content. The Web Content corresponds to the space in the appliance flash memory that stores the files that are related to the SSL VPN portal.
3. Configure the customization object to replace the login page.
4. Associate the customization object with a connection profile.

Configuring Logon Page Replacement
Configuration Scenario

(Figure: replace the default logon page of the MobileWorker connection profile with the custom logon.inc file.)

This figure presents the configuration scenario that is used in upcoming configuration tasks. The table lists the input parameters that are required to achieve this goal.

Before you replace the logon page, you will need to gather the required portal parameters. Those parameters include the following:
- Name of the customization object. In this example, the name is MobileWorker.
- Name of the connection profile that must be associated with the customization object.
In this case, its name is identical to the customization object.
- Name of the self-made logon page file. The name must be logon.inc.
- Directory where the images are placed. The directory is referenced as /+CSCOU+/.

When the clients connect to the SSL VPN portal using the MobileWorker connection profile, they will see the pages that are defined by the customization object MobileWorker. This customization object will be configured to replace the default logon page by a self-made logon page.

Configuring Logon Page Replacement
Task 1: Create a Custom logon.inc File (Example)

(Figure: listing of the sample logon.inc file. Its readable parts are the Content-Type meta tag, an image whose source is under /+CSCOU+/, and a banner line introducing the SSL VPN service.)

In the first task of this configuration sequence, you create the code for the logon page. This figure illustrates a sample logon.inc file that contains the key elements that are necessary to provide the logon functionality. The path to images is set to /+CSCOU+/, which represents a special area of the adaptive security appliance cache memory. Files that reside in this special memory can be displayed to remote users before completed authentication. In addition, the logon.inc file invokes two functions, csco_ShowLoginForm and csco_ShowLanguageSelector, that display the logon form and the language selector, respectively.

The core of this logon.inc example is the following code (the image file name is illustrative; the original listing was not legible beyond these elements):

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    </head>
    <body onload="csco_ShowLoginForm('lform');csco_ShowLanguageSelector('selector')">
    <img src="/+CSCOU+/logo.gif">
    <div id="selector"></div>
    <div id="lform">
      <p>&nbsp;</p>
      <p>Loading...</p>
    </div>
    </body>
    </html>

Configuring Logon Page Replacement
Task 2: Import logon.inc and Images to Cisco ASA
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents)

In the second task, you will import the logon.inc file and the images it references into the special area of cache memory. Complete the following steps for the logon.inc script and each file that is referenced in it:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Web Contents.
Step 2 Click the Import button.
Step 3 Click the appropriate radio button to point to the source from which to import the files, and either locate the file or enter the required URL in the Path field.
Step 4 In the Destination area, click the "No. For Example, Use This Option to Make the Content Available to Logon or Portal Page" radio button. Optionally, you may specify a subdirectory.
Step 5 Click Import Now.

Configuring Logon Page Replacement
Task 3: Configure Replacement of Logon Page

In the third task, you will configure the customization object to use the custom logon.inc file. Complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
Step 2 Select the appropriate customization object and click the Edit button. The SSL VPN Customization Editor opens.
Step 3 Within the SSL VPN Customization Editor, navigate to Logon Page > Full Customization.
Step 4 Choose Enable from the Mode drop-down menu.
Step 5 Choose the /+CSCOU+/logon.inc entry from the HTML Content drop-down menu.
Step 6 Save the customization object (not shown in this figure).
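The following pre-import check is an added example, not part of the course material or of any Cisco tool. It applies the Task 1 rules to a self-made logon.inc before it is uploaded in Task 2: the file name, image sources under /+CSCOU+/, the mandatory csco_ShowLoginForm('lform') call, and the presence of the element ids that the two injector functions write into. The sample pages are constructed.

```python
"""Pre-import check for a self-made logon.inc (added example, not Cisco's code).

Rules taken from the text: the file is named logon.inc, every image it
references lives under the pre-authentication cache path /+CSCOU+/, the page
calls csco_ShowLoginForm('lform') (mandatory) and optionally
csco_ShowLanguageSelector('selector'); each call injects into the element
whose id matches its argument, so that element must exist in the page.
"""
import re
from html.parser import HTMLParser

CACHE_PATH = "/+CSCOU+/"  # area of the ASA cache served before authentication
CALL_RE = re.compile(r"(csco_Show\w+)\(\s*'([^']*)'\s*\)")


class _LogonScanner(HTMLParser):
    """Collect element ids, image sources and the body onload handler."""

    def __init__(self):
        super().__init__()
        self.ids = set()
        self.img_srcs = []
        self.onload = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if "id" in attrs:
            self.ids.add(attrs["id"])
        if tag == "img" and "src" in attrs:
            self.img_srcs.append(attrs["src"])
        if tag == "body" and "onload" in attrs:
            self.onload = attrs["onload"]


def check_logon_inc(filename, html_text):
    """Return a list of problems; an empty list means the file is ready to import."""
    problems = []
    if filename != "logon.inc":
        problems.append(f"file must be named logon.inc, not {filename}")
    scanner = _LogonScanner()
    scanner.feed(html_text)
    for src in scanner.img_srcs:
        if not src.startswith(CACHE_PATH):
            problems.append(f"image {src} is not under {CACHE_PATH}; "
                            "it will not be served before authentication")
    # findall yields (function, target-id) pairs from the onload handler
    calls = dict(CALL_RE.findall(scanner.onload))
    if "csco_ShowLoginForm" not in calls:
        problems.append("body onload does not call csco_ShowLoginForm; no logon form")
    for func, target in calls.items():
        if target not in scanner.ids:
            problems.append(f"{func} targets id '{target}' but no element has that id")
    return problems


# Constructed sample (not Cisco's example page): a minimal page that meets the rules.
GOOD_LOGON = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body onload="csco_ShowLoginForm('lform');csco_ShowLanguageSelector('selector')">
<img src="/+CSCOU+/logo.gif" width="188" height="48">
<div id="selector"></div>
<div id="lform"><p>Loading...</p></div>
</body></html>"""

# Constructed counter-example: image outside /+CSCOU+/ and a mismatched form id.
BAD_LOGON = """<html><body onload="csco_ShowLoginForm('loginform')">
<img src="/images/logo.gif">
<div id="lform"><p>Loading...</p></div>
</body></html>"""

if __name__ == "__main__":
    for page in (GOOD_LOGON, BAD_LOGON):
        print(check_logon_inc("logon.inc", page) or "OK")
```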
Configuring Logon Page Replacement
Task 4: Attach Customization Object to Connection Profile

In the fourth task, you will assign the previously configured customization object to a connection profile. Complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Select a desired connection profile and click Edit.
Step 3 Choose Advanced > Clientless SSL VPN and choose the required customization object from the Portal Page Customization drop-down menu.
Step 4 Click OK.
Step 5 Click Apply to apply the configuration.

Verifying Logon Page Replacement
Logon Page Verification

To verify the replaced logon page, connect to the SSL VPN portal using the connection profile that has the configured customization object associated with it. You should see a customized logon page that includes the previously configured elements, such as text, images, and the logon form. The language selector is not displayed, because it must be enabled using a procedure that is discussed in a later topic.

Full XML Portal Customization
XML Customization Template
- The template contains all currently employed tags with corresponding comments that describe how to use them.

(Figure: the opening of the exported XML customization template, reproduced in the text below.)
The security appliance allows you to perform a full portal customization using a completely self-made XML page. Cisco offers a customization template that will help you create a properly formatted page. The template contains all currently employed tags with corresponding comments that describe how to use them. An initial fragment is shown here:

    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- Copyright (c) 2006-2008 by Cisco Systems, Inc.
         All rights reserved.

         Note: all whitespaces in tag values are significant and preserved.

         Tag: custom
         Description: Root customization tag

         Tag: custom/languages
         Description: Contains list of languages, recognized by ASA
         Value: string containing comma-separated language codes. Each language
                code is a set of dash-separated alphanumeric characters.
         ...
    -->

Full XML Portal Customization
Configuration Tasks
1. (Optional) Export the customization template.
2. Create an XML file using third-party tools (optionally based on the exported template).
3. Import the XML file as a customization object.
4. Attach the customization object to a connection profile.

To perform a full portal customization using a completely self-made XML page, perform the following configuration tasks:
1. Optionally, export the customization template.
2. Create an XML file using third-party tools. This page may be based on the exported template.
3. Import the XML page as a customization object.
4. Associate the customization object with a connection profile.

Full XML Portal Customization
Configuration Scenario

(Figure: customization object MobileWorker and connection profile MobileWorker; export the template, customize it as Template_customized, import it, and attach it to the connection profile.)

This figure presents the configuration scenario that is used in upcoming configuration tasks. The table lists the input parameters that are required to achieve this goal.
Before you perform the full portal customization, you will need to gather the required portal parameters. Those parameters include the following:
- Name of the customization object. In this example, the name is MobileWorker.
- Name of the connection profile that must be associated with the customization object. In this scenario, its name is identical to the customization object.
- Name of the self-made XML page. In this example, it is Template_customized, as it has been created based on the exported template.

When the clients connect to the SSL VPN portal using the MobileWorker connection profile, they will see the pages that are defined by the customization object MobileWorker. This customization object has been created by importing the self-made XML page Template_customized and saving it under the name MobileWorker.

Full XML Portal Customization
Task 1: Export the Customization Template
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization)

In the first task, you will export the customization template by completing these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
Step 2 Select the template and click the Export button. Identify the destination file by clicking the appropriate radio button and entering the path in the Path field.
Step 3 Click the Export Now button.

Full XML Portal Customization
Tasks 2-3: Edit Template and Import File
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization)

In the second task, you will create the custom XML page using a third-party tool. This task is not depicted here.
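As an added example (not Cisco's template or code), the following check parses a self-made customization XML file before it is imported in the third task and applies the rule that the template comment gives for custom/languages: comma-separated codes made of dash-separated alphanumeric characters, with whitespace inside tag values treated as significant. The XML fragments are constructed; the real template carries many more tags.

```python
"""Check the custom/languages value of an ASA customization XML object
(added example, not Cisco's template or code).

The template comment quoted in the text says the value is a string of
comma-separated language codes, each a set of dash-separated alphanumeric
characters, and that whitespace in tag values is significant and preserved:
' fr' and 'fr' would therefore be two different codes on the appliance.
"""
import re
import xml.etree.ElementTree as ET

CODE_RE = re.compile(r"^[A-Za-z0-9]+(-[A-Za-z0-9]+)*$")


def parse_languages(xml_text):
    """Return (codes, problems) for the custom/languages tag of a customization file."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "custom":
        problems.append(f"root tag is <{root.tag}>, expected <custom>")
        return [], problems
    node = root.find("languages")
    if node is None or node.text is None:
        problems.append("custom/languages tag missing or empty")
        return [], problems
    codes = node.text.split(",")   # no stripping: whitespace is preserved by the ASA
    for code in codes:
        if code != code.strip():
            problems.append(f"code {code!r} carries whitespace, which the ASA preserves")
        elif not CODE_RE.match(code):
            problems.append(f"code {code!r} is not dash-separated alphanumeric")
    if len(set(codes)) != len(codes):
        problems.append("duplicate language codes")
    return codes, problems


# Constructed fragments; the localization scenario in this lesson uses English and French.
GOOD_XML = '<?xml version="1.0" encoding="UTF-8"?><custom><languages>en,fr</languages></custom>'
BAD_XML = '<?xml version="1.0" encoding="UTF-8"?><custom><languages>en, fr,zh_CN</languages></custom>'

if __name__ == "__main__":
    for text in (GOOD_XML, BAD_XML):
        print(parse_languages(text))
```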
This figure illustrates the third task, which imports the custom file named Template_customized. Import the file by completing these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
Step 2 Click the Import button. The Import Customization Object window appears.
Step 3 Provide the intended name of the customization object in the Customization Object Name field (MobileWorker in this example).
Step 4 Select the source file for import and click Import Now.

Full XML Portal Customization
Task 4: Attach Customization Object to Connection Profile
(Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles)

In the fourth task, you will associate the imported customization object with the connection profile by completing these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.
Step 2 Select a desired connection profile and click the Edit button. A new window opens.
Step 3 Choose Advanced > Clientless SSL VPN and select the customization object from the Portal Page Customization drop-down list.
Step 4 Click OK.
Step 5 Click Apply to apply the configuration.

In this figure, the imported customization object MobileWorker is being assigned to the connection profile Basic-profile.

Deploying Portal Localization

This topic describes how to configure and verify portal language localization.
Language Localization Overview
Cisco ASA provides language translation for the portal and screens for:
- Clientless SSL VPN connections
- Screens associated with optional plug-ins
- User interface of the Cisco AnyConnect VPN client
Based on language translation tables:
- Dictionary containers
- Partitioned in 11 translation domains based on functional areas
- Can be edited, imported, and exported
- Preconfigured for three languages: French, Russian, and Japanese

The Cisco ASA adaptive security appliance provides language translation for the portal and the screens that are displayed to users. The screens include browser-based clientless SSL VPN connections, screens that are associated with optional plug-ins, and the interface that is displayed to Cisco AnyConnect VPN client users.

To improve the manageability of the language localization, the language support is based on multiple translation tables that correspond to functional areas of the SSL VPN portal. A translation domain covers its functional area and the messages that are visible to remote users. There are 11 translation domains, and each of them can be edited, imported, and exported. This modular approach offers users the flexibility to modify the desired subsets of the dictionary. Several translation domains have three preconfigured languages in addition to English.
The preconfigured languages are French, Russian, and Japanese.

Language Localization
Language Translation Domains

This table lists the available translation domains and provides their description.

Translation Domains

Translation Domain | Functional Areas Translated
AnyConnect | Messages that are displayed on the user interface of the Cisco AnyConnect VPN client
CSD | Messages for the Cisco Secure Desktop
customization | Messages on the logon and logout pages, portal page, and all the messages customizable by the user
keepout | Message that is displayed to remote users when VPN access is denied
PortForwarder | Messages that are displayed to port-forwarding users
url-list | Text that the user specifies for URL bookmarks on the portal page
webvpn | All the Layer 7, AAA, and portal messages that are not customizable
plugin-ica | Messages for the Citrix plug-in
plugin-rdp | Messages for the Remote Desktop Protocol (RDP) plug-in
plugin-telnet,ssh | Messages for the Telnet and SSH plug-in
plugin-vnc | Messages for the VNC plug-in

The software image package for the adaptive security appliance includes a language localization template for each domain that is part of the standard functionality.
The templates for plug-ins are included with the plug-ins and define their own translation domains.

Configuring Language Localization
Configuration Tasks

1. View, export, import, or edit language translation tables.
2. Enable customization language selector.
3. Configure customization languages.
4. Associate customization object with connection profile.

To configure language localization, you will perform the following configuration tasks:

1. View, export, import, or edit language translation tables.
2. Enable a customization language selector.
3. Configure customization languages.
4. Associate a customization object with a connection profile.

Configuring Language Localization
Configuration Scenario

[Figure: configuration scenario, with the translation tables and the language selector to be enabled]

This figure presents the configuration scenario that is used in upcoming configuration tasks. The table lists the input parameters that you will need to gather before deploying language localization. Those parameters include the following:

- Name of the customization object: In this example, the name is MobileWorker.
- Name of the connection profile that must be associated with the customization object: In this scenario, its name is identical to the customization object.
- Required languages: In this example, the languages include English (available by default) and French.

You will associate a connection profile with a specific customization object and configure that object to use a logon page with a language selector. VPN users connecting to the MobileWorker connection profile will see a language selector drop-down box and will be able to select their own language.
Configuring Language Localization
Task 1A: View, Import, Export Translation Tables

[Figure: Configuration > Remote Access VPN > Language Localization]

In the first configuration task of this configuration sequence, you will verify the list of preconfigured translation tables and either import or export them into or from the security appliance. These options can be selected if you navigate to the Configuration > Remote Access VPN > Language Localization submenu. The language translation tables are identified by their language code and the functional area they describe. The lower area of the window contains translation templates that can be exported to create new translation tables on demand.

You can export the template for a translation domain, which creates an XML file of the template at the URL you provide. The message fields are empty in this file. You can customize the messages and import the template to create a new language localization table that resides in flash memory. You can also export an existing language localization table. The XML file that is created displays the messages that you edited previously. Reimporting this XML file with the same language name creates a new version of the language localization table, overwriting previous messages.

Configuring Language Localization
Task 1B: Edit Predefined Translation Table

[Figure: Configuration > Remote Access VPN > Language Localization]

As an optional part of the first configuration task, you can edit one or more of the existing translation tables. To modify an existing translation table, complete the following steps:

Step 1 Choose Configuration > Remote Access VPN > Language Localization and select the desired translation table.
Step 2 Click Edit to edit the translation table.
Step 3 Update the required records. The translation records include an entry identifier, the English text, and the translated text.
Step 4 Click OK.

Configuring Language Localization
Task 1C: Export Template

[Figure: Configuration > Remote Access VPN > Language Localization]

As an optional part of the first configuration task, you can export a language localization template. In the same menu, select a template from the Templates area and click Export to save the template as the specified destination file. This figure depicts how the View button is used to display the contents of a language localization template for the customization domain. After the template is exported, you will edit it and then reimport it into the Cisco ASA adaptive security appliance. The import procedure is invoked using the Import button and requires that you specify the language and functional area that is described by the given translation table.

Some templates are static, but some change based on the configuration of the adaptive security appliance. Because you can customize the logon and logout pages, portal page, and URL bookmarks for clientless sessions, the adaptive security appliance generates the customization and url-list translation domain templates dynamically, and the template automatically reflects your changes to these functional areas.

Configuring Language Localization
Task 2: Enable Customization Language Selector

[Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization]

After you create language localization tables, they are available to customization objects that you create and apply to group policies or user attributes. A language localization table has no effect, and messages are not translated on user screens, until you create the customization object, identify a language localization table to use in that object, and specify the customization for the group policy or user. In the second configuration task, you enable the customization language selector by completing these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
Step 2 Highlight the desired customization object and click Edit to start the SSL VPN Customization Editor.
Step 3 In the SSL VPN Customization Editor, choose Logon Page > Language Selector and choose Enable from the Mode drop-down menu.
Step 4 Edit the languages list by deleting unnecessary languages (click the Delete button) or adding new ones (click the Add button).

Configuring Language Localization
Task 3: Configure Customization Languages

[Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization]

In the third configuration task, you configure the languages that are used in the customization object by completing these steps:

Step 1 In the SSL VPN Customization Editor, choose Logon Page > Languages and add at least one language code in addition to the default English language (code: en). Use a comma to separate the language codes. This list does not need to include all languages that you want to activate.
Step 2 Save the settings of the customization object.
Note: The customization object must be associated with a connection profile. This task is omitted here because it has been shown in earlier configuration procedures.

Verifying Language Localization
Logon Page Verification

[Figure: MobileWorker logon page with the language selector]

To verify language localization, connect to the SSL VPN portal using the connection profile that is associated with the tuned customization object. The language selector appears in the upper right corner. After a language is selected, all functional text fields are translated using the appropriate translation tables. This figure illustrates the logon page translated into French.

Verifying Language Localization
Portal Verification

[Figure: portal page translated into French]

When the users successfully authenticate, they see the text fields in the portal also translated into their local language. The content of the HTML pages is presented in the language in which it is written.

Deploying Portal Help Customization

This topic describes how to configure and verify portal help customization.

Portal Help Customization Overview

Customization areas
* Customization of help files provided by Cisco
* Creating help files for languages not provided by Cisco

[Figure: MobileWorker SSL VPN portal showing the Terminal Servers help text]

The Cisco ASA adaptive security appliance displays help content on the application panes during clientless sessions. Each clientless application pane displays its own help file content using a predetermined filename. For example, the help text that is shown in the figure comes from the rdp-hlp.inc file, because it displays information that is related to the Terminal Servers plug-in.
You can modify the help files that are preinstalled on the security appliance and create new help files for languages that are not predefined.

Portal Help Customization
Areas of Help Customization

The help files are organized into functional areas, just as language translation tables are. The table shows the clientless application panels and the predetermined filenames for the help content.

Clientless Application Panels and Predetermined Filenames for the Help Content

Application Type | Panel | Filename
Standard | Application Access | app-access-hlp.inc
Standard | Browse Networks | file-access-hlp.inc
Standard | AnyConnect Client | net-access-hlp.inc
Standard | Web Access | web-access-hlp.inc
Plug-in | MetaFrame Access | ica-hlp.inc
Plug-in | Terminal Servers | rdp-hlp.inc
Plug-in | Telnet/SSH Servers | ssh,telnet-hlp.inc
Plug-in | VNC Connections | vnc-hlp.inc

You can display the help file for an application panel by accessing the SSL VPN server using the help file URL in the format https://server-address/+CSCOE+/help/language/filename, where language is the language code.

Configuring Portal Help Customization
Configuration Tasks (Cisco Help Files)

1. Display the help file in a browser by accessing the help file URL.
   - Requires that the user is authenticated to the SSL VPN
2. Save the help file on the local computer.
3. Customize the help file.
4. Import the customized help file into the security appliance.

To customize Cisco help files, you will perform the following configuration tasks:

1. Display the help file in a browser by accessing the help file URL. Access to that URL requires that the user is successfully authenticated.
2. Save the help file on the local computer.
3. Customize the help file.
4. Import the customized help file into the security appliance.

Configuring Portal Help Customization
Configuration Scenario

[Figure: configuration scenario, with the functional area and language of the help file to customize and reimport]

This figure presents the configuration scenario that is used in upcoming configuration tasks. The table lists the input parameters that you will need to gather before performing help file customization. Those parameters include the following:

- Functional area of help customization: In this scenario, you customize the help information for the RDP plug-in.
- Language of help customization: In this scenario, you customize the help file in English.

You obtain the RDP-related help file by connecting to the SSL VPN and then accessing the help file URL. You download the help file to the user PC, modify it, reimport it into the Cisco ASA adaptive security appliance, and verify the results.

Configuring Portal Help Customization
Tasks 1-2: Display Help File in Browser and Save
[Figure: browser displaying the help file and the File > Save As dialog]

In the first task, you display the desired help file in the client browser by connecting to the URL https://server-address/+CSCOE+/help/language/filename. In this example, the URL was https://172.31.0.1/+CSCOE+/help/en/rdp-hlp.inc.

In the second task, you save the help file on the client computer by completing these steps:

Step 1 In the browser, choose File > Save As. (This menu may differ depending on the browser you use.)
Step 2 Set the file type to Webpage, HTML only (*.htm, *.html) and save.

In the third task (not shown in the figure), you modify the help file according to the requirements.

Configuring Portal Help Customization
Task 4: Import Customized Help File

[Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Help Customization]

In the fourth task, after the help file has been customized, you will import the file into the security appliance:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Help.
Step 2 Choose the appropriate language code from the Language drop-down menu.
Step 3 Choose the appropriate panel from the File Name drop-down menu.
Step 4 Locate the customized file using a suitable option and click Import.

Verifying Portal Help Customization
Portal Help Verification

[Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Help Customization]

To verify the help file customization, you will first validate that the import procedure was successful by completing these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Help.
Step 2 Verify that an entry was created in the help file list. It should specify the configured language code and filename.

To verify the results that are visible to the client, connect to the SSL VPN portal, optionally select the local language, access the appropriate panel, and view the help text. It should reflect the changes that you applied during the file customization.
Configuring Portal Help Customization
Configuration Tasks (Custom Languages)

* Create the help file.
  - Save as Webpage, HTML only (*.htm, *.html)
* Import the help file into the security appliance.
  - Specify the correct language and the filename that is related to the panel
Specific configuration guidance is outside the scope of this course.

The procedure for creating help files in other languages, not provided by Cisco, represents a subset of the help file customization, because you do not need to obtain the existing help file before customizing it. Therefore, it consists of two tasks:

1. Create the help file. The file should be saved as Webpage, HTML only (*.htm, *.html).
2. Import the customized help file into the security appliance. The import procedure requires that you select the appropriate language code and panel-related filename.

This configuration procedure is not discussed further here, because it contains tasks that have been performed when the help files provided by Cisco were customized.

Cisco AnyConnect Portal Integration

This topic describes how to configure and verify the integration of the clientless SSL VPN portal with the Cisco AnyConnect client.

Cisco AnyConnect Portal Integration
WebLaunch

* Clientless SSL VPN access can be combined with the AnyConnect client.
* The AnyConnect panel appears automatically when both access types are enabled.
* Client software can be installed from the portal.

[Figure: SSL VPN portal with the Cisco AnyConnect pane]

The SSL VPN portal includes the Cisco AnyConnect pane that allows the clients to start the Cisco AnyConnect client from the clientless session that is initiated from the browser.
The pane appears in the portal automatically when Cisco AnyConnect access has been enabled on the security appliance. When users click the Cisco AnyConnect button in the Cisco AnyConnect pane, they trigger one of two actions:

* The Cisco AnyConnect client software is launched if it is installed on the client computer. The Cisco AnyConnect tunnel is established while the clientless session remains active. Only a single SSL VPN license is consumed in this approach.
* If the Cisco AnyConnect client software is not installed on the client computer, the installer is downloaded from the security appliance and the installation procedure begins. When the installation procedure completes, the Cisco AnyConnect tunnel is set up. Also in this situation, the clientless session remains active and only one license unit is consumed.

Cisco AnyConnect Portal Integration
Configuring WebLaunch

Configurable behavior after the user logs into the clientless portal
* Group policy or per-user setting
* By default, the user remains connected to the clientless portal.
* When the user starts Cisco AnyConnect, the clientless session stays active.

[Figure: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies]

You can configure what happens after the user connects to the SSL VPN portal. To configure the postlogin behavior, complete these steps:

Step 1 Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies.

Note: To assign a postlogin behavior to an individual user, choose Configuration > Remote Access VPN > AAA/Local Users > Local Users.

Step 2 Select the desired group policy and click Edit.
Step 3 Choose More Options > Login Setting.
Step 4 Locate the Post Login Setting area and either leave the default option Do Not Prompt User to Choose, or choose the option Prompt User to Choose and configure the timeout (in seconds) after which the postlogin selection will be made automatically.
Step 5 Locate the Default Post Login Selection area and leave the default option Go to Clientless SSL VPN Portal, or click the Download SSL VPN Client radio button. The latter starts the Cisco AnyConnect tunnel if the client software is already installed on the client computer.
Step 6 Click OK.
Step 7 Click Apply to apply the configuration.

Cisco AnyConnect Portal Integration
Verifying WebLaunch

[Figure: portal with the Cisco AnyConnect pane and the AnyConnect client Statistics tab]

You can verify the Cisco AnyConnect WebLaunch feature by accessing the SSL VPN portal and clicking the Cisco AnyConnect button that is available in the Cisco AnyConnect pane. If the Cisco AnyConnect client is already installed on the client computer, the Cisco AnyConnect tunnel will be established. You can verify the tunnel status by examining the Statistics tab of the Cisco AnyConnect client. The browser from which the clientless SSL VPN was started displays an indication that the tunnel connection is established.

For the license count, it is important that only one session is active at a time. You can verify that only one Cisco AnyConnect session is active in the Monitoring > VPN > VPN Statistics > Sessions submenu. The clientless session does not appear in the session database. Only one license unit is consumed when the Cisco AnyConnect WebLaunch feature is used.

Summary

This topic summarizes the key points that were discussed in this lesson.

Summary
* Basic VPN portal customization uses the SSL VPN Customization Editor that is embedded in Cisco ASDM to customize login, portal, and logout pages.
* Full portal customization is based on self-made XML pages uploaded to the security appliance.
* Portal localization involves language translation tables that present all portal components in the desired language.
* Help customization requires that either Cisco help files be modified or self-made language-specific files be loaded.
* The SSL VPN Cisco AnyConnect WebLaunch feature consumes only a single license when a Cisco AnyConnect session is started from the clientless portal.

Module Summary

This topic summarizes the key points that were discussed in this module.

Module Summary
* A basic clientless Cisco SSL VPN solution allows users browser-based access to sensitive resources over a remote access SSL VPN gateway implemented on the Cisco ASA adaptive security appliance.
* The SSL VPN rewriting proxy in the Cisco ASA adaptive security appliance provides clientless, transparent access to web and CIFS resources behind the Cisco ASA adaptive security appliance to clients using only a web browser.
* AAA offers a scalable and secure authentication method for the network devices to offload the authentication process to back-end user databases, such as LDAP, TACACS+, or RADIUS.
* The web portal accessed by users who connect using a clientless SSL VPN can be customized to reflect the requirements that are defined by the enterprise policy or to use the local language.