Cisco VPN :: Adding User Profiles In AnyConnect VPN 2.5

Feb 15, 2012

I recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
 
In the earlier version I used to add a user profile using a .pcf file by importing it into the client to access the customer LAN.
 
But in the AnyConnect VPN client I didn't find any option to import the file. IT support told me to edit the XML file to add it. The problem is that even after I edit anyconnect-cert.xml with changes in the host name and host address tags, I am not able to start a connection. I don't know exactly what address must be given in the Host address tag. I copied the host address from the .pcf file which I used earlier.
 
Will I be able to add a user profile this way, or is some correction needed in the whole process of adding the user profile?


Cisco VPN :: ASA 5510 - AnyConnect VPN Multiple Connection Profiles?

Nov 9, 2011

I use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one server and block everything else.
 
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with an ACL to only allow access to the one system. That GroupPolicy will point to the Radius Server looking for an account in a specific MemberOf group.
 
My question is - Could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connect Profile?


Cisco VPN :: ASA 8.2.x / Assigning AnyConnect Client Profiles Based On The Machine?

Mar 3, 2010

I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both Radius and LDAP (AD) AAA available. If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
 
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
 
What I would like to do is use CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign an EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
 
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
 
If at all possible, I do not want users to have to pick a connection profile or use different URL's.


Cisco VPN :: ASA And ACS 5.3 Multiple VPN Profiles For One User

May 21, 2012

I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA. Let's make an example:

ACS 5.3 group hierarchy:

VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles),
VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A),
VPN users B should have access to VPN profiles B and Z (is this possible and what does the authorization profile have to look like?)


Cisco VPN :: One User Associated With Two VPN Profiles ASA 5510

Apr 3, 2011

Is there a way that I can associate one user with two VPN profiles? Here is the scenario. Our company has bought a Win 7 64 bit PC for some of the employees, so I had to create AnyConnect. But the same users are also connecting via the normal Cisco VPN client. They will give away these old PCs, but for the time being my need is that both users shall connect to the AnyConnect profile and the IPsec profile.

I tried to assign the same profile with both IPsec and svc so that they could use a single profile, but AnyConnect didn't work. I have a Cisco ASA 5510 as VPN gateway. And how many licenses does the Cisco ASA have by default for AnyConnect users? Here is the configuration for AnyConnect:
 
group-policy Broad_Anyconnet internal
group-policy Broad_Anyconnet attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
 address-pools value Broadcast_AnyPool
 webvpn
  svc ask none default svc
 [Code]...


Cisco Firewall :: 5510 - AnyConnect Client Profiles Not Replicating To Standby ASA

Jan 18, 2012

We have 2 ASA 5510's running in an Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby; the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
 
I was under the assumption that all config items on the active unit would replicate to the standby.  Is this not correct?  Do I need to do something extra to get everything replicated?  Are there other items that do not replicate? 


Cisco Firewall :: 5510 - Display User Message When User Connects Using AnyConnect Client?

Apr 20, 2009

We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
 
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy?  Can the message be displayed when the action is "Continue" rather than "Terminate"?  I can't seem to get this to work and wondered if there was a LUA function to do this.
 
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.


Cisco VPN :: ASA 5520 / Adding Certificate For AnyConnect WebVPN?

May 28, 2012

I am setting up Clientless Anyconnect on ASA 5520.  I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error.  FYI I have the Primary Cert Authority Installed already?


Cisco VPN :: ASA 5505 / Anyconnect - Adding Filters Based On Login?

Sep 30, 2012

I have two sets of local users who access internal networks via the AnyConnect application on a Cisco ASA 5505. One user needs to access 1 IP address while about 7 users access about 4 addresses.
 
I have a group called xyz1 which currently has the one user in the connection profile. I guess to reaffirm my thought, if I create another connection entry called xyz2, can I assign the other 7 or 8 users to it?
 
If I can do this, how can I ensure that each connection entry only has access to specific IP addresses on the internal network?


Routers / Switches :: Adding More Cat 5 User Ports At Tv

Jan 25, 2011

I currently have 1 Cat 5 jack at my TV/entertainment area and will be needing additional jacks to add gaming consoles, a streaming video player and an internet-ready TV at the same location. The current jack installed at that location is coming from a D-Link 8 port Gigabit switch installed in a different room. The switch is at capacity, all ports are full, so no additional availability there. My question is how to expand port availability at the entertainment area. Is it possible to put another switch or hub at that connection? Would there be a conflict with cascading a switch from one to another? I have a 25 meg fiber optic incoming service, so there is plenty of speed and bandwidth available to handle these components.


Cisco VPN :: ASA 8.2 Anyconnect User Authentication And Authorization

Jan 17, 2012

I would like to configure RADIUS authentication and authorization in ASA 8.2 (ASDM 6.2) by configuring a Cisco AnyConnect VPN client connection profile. So the end result would be: the user enters his username, password and a token in the AnyConnect client, then the RADIUS server validates this information and sends the user attributes to the ASA upon successful authentication. I would be grateful if I can get the step by step procedure to achieve this. The below is what I am trying to do:

1) Create an AAA server group.
2) Add the AAA server to this group (here it's RADIUS).
3) Create an LDAP-Cisco ASA group mapping (for authorization).
4) Add a group policy and create an IP pool. (We can add two types of group policies, one is internal and one external. Not sure which one to select here.)
5) Create an AnyConnect VPN client connection profile. Here we specify the created server group name, IP pool and group policy. (While creating a connection profile, it asks us to select an interface. As of now I have only one interface which is "inside". Not sure what the interface "outside" means.)


Cisco VPN :: 5520 AnyConnect Can Auth A Machine And Then A User?

Aug 10, 2012

We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it is a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN).


Cisco VPN :: ASA 8.4(1) AnyConnect Premium User Upgrade Licensing?

Feb 22, 2012

Prior to version 8.4(1) Cisco called their licensing name for SSL/VPN users AnyConnect Premium SSL VPN and currently the new name of the licensing is simply AnyConnect Premium. Also, the IOS display name for the amount of SSL/VPN users enabled via your licensing (ex. 2, 10, 25, 50, ...) by running a 'show activation-key' was changed from SSL VPN Peers to AnyConnect Premium Peers. With that said, my question is if the license for upgrading 10 users to 25 users (L-ASA-SSL-10-25= - ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License) on an ASA prior to 8.4(1) and an ASA with 8.4(1) is still valid and the correct part number to perform these upgrades for both ASAs. The description of this part number is throwing me off because it says SSL VPN to Premium User, which was the name prior to 8.4(1). I could not locate any documentation regarding this part number or upgrading 10 users to 25 users for both ASAs.


Cisco VPN :: ASA5510 Anyconnect Permission With NT Domain User

Aug 21, 2012

I am trying to set up a VPN with AnyConnect on my ASA5510 and it works fine. I have set up an AAA server group for my Active Directory with the "NT Domain" protocol. Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the AnyConnect VPN to only a few users in AD.


Cisco VPN :: ASA5500 - User Authentication ACS By Adding External RADIUS Database

Feb 28, 2012

I would like to configure the below setup:
 
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
 
Here the ACS server would send the authentication requests to the External RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added the AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).
 
Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as the RADIUS server you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?


Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?


Cisco VPN :: AnyConnect Error User Not Authorized For Client In 5505

Jan 9, 2013

It's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem.

The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.

ASA Version 9.1(1)
!
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code] .....


Cisco VPN :: ASA5510 / AnyConnect Active Directory User Password Expiration?

May 20, 2012

I have a Cisco ASA5510 firewall that has SSL Web VPN functionality and is utilizing AD Server as Authentication server for users. However, we have a policy to change password at certain point of time. Users in the office have no problem. They just login their PC and change password. Users outside of office is a pain when their password is expired. Is it possible for them to change their AD password thru VPN using Cisco AnyConnect?


Cisco :: ASA5510 - AnyConnect VPN Active Directory User Password Expiration

May 19, 2012

I have a Cisco ASA5510 firewall that has SSL Web VPN functionality and is utilizing AD Server as Authentication server for users. However, we have a policy to change password at certain point of time. Users in the office have no problem. They just login their PC and change password. Users outside of office is a pain when their password is expired. Is it possible for them to change their AD password thru VPN using Cisco AnyConnect? If yes, can you show me how?


Cisco :: Number Of RF Profiles On 5508?

Feb 17, 2013

I've searched the release notes for 7.2+, but I haven't found a documented number of how many active RF Profiles a 5508 can support. Any limitation of how many RF Profiles they can have?


Cisco VPN :: Disable VPN Profiles In ASA 5550

Feb 11, 2010

I need to disable approximately 40 different VPN profiles in our ASA5550's without deleting them (need the ability to quickly activate them again if needed). I thought maybe I could disable IPsec for those profiles, but since IPsec is an attribute of the Group Policy, I can't do it, as many other profiles are sharing the same policy.


Cisco :: Lobby Ambassador Profiles In ACS 5.3

Jul 14, 2012

We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
 
I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
 
What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
 
What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.


Cisco :: 3500 - WLC QoS Profiles Not Applying Egress

Sep 8, 2011

In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way?  I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?


Cisco Wireless :: WLC 2504 / Group APs To Get Different Profiles?

Aug 21, 2012

Is there a way to group APs to get different profiles? I need to have some that have the 2.4GHz turned down and some with the 2.4 and 5.0 GHz on.


Cisco :: WLC 4402 / Can Use ISE Server And Make Profiles

Jun 13, 2012

Customer has a WLC 4402 and 21 AP's LAP1131AG. There is a PDA WLAN created to give PDA's and wireless phones access to the webmail. This is done by access lists and firewalls. Now the customer wants more access to the internet in this PDA WLAN, maybe in a later phase to the other VLANs. Can we use an ISE server and make profiles? Is this the only additional server that we need, or is an upgrade of the WLC and AP's also needed?


D-Link DCS-942L :: How To Switch Profiles

Dec 18, 2012

I just bought a new 942L (HW Rev3, 1.12 FW) and the only profile which is used to stream to iPhone or Web browser in mydlink is profile 3, which is limited to JPEG. Is there some way to change the profile to be used for streams, or is there a way to make profile 3 something else than JPEG?


Cisco AAA/Identity/Nac :: Network Access / Authorization Profiles ACS 5.4

Apr 17, 2013

For ACS 5.4: In Network Access -> Authorization Profiles there is a Permit Access profile. If you try to edit it a message pops up that says: "The profile you have selected is reserved and cannot be deleted or modified". What does this profile contain in its rule base? If I wanted to create a similar profile, what Common Tasks or Radius Attributes would I need to use? The same would go for a Deny Access profile. I have looked at the Common Tasks and Radius Attributes for a new profile and it doesn't seem very intuitive.


AAA/Identity/Nac :: ACS 5.41 Same Username With Two Different Group / Shell Profiles

Mar 23, 2013

In my ACS 5.4 I want to have the same username use two shell profiles. Here is the requirement. One shell profile with privilege 15 for IOS device admin and another one with a different privilege for WCS admin. As there can't be two shell profiles on the same authorization profile, I created two different profiles, and match with the ACS local group name. However, whenever the user tries to access, it always hits the 1st profile.


Cisco :: WLC 4402 / Order Of WLAN Profiles In AP Group From MIB Files

May 19, 2009

WLC Model
---------
WLC 4402
 Software Version
----------------
5.2.178 
Problem Statement
-----------------

Do we have any Cisco WLC MIB to get WLAN profile (Order in which WLAN profiles are added inside an AP Group) information present in an AP group?


Cisco VPN :: 5510 - Separate RADIUS Profiles For SSLVPN Group

Sep 11, 2012

We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
 
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
 
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.


Pending - Windows 7 And XP Profiles On Server 2003 Environment?

May 16, 2011

I have recently added to a domain. The initial setup is a server running Windows 2003 and several XP machines which log on to the domain using mandatory profiles. However, after adding Windows 7 machines and logging them on to the system, it doesn't load the profiles (which is fine, as I understand you cannot use the same profiles with Windows 7 + XP). The problem is it automatically creates a roaming profile when logging off and saves it back to the same path as the other profiles under user.V2, which is growing considerably and causing huge logoff and logon times. How can I get the Windows 7 machines to not attempt roaming profiles back to the server and instead just save the profiles locally when logging off?


Cisco AAA/Identity/Nac :: Acs 5.2 Unable To Launch Common Task On Authorization Profiles?

Feb 15, 2013

I have recently installed ACS 5.2 evaluation on a VMware and I can't launch common task on authorization profiles. When I click on it I get the below message: javascript:cuesToggleTab('NetworkAccess',1,false,false


Cisco Switching/Routing :: Different Netflow Export Profiles On Cat 6513 With Sup720

Aug 28, 2012

Is it possible to have one NetFlow export profile (may not be the right word...) to send all the flow information to one collector and another profile to only send traffic to and from certain IP addresses to another collector? If it is possible on the hardware and software, any quick sample config?
 
#sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH4,
 
#sho module 7
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  7    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1115LJBR
 
Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  7  0017.9444.9814 to 0017.9444.9817   5.3   8.4(2)       12.2(33)SXH4 Ok
 
Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  7  Policy Feature Card 3       WS-F6K-PFC3B       SAL1115L2NH  2.3    Ok
  7  MSFC3 Daughterboard         WS-SUP720          SAL1115LH7W  2.6    Ok

Mod  Online Diag Status
---- -------------------
  7  Pass








Copyrights 2005-15 www.BigResource.com, All rights reserved