Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1869
Views
0
Helpful
2
Replies

AnyConnect - Best Practice to download/distribute Profile XML's?

Eric Snijders
Level 1
Level 1

‎08-05-2019 04:46 AM - edited ‎02-21-2020 09:22 AM

Hi all,

 

We've been running different ASA profiles together with a LDAP Description to Profile mapping enabled. This works fine, but i've always had issue's on finding the right way to let people get their right .xml profile downloaded.

 

Every profile has it's own Custom URL which works fine through Internet Explorer 11 (with the site added to Trusted Sites) but every other browser fails. I know you can also enter your own URL directly in the AnyConnect box (where it normally shows your profiles) but if i enter one of the Custom URL's i'm getting a "Unknown IKEv2 Received" in the logging.

 

1. Is it even possible to enter a URL or something directly in AnyConnect to download the profile .xml that way

2. We're running AnyConnect 4.4 right now. If i would upgrade AnyConnect, will that make WebLaunch work again through Firefox and/or Chrome? Adding a site to Trusted Sites and using IE11 (in stead of Edge) is still really hard for some users.

 

Thanks in advance,

 

Kind regards,


Eric

0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-05-2019 09:09 AM - edited ‎08-05-2019 09:11 AM

Yes you can add a custom URL directly in AnyConnect. It can be a published or non-published alias.

You can also have people just use the common "top level" URL and then change their group-policy based on the LDAP map dynamically.

My colleague @Rahul Govindan mentions the alternatives in this thread:

https://community.cisco.com/t5/vpn-and-anyconnect/cisco-anyconnect-vpn-group-policy-and-connection-profiles/td-p/3206510

Oh and by the way FTD does a nice job at getting away from the issues that Firefox and Chrome have with the old style web launch on ASAs. It doesn't have 100% parity in all features but it does get that one right (finally!).

0 Helpful

Eric Snijders
Level 1
Level 1
In response to Marvin Rhoads

‎08-06-2019 12:34 AM - edited ‎08-06-2019 12:37 AM

Hi Marvin,

Thanks for the fast reply. I tried exactly what you said, and what was described in the linked topic, but without success. It might be cause we have a bit of a "exotic" configuration". Like i said, we use LDAP Description to Group Policy mapping to "force" people in the right Tunnel Profile:

ldap attribute-map AC_LDAP_AUTHORIZATION
  map-name  description Group-Policy

This is the configuration of one of the Tunnel Groups:

group-policy TESTCASE internal
group-policy TESTCASE attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-filter value TESTCASE_FILTER
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTCASE_TUNNEL
 default-domain value testcase.com
 anyconnect-custom DeferredUpdateDismissTimeout value Time
 anyconnect-custom DeferredUpdateDismissResponse value Response
 anyconnect-custom DeferredUpdateAllowed value Allowed
 anyconnect-custom DeferredUpdateMinimumVersion value Version
 webvpn
  anyconnect profiles value TESTCASE_PROFILE type user
  
tunnel-group TESTCASE type remote-access
tunnel-group TESTCASE general-attributes
 address-pool AC_POOL
 authentication-server-group RSA
 authorization-server-group LDAP
 default-group-policy AC_NOACCESS
 authorization-required
 username-from-certificate CN
tunnel-group TESTCASE webvpn-attributes
 group-alias TESTCASE enable
 group-url https://testcase.com/test enable
 without-csd

I didn't build it, but i think i started understandig. What my former colleague wanted to do, is force everyone in the "AC_NOACCESS" policy first so that if someone somehow would get unauthorized access, you'll be forced in a group policy where you can do literally nothing. That's why we're also using LDAP, and the LDAP mapping to group policy.

The following happens when i manually enter a/the URL in AnyConnect:

  1. Entering "https://testcase.com" gets me a pop-up where i'm able to see all the different Tunnel Groups. I'm not being able to connect though. No error, the username/password window just pops-up again.
  2. Entering "testcase.com" gets me a pop-up where i'm able to see all the different Tunnel Groups. I'm not being able to connect though. Receiving "Login Failed" in AnyConnect.
  3. Entering "https://testcase.com/test" gets me a pop-up without showing the different Tunnel Groups. Just the username and password fields. Login fails though. No error, the username/password window just pops-up again.
  4. Entering "testcase.com/test" gets me a pop-up without showing the different Tunnel Groups. Just the username and password fields. Login fails though. Receiving "Login Failed" in AnyConnect.

I have a feeling this happens because everyone is "forced" in the AC_NOACCESS policy first. When i try one of the above 4 options, the ASA is logging the following error:

 

6	Aug 06 2019	09:32:06	113044					Client <PUBLIC_IP> User <testuser> requested tunnel protocol (ssl-client) not allowed by group-policy <TESTCASE> configuration.

Could it be that the group policy "TESTCASE" is only set to "vpn-tunnel-protocol ikev2" and initiating the connection directly through the address bar in AnyConnect by default initiates a "ssl-client" connection?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card