With Ameet Kulkarni
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about AnyConnect Secure Mobility with Cisco expert Ameet Kulkarni. Learn about the various aspects of AnyConnect Secure Mobility such as HostScan, Client and Clientless based remote access, policies, and more.
Ameet Kulkarni is a product manager within the Secure Access and Mobility Product Group. His areas of expertise revolve around AnyConnect & ISE with a focus on posture assessment and profiler technologies. Kulkarni has managed multiple products over his career in VoIP and Security industries. He is an engineer by education with a Master of Science in Telecommunication. He has had a broad exposure in software development, solution architecture, program management and product management.
Remember to use the rating system to let Ameet know if you have received an adequate response.
Ameet might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub community shortly after the event. This event lasts through April 5, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
The objective is that the AnyConnect user doesn't have to select a group-alias, so when a user enters their username and password it should go to its specific tunnel-group and group-policy. As I have removed this command in webvpn ("no tunnel-group-list enable"), doing this I cannot log in (user does not authenticate).
1- My question is why it's not happening?
If I keep only one default tunnel-group and make multiple group-policies and assign each user its specific group-policy, then it works. That is, in the user attributes I only issue the following commands and it works, but if I put "group-lock value test-tunnel" then it does not log in.
Why is that so? Can we have only one tunnel in this case?
webvpn
 ! cache-fs and svc image are webvpn sub-commands, so the parent mode is shown here
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
!
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
!
username test password test
username test attributes
 ! user-level policy mapping, as described in the follow-up post
 vpn-group-policy test-gp
 ! restricts this user to connecting through tunnel-group test-tunnel
 group-lock value test-tunnel
!
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
tunnel-group test-tunnel webvpn-attributes
 ! with tunnel-group-list disabled, this URL is the only way to reach test-tunnel
 group-url https://192.168.168.2/test enable
What is the required knowledge to achieve CCNP Security? In which order should I start to study? What comes first, CCNP R&S or CCNP Security? When can I start with CCNA Security? I need some information; please do the needful for me and tell me how to start. Is it true that I need to know how to install before securing it? I got some info from some sources which told me that I need to study CCNP R&S before CCNP Security, because before securing it is necessary to know how to install. Is it true?
Thanks Ameet for enlightening me on the above issue. But still, in the user attributes, if I map a user "testuser" with a tunnel-group ("group-lock test-tunnel") and a group-policy ("vpn-group-policy test-policy"), then it does not log in. If I remove group-lock it works. So why has Cisco added group-lock in the user attributes, what is the purpose? I need to understand in detail, please.
John, what you are doing is locking the user to the tunnel group. So for the user to connect, you need to use group URL or pull-down or certificate matching. When you remove the group-lock, the user goes into the default tunnel group and is probably hitting the default group policy that you have set up and hence is logging in.
Tunnel Group Lock is a simple check to validate if the Tunnel Group (a.k.a. ASDM Connection Profile) you connect with matches what you have defined under the group-policy. If the Tunnel-Group-Lock value matches (true condition), the VPN remote access session is allowed to set up; otherwise the session is not allowed to establish.
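The selection-then-lock behaviour Ameet describes, as an added illustrative model written for this thread (it is not Cisco's code and not how the ASA is implemented internally): a connection first lands in a tunnel-group (group-url match, drop-down alias when "tunnel-group-list enable" is set, otherwise the default), and only then is the user's group-lock compared against that tunnel-group. The tunnel-group names, the "DefaultWEBVPNGroup" fallback name, and the user records are constructed for the example; real ASA selection also considers certificate maps and AAA attribute maps, which this model omits.

```python
"""Simplified model of tunnel-group selection and the group-lock check.
Added example, not Cisco code; names and records are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"  # assumed name of the fallback tunnel-group


@dataclass
class TunnelGroup:
    name: str
    group_url: Optional[str] = None       # 'group-url <url> enable'
    group_alias: Optional[str] = None     # 'group-alias <name> enable'
    default_group_policy: str = "DfltGrpPolicy"


@dataclass
class User:
    name: str
    group_lock: Optional[str] = None         # 'group-lock value <tunnel-group>'
    vpn_group_policy: Optional[str] = None   # 'vpn-group-policy <group-policy>'


def select_tunnel_group(tunnel_groups: List[TunnelGroup], url: Optional[str] = None,
                        alias: Optional[str] = None,
                        tunnel_group_list_enabled: bool = True) -> TunnelGroup:
    """Choose the tunnel-group for a connection attempt.

    Modelled order: a matching group-url wins; otherwise an alias picked from the
    drop-down, which only exists when 'tunnel-group-list enable' is set; otherwise
    the default tunnel-group.
    """
    if url:
        for tg in tunnel_groups:
            if tg.group_url == url:
                return tg
    if tunnel_group_list_enabled and alias:
        for tg in tunnel_groups:
            if tg.group_alias == alias:
                return tg
    return next(tg for tg in tunnel_groups if tg.name == DEFAULT_TUNNEL_GROUP)


def evaluate_session(user: User, tg: TunnelGroup) -> Tuple[bool, str, Optional[str]]:
    """Apply the group-lock check, then resolve the effective group-policy.

    A user-level vpn-group-policy overrides the tunnel-group's default policy.
    """
    if user.group_lock and user.group_lock != tg.name:
        return (False,
                f"denied: {user.name} is locked to {user.group_lock} but connected via {tg.name}",
                None)
    return True, "allowed", user.vpn_group_policy or tg.default_group_policy


# Constructed configuration mirroring the thread: one custom tunnel-group reachable
# only by group-url (no alias), plus the default tunnel-group.
TUNNEL_GROUPS = [
    TunnelGroup(DEFAULT_TUNNEL_GROUP),
    TunnelGroup("test-tunnel", group_url="https://192.168.168.2/test"),
]
LOCKED_USER = User("test", group_lock="test-tunnel", vpn_group_policy="test-gp")
UNLOCKED_USER = User("test", vpn_group_policy="test-gp")


def connect(user: User, url: Optional[str] = None, alias: Optional[str] = None,
            tunnel_group_list_enabled: bool = False):
    """One connection attempt: pick the tunnel-group, then run the lock check."""
    tg = select_tunnel_group(TUNNEL_GROUPS, url, alias, tunnel_group_list_enabled)
    return evaluate_session(user, tg)


if __name__ == "__main__":
    # Bare head-end URL with the drop-down disabled lands in the default group,
    # so the locked user is refused; the group-url or removing the lock succeeds.
    print(connect(LOCKED_USER, url="https://192.168.168.2/"))
    print(connect(LOCKED_USER, url="https://192.168.168.2/test"))
    print(connect(UNLOCKED_USER, url="https://192.168.168.2/"))
```

Running it shows the three cases from the thread side by side: the locked user hitting the bare URL is refused because the lock points at a tunnel-group the session never entered, the same user via the group-url is allowed with test-gp, and the user without a lock is allowed from the default tunnel-group because the user-level vpn-group-policy still applies.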
On My ASA Firewall I have anyconnect-win-3.0.5080-k9.pkg image. Some of the users have installed AnyConnect 2.5.3051 software on their machine. I just wanted to know, if there would be some issue in connecting or accessing VPN or other programs.
Both versions should co-exist just fine. I would suggest testing one 2.5 client if you are using CSD/HostScan to ensure compatibility.
The 2.5 client software and profiles will be updated unless you do one of the following.
A. Yes. Use one of these methods in order to turn off the automatic AnyConnect upgrade via the ASA:
1. Adjust the profile on the ASA to disable updates.
2. Use a local policy to disable the AnyConnect downloader (BypassDownloader true). The client does not check for any dynamic content present on the ASA, including profile updates, translations, customization, optional modules, and core software updates.
What pcarco is saying is true for ASA 9.0 and AnyConnect 3.1 and above. If you have a newer version of AnyConnect on the ASA, the end users will automatically get upgraded to that version. The ability for end users to defer updates to a later time comes about from ASA 9.0 and AnyConnect 3.1.
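The two update controls named above (AutoUpdate in the client profile, BypassDownloader in the local policy) are worth checking together, because BypassDownloader also stops profile updates, so a profile change alone cannot re-enable upgrades on a client that bypasses the downloader. The following is an added example for this thread, not Cisco code: a small audit that reads both XML files and reports which setting, if any, blocks ASA-driven updates. The element names (AnyConnectProfile/ClientInitialization/AutoUpdate with its UserControllable attribute, AnyConnectLocalPolicy/BypassDownloader) follow the AnyConnect schemas as the author of this example knows them; the sample documents and the namespace-agnostic lookup are constructed for the example.

```python
"""Audit AnyConnect update settings in a client profile and a local policy.
Added example, not Cisco code; sample XML below is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional


def _local_name(tag: str) -> str:
    """Strip any '{namespace}' prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]


def _find(root: ET.Element, name: str) -> Optional[ET.Element]:
    """First element with the given local name, whatever namespace it is in."""
    for el in root.iter():
        if _local_name(el.tag) == name:
            return el
    return None


def _text_bool(el: Optional[ET.Element]) -> Optional[bool]:
    """Map element text 'true'/'false' to bool; None when absent or unrecognised."""
    if el is None or el.text is None:
        return None
    return {"true": True, "false": False}.get(el.text.strip().lower())


def _attr_bool(el: Optional[ET.Element], attr: str) -> Optional[bool]:
    """Same mapping for an attribute value."""
    if el is None or el.get(attr) is None:
        return None
    return {"true": True, "false": False}.get(el.get(attr).strip().lower())


def audit_update_settings(profile_xml: str, local_policy_xml: str) -> Dict[str, Optional[bool]]:
    """Report the update-related settings and whether ASA-driven updates are blocked."""
    profile = ET.fromstring(profile_xml)
    policy = ET.fromstring(local_policy_xml)
    auto_update_el = _find(profile, "AutoUpdate")
    auto_update = _text_bool(auto_update_el)
    bypass = _text_bool(_find(policy, "BypassDownloader"))
    return {
        "auto_update": auto_update,
        "auto_update_user_controllable": _attr_bool(auto_update_el, "UserControllable"),
        "bypass_downloader": bypass,
        # AutoUpdate=false stops software upgrades pushed by the ASA; BypassDownloader=true
        # stops all dynamic content from the ASA, profile updates included.
        "asa_updates_blocked": auto_update is False or bypass is True,
    }


# Constructed sample files (not from the thread): profile with AutoUpdate disabled,
# local policy with the downloader still enabled.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

SAMPLE_LOCAL_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.1.0">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
</AnyConnectLocalPolicy>
"""

if __name__ == "__main__":
    for key, value in audit_update_settings(SAMPLE_PROFILE, SAMPLE_LOCAL_POLICY).items():
        print(f"{key}: {value}")
```

Point it at the real files on a client (the profile under the AnyConnect profile directory and AnyConnectLocalPolicy.xml next to the client install) to see which control is in effect before assuming a newer package on the ASA will reach every endpoint. The lookup ignores namespaces on purpose, since profiles exported from different ASA and ASDM versions do not always carry the same xmlns declaration.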
When configuring AnyConnect using ASDM it has two options for VPN protocol to be used. One is SSL and other is IPSec. Can we use IPsec as the protocol? can you please assist here.
Yes you can, but just note it is IPsec with IKEv2.
"Optimized Network Access - VPN Protocol Choice: SSL (TLS and DTLS), and IPsec/IKEv2
AnyConnect now provides a choice of VPN protocols, allowing administrators to use whichever protocol best fits their business needs.
• Tunneling support includes SSL (TLS and DTLS) and next-generation IPsec (Internet Key Exchange Version 2 [IKEv2])
• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access
• TLS (HTTP over TLS/SSL) ensures availability of network connectivity through locked-down environments, including those using web proxy servers
• IPsec/IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec"