Re: ASK THE EXPERT : Secure Mobility with AnyConnect 3.0 - Page 3

ciscomoderator · ‎05-06-2011

With

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to implement Secure VPN Mobility using Cisco AnyConnect with Cisco expert Naman Latif. Naman is a technical support engineer at the Cisco Technical Assistance Center for VPN and security technologies. His area of expertise includes configuration and troubleshooting for Cisco’s security product portfolio including VPN, PKI and firewall technologies as well as Client and Cisco Adaptive Security Appliance (ASA).

Remember to use the rating system to let Naman know if you have received an adequate response.

Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security, VPN discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

mulatif · ‎05-15-2011

Hi Joceyln,

Did you change the "DfltAccessPolicy" action in DAP to 'terminate' ? If the User doesn't match the Custom DAP , which you created then it will go to the Default Policy and its action should be set to terminate.

I would also need to see the output from "debug dap trace" from the ASA, when you connect. This will give us some useful information on what is being detected by CSD.

Please note that you might want to open a TAC case to troubleshoot this , if you are un-comfortable in posting your network configuration\debugging on the Public forum.

Thanks,

Naman

conleya · ‎05-16-2011

Naman,

Any word on when AnyConnect will support Windows 7 Network Location Awareness? I had heard this would be available in the spring, but haven't seen anything in the recent release notes to indicate this has been added.

mulatif · ‎05-16-2011

Hi,

Thanks for participating in this session.

Can you describe in a little more detail on what will be the purpose\objective for this ?

AnyConnect already supports TND (Trusted Network Detection), which when used with Always-On enables a Client to automatically connect to the Headend ASA when the PC is not on the trusted network.

The trusted network detection is based on assigned DNS suffix (e.g. domain.com etc) Or DNS Server's IP address.

Are you looking something further than this ? Where anyconnect decides on the trusted network by not looking at DNS information but instead getting that information from Windows 7 Location services ?

Thanks,

Naman

conleya · ‎05-16-2011

The reason Windows Network Location Awareness is neady, is for remote support. Without Network Location Awareness, Windows firewall blocks remote desktop sessions into the client, because it applies the public network firewall policy. With Network Location Awareness, as soon as the AnyConnect Client connected, Windows would switch the firewall policy to the domain policy, instead of the public network policy.

There is an existing enhancement request for this: CSCtf56523 Windows Network Location Awareness (NLA)

mulatif · ‎05-16-2011

Hi,

The bug\enhancement for this issue is shown to be fixed. It should be available in the next release of AnyConnect (Release after the current 3.0.1047 version).

The current schedule shows this to be released end of this month. You can also contact your Cisco Account and they might be able to provide more detailed information.

Thanks,

Naman

m.vandooren · ‎05-16-2011

Hi,

I have some questions about the NAM module of the AnyConnect 3.0 client.

Are there any best practice settings?

Connection Settings:

Should a Connection attempt be made before or after user logon?, and what is the effect of both on GPOs, logon scripts? Especially when using different vlans for computers and users.

Default connection timeout X secs?

Time to wait before user logon X secs?

Are there settings that you have to take in account when also having a wireless network configured?

mulatif · ‎05-16-2011

Hi,

The connection attempt from NAM is not user initiated. After you have configured the profiles for NAM the connection is attempted when network is available (E.g. LAN cable plugged-in Or Wireless Network available etc)

If you have a valid connection before logon (E.g. When user is at a corporate location) then User logs-on to the domain and all scripts\GPO should work as in a normal logon.

If you are at a remote location then you can either logon using "Cached" domain credentials , since the domain is not going to be available

OR

You can also use the AnyConnect SBL (Start before Log-On) feature alongwith NAM so you are connected to the ASA and have VPN connectivity to the domain before log-on to the PC.

More information on NAM it at

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html

AnyConnect SBL at

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1134595

Thanks,

Naman

tonyhong · ‎05-18-2011

Hi

Does AnyConnect with AD do monitoring meaning:

1. A user connects and are we able able to report:

a. On the time they connected and logoff?

b. and the specific servers they connect to, actions they performed while authorized? If not, is there another product or solution or workaround?

2. Is there a idle timeout, we can create?

Thanks

mulatif · ‎05-19-2011

Hi Tony,

Thanks for participating in the discussion.

1. AnyConnect connection reporting\accounting is done at the ASA. You can configure RADIUS accounting on the ASA and you will be able to tell when\how long the AnyConnect client stayed connected etc. More information on configuring RADIUS accounting is at

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1047241

Please note that you will also need to use RADIUS Authentication for VPN Users in order to user Accounting.

As for keeping track of the Users on what Servers they access etc, this cannot be done on the ASA. However you can use VPN-Filters to restrict Users to only specific servers etc.

2. You can definitely configure idle time-out for Users. This can be configured on a Per-Group Policy basis. More information below

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1140327

(See Section 'Configuring the Idle Timeout' )

Hope this helps.

Thanks,

Naman

dimitri.smit · ‎05-20-2011

Hi - we're setting up a POC using AnyConnect 3.0, using ipsec. [Migration project from previous cisco vpn client]:

1 - is it possible to set a network connection preference order? Ie, prefer Wired over wireless, and dynamically switch to wired if you were on wireless?

2 - We use Symantec Endpoint Protection [SEP] as the client personal fw/AV. This used to be a Sygate product, but we can't seem to get that element of host-checking to work. For SEP, do we need to select a Sygate product from the list [which?], or create a custom entry?

3 - We haven't purchased any SSL licenses, and intend to use ipsec only. [I believe that our ASA comes with a couple of SSL licenses free]. When using Anyconnect for ipsec, is there still a reliance on SSL licensing, for example to get profile updates, initial connection, deploy software etc etc? We intend to get over 200 ipsec concurrent connections, without buying ssl licenses - can you foresee any issues with this?

thanks

mulatif · ‎05-20-2011

Hi Dimitri,

1. You can use "Network Access Manager" for preferring a Wired connection over Wireless. AnyConnect itself doesn't have any control over selecting the adapater and will just use the Windows routing table for sending traffic.

Usually the Metric for WLAN adapter's default router is higher than Wired, so a Wired connection is preferred in any case. See below for more information on NAM

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html

2. For Symantec Endpoint Protection, you will still select Symantec. I have seen this working , so there might be a mis-configuration OR Maybe "Cisco Secure Desktop" is unable to detect the presence of Symantec product.

This can be confirmed by running "debug dap trace" on the ASA.

Please Note that Cisco Secure Desktop need to be enabled for this to work.

3. With AnyConnect 3.0 the licensing information is as below

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

(See section 'Cisco AnyConnect Secure Mobility Client Licensing Options' )

The license is based on Simultaneous AnyConnect Client (And doesn't rely on SSL or IKEv2 as the underlying transport mechanism).

Also note that HTTPS need to be enabled on the Headend (Even when using IKEv2) for pushing Profiles, Host Scan Checks etc.

Thanks,

Naman

jbuenomocisco · ‎05-20-2011

Can you helpme

How can I configure the wireless not to be shown for users,but used by tham? On a Cisco 1242AG

I mean when someone do a wireless discovery not see my wireless name, but typing the name be able to connect it.

mulatif · ‎05-20-2011

Hi Juarez,

This forum is for AnyConnect issue but your question is more related to configuring the Access Point.

As per my knowledge, this can be done by "Not Broadcasting the SSID", which is a feature\configurable option in the Wireless Access Point GUI.

However if you still have any questions then I will suggest to post your question in the "Wireless - Mobility" forum.

Hope this helps.

Thanks,

Naman