03-15-2010 03:48 AM - edited 02-21-2020 04:33 PM
Hi all!
Part One
I have successfully set up AnyConnect VPN into our c2821 using MS Active Directory & Cisco Secure ACS v.4.2 RADIUS server authentication for Windows clients.
I have successfully set up authentication into Windows using Aladdin eToken and Smartcard Logon Certificate (Microsoft CA Connector).
I have successfully got a User Certificate from the Microsoft CA into the eToken store.
I would like someone to answer the following: how can I use this certificate to authenticate the VPN session over AnyConnect?
Part Two
I have tried to customize local AnyConnect profile by using Cisco AnyConnect Profile Editor. The only result: changed Default Username and Default Host. All other customizations were ignored.
Here is my profile:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ClientInitialization>
    <DefaultUser>one</DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint>omitted</ClientCertificateThumbprint>
    <ServerCertificateThumbprint>omitted</ServerCertificateThumbprint>
    <DefaultHost>omitted</DefaultHost>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="true">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="true">Automatic
      <PPPExclusionServerIP UserControllable="true"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="true">false</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>
Does anyone have any ideas?
03-17-2010 09:58 PM
Hi,
You can control the AnyConnect session parameters only if the administrator enabled/checked "User Controllable" for each individual XML attribute. For those that are User Controllable, the user should be able to click on the "Settings" button right next to the Server drop-down box.
On the other hand, if you manually edit the XML file on the client's local PC, the next time AnyConnect connects, it will download the original version from the ASA and compare it with the local XML file. If the checksums don't match, it will overwrite the local XML file with the newly downloaded one.
You can modify the preferences.xml file, and as you found out, AnyConnect will honor your changes. But the profile has most of the security settings, such as Local LAN Access, Start Before Logon, Auto Reconnect, etc.
Thanks,
Kiran
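To make the two points in that answer concrete (which profile elements a user may change, and why a locally edited profile does not survive the next connection), here is an added example written for this thread. It is not Cisco's code and not part of the original posts: it parses a profile modelled on the one above, lists the elements that are not marked UserControllable, and mimics the client's reconciliation step by comparing a digest of the local copy against the head-end copy. The digest algorithm (SHA-256) and the exact reconciliation behaviour are assumptions for illustration; the real AnyConnect checksum is not documented here.

```python
"""Added example for this thread, not Cisco's implementation.

Shows (1) which elements of an AnyConnect client profile are admin-locked
(no UserControllable="true"), and (2) why a locally edited profile is
replaced: the client compares the local copy with the copy served by the
ASA and overwrites on mismatch. SHA-256 is an assumption standing in for
whatever checksum AnyConnect actually uses.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample profile, modelled on the one posted in the thread
# (thumbprints, host and user names omitted).
SERVER_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <RSASecurIDIntegration UserControllable="false">HardwareToken</RSASecurIDIntegration>
    <EnableScripting UserControllable="true">false</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>
"""


def profile_settings(xml_text):
    """Return {element: (value, user_controllable)} for every element under
    ClientInitialization, nested ones included (e.g. AutoReconnectBehavior).
    An element without a UserControllable attribute is treated as locked."""
    root = ET.fromstring(xml_text)
    init = root.find("ClientInitialization")
    settings = {}
    for elem in init.iter():
        if elem is init:
            continue
        value = (elem.text or "").strip()
        controllable = elem.get("UserControllable", "false").lower() == "true"
        settings[elem.tag] = (value, controllable)
    return settings


def locked_settings(xml_text):
    """Names of the settings a user cannot change from the client GUI."""
    return sorted(name for name, (_, ctrl) in profile_settings(xml_text).items()
                  if not ctrl)


def profile_digest(xml_text):
    """Assumed checksum: SHA-256 over the raw profile bytes."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def reconcile(local_xml, server_xml):
    """Mimic the client step described in the answer: if the local copy's
    digest differs from the head-end copy's, the local file is replaced.
    Returns (effective_profile, was_overwritten)."""
    if profile_digest(local_xml) != profile_digest(server_xml):
        return server_xml, True
    return local_xml, False


def tamper_local_lan(xml_text):
    """A user editing the locked LocalLanAccess element by hand."""
    return xml_text.replace(
        '<LocalLanAccess UserControllable="false">false',
        '<LocalLanAccess UserControllable="false">true')


if __name__ == "__main__":
    print("admin-locked:", locked_settings(SERVER_PROFILE))
    edited = tamper_local_lan(SERVER_PROFILE)
    effective, overwritten = reconcile(edited, SERVER_PROFILE)
    print("local edit survived:", not overwritten)
    print("effective LocalLanAccess:", profile_settings(effective)["LocalLanAccess"][0])
```

Run as a script it reports the four admin-locked elements in the sample, then shows that the hand edit to LocalLanAccess is discarded because the local digest no longer matches the head-end copy. A second run with an untouched local copy returns the same bytes with `was_overwritten` False, which is the case where a user-controllable change made through the client's Settings dialog (stored in preferences.xml, not the profile) is the only thing that persists.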
03-16-2010 12:38 AM
Hi all!
I was completely wrong in Part Two: this profile is one great mistake.
But.
I know about three locations, where AnyConnect places configuration files.
The third location unambiguously contains the current user profile - I can edit it and see the differences when AnyConnect starts. But any manipulation of any profiles in the 1st and 2nd locations does not change anything. So I cannot control AnyConnect parameters via profiles.
Please tell me - is it possible to control AnyConnect parameters locally?
03-18-2010 01:24 AM
2 ksirupa:
Thanks a lot - I've understood the profile situation. The profile is really controllable only on the ASA under an administrator's account.
Confirmed.
03-18-2010 01:42 AM
Part One
It cannot be solved on the C2821. At all.
But I've tried to do it using an ASA 5500 with ASDM and after a couple of hours was completely successful.
Part Two
The AnyConnect configuration profile cannot be controlled locally. Any modifications must be done on the ASA, and then the client can download the profile and use it.
Thanks to all.