I'm reading through all the Anyconnect documentation I can find online and feel like I'm missing the fundamentals still.
I'm following through the configs and managing to get a "half" working remote access setup. I'm really just following the examples without much understanding behind what is being done.
Regarding Anyconnect Client Profiles / Connection / Group Policies etc.. What is each for, how do these tie together with each other to give the desired end result of a successful working VPN solution? I'm just being shown how to configure each, but I'm trying to understand what each is and why it's needed.
Could someone who has a bit of experience with the ASA explain in an easy-to-follow manner? Routing and Switching I can handle, but the ASA / AnyConnect is just something I'm learning as I go along.
To add to the confusion, the CLI and ASDM sometimes use different terminology.
But in short, the basics are as follows:
1) a tunnel-group (connection profile in ASDM) is what a user connects to and which defines how AAA is done.
User-to-TG mapping depends on what type of VPN is used and can range from trivial (everyone connects to the default TG) to rather complex (users with certificates can get mapped to a TG based on a field in the cert, users can select a TG, etc.)
2) a group-policy is basically a set of policy attributes that is applied to a connection. Includes attributes that get pushed to the client (ip address, dns server etc.) and things like what time of day a user is allowed to connect, for how long, etc.
By default, the TG config specifies which GP is applied.
In a more advanced setup, user-specific config or external AAA (e.g. RADIUS or LDAP) can override which GP is used, or can override specific attributes in the GP.
3) a client profile (aka XML profile) is a set of client configuration settings that is pushed down from the ASA, i.e. the ASA admin can use this to e.g. configure the client to auto-connect on startup, or to block all network traffic when disconnected, etc.
The group-policy defines which client profile is pushed down (if any).
This is just a very basic and incomplete description with very limited examples but I hope this gives you a starting point.
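To make the three pieces above concrete, here is an added ASA CLI example (not from the original answer) that wires them together: a tunnel-group that users connect to and that points at a default group-policy, a group-policy that carries the attributes pushed to the session and names the client profile, and the client profile file itself registered under webvpn. All names (RA-TG, RA-GP, RA-PROFILE, RA-POOL, SPLIT-ACL), the addresses and the file names are made up for illustration; the AnyConnect package file name is a placeholder you would replace with the image actually on flash.

```cisco
! --- Client profile (XML) and package: stored on flash, registered here ---
webvpn
 enable outside
 ! placeholder file name; use the real AnyConnect webdeploy package on disk0:
 anyconnect image disk0:/ANYCONNECT-PACKAGE-PLACEHOLDER.pkg 1
 ! the XML profile is normally built in the ASDM profile editor and saved to flash
 anyconnect profiles RA-PROFILE disk0:/ra-profile.xml
 anyconnect enable
 ! lets users choose a connection profile (tunnel-group) from the client drop-down
 tunnel-group-list enable

! --- Pool and split-tunnel list referenced by the group-policy ---
ip local pool RA-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.1.0 255.255.255.0

! --- Group-policy: attributes applied to the connection ---
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA-POOL
 dns-server value 192.168.1.10
 ! only the internal subnet goes through the tunnel
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 ! idle and absolute session limits, in minutes
 vpn-idle-timeout 30
 vpn-session-timeout 480
 webvpn
  ! this is the link from GP to client profile: which XML the client receives
  anyconnect profiles value RA-PROFILE type user

! --- Tunnel-group (connection profile in ASDM): what the user connects to ---
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 ! AAA: local user database here; could be a RADIUS/LDAP server group instead
 authentication-server-group LOCAL
 ! the link from TG to GP: default policy for anyone landing in this TG
 default-group-policy RA-GP
tunnel-group RA-TG webvpn-attributes
 ! the name shown in the client drop-down when tunnel-group-list is enabled
 group-alias RemoteAccess enable

! --- Optional per-user override of a GP attribute (local AAA case) ---
username alice attributes
 vpn-group-policy RA-GP
 ! shorter idle timeout for this one user; overrides the value in RA-GP
 vpn-idle-timeout 10
```

Reading it bottom-up follows the flow in the answer: the user selects (or is mapped to) RA-TG, RA-TG authenticates them and hands the session RA-GP, RA-GP assigns the address pool, DNS and split-tunnel settings and tells the ASA to push the RA-PROFILE XML, and per-user attributes (or attributes returned by RADIUS/LDAP) can override individual GP values for that session. When troubleshooting, checking `show vpn-sessiondb anyconnect` for the tunnel-group and group-policy a connected user actually landed in is the quickest way to confirm the mapping behaves as intended.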