03-22-2013 10:09 AM - edited 02-21-2020 06:46 PM
With Ameet Kulkarni
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about AnyConnect Secure Mobility with Cisco expert Ameet Kulkarni. Learn about the various aspects of AnyConnect Secure Mobility such as HostScan, Client and Clientless based remote access, policies, and more.
Ameet Kulkarni is a product manager within the Secure Access and Mobility Product Group. His areas of expertise revolve around AnyConnect & ISE with a focus on posture assessment and profiler technologies. Kulkarni has managed multiple products over his career in VoIP and Security industries. He is an engineer by education with a Master of Science in Telecommunication. He has had a broad exposure in software development, solution architecture, program management and product management.
Remember to use the rating system to let Ameet know if you have received an adequate response.
Ameet might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub community shortly after the event. This event lasts through April 5, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
03-25-2013 11:04 PM
The objective is that AnyConnect users don't have to select a group-alias, so when a user enters their username and password it should go to its specific tunnel-group and group-policy, as I have removed this command in webvpn: "no tunnel-group-list enable". Doing this, I cannot log in (the user does not authenticate).
1. My question is: why is it not happening?
Solution:
If I keep only one default tunnel-group and make multiple group-policies and assign each user its specific group-policy, then it works. This means that in the user attributes I only issue the following commands and it works, but if I put "group-lock value test-tunnel" then it does not log in.
Why is that so? Can we have only one tunnel in this case?
webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
username test password test
username test attributes
 vpn-tunnel-protocol svc
 group-lock value test-tunnel
 vpn-group-policy test-gp
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes
 group-url https://192.168.168.2/test enable
03-27-2013 08:35 AM
Can the Cisco Adaptive Security Appliance be connected to a RADIUS infrastructure to authenticate users?
03-27-2013 04:06 PM
Yes, the ASA can be connected to a RADIUS server for authentication purposes. It is quite common.
03-27-2013 04:09 PM
Hi,
What knowledge is required to achieve CCNP Security? In which order should I start to study? What comes first, CCNP R&S or CCNP Security? When can I start with CCNA Security? I need some information; please do the needful for me and tell me how to start. Is it true that I need to know how to install before securing it? I got some info from some sources which told me that I need to study CCNP R&S before CCNP Security because, before securing, it is necessary to know how to install. Is it true?
Thanks
03-27-2013 04:13 PM
You can find the details of the certification here: http://www.cisco.com/web/learning/certifications/index.html
03-27-2013 11:03 PM
Thanks Ameet for enlightening me on the above issue. But still, in the user attributes, if I map a user "testuser" to a tunnel-group ("group-lock test-tunnel") and a group-policy ("vpn-group-policy test policy"), then it does not log in. If I remove group-lock it works. So why has Cisco added group-lock in the user attributes, what is the purpose? I need to understand in detail, please.
03-28-2013 02:11 PM
John, what you are doing is locking the user to the tunnel group. So for the user to connect, you need to use group URL or pull down or certificate matching. When you remove the group-lock, the user goes into the default tunnel group and is probably hitting the default group policy that you have set up and hence is logging in.
Tunnel Group Lock is a simple check to validate whether the Tunnel Group (aka ASDM Connection Profile) you connect with matches what you have defined under the group-policy. If the Tunnel-Group-Lock value matches (true condition), the VPN remote access session is allowed to set up; otherwise the session is not allowed to establish.
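The following is an added model of the behaviour described in this answer, not ASA code or Cisco's implementation: it uses the tunnel-group, group-policy and user from the configuration posted above to show why the locked user is rejected when landing in the default connection profile but accepted when connecting through the group-url, and why removing the lock makes the default profile work. The selection order (group-url match, then pull-down alias, then DefaultWEBVPNGroup) and the override of the group-policy lock by the user-attribute lock are simplifying assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Name of the implicit default SSL VPN connection profile on the ASA.
DEFAULT_TUNNEL_GROUP = "DefaultWEBVPNGroup"


@dataclass
class TunnelGroup:
    name: str
    group_url: Optional[str] = None    # tunnel-group ... webvpn-attributes / group-url
    group_alias: Optional[str] = None  # group-alias offered in the pull-down (if listed)


@dataclass
class GroupPolicy:
    name: str
    group_lock: Optional[str] = None   # group-policy ... attributes / group-lock value


@dataclass
class User:
    name: str
    group_policy: GroupPolicy
    group_lock: Optional[str] = None   # username ... attributes / group-lock value


def select_tunnel_group(tunnel_groups: List[TunnelGroup], url: str, alias: Optional[str] = None) -> str:
    """Pick the connection profile the session lands in: group-url match, then alias, else default."""
    for tg in tunnel_groups:
        if tg.group_url and url.rstrip("/") == tg.group_url.rstrip("/"):
            return tg.name
    for tg in tunnel_groups:
        if alias and tg.group_alias == alias:
            return tg.name
    return DEFAULT_TUNNEL_GROUP


def effective_group_lock(user: User) -> Optional[str]:
    """A lock in the user attributes overrides the group-policy lock; None means no lock is enforced."""
    return user.group_lock if user.group_lock is not None else user.group_policy.group_lock


def session_allowed(user: User, tunnel_groups: List[TunnelGroup], url: str, alias: Optional[str] = None) -> bool:
    """The group-lock check: the profile the session landed in must equal the lock value (if any)."""
    landed = select_tunnel_group(tunnel_groups, url, alias)
    lock = effective_group_lock(user)
    return lock is None or lock == landed


# Constructed from the configuration posted earlier in this thread.
TUNNEL_GROUPS = [TunnelGroup("test-tunnel", group_url="https://192.168.168.2/test")]
TEST_GP = GroupPolicy("test-gp")
LOCKED_USER = User("test", TEST_GP, group_lock="test-tunnel")
UNLOCKED_USER = User("test", TEST_GP)
```

Connecting to the bare address lands the session in DefaultWEBVPNGroup, which fails the lock; the group-url lands it in test-tunnel, which passes.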
03-30-2013 09:40 AM
On My ASA Firewall I have anyconnect-win-3.0.5080-k9.pkg image. Some of the users have installed AnyConnect 2.5.3051 software on their machine. I just wanted to know, if there would be some issue in connecting or accessing VPN or other programs.
03-30-2013 01:11 PM
Both versions should co-exist just fine. I would suggest testing one 2.5 client if you are using CSD/HostScan to ensure compatibility.
The 2.5 client software and profiles will be updated unless you do one of the following:
A. Adjust the profile on the ASA to disable updates (the profile's auto-update setting set to "false").
B. Use a local policy to disable the AnyConnect downloader (BypassDownloader set to true). The client then does not check for any dynamic content present on the ASA, including profile updates, translations, customization, optional modules, and core software updates.
Refer to
04-01-2013 09:53 AM
What pcarco is saying is true for ASA 9.0 and AnyConnect 3.1 and above. If you have a newer version of AnyConnect on the ASA, the end users will automatically get upgraded to that version. The ability for end users to defer updates to a later time comes about from ASA 9.0 and AnyConnect 3.1.
03-30-2013 10:04 AM
When configuring AnyConnect using ASDM, it has two options for the VPN protocol to be used. One is SSL and the other is IPsec. Can we use IPsec as the protocol? Can you please assist here?
03-31-2013 03:33 PM
Hi Mohd, IPsec is for remote access VPN clients and SSL is for WebVPN or the AnyConnect client.
04-01-2013 08:49 AM
Mohd, pcarco provides a good quick summary of what AnyConnect can do with IPsec and SSL.
03-31-2013 06:08 PM
Yes, you can, but just note it is IPsec with IKEv2.
"Optimized Network Access - VPN Protocol Choice SSL (TLS and DTLS), and IPsec/IKEv2
AnyConnect now provides a choice of VPN protocols, allowing administrators to use whichever protocol best fits their business needs
• Tunneling support includes SSL (TLS and DTLS) and next-generation IPsec (Internet Key Exchange Version 2 [IKEv2])
• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access
• TLS (HTTP over TLS/SSL) ensures availability of network connectivity through locked-down environments, including those using web proxy servers
• IPsec/IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec"
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html