ASK THE EXPERT: Secure Mobility with AnyConnect 3.0

ciscomoderator
Community Manager
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to implement Secure VPN Mobility using Cisco AnyConnect with Cisco expert Naman Latif. Naman is a technical support engineer at the Cisco Technical Assistance Center for VPN and security technologies. His areas of expertise include configuration and troubleshooting for Cisco’s security product portfolio, including VPN, PKI and firewall technologies, as well as clients and the Cisco Adaptive Security Appliance (ASA).
 
Remember to use the rating system to let Naman know if you have received an adequate response.
 
Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security, VPN discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

42 Replies

mulatif
Cisco Employee

Welcome everyone to the discussion regarding Secure Mobility with AnyConnect 3.X.

Cisco AnyConnect is an important part of Cisco Borderless Networks and can be used to provide identity-based secure access in 802.1X networks. It also provides secure remote access using SSL VPN or IKEv2, and posture assessment to enforce compliance before an end host is allowed access to the corporate network.

Please see the links below to get familiar with the various components of AnyConnect 3.0:

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/at_a_glance_c45-653057.pdf

http://www.cisco.com/en/US/partner/netsol/ns1049/index.html

Good day Latif,

We are in the process of testing out AnyConnect 3.0 with the ASA and WSA.

I would like to seek your advice regarding the Host Scan feature on the AC.

We managed to get basic Host Scan (prelogin assessment) up and running with AnyConnect 3.0.
Quick query regarding the endpoint assessment for the scan for antivirus, firewall and antispyware.

We enabled (ticked) the endpoint assessment in the HostScan settings.
On the AnyConnect remote client side, how can I determine that the endpoint assessment has indeed checked my antivirus, firewall, etc.?
Is there any log on my AC client that indicates I have passed the endpoint assessment?
When we did a test VPN login, it logged me in successfully after the prelogin assessment.

So we're not too sure if it really did check the AV, firewall, etc., as we do not see it in the ASDM logs either.
We have only Microsoft Security Essentials installed on the AC client PC.

Please advise.

Regards: Jocelyn

Hi Jocelyn,

There are two ways you can check / get the information on the host assessment.

1. You can enable "debug dap trace" on the ASA, and it will give you details of what was checked on the client PC.

2. You can enable "CSD" debugging in ASDM:

   Configuration -> Remote Access VPN -> Secure Desktop Manager -> Global Settings

   After enabling the logging, the logs are stored at the location below:

   C:\Users\cisco123\AppData\Local\Cisco\Cisco HostScan\log

Please note that when using option 2, the logs should only be enabled during troubleshooting, as the logs are in clear text and can be read by the user.

Thanks,

Naman

Thanks Naman for your info,

We have tested the options and came up with the following results in the log:

[cscan][info][scan_software_basic] performing basic software scan.
[cscan][info][scan_software_basic] searching for firewall products.
[cscan][info][scan_software_basic] searching for antivirus/antispyware products.
[cscan][info][scan_perform_scan] scanning complete.

We have "Endpoint Assessment ver 3.4.17.1" enabled on our ASA; however, we do not have the Advanced Endpoint Assessment.

From the above log, can we conclude that the AC client has passed the AV and anti-spyware checks?

On a side note: is there any chance to obtain a trial license for the Advanced Endpoint Assessment?

Please advise.

Regards: Jocelyn

Hi Jocelyn,

The log you posted shows that CSD / Host Scan is active; however, to get more detailed results you can look at "debug dap trace" on the ASA, and that should provide you more details on what was discovered.

As for the "Advanced Endpoint Assessment License", it depends on whether you need remediation capabilities. If you only need to test for compliance, and then the user can initiate the AV update manually, then you don't need the Advanced license.

However, you can contact your Cisco account team to get you an Advanced license (trial), and you can test it in your environment if that is something which might be beneficial.

Thanks,

Naman
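As an added illustration of the distinction Naman draws (the client log proves Host Scan ran, not that the posture policy passed), here is a small parser for the `[cscan][level][function] message` lines quoted in this thread. This is example code written for this page, not Cisco's; the line format is assumed from the four lines Jocelyn posted, and the sample log is constructed, with one extra non-info line added to show how such entries are surfaced.

```python
import re
from typing import Dict, List

# Line shape inferred from the four lines quoted in the thread (assumption):
# [cscan][<level>][<function>] <message>
CSCAN_LINE = re.compile(
    r"^\[cscan\]\[(?P<level>\w+)\]\[(?P<func>\w+)\]\s*(?P<msg>.*)$"
)

# Constructed sample: the thread's four lines plus one made-up "warn" line.
SAMPLE_LOG = """\
[cscan][info][scan_software_basic] performing basic software scan.
[cscan][info][scan_software_basic] searching for firewall products.
[cscan][info][scan_software_basic] searching for antivirus/antispyware products.
[cscan][warn][scan_software_basic] constructed example: product lookup retried.
[cscan][info][scan_perform_scan] scanning complete.
"""


def parse_cscan(text: str) -> List[Dict[str, str]]:
    """Return one dict (level, func, msg) per well-formed [cscan] line.

    Lines that do not match the format are skipped rather than guessed at.
    """
    entries = []
    for line in text.splitlines():
        m = CSCAN_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Report what the client-side log can and cannot tell you.

    'searched'  - product categories Host Scan looked for
    'completed' - the scan itself finished (scan_perform_scan ... complete)
    'issues'    - any non-info entries worth reading before trusting the run
    Whether the endpoint *passed* is decided by DAP on the ASA, so it is
    deliberately not derived here; use "debug dap trace" for that.
    """
    searched = []
    for e in entries:
        m = re.match(r"searching for (.+?) products\.", e["msg"])
        if m:
            searched.append(m.group(1))
    completed = any(
        e["func"] == "scan_perform_scan" and "complete" in e["msg"]
        for e in entries
    )
    issues = [e for e in entries if e["level"] != "info"]
    return {"searched": searched, "completed": completed, "issues": issues}
```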

How can I load a license on a Home Agent (SAMI module) installed in a 7606-S router?

Hi,

I believe that you posted this in the wrong forum by mistake, as I can see your posts in other relevant forums. I hope that you will get an answer from the other forums, and if you don't get a reply, you can always open a TAC case to address the issue.

Thanks,

Naman

Repost from my own thread, but maybe you have some info which may be of use to me.

I have a Cisco ASA 5500 Series appliance.

I'd like to use the embedded CA.
There’s no documentation which states that an AnyConnect Essentials license will suffice over an AnyConnect Premium license.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html hints at Essentials being enough, as it specifically mentions that some features require Premium, but I really need to be sure.

gthjohansson
Level 4

Hello Latif,

I have two questions today.

1. Is there an option for administrators to restrict updates of the client software? For instance, if a company has deployed AnyConnect VPN and NAM version 3.0, and one of the employees then connects with AnyConnect to a customer location which has a newer AnyConnect client set up but only distributes VPN and not the NAM?

2. When using AnyConnect Always-On, is there any way to provide only basic connectivity by default, but allow the user to authenticate for more access?

For instance: by default the computer would have access for the WSA integration and Unified Communications environment, but would need to authenticate to get access to business applications?

Regards

Gudmundur Thor Johannsson

Hi Gudmundur,

1. You can restrict the updates (client, profiles, etc.) from an unauthorized ASA by using the feature below:

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html#wp1099961

2. For Always-On VPN, an exception can be made where users are allowed access to non-corporate resources. More information on this is at:

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1230226

Let me know if you need any further information.

Thanks,

Naman

mulatif
Cisco Employee

Hi Jagex,

You will need the "AnyConnect Mobile" license in addition to the Premium or Essentials license.

But as for the original question, the Essentials license will work as long as you also have the "AnyConnect Mobile" license installed.

Thanks,

Naman

Jonathan Tomlin
Level 1

Sorry! I thought this covered all AnyConnect questions, so I'm removing my post.

Feel free to delete this posting.

Thanks!

Hi Jonathan,

Not a problem. I can try to answer your question.

I just tested this in the lab, and the procedure that you are trying to follow works. However, you are changing the secondary username and password, and you will only be able to view those changes if using "Secondary Authentication"?

Also, after making the changes through ASDM, you will need to make sure:

1. You connect to the ASA at least once. Then the transform will be downloaded and applied to the AnyConnect GUI.

2. Also make sure that the ASA is authorized (if using AnyConnect 3.X) by editing the "preferences_global" file.

   (Location: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client --> on Windows XP

   Location: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client --> on Vista / Win 7)

   This can be done by specifying the domain name in the "defaultdomain" field. E.g. if you access your ASA using myasa.domain.com, then you can specify domain.com.

3. After a successful connection, you should see a transform set downloaded. This will be a folder named similar to "l10n" (etc.) in the same location as above in step 2.

4. Now close the AnyConnect GUI and connect again. You should see the changes.

Thanks,

Naman

J_Vansen_S
Level 3

Hi Naman,

We are in the process of testing AC on mobile/tablet devices: iPad/iPhone.

A few doubts that we would like to enquire about.

1. Once connected via VPN to the enterprise network, is the iPad capable of accessing Windows shared folders within the enterprise, aka file server access? If so, what sort of app do we need to install? I believe RDP isn't an issue.
2. Since we have the AC Mobile license, are we able to restrict down to which users are entitled to utilize their iPad/iPhone for VPN access and which users are denied mobile access (PC access only)?
3. Is AnyConnect supported on Android devices, e.g. Galaxy Tab? If so, are they readily available for download from the Android Market?

Please advise.

Regards: Jocelyn
