Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8362
Views
20
Helpful
21
Replies

ASK THE EXPERTS - ANYCONNECT SSL VPN CLIENT ON ASA THROUGH ASDM

ciscomoderator
Community Manager
Community Manager

‎12-14-2010 04:07 PM - edited ‎02-21-2020 05:01 PM

Welcome to the Cisco Networking Professionals Ask the Expert conversation.   This is an opportunity to learn about configuration basics of AnyConnect Secure Sockets Layer VPN Client on Adaptive Security Appliances through Adaptive Security Device Manager with Vikas Saxena. Vikas has been a customer support engineer at the Cisco Technical Assistance Center since 2003. Currently he is associated with the Security and VPN teams. His areas of expertise include VPN, firewalls, public key infrastructure, Cisco Security Manager, intrusion prevention systems, and Linux. He holds CCIE certification #19971 in Security.

Remember to use the rating system to let Vikas know if you have received an adequate response.

Vikas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the  unanswered questions in other discussion forums shortly after the  event. This event lasts through December 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

Labels:
0 Helpful
21 Replies 21

ciscobigcat
Level 1
Level 1
In response to Jay Young

‎12-21-2010 01:02 PM

Jay, this is good stuff. Thank you. I'll check that out.

0 Helpful

Jay Young
Cisco Employee
Cisco Employee
In response to ddawson

‎12-21-2010 02:35 PM

ddawson,

From my understanding of what you are asking it seems that you would like to check for the presence of something that was put on the computer by your IT department.  That way you can validate whether it is a corporate assest or a home user's computer.  There are various different ways to do this.

1)  You can use client certificate authentication.  You give each client computer a certificate and use that for an authentication method.

2)  You can use CSD/Host scan to search for the presence of either a registry key.

3)  You can use CSD/Host scan to search for the presence of a file on the system.

Hope that helps.

-Jay

0 Helpful

ddawson
Level 1
Level 1
In response to Jay Young

‎12-21-2010 03:23 PM

Jay,

Thanks for the reply.  I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated.  I had assumed I'd need to use CSD to check for files and/or registry entries, but my main question is what sorts of things are generally considered reliable and not easily bypassed by simply copying the correct file(s) or keys to what would otherwise be a non-authorized machine.  I'm guessing a registry entry would be more useful, but I'm curious what the current, if any, "best practice" is for such system watermarking.  I agree that certificates would probably be the best solution, but I don't think they're an option.

Thanks again!

Dana

0 Helpful

Jay Young
Cisco Employee
Cisco Employee
In response to ddawson

‎12-22-2010 07:16 AM

Dana,

Certificates pushed from your AD as non-exportable is really the only way to be sure.  The other ones are really "security by obsecurity", put a marker in an obsecure place.  You are correct, if users figure out what file needs to be put where they can definitely just copy over the file.

I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated.

You can do both!  You can require the use of certificate authentication and a user/password (which is checked against the RSA database).

tunnel-group TunnelGroupName webvpn-attributes

     authentication aaa certificate

Hope that helps.

-Jay

ddawson
Level 1
Level 1
In response to Jay Young

‎12-22-2010 09:12 AM

Thanks, Jay - yes that does help.  I don't have direct involvement in the imaging or configuration of the corporate systems, but I'll see if I can get something done with certificates.  There's a chance there's already an appropriate cert in these systems, so that might be another option.  If so, I guess I don't really need to use it for authentication per se, I just need to check to see if it's there.  As long as it's non-exportable I should be all set, as long as out IT folks don't make it available for installation to the general user population.

Thanks again!  You've given me great information to head in what I think is the best direction.

Dana

0 Helpful

breich3155
Level 1
Level 1

‎12-21-2010 02:36 PM

Hi all,

I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:

1) Log on with username/password using Cisco AnyConnect VPN Client

2) Log-in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log-in. However I get the following error:

Run-time error '7':

Out of memory

My company's network services didn't seem to be much of a help so I was hoping one of you would have a good suggestion(s).

Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.)  I should add that the version of CCA is 4.1.10

Thanks in advance!

-Bill

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to breich3155

‎01-06-2011 01:52 AM

Hello William,

This looks like a software conflict between CCA and some software. I will suggest you to open up a TAC case so that a NAC engineer can take a look at this.

Thanks

Vikas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents