Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about configuration basics of AnyConnect Secure Sockets Layer VPN Client on Adaptive Security Appliances through Adaptive Security Device Manager with Vikas Saxena. Vikas has been a customer support engineer at the Cisco Technical Assistance Center since 2003. Currently he is associated with the Security and VPN teams. His areas of expertise include VPN, firewalls, public key infrastructure, Cisco Security Manager, intrusion prevention systems, and Linux. He holds CCIE certification #19971 in Security.
Remember to use the rating system to let Vikas know if you have received an adequate response.
Vikas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
From my understanding of what you are asking it seems that you would like to check for the presence of something that was put on the computer by your IT department. That way you can validate whether it is a corporate asset or a home user's computer. There are various different ways to do this.
1) You can use client certificate authentication. You give each client computer a certificate and use that for an authentication method.
2) You can use CSD/Host scan to search for the presence of a registry key.
3) You can use CSD/Host scan to search for the presence of a file on the system.
Hope that helps.
Thanks for the reply. I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated. I had assumed I'd need to use CSD to check for files and/or registry entries, but my main question is what sorts of things are generally considered reliable and not easily bypassed by simply copying the correct file(s) or keys to what would otherwise be a non-authorized machine. I'm guessing a registry entry would be more useful, but I'm curious what the current, if any, "best practice" is for such system watermarking. I agree that certificates would probably be the best solution, but I don't think they're an option.
Certificates pushed from your AD as non-exportable is really the only way to be sure. The other ones are really "security by obscurity", put a marker in an obscure place. You are correct, if users figure out what file needs to be put where they can definitely just copy over the file.
I can't use certificate authentication since RADIUS w/ SecurID authentication is already mandated.
You can do both! You can require the use of certificate authentication and a user/password (which is checked against the RSA database).
tunnel-group TunnelGroupName webvpn-attributes
authentication aaa certificate
Hope that helps.
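For readers who want to see the two lines above in the context of a full tunnel group, here is an added ASA CLI example (not Jay's or Cisco's own configuration): it binds a RADIUS server group for the RSA/SecurID check to the tunnel group and then requires both a client certificate and AAA credentials. The server-group name RSA-RADIUS, the interface name inside, the host address 10.0.0.5 and the group-policy name are assumptions; substitute your own.

```text
! Assumed RADIUS server group pointing at the RSA Authentication Manager
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! Remote-access tunnel group used by the AnyConnect connection profile
tunnel-group TunnelGroupName type remote-access
tunnel-group TunnelGroupName general-attributes
 ! User/password is validated against the RSA database via RADIUS
 authentication-server-group RSA-RADIUS
 default-group-policy AnyConnectPolicy
tunnel-group TunnelGroupName webvpn-attributes
 ! Require BOTH a valid client certificate and AAA credentials;
 ! "authentication aaa" alone would skip the machine-certificate check
 authentication aaa certificate
```

The certificate half only proves corporate ownership if the issuing CA is trusted on the ASA and the client certificate was deployed as non-exportable, as discussed above.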
Thanks, Jay - yes that does help. I don't have direct involvement in the imaging or configuration of the corporate systems, but I'll see if I can get something done with certificates. There's a chance there's already an appropriate cert in these systems, so that might be another option. If so, I guess I don't really need to use it for authentication per se, I just need to check to see if it's there. As long as it's non-exportable I should be all set, as long as our IT folks don't make it available for installation to the general user population.
Thanks again! You've given me great information to head in what I think is the best direction.
I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:
1) Log on with username/password using Cisco AnyConnect VPN Client
2) Log in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log in. However I get the following error:
Run-time error '7':
Out of memory
My company's network services didn't seem to be much of a help so I was hoping one of you would have a good suggestion(s).
Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.) I should add that the version of CCA is 4.1.10
Thanks in advance!