03-29-2016 04:56 AM - edited 02-21-2020 08:44 PM
Hello,
I'm about to deploy a CISCO AnyConnect 4.2 solution using an ASA5505 (ASA 9.2 - ASDM 7.5) for my company.
The IT manager wants the first deployment of AnyConnect on devices to occur only while connected to the company's network, not another. Does the ASA offer this possibility? Also, he wants to secure the mobility solution by doing double authentication; is it possible to do RADIUS + certificate authentication?
Thanks for helping me out, because I don't find anything on Google, especially for the first question.
Sincerely.
03-29-2016 06:50 AM
When you deploy AnyConnect it's over SSL. If you don't bind the SSL certificate to the ASA's outside interface, you could instead bind it to the internal interface and launch your VPN from there. While it probably doesn't make sense VPN-wise it would suffice to deploy a client. In the production configuration however, there's no option to restrict what network the clients are coming from.
Two factor is a common use case for VPN authentication. If you have a PKI that's issuing client certificates you can certainly combine that with RADIUS authentication. You can even prefill the username from the certificate and prevent end users from using anything else during the login process.
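Here is what the certificate-plus-RADIUS setup described above looks like in ASA CLI, as an added example that is not from the original thread or from Cisco's own documentation. The names RADIUS-SRV, CORP-CA, CORP-GP, CORP-VPN and CORP-PROFILE, the 192.0.2.10 server address and the disk0: file paths are assumed placeholders.

```cisco
! RADIUS server group used as the second factor (placeholder address and key)
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Trustpoint holding the internal CA that issues the client certificates
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure
!
! Group policy: AnyConnect client only, user profile pushed from the ASA
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value CORP-PROFILE type user
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 ! require BOTH a valid client certificate AND a RADIUS (AAA) login
 authentication aaa certificate
 ! take the username from the certificate CN so the user cannot type another one
 pre-fill-username ssl
 username-from-certificate CN
 group-alias corp enable
!
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-win-4.2-k9.pkg> 1
 anyconnect profiles CORP-PROFILE disk0:/<corp-profile.xml>
 anyconnect enable
```

With `authentication aaa certificate`, a client that presents no certificate chaining to CORP-CA is rejected before the RADIUS prompt is ever shown, so a stolen password alone does not open the tunnel.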
03-29-2016 06:50 AM
Hi Marvin,
Thank you very much for the quick reply. That's what I thought, but to convince my boss I had to be sure.
Sincerely yours,
Abdel.
03-29-2016 07:03 AM
You're welcome. Please mark your question as answered if it has been.
03-30-2016 06:35 AM
With a control plane ACL you can restrict which networks can connect to your interface (tunnel endpoint).
So you can permit your internal network to connect with HTTPS to the interface which is your AnyConnect endpoint and deny any other.
You can configure this in the ASDM under:
Configuration > Device Management > Management Access > Management Access Rules
Hope this helps you
03-30-2016 08:59 PM
Hi Zierut,
Thanks for answering.
The management access rules, I think, apply only to ASDM and ASA logins, no? Plus, what they want in my company is that the first connection, to be able to deploy AnyConnect on a device, has to be from the company's network.
Example: if you're at our company and you want to use AnyConnect (our VPN), to be able to deploy it for the first time on your machine you have to be on the internal network, and this without deactivating the outside interface.
This is pretty complicated, because on the ASA we can't shut the login portal (from where we download the AnyConnect package) on only one interface and permit it on the other while the Clientless option stays activated. If we uncheck inside or outside in the options of the AnyConnect or Clientless settings, we can't connect at all from the unchecked interface, and if I shut down the login portal it applies to both inside and outside.
If I could permit the login portal only from the inside and keep the possibility to connect with AnyConnect on the outside int. once deployed on a device, it would be the appropriate solution.
Sincerely yours.
03-31-2016 06:33 AM
What's the rationale for only wanting to deploy while on the inside network?
It seems like a lot of work to go through for what seems on the face of it to be a bit of an unusual requirement.
No matter where a client gets the AnyConnect software, the thing that governs how it behaves and what it allows is in the profile - an XML file whose master copy is stored on the ASA. The profile is checked and (if necessary) updated every time a remote client logs into the VPN.
04-01-2016 08:25 AM
For your use case, you can indicate to your users the trusted VPN address they need to enter in AnyConnect where you are configuring your ASA appliance, i.e.:
office.mycompanyVPN.com
And in the AnyConnect settings select:
“Block connections to untrusted servers”
For two factor authentication, you can use LoginTC and leverage your RADIUS authentication without the hassle of certificates. A complete guideline to enable a CISCO appliance with LoginTC can be found here:
04-02-2016 02:34 AM
Hi Mark,
Thanks for your reply.
My company doesn't want to go through cloud services for the two-factor authentication. I showed some solutions like DUO and LoginTC to the managers and they don't want them. Now that we are talking about authentication, what about authorization? By that I mean permitting or revoking access to some servers for some employees according to Active Directory groups.
Also, the manager now wants to deactivate the web login (web portal) on the outside interface but keep permitting AnyConnect Mobile and PC to connect. I tried to do that, but when we disable the web login on the outside interface, AnyConnect on mobile and PC won't work. Can I do that by using ACLs?
Thank you very much.
Sincerely