How does a virtual private network [VPN] work?
A VPN extends a corporate network through encrypted connections made over the Internet. Because the traffic is encrypted between the device and the network, traffic remains private as it travels. An employee can work outside the office and still securely connect to the corporate network. Even smartphones and tablets can connect through a VPN.
What is secure remote access?
Secure remote access provides a safe, secure way to connect users and devices remotely to a corporate network. It includes VPN technology that uses strong methods to authenticate the user or device. VPN technology can also check whether a device meets certain requirements, also called the device's posture, before it is allowed to connect remotely.
Is VPN traffic encrypted?
Yes, traffic on the virtual network is sent securely by establishing an encrypted connection across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet, or smartphone is encrypted as it travels through this tunnel. Offsite employees can then use the virtual network to access the corporate network.
Remote Access VPN
Secure Firewall Threat Defense Remote Access VPN Overview
Secure Firewall Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-IKEv2 VPNs. The full tunnel client, AnyConnect Secure Mobility Client, provides secure SSL and IPsec-IKEv2 connections to the security gateway for remote users. AnyConnect is the only client supported on endpoint devices for remote VPN connectivity to Secure Firewall Threat Defense devices. The client gives remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators to install and configure clients on remote computers. The AnyConnect client for Windows, Mac, and Linux is deployed from the secure gateway upon connectivity. The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store.
Use the Remote Access VPN Policy wizard in the Secure Firewall Management Center to quickly and easily set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration if desired and deploy it to your Secure Firewall Threat Defense secure gateway devices.
You can configure the following settings using the remote access VPN policy:
Two-Factor Authentication
Secondary Authentication
Manage Password Changes over VPN Sessions
Send Accounting Records to the RADIUS Server
Override the Selection of Group Policy or Other Attributes by the Authorization Server
Deny VPN Access to a User Group
Restrict Connection Profile Selection for a User Group
You can use the following examples to allocate limited bandwidth to VPN users and to use VPN identity for user-id based access control rules:
How to Limit AnyConnect Bandwidth Per User
How to Use VPN Identity for User-id Based Access Control Rules
Remote Access VPN Features
The following section describes the features of Secure Firewall Threat Defense remote access VPN:
SSL and IPsec-IKEv2 remote access using the Cisco AnyConnect Secure Mobility Client.
Secure Firewall Management Center supports all combinations such as IPv6 over an IPv4 tunnel.
Configuration support on both management center and device manager. Device-specific overrides.
Support for both Secure Firewall Management Center and threat defense HA environments.
Support for multiple interfaces and multiple AAA servers.
Rapid Threat Containment support using RADIUS CoA or RADIUS dynamic authorization.
Support for DTLS v1.2 protocol with Cisco AnyConnect Secure Mobility Client version 4.7 or higher.
AnyConnect client modules support for additional security services for RA VPN connections.
VPN load balancing.
AAA
Server authentication using self-signed or CA-signed identity certificates.
AAA username and password-based remote authentication using RADIUS server or LDAP or AD.
RADIUS group and user authorization attributes, and RADIUS accounting.
Double authentication support using an additional AAA server for secondary authentication.
NGFW Access Control integration using VPN Identity.
LDAP or AD authorization attributes using Secure Firewall Management Center web interface.
Support for single sign-on using SAML 2.0.
Support for multiple identity provider trustpoints with Microsoft Azure that can have multiple applications for the same Entity ID, but a unique identity certificate.
VPN Tunneling
Address assignment
Split tunneling
Split DNS
Client Firewall ACLs
Session Timeouts for maximum connect and idle time
Monitoring
New VPN Dashboard Widget showing VPN users by various characteristics such as duration and client application.
Remote access VPN events including authentication information such as username and OS platform.
Tunnel statistics available using the threat defense Unified CLI.
AnyConnect Components
AnyConnect Secure Mobility Client Deployment
Your remote access VPN Policy can include the AnyConnect Client Image and an AnyConnect Client Profile for distribution to connecting endpoints. Or, the client software can be distributed using other methods. See the Deploy AnyConnect chapter in the appropriate version of the Cisco AnyConnect Secure Mobility Client Administrator Guide.
Without a previously installed client, remote users enter in their browser the IP address of an interface configured to accept SSL or IPsec-IKEv2 VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, remote users must enter the URL in the form https://address. After the user enters the URL, the browser connects to that interface and displays the login screen.
After a user logs in, if the secure gateway identifies the user as requiring the VPN client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself [depending on the security appliance configuration] when the connection stops. In the case of a previously installed client, after login, the Secure Firewall Threat Defense security gateway examines the client version and upgrades it as necessary.
AnyConnect Secure Mobility Client Operation
When the client negotiates a connection with the security appliance, the client connects using Transport Layer Security [TLS], and optionally, Datagram Transport Layer Security [DTLS]. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
When an IPsec-IKEv2 VPN client initiates a connection to the secure gateway, negotiation consists of authenticating the device through Internet Key Exchange [IKE], followed by user authentication. [The user credentials are carried inside the IKEv2 IKE_AUTH exchange, typically as EAP; IKE Extended Authentication, Xauth, is an IKEv1 mechanism and is not part of IKEv2.] The group profile is pushed to the VPN client and an IPsec security association [SA] is created to complete the VPN.
AnyConnect Client Profile and Editor
An AnyConnect client profile is a group of configuration parameters, stored in an XML file that the VPN client uses to configure its operation and appearance. These parameters [XML tags] include the names and addresses of host computers and settings to enable more client features.
You can configure a profile using the AnyConnect Profile Editor. This editor is a convenient GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the Secure Firewall Management Center.
Remote Access VPN Authentication
Remote Access VPN Server Authentication
Secure Firewall Threat Defense secure gateways always use certificates to identify and authenticate themselves to the VPN client endpoint.
While setting up the remote access VPN configuration using the wizard, you can enroll the selected certificate on the targeted Secure Firewall Threat Defense device. In the wizard, under the Access & Certificate phase, select the "Enroll the selected certificate object on the target devices" option. Certificate enrollment is then initiated automatically on the specified devices. As you complete the Remote Access VPN configuration, you can view the status of the enrolled certificate on the device certificate page; the status shows whether enrollment succeeded or failed. Your Remote Access VPN configuration is then complete and ready for deployment.
Obtaining a certificate for the secure gateway, also known as PKI enrollment, is explained in Certificates. This chapter contains a full description of configuring, enrolling, and maintaining gateway certificates.
Remote Access VPN Client AAA
For both SSL and IPsec-IKEv2, remote user authentication is done using usernames and passwords only, certificates only, or both.
Note | If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates. |
AAA servers enable managed devices acting as secure gateways to determine who a user is [authentication], what the user is permitted to do [authorization], and what the user did [accounting]. Some examples of the AAA servers are RADIUS, LDAP/AD, TACACS+, and Kerberos. For Remote Access VPN on Secure Firewall Threat Defense devices, AD, LDAP, and RADIUS AAA servers are supported for authentication.
Refer to the section Understanding Policy Enforcement of Permissions and Attributes to understand more about remote access VPN authorization.
Before you add or edit the Remote Access VPN policy, you must configure the Realm and RADIUS server groups you want to specify. For more information, see Create a Realm and Realm Directory and Add a RADIUS Server Group.
Without DNS configured, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames, it can only resolve IP addresses.
The login information provided by a remote user is validated by an LDAP or AD realm or a RADIUS server group. These entities are integrated with the Secure Firewall Threat Defense secure gateway.
Note | If users authenticate with RA VPN using Active Directory as the authentication source, users must log in using their username; the format domain\username or username@domain fails. [Active Directory refers to this username as the logon name or sometimes as sAMAccountName.] For more information, see User Naming Attributes on MSDN. If you use RADIUS to authenticate, users can log in with any of the preceding formats. |
Once authenticated via a VPN connection, the remote user takes on a VPN Identity. This VPN Identity is used by identity policies on the Secure Firewall Threat Defense secure gateway to recognize and filter network traffic belonging to that remote user.
Identity policies are associated with access control policies, which determine who has access to network resources. In this way, the remote user is blocked from or allowed to access your network resources.
For more information, see the About Identity Policies and Access Control Policies sections.
Understanding Policy Enforcement of Permissions and Attributes
The Secure Firewall Threat Defense device supports applying user authorization attributes [also called user entitlements or permissions] to VPN connections from an external authentication server and/or authorization AAA server [RADIUS] or from a group policy on the Secure Firewall Threat Defense device. If the Secure Firewall Threat Defense device receives attributes from the external AAA server that conflict with those configured on the group policy, the attributes from the AAA server always take precedence.
The Secure Firewall Threat Defense device applies attributes in the following order:
User attributes on the external AAA server—The server returns these attributes after successful user authentication and/or authorization.
Group policy configured on the Secure Firewall Threat Defense device—If a RADIUS server returns the value of the RADIUS Class attribute IETF-Class-25 [OU=group-policy] for the user, the Secure Firewall Threat Defense device places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.
Group policy assigned by the Connection Profile [also known as Tunnel Group]—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication.
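The precedence above, worked through as an added Python example. This is illustrative code written for this page, not Cisco code and not the device's implementation: the group-policy and connection-profile names, and attribute names such as idle_timeout and split_tunnel, are constructed; the only things taken from the text are the order of precedence and the OU=group-policy form of the RADIUS Class attribute. The page does not say what happens when Class names a group policy that does not exist on the device, so the example simply keeps the profile's default policy in that case.

```python
"""Model of the authorization-attribute precedence described above.

Added example, not Cisco code. Policy, profile and attribute names are
constructed; only the precedence order and the 'OU=<group-policy>' Class
format come from the text.
"""
import re

# Constructed group policies as an administrator might define them on the device.
GROUP_POLICIES = {
    "DfltGrpPolicy": {"idle_timeout": 30, "split_tunnel": "tunnelall", "vlan": None},
    "Engineering": {"idle_timeout": 60, "split_tunnel": "eng-split-acl", "vlan": 200},
}

# Constructed connection profiles; each carries a default group policy that
# applies to the connection before authentication.
CONNECTION_PROFILES = {
    "DefaultWEBVPNGroup": {"default_group_policy": "DfltGrpPolicy"},
}

# RADIUS Class (IETF attribute 25) is expected in the form 'OU=<group-policy-name>'.
CLASS_RE = re.compile(r"^OU=(?P<name>[^;]+)$")


def group_policy_from_class(aaa_attrs):
    """Return the group-policy name carried in the Class attribute, or None
    when the attribute is absent or not in the OU= form."""
    value = aaa_attrs.get("Class")
    if value is None:
        return None
    m = CLASS_RE.match(value.strip())
    return m.group("name") if m else None


def effective_attributes(aaa_attrs, profile_name):
    """Merge in precedence order and return (attributes, group_policy_name).

    1. Start from the connection profile's default group policy.
    2. If the AAA server's Class attribute names a group policy that exists
       on the device, switch to that policy. (Assumption: an unknown name is
       ignored and the default policy is kept; the text does not cover it.)
    3. Overlay user attributes returned by the AAA server; they win on conflict.
    Class itself is a selector, not an entitlement, so it is not overlaid.
    """
    policy_name = CONNECTION_PROFILES[profile_name]["default_group_policy"]
    named = group_policy_from_class(aaa_attrs)
    if named in GROUP_POLICIES:
        policy_name = named
    merged = dict(GROUP_POLICIES[policy_name])
    for key, value in aaa_attrs.items():
        if key != "Class":
            merged[key] = value
    return merged, policy_name


if __name__ == "__main__":
    # Constructed RADIUS reply: selects the Engineering policy and overrides one attribute.
    reply = {"Class": "OU=Engineering", "idle_timeout": 15}
    print(effective_attributes(reply, "DefaultWEBVPNGroup"))
```

The point to check in your own deployment is the first step: an attribute the RADIUS server returns overrides the group policy silently, so a permissive value coming back from the AAA server wins even when the group policy on the device is tighter.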
Understanding AAA Server Connectivity
LDAP, AD, and RADIUS AAA servers must be reachable from the Secure Firewall Threat Defense device for your intended purposes: user-identity handling only, VPN authentication only, or both activities. AAA servers are used in remote access VPN for the following activities:
User-identity handling—the servers must be reachable over the Management interface.
On the Secure Firewall Threat Defense device, the Management interface has a separate routing process and configuration from the regular interfaces used by VPN.
VPN authentication—the servers must be reachable over one of the regular interfaces: the Diagnostic interface or a data interface.
For regular interfaces, two routing tables are used. A management-only routing table for the Diagnostic interface as well as any other interfaces configured for management-only, and a data routing table used for data interfaces. When a route-lookup is done, the management-only routing table is checked first, and then the data routing table. The first match is chosen to reach the AAA server.
Note | If you place an AAA server on a data interface, be sure the management-only routes do not match traffic destined for a data interface. For example, if you have a default route through the Diagnostic interface, then traffic will never fall back to the data routing table. Use the show route management-only and show route commands to verify routing determination. |
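The lookup order and the pitfall in the note, modelled as an added Python example. This is not Cisco code: the interface names, prefixes and AAA server address are constructed, and longest-prefix selection within a single table is an assumption the text does not state. With a default route in the management-only table, the AAA server sitting behind a data interface is never reached through that interface:

```python
"""Model of the two-table route lookup for reaching an AAA server.

Added example for illustration, not Cisco code. Interface names, prefixes
and the AAA server address are constructed; longest-prefix match within a
single table is an assumption.
"""
import ipaddress

# Constructed AAA server located behind a data interface.
AAA_SERVER = "10.20.0.5"

# Constructed data routing table: the AAA server's subnet is reachable via 'inside'.
DATA_TABLE = [
    {"prefix": "10.20.0.0/16", "interface": "inside"},
    {"prefix": "0.0.0.0/0", "interface": "outside"},
]

# Management-only table carrying a default route through the Diagnostic
# interface: the misconfiguration the note warns about.
BROKEN_MGMT_TABLE = [
    {"prefix": "0.0.0.0/0", "interface": "diagnostic"},
]

# Management-only table that carries only the management subnet itself.
FIXED_MGMT_TABLE = [
    {"prefix": "192.168.45.0/24", "interface": "diagnostic"},
]


def lookup(destination, mgmt_only_table, data_table):
    """Return (table_name, interface) chosen for destination.

    Mirrors the order in the text: the management-only table is consulted
    first, and if any route in it matches, that match is used and the data
    table is never examined. Returns (None, None) when nothing matches.
    """
    dst = ipaddress.ip_address(destination)
    for table_name, table in (("management-only", mgmt_only_table), ("data", data_table)):
        matches = [r for r in table if dst in ipaddress.ip_network(r["prefix"])]
        if matches:
            best = max(matches, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)
            return table_name, best["interface"]
    return None, None


def aaa_path_ok(destination, mgmt_only_table, data_table, expected_interface):
    """True when the AAA server is reached through the interface the
    administrator intended; False when a management-only route swallows it."""
    _, iface = lookup(destination, mgmt_only_table, data_table)
    return iface == expected_interface


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_MGMT_TABLE), ("fixed", FIXED_MGMT_TABLE)):
        print(label, lookup(AAA_SERVER, table, DATA_TABLE))
```

On the device itself the equivalent check is the pair of commands the note names: confirm with show route management-only that no entry there covers the AAA server address, then confirm with show route that the data table has the route you expect.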
For both activities on the same AAA servers, in addition to making the servers reachable over the Management interface for user-identity handling, do one of the following to provide VPN authentication access to the same AAA servers:
Enable and configure the Diagnostic interface with an IP address on the same subnet as the Management interface, and then configure a route to the AAA server through this interface. The Diagnostic interface access will be used for VPN activity, the Management interface access for identity handling.
Note | When configured this way, you cannot also have a data interface on the same subnet as the Diagnostic and Management interfaces. If you want the Management interface and a data interface on the same network, for example when using the device itself as a gateway, you will not be able to use this solution because the Diagnostic interface must remain disabled. |
Configure a route through a data interface to the AAA server. The data interface access will be used for VPN activity, the Management interface access for user-identity handling.
For more information about various interfaces, see Regular Firewall Interfaces.
After deployment, use the following CLI commands to monitor and troubleshoot AAA server connectivity from the Secure Firewall Threat Defense device:
show aaa-server to display AAA server statistics.
show route management-only to view the management-only routing table entries.
show network and show network-static-routes to view the Management interface default route and static routes.
show route to view data traffic routing table entries.
ping system and traceroute system to verify the path to the AAA server through the Management interface.
ping interface ifname and traceroute destination to verify the path to the AAA server through the data interfaces.
test aaa-server authentication and test aaa-server authorization to test authentication and authorization on the AAA server.
clear aaa-server statistics groupname or clear aaa-server statistics protocol protocol to clear AAA server statistics by group or protocol.
aaa-server groupname active host hostname to activate a failed AAA server, or aaa-server groupname fail host hostname to fail an AAA server.
debug ldap level, debug aaa authentication, debug aaa authorization, and debug aaa accounting.
License Requirements for Remote Access VPN
Threat Defense License
Threat Defense remote access VPN requires Strong Encryption and one of the following licenses for AnyConnect:
AnyConnect Plus
AnyConnect Apex
AnyConnect VPN Only
Requirements and Prerequisites for Remote Access VPN
Model Support
Threat Defense
Supported Domains
Any
User Roles
Admin
Guidelines and Limitations for Remote Access VPNs
Remote Access VPN Policy Configuration
You can add a new remote access VPN policy only by using the wizard. You must proceed through the entire wizard to create a new policy; the policy will not be saved if you cancel before completing the wizard.
Two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists.
Moving a Secure Firewall Threat Defense device from one domain to another domain is not possible if a remote access VPN policy is assigned to that device.
Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration.
Remote access VPN connectivity could fail if there is a misconfigured threat defense NAT rule.
Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the AnyConnect IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the Secure Firewall Threat Defense device before configuring Remote Access VPN.
While configuring remote access VPNs using the wizard, you can create in-line certificate enrollment objects, but you cannot use them to install the identity certificate. Certificate enrollment objects are used for generating the identity certificate on the Secure Firewall Threat Defense device being configured as the remote access VPN gateway. Install the identity certificate on the device before deploying the remote access VPN policy to the device.
For more information about how to install the identity certificate based on the certificate enrollment object, see The Object Manager.
The ECMP zone interfaces can be used in Remote Access VPN with IPsec enabled.
The ECMP zone interfaces cannot be used in Remote Access VPN with SSL enabled. Deployment of RA VPN [SSL enabled] configuration fails if all the RA VPN interfaces that belong to security zones or interface groups also belong to one or more ECMP zones. However, if only some of the RA VPN interfaces belonging to the security zones or interface groups also belong to one or more ECMP zones, deployment of the RA VPN configuration succeeds, excluding those interfaces.
After you change the remote access VPN policy configurations, re-deploy the changes to the Secure Firewall Threat Defense devices. The time it takes to deploy configuration changes depends on multiple factors such as complexity of the policies and rules, type and volume of configurations you send to the device, and memory and device model. Before deploying remote access VPN policy changes, review the Best Practices for Deploying Configuration Changes.
Concurrent VPN Sessions Capacity Planning [threat defense virtual Models]
The maximum concurrent VPN sessions are governed by the installed threat defense virtual smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.
Device Model | Maximum Concurrent Remote Access VPN Sessions
Threat Defense Virtual 5 | 50
Threat Defense Virtual 10 | 250
Threat Defense Virtual 20 | 250
Threat Defense Virtual 30 | 250
Threat Defense Virtual 50 | 750
Threat Defense Virtual 100 | 10,000
Concurrent VPN Sessions Capacity Planning [Hardware Models]
The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.
Device Model | Maximum Concurrent Remote Access VPN Sessions
Firepower 2110 | 1500
Firepower 2120 | 3500
Firepower 2130 | 7500
Firepower 2140 | 10000
For capacity of other hardware models, contact your sales representative.
Controlling Cipher Usage for VPN
To prevent use of ciphers stronger than DES, pre-deployment checks are available at the following locations in the Secure Firewall Management Center:
For more information about SSL settings and IPsec, see Configure SSL Settings and Configure Remote Access VPN IPsec/IKEv2 Parameters.
Authentication, Authorization, and Accounting
Configure DNS on each device in the topology in order to use remote access VPN. Without DNS, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDNs or Hostnames; it can only resolve IP addresses.
You can configure DNS using the Platform Settings. For more information, see Configure DNS and DNS Server Group Objects.
Client Certificates
If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.
Unsupported Features of AnyConnect
The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.
The following AnyConnect features are not supported when connecting to a threat defense secure gateway:
AnyConnect Customization and Localization support. The threat defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.
TACACS, Kerberos [KCD Authentication and RSA SDI].
Browser Proxy.
Configuring a New Remote Access VPN Connection
This section provides instructions to configure a new remote access VPN policy with Secure Firewall Threat Defense devices as VPN gateways and Cisco AnyConnect as the VPN client.
Step 1 | Review the guidelines and prerequisites. | Guidelines and Limitations for Remote Access VPNs Prerequisites for Configuring Remote Access VPN |
Step 2 | Create a new remote access VPN policy using the wizard. | Create a New Remote Access VPN Policy |
Step 3 | Update the access control policy deployed on the device. | Update the Access Control Policy on the Secure Firewall Threat Defense Device |
Step 4 | [Optional] Configure a NAT exemption rule if NAT is configured on the device. | [Optional] Configure NAT Exemption |
Step 5 | Configure DNS. | Configure DNS |
Step 6 | Add an AnyConnect Client Profile. | Add an AnyConnect Client Profile XML File |
Step 7 | Deploy the remote access VPN policy. | Deploy Configuration Changes |
Step 8 | [Optional] Verify the remote access VPN policy configuration. | Verify the Configuration |
Prerequisites for Configuring Remote Access VPN
Deploy Secure Firewall Threat Defense devices and configure Secure Firewall Management Center to manage the devices, with the required licenses and export-controlled features enabled. For more information, see VPN Licensing.
Configure the certificate enrollment object that is used to obtain the identity certificate for each Secure Firewall Threat Defense device that acts as a remote access VPN gateway.
Configure the RADIUS server group object and any AD or LDAP realms being used by remote access VPN policies.
Ensure that the AAA Server is reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work. Configure routing [at Devices > Device Management > Edit Device > Routing] to ensure connectivity to the AAA servers.
For remote access VPN double authentication, ensure that both the primary and secondary authentication servers are reachable from the Secure Firewall Threat Defense device for the double authentication configuration to work.
Purchase and enable one of the following Cisco Secure Client licenses: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only to enable the threat defense remote access VPN.
Download the latest AnyConnect image files from Cisco Software Download Center.
On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect client image files.
Create a security zone or interface group that contains the network interfaces that users will access for VPN connections. See Interface.
Download the AnyConnect Profile Editor from Cisco Software Download Center to create an AnyConnect client profile. You can use the standalone profile editor to create a new or modify an existing AnyConnect profile.
Create a New Remote Access VPN Policy
You can add a new remote access VPN Policy only by using the Remote Access VPN Policy wizard. The wizard guides you to quickly and easily set up remote access VPNs with basic capabilities. Further, you can enhance the policy configuration by specifying additional attributes as desired and deploy it to your Secure Firewall Threat Defense secure gateway devices.
Before you begin
Ensure that you complete all the prerequisites listed in Prerequisites for Configuring Remote Access VPN.
Procedure
Step 1 | Choose . |
Step 2 | Click Add. You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before completing the wizard. |
Step 3 | Select the Target Devices and Protocols. The Secure Firewall Threat Defense devices selected here will function as your remote access VPN gateways for the VPN client users. You can select the devices from the list or add a new device. You can select Secure Firewall Threat Defense devices when you create a remote access VPN policy or change them later. See Setting Target Devices for a Remote Access VPN Policy. You can select SSL or IPsec-IKEv2, or both VPN protocols. Secure Firewall Threat Defense supports both protocols to establish secure connections over a public network through VPN tunnels. For SSL settings, see Configure SSL Settings. |
Step 4 | Configure the Connection Profile and Group Policy settings. A connection profile specifies a set of parameters that define how remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignments to VPN clients, and group policies. The Secure Firewall Threat Defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy. For more information, see Configure Connection Profile Settings. For information about configuring,
A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. You configure attributes such as user authorization profile, IP addresses, AnyConnect settings, VLAN mapping, and user session settings using the group policy. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile. For more information, see Configuring Group Policies. |
Step 5 | Select the AnyConnect Client Image that the VPN users will use to connect to the remote access VPN. The Cisco AnyConnect Secure Mobility Client provides secure SSL or IPsec [IKEv2] connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the Secure Firewall Threat Defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the AnyConnect client. For information about configuring the AnyConnect client profile and client modules, see Group Policy AnyConnect Options. |
Step 6 | Select the Network Interface and Identity Certificate. Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple zone interface objects on a single device. There are two types of interface objects: |
Step 7 | View the Summary of the Remote Access VPN policy configuration. The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configurations that need to be performed before deploying the remote access VPN policy on the selected devices. Click Back to make changes to the configuration, if required. |
Step 8 | Click Finish to complete the basic configuration for the remote access VPN policy. When you have completed the remote access VPN policy using the wizard, it returns to the policy listing page. Set up DNS configuration, configure access control for VPN users, and enable NAT exemption [if necessary] to complete a basic RA VPN Policy configuration. Then, deploy the configuration and establish VPN connections. |
Update the Access Control Policy on the Secure Firewall Threat Defense Device
Before deploying the remote access VPN policy, you must update the access control policy on the targeted Secure Firewall Threat Defense device with a rule that allows VPN traffic. The rule must allow all traffic coming in from the outside interface, with source as the defined VPN pool networks and destination as the corporate network.
Note | If you have selected the Bypass Access Control policy for decrypted traffic [sysopt permit-vpn] option on the Access Interface tab, you need not update the access control policy for remote access VPN. Enable or disable the option for all your VPN connections. If you disable this option, make sure that the traffic is allowed by the access control policy or pre-filter policy. For more information, see Configure Access Interfaces for Remote Access VPN. |
Before you begin
Complete the remote access VPN policy configuration using the Remote Access VPN Policy wizard.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Policies > Access Control. |
Step 2 | Select the access control policy assigned to the target devices where the remote access VPN policy will be deployed and click Edit. |
Step 3 | Click Add Rule to add a new rule. |
Step 4 | Specify the Name for the rule and select Enabled. |
Step 5 | Select the Action, Allow or Trust. |
Step 6 | Select the following on the Zones tab:
|
Step 7 | Select the following on the Networks tab:
|
Step 8 | Configure other required access control rule settings and click Add. |
Step 9 | Save the rule and access control policy. |
[Optional] Configure NAT Exemption
NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption enables you to specify the real and destination addresses when determining the real addresses to translate [similar to policy NAT]. Use static identity NAT to consider ports in the access list.
Before you begin
Check if NAT is configured on the targeted devices where remote access VPN policy is deployed. If NAT is enabled on the targeted devices, you must define a NAT policy to exempt VPN traffic.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, click Devices > NAT. |
Step 2 | Select a NAT policy to update or click New Policy > Threat Defense NAT to create a NAT policy with a NAT rule to allow connections through all interfaces. |
Step 3 | Click Add Rule to add a NAT rule. |
Step 4 | On the Add NAT Rule window, select the following: |
Step 5 | On the Advanced tab, select Do not proxy ARP on Destination Interface. This option disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you must make sure that the upstream router has the proper routes. |
Step 6 | Click OK. |
Configure DNS
Configure DNS on each Secure Firewall Threat Defense device in order to use remote access VPN. Without DNS, the devices cannot resolve AAA server names, named URLs, or CA servers that are specified by FQDN or hostname; they can resolve only IP addresses.
Procedure
Step 1 | Configure DNS server details and domain-lookup interfaces using the Platform Settings. For more information, see Configure DNS and DNS Server Group Objects. |
Step 2 | Configure split tunneling in the group policy to allow DNS traffic through the remote access VPN tunnel if the DNS server is reachable through the VPN network. For more information, see Configure Group Policy Objects. |
Add an AnyConnect Client Profile XML File
An AnyConnect client profile is a group of configuration parameters stored in an XML file that the client uses to configure its operation and appearance. These parameters [XML tags] include the names and addresses of host computers and settings to enable more client features.
You can create an AnyConnect client profile using the AnyConnect Profile Editor. This editor is a GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the management center. For more information about AnyConnect Profile Editor, see Cisco AnyConnect Secure Mobility Client Administrator Guide.
Before you begin
Download the AnyConnect Profile Editor from Cisco Software Download Center.
Procedure
Step 1 | Choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access VPN policy and click Edit. |
Step 3 | Select a connection profile on which you want to update the AnyConnect client profile and click Edit. |
Step 4 | Click Add to add a group policy or click Edit Group Policy > General > AnyConnect. |
Step 5 | Select a Client Profile from the list or click the Add icon to add a new one: |
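Because the profile is ordinary XML, its contents can be inventoried outside the Profile Editor before the profile is pushed to users. The following is an added example, not code from this guide or from Cisco's tooling: it parses a constructed profile's ServerList and flags HostAddress entries that are not under an approved corporate domain. The gateway list is what decides where the client sends user credentials, so an unexpected host or IP literal in a distributed profile deserves review. The ServerList/HostEntry/HostName/HostAddress element names follow the AnyConnect profile schema; the namespace is stripped during parsing so the check works whether or not the profile declares one, and the sample profile and domain list are constructed.

```python
"""Inventory the gateways listed in an AnyConnect client profile (constructed example,
not code from this guide or from the AnyConnect Profile Editor)."""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

# Constructed sample profile. ServerList/HostEntry/HostName/HostAddress follow the
# AnyConnect profile schema; the hosts and the namespace declaration are sample values.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Lab</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag: str) -> str:
    """Strip any XML namespace so the parser works whether or not one is declared."""
    return tag.rsplit("}", 1)[-1]


def host_entries(profile_xml: str) -> List[Tuple[str, str]]:
    """Return (HostName, HostAddress) for every HostEntry in the profile's ServerList."""
    root = ET.fromstring(profile_xml)
    entries = []
    for element in root.iter():
        if _local(element.tag) == "HostEntry":
            fields = {_local(child.tag): (child.text or "").strip() for child in element}
            entries.append((fields.get("HostName", ""), fields.get("HostAddress", "")))
    return entries


def unexpected_gateways(profile_xml: str, allowed_suffixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Entries whose HostAddress is not under an approved domain. An IP literal or an
    unknown domain in a distributed profile points users at a gateway the organization
    may not control, so these entries should be reviewed before rollout."""
    suffixes = [s.lower() for s in allowed_suffixes]
    return [(name, addr) for name, addr in host_entries(profile_xml)
            if not any(addr.lower().endswith(s) for s in suffixes)]


if __name__ == "__main__":
    for name, addr in host_entries(SAMPLE_PROFILE):
        print(f"{name}: {addr}")
    print("review:", unexpected_gateways(SAMPLE_PROFILE, [".example.com"]))
```

Run against a real profile by reading the XML file into a string and passing your own list of approved domain suffixes; only the ServerList is inspected, so other profile settings are untouched.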
[Optional] Configure Split Tunneling
Split tunneling allows VPN connectivity to a remote network across a secure tunnel while also allowing connectivity to networks outside the VPN tunnel. Configure split tunneling if you want to allow your VPN users to access an outside network while they are connected to a remote access VPN. To configure a split-tunnel list, you must create a Standard Access List or Extended Access List.
For more information, see Configuring Group Policies.
Procedure
Step 1 | Choose Devices > VPN > Remote Access. |
Step 2 | Select a Remote Access policy and click Edit. |
Step 3 | Select a connection profile and click Edit. |
Step 4 | Click Add to add a group policy, or click Edit Group Policy > General > Split Tunneling. |
Step 5 | From the IPv4 Split Tunneling or IPv6 Split Tunneling list, select Exclude networks specified below; and then select the networks to be excluded from VPN traffic. |
Step 6 | Click Standard Access List or Extended Access List, and select an access list from the drop-down or add a new one. |
Step 7 | If you chose to add a new standard or extended access list, do the following: |
Step 8 | Click Save. |
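Traffic to an excluded network leaves the client without passing through the tunnel or the gateway's access control policy, so an exclude list that overlaps corporate address space silently removes protection for that range. The following is an added example, not from this guide: given a constructed exclude list and the corporate networks the VPN is meant to carry, it reports overlaps and shows which path a destination would take under the Exclude networks specified below setting. All network values are made up.

```python
"""Sanity-check a split-tunnel exclude list before deploying it (constructed example,
not Cisco code; every network value below is made up)."""
import ipaddress
from typing import Iterable, List


def parse_networks(entries: Iterable[str]) -> list:
    """Turn the access list's network entries into network objects (host bits tolerated)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def excluded_corporate_overlaps(exclude_list: list, corporate_networks: list) -> List[tuple]:
    """Pairs (excluded, corporate) whose ranges overlap. Any hit means traffic to that
    corporate range would leave the client in the clear, outside the tunnel and outside
    the gateway's access control."""
    return [(e, c) for e in exclude_list for c in corporate_networks
            if e.version == c.version and e.overlaps(c)]


def path_for(destination: str, exclude_list: list) -> str:
    """'bypass' when the destination matches an excluded network, otherwise 'tunnel'."""
    addr = ipaddress.ip_address(destination)
    return "bypass" if any(addr in n for n in exclude_list) else "tunnel"


# Constructed sample: the corporate ranges the VPN should carry, and an exclude list
# whose second entry was meant to be a home-LAN range but lands inside corporate space.
CORPORATE = parse_networks(["10.0.0.0/8", "172.16.0.0/12", "2001:db8:c0::/48"])
EXCLUDE_ACL = parse_networks(["192.168.0.0/16", "10.10.0.0/16"])

if __name__ == "__main__":
    for excluded, corp in excluded_corporate_overlaps(EXCLUDE_ACL, CORPORATE):
        print(f"WARNING: excluded {excluded} overlaps corporate {corp}")
    for dest in ("10.10.5.5", "10.20.1.1", "192.168.1.20", "2001:db8:c0::10"):
        print(dest, "->", path_for(dest, EXCLUDE_ACL))
```

Feed it the entries of the standard or extended access list you selected in Step 6 and your own corporate prefixes; an empty overlap list is the result you want before clicking Save.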
Verify the Configuration
Procedure
Step 1 | Open a web browser on a machine on the outside network. |
Step 2 | Enter the URL of the threat defense device configured as a remote access VPN gateway. |
Step 3 | Enter the username and password when prompted, and click Logon. |
Step 4 | Download AnyConnect if it is not installed already and connect to the VPN. |
Create a Copy of an Existing Remote Access VPN Policy
You copy an existing remote access VPN policy to create a new one with all of its settings, including the connection profiles and access interfaces. You can then assign devices to the new policy and deploy the VPN on the assigned devices as required. Copying a policy is useful when you want to retain most of its settings or create a backup of it.
Note: Users with read-only permission for remote access VPN cannot create a copy of the VPN. Users with read-only privileges in the domain can copy the remote access VPNs.
Procedure
Step 1 | Choose . |
Step 2 | Select the policy that you want to copy from the list of available VPN policies. |
Step 3 | Click Copy to create a copy of the VPN policy configuration. |
Step 4 | Specify a Name for the new copy of the remote access VPN policy. |
Step 5 | Click OK. See Setting Target Devices for a Remote Access VPN Policy. |
Setting Target Devices for a Remote Access VPN Policy
You can add targeted devices while you create a new remote access VPN policy, or change them later.
Procedure
Step 1 | Choose . |
Step 2 | Click Edit [ |
Step 3 | Click Policy Assignment. |
Step 4 | Do any of the following: |
Step 5 | Click OK. |
What to do next
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Associating a Local Realm with a Remote Access VPN Policy
When a local realm is created and local users are added, you can add it to a remote access VPN to enable local user authentication.
For information about creating and managing realms, see Manage a Realm.
For information about configuring local user authentication for remote access VPNs, see Configure AAA Settings for Remote Access VPN.
Procedure
Step 1 | Choose . |
Step 2 | Click Edit [ |
Step 3 | Click the link next to Local Realm. |
Step 4 | Select the Local Realm Server from the list, or click Add to add a new local realm and then select a realm. |
Step 5 | Click OK. |
What to do next
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Additional Remote Access VPN Configurations
Configure Connection Profile Settings
A Remote Access VPN policy contains the connection profiles targeted for specific devices. These profiles pertain to creating the tunnel itself, such as how AAA is accomplished and how addresses are assigned [DHCP or Address Pools] to VPN clients. They also include user attributes, which are identified in group policies configured on the threat defense device or obtained from a AAA server. A device also provides a default connection profile named DefaultWEBVPNGroup. The connection profile that is configured using the wizard appears in the list.
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Select a Connection Profile and click Edit. |
Step 4 | [Optional] Add multiple connection profiles. |
Step 5 | Configure IP Addresses for VPN Clients. |
Step 6 | [Optional] Update AAA Settings for remote access VPNs. |
Step 7 | [Optional] Create or update Aliases. |
Step 8 | Save the connection profile. |
Configure Multiple Connection Profiles
If you decide to grant different rights to different groups of VPN users, then you can configure specific connection profiles or group policies for each of the user groups. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Connection profiles and group policies provide the flexibility to do so securely.
You can configure only one connection profile when you create a VPN policy using the Remote Access Policy wizard. You can add more connection profiles later. A device also provides a default connection profile named DefaultWEBVPNGroup.
Before you begin
Ensure that you have configured remote access VPN using the Remote Access Policy wizard with a connection profile.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access VPN policy and click Edit. |
Step 3 | Click Add and specify the following in the Add Connection Profile window: |
Step 4 | Click Save. |
Configure IP Addresses for VPN Clients
Client address assignment provides a means of assigning IP addresses for the remote access VPN users.
You can assign IP addresses to remote VPN clients from local IP address pools, DHCP servers, and AAA servers. Addresses from AAA servers are assigned first, followed by the other sources. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pool[s] defined in this connection profile are used only if no IP pools are defined in the group policy associated with the connection profile or in the system default group policy, DfltGrpPolicy.
IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the Secure Firewall Threat Defense device. Address Pools define a range of addresses that remote clients can receive. Select an existing IP address pool. You can add a maximum of six pools for IPv4 and IPv6 addresses each.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access VPN policy and click Edit. |
Step 3 | Select the connection profile that you want to update and click . |
Step 4 | Select the following for Address Pools: |
Step 5 | Select the following for DHCP Servers: |
Step 6 | Click Save. |
Configure AAA Settings for Remote Access VPN
Before you begin
Ensure that the required machine and user certificates are deployed on the endpoints. For information about Secure Firewall Threat Defense certificates, see Managing Threat Defense Certificates and Managing VPN Certificate.
Configure AnyConnect profiles with required certificates. For more information, see Cisco AnyConnect Secure Mobility Client Administrator Guide.
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Select a connection profile to update AAA settings and click . |
Step 4 | Select the following for Authentication: Fallback to LOCAL Authentication—The user is authenticated using the local database, and the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured. |
Step 5 | Select the following for Authorization: |
Step 6 | Select the following for Accounting: |
Step 7 | Select the following Advanced Settings: |
Step 8 | Click Save. |
RADIUS Server Attributes for Secure Firewall Threat Defense
The Secure Firewall Threat Defense device supports applying user authorization attributes [also called user entitlements or permissions] to VPN connections from the external RADIUS servers that are configured for authentication and/or authorization in the remote access VPN policy.
Note: Secure Firewall Threat Defense devices support attributes with vendor ID 3076.
The following user authorization attributes are sent to the Secure Firewall Threat Defense device from the RADIUS server.
RADIUS attributes 146 and 150 are sent from Secure Firewall Threat Defense devices to the RADIUS server for authentication and authorization requests.
All three [146, 150, and 151] attributes are sent from Secure Firewall Threat Defense devices to the RADIUS server for accounting start, interim-update, and stop requests.
Connection Profile Name or Tunnel Group Name | 146 | String | Single | 1-253 characters |
Client Type | 150 | Integer | Single | 2 = AnyConnect Client SSL VPN, 6 = AnyConnect Client IPsec VPN [IKEv2] |
Session Type | 151 | Integer | Single | 1 = AnyConnect Client SSL VPN, 2 = AnyConnect Client IPsec VPN [IKEv2] |
Access-Hours | Y | 1 | String | Single | Name of the time range, for example, Business-hours |
Access-List-Inbound | Y | 86 | String | Single | Both of the Access-List attributes take the name of an ACL that is configured on the threat defense device. Create these ACLs using the Smart CLI Extended Access List object type [select Device > Advanced Configuration > Smart CLI > Objects]. These ACLs control traffic flow in the inbound [traffic entering the threat defense device] or outbound [traffic leaving the threat defense device] direction. |
Access-List-Outbound | Y | 87 | String | Single | |
Address-Pools | Y | 217 | String | Single | The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page. |
Allow-Network-Extension-Mode | Y | 64 | Boolean | Single | 0 = Disabled 1 = Enabled |
Authenticated-User-Idle-Timeout | Y | 50 | Integer | Single | 1-35791394 minutes |
Authorization-DN-Field | Y | 67 | String | Single | Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
Authorization-Required | 66 | Integer | Single | 0 = No 1 = Yes | |
Authorization-Type | Y | 65 | Integer | Single | 0 = None 1 = RADIUS 2 = LDAP |
Banner1 | Y | 15 | String | Single | Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL |
Banner2 | Y | 36 | String | Single | Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string, if configured. |
Cisco-IP-Phone-Bypass | Y | 51 | Integer | Single | 0 = Disabled 1 = Enabled |
Cisco-LEAP-Bypass | Y | 75 | Integer | Single | 0 = Disabled 1 = Enabled |
Client Type | Y | 150 | Integer | Single | 1 = Cisco VPN Client [IKEv1] 2 = AnyConnect Client SSL VPN 3 = Clientless SSL VPN 4 = Cut-Through-Proxy 5 = L2TP/IPsec SSL VPN 6 = AnyConnect Client IPsec VPN [IKEv2] |
Client-Type-Version-Limiting | Y | 77 | String | Single | IPsec VPN version number string |
DHCP-Network-Scope | Y | 61 | String | Single | IP Address |
Extended-Authentication-On-Rekey | Y | 122 | Integer | Single | 0 = Disabled 1 = Enabled |
Framed-Interface-Id | Y | 96 | String | Single | Assigned IPv6 interface ID. Combines with Framed-IPv6-Prefix to create a complete assigned IPv6 address. For example: Framed-Interface-ID=1:1:1:1 combined with Framed-IPv6-Prefix=2001:0db8::/64 gives the assigned IP address 2001:0db8::1:1:1:1. |
Framed-IPv6-Prefix | Y | 97 | String | Single | Assigned IPv6 prefix and length. Combines with Framed-Interface-Id to create a complete assigned IPv6 address. For example: prefix 2001:0db8::/64 combined with Framed-Interface-Id=1:1:1:1 gives the IP address 2001:0db8::1:1:1:1. You can use this attribute to assign an IP address without using Framed-Interface-Id, by assigning the full IPv6 address with prefix length /128, for example, Framed-IPv6-Prefix=2001:0db8::1/128. |
Group-Policy | Y | 25 | String | Single | Sets the group policy for the remote access VPN session. You can use one of the following formats: |
IE-Proxy-Bypass-Local | 83 | Integer | Single | 0 = None 1 = Local | |
IE-Proxy-Exception-List | 82 | String | Single | New line [\n] separated list of DNS domains | |
IE-Proxy-PAC-URL | Y | 133 | String | Single | PAC address string |
IE-Proxy-Server | 80 | String | Single | IP address | |
IE-Proxy-Server-Policy | 81 | Integer | Single | 1 = No Modify 2 = No Proxy 3 = Auto detect 4 = Use Concentrator Setting | |
IKE-KeepAlive-Confidence-Interval | Y | 68 | Integer | Single | 10-300 seconds |
IKE-Keepalive-Retry-Interval | Y | 84 | Integer | Single | 2-10 seconds |
IKE-Keep-Alives | Y | 41 | Boolean | Single | 0 = Disabled 1 = Enabled |
Intercept-DHCP-Configure-Msg | Y | 62 | Boolean | Single | 0 = Disabled 1 = Enabled |
IPsec-Allow-Passwd-Store | Y | 16 | Boolean | Single | 0 = Disabled 1 = Enabled |
IPsec-Authentication | 13 | Integer | Single | 0 = None 1 = RADIUS 2 = LDAP [authorization only] 3 = NT Domain 4 = SDI 5 = Internal 6 = RADIUS with Expiry 7 = Kerberos/Active Directory | |
IPsec-Auth-On-Rekey | Y | 42 | Boolean | Single | 0 = Disabled 1 = Enabled |
IPsec-Backup-Server-List | Y | 60 | String | Single | Server Addresses [space delimited] |
IPsec-Backup-Servers | Y | 59 | String | Single | 1 = Use Client-Configured list 2 = Disable and clear client list 3 = Use Backup Server list |
IPsec-Client-Firewall-Filter-Name | 57 | String | Single | Specifies the name of the filter to be pushed to the client as firewall policy | |
IPsec-Client-Firewall-Filter-Optional | Y | 58 | Integer | Single | 0 = Required 1 = Optional |
IPsec-Default-Domain | Y | 28 | String | Single | Specifies the single default domain name to send to the client [1-255 characters]. |
IPsec-IKE-Peer-ID-Check | Y | 40 | Integer | Single | 1 = Required 2 = If supported by peer certificate 3 = Do not check |
IPsec-IP-Compression | Y | 39 | Integer | Single | 0 = Disabled 1 = Enabled |
IPsec-Mode-Config | Y | 31 | Boolean | Single | 0 = Disabled 1 = Enabled |
IPsec-Over-UDP | Y | 34 | Boolean | Single | 0 = Disabled 1 = Enabled |
IPsec-Over-UDP-Port | Y | 35 | Integer | Single | 4001-49151. The default is 10000. |
IPsec-Required-Client-Firewall-Capability | Y | 56 | Integer | Single | 0 = None 1 = Policy defined by remote FW Are-You-There [AYT] 2 = Policy pushed CPP 4 = Policy from server |
IPsec-Sec-Association | 12 | String | Single | Name of the security association | |
IPsec-Split-DNS-Names | Y | 29 | String | Single | Specifies the list of secondary domain names to send to the client [1-255 characters]. |
IPsec-Split-Tunneling-Policy | Y | 55 | Integer | Single | 0 = No split tunneling 1 = Split tunneling 2 = Local LAN permitted |
IPsec-Split-Tunnel-List | Y | 27 | String | Single | Specifies the name of the network or ACL that describes the split tunnel inclusion list. |
IPsec-Tunnel-Type | Y | 30 | Integer | Single | 1 = LAN-to-LAN 2 = Remote access |
IPsec-User-Group-Lock | 33 | Boolean | Single | 0 = Disabled 1 = Enabled | |
IPv6-Address-Pools | Y | 218 | String | Single | Name of IP local pool-IPv6 |
IPv6-VPN-Filter | Y | 219 | String | Single | ACL value |
L2TP-Encryption | 21 | Integer | Single | Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Req 15 = 40/128-Encr/Stateless-Req | |
L2TP-MPPC-Compression | 38 | Integer | Single | 0 = Disabled 1 = Enabled | |
Member-Of | Y | 145 | String | Single | Comma-delimited string, for example: Engineering, Sales. An administrative attribute that can be used in dynamic access policies. It does not set a group policy. |
MS-Client-Subnet-Mask | Y | 63 | Boolean | Single | An IP address |
NAC-Default-ACL | 92 | String | ACL | ||
NAC-Enable | 89 | Integer | Single | 0 = No 1 = Yes | |
NAC-Revalidation-Timer | 91 | Integer | Single | 300-86400 seconds | |
NAC-Settings | Y | 141 | String | Single | Name of the NAC policy |
NAC-Status-Query-Timer | 90 | Integer | Single | 30-1800 seconds | |
Perfect-Forward-Secrecy-Enable | Y | 88 | Boolean | Single | 0 = No 1 = Yes |
PPTP-Encryption | 20 | Integer | Single | Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required 15 = 40/128-Encr/Stateless-Req | |
PPTP-MPPC-Compression | 37 | Integer | Single | 0 = Disabled 1 = Enabled | |
Primary-DNS | Y | 5 | String | Single | An IP address |
Primary-WINS | Y | 7 | String | Single | An IP address |
Privilege-Level | Y | 220 | Integer | Single | An integer between 0 and 15. |
Required-Client-Firewall-Vendor-Code | Y | 45 | Integer | Single | 1 = Cisco Systems [with Cisco Integrated Client] 2 = Zone Labs 3 = NetworkICE 4 = Sygate 5 = Cisco Systems [with Cisco Intrusion Prevention Security Agent] |
Required-Client-Firewall-Description | Y | 47 | String | Single | String |
Required-Client-Firewall-Product-Code | Y | 46 | Integer | Single | Cisco Systems Products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client [CIC] Zone Labs Products: 1 = Zone Alarm 2 = Zone AlarmPro 3 = Zone Labs Integrity NetworkICE Product: 1 = BlackIce Defender/Agent Sygate Products: 1 = Personal Firewall 2 = Personal Firewall Pro 3 = Security Agent |
Required-Individual-User-Auth | Y | 49 | Integer | Single | 0 = Disabled 1 = Enabled |
Require-HW-Client-Auth | Y | 48 | Boolean | Single | 0 = Disabled 1 = Enabled |
Secondary-DNS | Y | 6 | String | Single | An IP address |
Secondary-WINS | Y | 8 | String | Single | An IP address |
SEP-Card-Assignment | 9 | Integer | Single | Not used | |
Session Subtype | Y | 152 | Integer | Single | 0 = None 1 = Clientless 2 = Client 3 = Client Only Session Subtype applies only when the Session Type [151] attribute has the following values: 1, 2, 3, and 4. |
Session Type | Y | 151 | Integer | Single | 0 = None 1 = AnyConnect Client SSL VPN 2 = AnyConnect Client IPSec VPN [IKEv2] 3 = Clientless SSL VPN 4 = Clientless Email Proxy 5 = Cisco VPN Client [IKEv1] 6 = IKEv1 LAN-LAN 7 = IKEv2 LAN-LAN 8 = VPN Load Balancing |
Simultaneous-Logins | Y | 2 | Integer | Single | 0-2147483647 |
Smart-Tunnel | Y | 136 | String | Single | Name of a Smart Tunnel |
Smart-Tunnel-Auto | Y | 138 | Integer | Single | 0 = Disabled 1 = Enabled 2 = AutoStart |
Smart-Tunnel-Auto-Signon-Enable | Y | 139 | String | Single | Name of a Smart Tunnel Auto Signon list appended by the domain name |
Strip-Realm | Y | 135 | Boolean | Single | 0 = Disabled 1 = Enabled |
SVC-Ask | Y | 131 | String | Single | 0 = Disabled 1 = Enabled 3 = Enable default service 5 = Enable default clientless [2 and 4 not used] |
SVC-Ask-Timeout | Y | 132 | Integer | Single | 5-120 seconds |
SVC-DPD-Interval-Client | Y | 108 | Integer | Single | 0 = Off 5-3600 seconds |
SVC-DPD-Interval-Gateway | Y | 109 | Integer | Single | 0 = Off 5-3600 seconds |
SVC-DTLS | Y | 123 | Integer | Single | 0 = False 1 = True |
SVC-Keepalive | Y | 107 | Integer | Single | 0 = Off 15-600 seconds |
SVC-Modules | Y | 127 | String | Single | String [name of a module] |
SVC-MTU | Y | 125 | Integer | Single | MTU value 256-1406 in bytes |
SVC-Profiles | Y | 128 | String | Single | String [name of a profile] |
SVC-Rekey-Time | Y | 110 | Integer | Single | 0 = Disabled 1-10080 minutes |
Tunnel Group Name | Y | 146 | String | Single | 1-253 characters |
Tunnel-Group-Lock | Y | 85 | String | Single | Name of the tunnel group or “none” |
Tunneling-Protocols | Y | 11 | Integer | Single | 1 = PPTP 2 = L2TP 4 = IPSec [IKEv1] 8 = L2TP/IPSec 16 = WebVPN 32 = SVC 64 = IPsec [IKEv2] 8 and 4 are mutually exclusive. 0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values. |
Use-Client-Address | 17 | Boolean | Single | 0 = Disabled 1 = Enabled | |
VLAN | Y | 140 | Integer | Single | 0-4094 |
WebVPN-Access-List | Y | 73 | String | Single | Access-List name |
WebVPN ACL | Y | 73 | String | Single | Name of a WebVPN ACL on the device |
WebVPN-ActiveX-Relay | Y | 137 | Integer | Single | 0 = Disabled Otherwise = Enabled |
WebVPN-Apply-ACL | Y | 102 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Auto-HTTP-Signon | Y | 124 | String | Single | Reserved |
WebVPN-Citrix-Metaframe-Enable | Y | 101 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Content-Filter-Parameters | Y | 69 | Integer | Single | 1 = Java ActiveX 2 = Java Script 4 = Image 8 = Cookies in images |
WebVPN-Customization | Y | 113 | String | Single | Name of the customization |
WebVPN-Default-Homepage | Y | 76 | String | Single | A URL such as //example-example.com |
WebVPN-Deny-Message | Y | 116 | String | Single | Valid string [up to 500 characters] |
WebVPN-Download_Max-Size | Y | 157 | Integer | Single | 0x7fffffff |
WebVPN-File-Access-Enable | Y | 94 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-File-Server-Browsing-Enable | Y | 96 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-File-Server-Entry-Enable | Y | 95 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List | Y | 78 | String | Single | Comma-separated DNS/IP with an optional wildcard [*] [for example *.cisco.com, 192.168.1.*, wwwin.cisco.com] |
WebVPN-Hidden-Shares | Y | 126 | Integer | Single | 0 = None 1 = Visible |
WebVPN-Home-Page-Use-Smart-Tunnel | Y | 228 | Boolean | Single | Enabled if clientless home page is to be rendered through Smart Tunnel. |
WebVPN-HTML-Filter | Y | 69 | Bitmap | Single | 1 = Java ActiveX 2 = Scripts 4 = Image 8 = Cookies |
WebVPN-HTTP-Compression | Y | 120 | Integer | Single | 0 = Off 1 = Deflate Compression |
WebVPN-HTTP-Proxy-IP-Address | Y | 74 | String | Single | Comma-separated DNS/IP:port, with http= or https= prefix [for example http=10.10.10.10:80, https=11.11.11.11:443] |
WebVPN-Idle-Timeout-Alert-Interval | Y | 148 | Integer | Single | 0-30. 0 = Disabled. |
WebVPN-Keepalive-Ignore | Y | 121 | Integer | Single | 0-900 |
WebVPN-Macro-Substitution | Y | 223 | String | Single | Unbounded. |
WebVPN-Macro-Substitution | Y | 224 | String | Single | Unbounded. |
WebVPN-Port-Forwarding-Enable | Y | 97 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Port-Forwarding-Exchange-Proxy-Enable | Y | 98 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Port-Forwarding-HTTP-Proxy | Y | 99 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-Port-Forwarding-List | Y | 72 | String | Single | Port forwarding list name |
WebVPN-Port-Forwarding-Name | Y | 79 | String | Single | String name [example, “Corporate-Apps”]. This text replaces the default string, “Application Access,” on the clientless portal home page. |
WebVPN-Post-Max-Size | Y | 159 | Integer | Single | 0x7fffffff |
WebVPN-Session-Timeout-Alert-Interval | Y | 149 | Integer | Single | 0-30. 0 = Disabled. |
WebVPN Smart-Card-Removal-Disconnect | Y | 225 | Boolean | Single | 0 = Disabled 1 = Enabled |
WebVPN-Smart-Tunnel | Y | 136 | String | Single | Name of a Smart Tunnel |
WebVPN-Smart-Tunnel-Auto-Sign-On | Y | 139 | String | Single | Name of a Smart Tunnel auto sign-on list appended by the domain name |
WebVPN-Smart-Tunnel-Auto-Start | Y | 138 | Integer | Single | 0 = Disabled 1 = Enabled 2 = Auto Start |
WebVPN-Smart-Tunnel-Tunnel-Policy | Y | 227 | String | Single | One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels. |
WebVPN-SSL-VPN-Client-Enable | Y | 103 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-SSL-VPN-Client-Keep-Installation | Y | 105 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-SSL-VPN-Client-Required | Y | 104 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-SSO-Server-Name | Y | 114 | String | Single | Valid string |
WebVPN-Storage-Key | Y | 162 | String | Single | |
WebVPN-Storage-Objects | Y | 161 | String | Single | |
WebVPN-SVC-Keepalive-Frequency | Y | 107 | Integer | Single | 15-600 seconds, 0=Off |
WebVPN-SVC-Client-DPD-Frequency | Y | 108 | Integer | Single | 5-3600 seconds, 0=Off |
WebVPN-SVC-DTLS-Enable | Y | 123 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-SVC-DTLS-MTU | Y | 125 | Integer | Single | MTU value is from 256-1406 bytes. |
WebVPN-SVC-Gateway-DPD-Frequency | Y | 109 | Integer | Single | 5-3600 seconds, 0=Off |
WebVPN-SVC-Rekey-Time | Y | 110 | Integer | Single | 4-10080 minutes, 0=Off |
WebVPN-SVC-Rekey-Method | Y | 111 | Integer | Single | 0 [Off], 1 [SSL], 2 [New Tunnel] |
WebVPN-SVC-Compression | Y | 112 | Integer | Single | 0 [Off], 1 [Deflate Compression] |
WebVPN-UNIX-Group-ID [GID] | Y | 222 | Integer | Single | Valid UNIX group IDs |
WebVPN-UNIX-User-ID [UIDs] | Y | 221 | Integer | Single | Valid UNIX user IDs |
WebVPN-Upload-Max-Size | Y | 158 | Integer | Single | 0x7fffffff |
WebVPN-URL-Entry-Enable | Y | 93 | Integer | Single | 0 = Disabled 1 = Enabled |
WebVPN-URL-List | Y | 71 | String | Single | URL list name |
WebVPN-User-Storage | Y | 160 | String | Single | |
WebVPN-VDI | Y | 163 | String | Single | List of settings |
Address-Pools | 217 | String | Single | The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page. |
Banner1 | 15 | String | Single | The banner to display when the user logs in. |
Banner2 | 36 | String | Single | The second part of the banner to display when the user logs in. Banner2 is appended to Banner1. |
Downloadable ACLs | Cisco-AV-Pair | merge-dacl {before-avpair | after-avpair} | Supported via Cisco-AV-Pair configuration. | |
Filter ACLs | 86, 87 | String | Single | Filter ACLs are referred to by ACL name in the RADIUS server. It requires the ACL configuration to be already present on the threat defense device, so that it can be used during RADIUS authorization. 86=Access-List-Inbound 87=Access-List-Outbound |
Group-Policy | 25 | String | Single | The group policy to use in the connection. You must create the group policy on the RA VPN Group Policy page. You can use one of the following formats: |
Simultaneous-Logins | 2 | Integer | Single | The number of separate simultaneous connections the user is allowed to establish, 0 - 2147483647. |
VLAN | 140 | Integer | Single | The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the threat defense device. |
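The numbered attributes above are Cisco vendor-specific attributes carried inside the RADIUS Vendor-Specific attribute (type 26) under vendor ID 3076, while Framed-Interface-Id (96) and Framed-IPv6-Prefix (97) are IETF attributes. The following is an added example, not Cisco code and not part of this guide: it builds the three attributes (146, 150, 151) the gateway sends in accounting requests, then decodes a constructed Access-Accept payload carrying Group-Policy, Simultaneous-Logins, VLAN and the two IPv6 attributes, composing the assigned address the way the table's 2001:0db8::/64 plus 1:1:1:1 example describes. Wire layouts follow RFC 2865 and RFC 3162; the connection profile, group policy and address values are constructed, and the decoder rejects malformed length fields rather than misreading them.

```python
"""RADIUS attributes for the threat defense / RADIUS server exchange (constructed example,
not Cisco code). Vendor ID 3076 and the attribute numbers come from the table above; wire
layouts follow RFC 2865 (attributes, VSAs) and RFC 3162 (Framed-IPv6 attributes)."""
import ipaddress
import struct

VSA = 26                    # RFC 2865 Vendor-Specific attribute type
CISCO_VPN_VENDOR_ID = 3076  # vendor ID the threat defense device supports (from the page)
FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX = 96, 97                 # IETF numbers, RFC 3162
TUNNEL_GROUP_NAME, CLIENT_TYPE, SESSION_TYPE = 146, 150, 151     # Cisco vendor types (table)
GROUP_POLICY, SIMULTANEOUS_LOGINS, VLAN = 25, 2, 140              # Cisco vendor types (table)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length covers the whole attribute, so Value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_vsa(vendor_type: int, value) -> bytes:
    """One Cisco sub-attribute (Integer -> 4 octets, String -> UTF-8) inside a VSA."""
    raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if len(raw) > 247:  # 253 minus Vendor-Id(4) and sub-attribute header(2)
        raise ValueError("VSA value too long")
    sub = struct.pack("!BB", vendor_type, len(raw) + 2) + raw
    return encode_attr(VSA, struct.pack("!I", CISCO_VPN_VENDOR_ID) + sub)


def decode_attrs(data: bytes):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None for IETF
    attributes. Every length field is checked so malformed input raises, not misparses."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length")
        attr_type, length = data[i], data[i + 1]
        val = data[i + 2:i + length]
        if attr_type != VSA:
            yield attr_type, None, None, val
        else:
            if len(val) < 6:
                raise ValueError("VSA too short")
            vendor, j = struct.unpack("!I", val[:4])[0], 4
            while j < len(val):
                if j + 2 > len(val) or val[j + 1] < 2 or j + val[j + 1] > len(val):
                    raise ValueError("bad vendor sub-attribute")
                yield attr_type, vendor, val[j], val[j + 2:j + val[j + 1]]
                j += val[j + 1]
        i += length


def interface_id_bytes(text: str) -> bytes:
    """'1:1:1:1' (four 16-bit hex groups, the table's notation) -> 8 octets."""
    groups = text.split(":")
    if len(groups) != 4:
        raise ValueError("interface ID needs four hex groups")
    return b"".join(struct.pack("!H", int(g, 16)) for g in groups)


def ipv6_prefix_bytes(prefix: str) -> bytes:
    """RFC 3162 Framed-IPv6-Prefix value: Reserved(1) Prefix-Length(1) Prefix(16)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return bytes([0, net.prefixlen]) + net.network_address.packed


def assigned_ipv6(prefix_val: bytes, iid_val=None) -> ipaddress.IPv6Address:
    """Combine the two attributes as the table describes: a /128 prefix is already the
    full address; otherwise the 64-bit interface ID fills in the host part."""
    plen = prefix_val[1]
    mask = ((1 << 128) - 1) ^ ((1 << (128 - plen)) - 1)
    base = int.from_bytes(prefix_val[2:].ljust(16, b"\0"), "big") & mask
    if plen == 128:
        return ipaddress.IPv6Address(base)
    if iid_val is None or plen > 64:
        raise ValueError("need an interface ID and a prefix of at most /64")
    return ipaddress.IPv6Address(base | int.from_bytes(iid_val, "big"))


def accounting_attrs(connection_profile: str, client_type: int, session_type: int) -> bytes:
    """Attributes 146, 150 and 151, which the gateway sends in accounting requests."""
    return (encode_cisco_vsa(TUNNEL_GROUP_NAME, connection_profile)
            + encode_cisco_vsa(CLIENT_TYPE, client_type)
            + encode_cisco_vsa(SESSION_TYPE, session_type))


def parse_authorization(data: bytes) -> dict:
    """Interpret a server reply: Cisco VSAs the gateway applies, plus the IPv6 assignment.
    VSAs under any other vendor ID are skipped, matching the note that only 3076 is used."""
    out, pfx, iid = {}, None, None
    for attr_type, vendor, vtype, val in decode_attrs(data):
        if vendor == CISCO_VPN_VENDOR_ID and vtype == GROUP_POLICY:
            out["group_policy"] = val.decode()
        elif vendor == CISCO_VPN_VENDOR_ID and vtype in (SIMULTANEOUS_LOGINS, VLAN):
            key = "simultaneous_logins" if vtype == SIMULTANEOUS_LOGINS else "vlan"
            out[key] = struct.unpack("!I", val)[0]
        elif vendor is None and attr_type == FRAMED_IPV6_PREFIX:
            pfx = val
        elif vendor is None and attr_type == FRAMED_INTERFACE_ID:
            iid = val
    if pfx is not None:
        out["ipv6_address"] = str(assigned_ipv6(pfx, iid))
    return out


# Constructed sample exchange: accounting-start attributes from the gateway, and an
# Access-Accept payload from the server (all values are made up for the example).
ACCT_START = accounting_attrs("RA-Employees", 2, 1)  # 2 = AnyConnect SSL VPN, 1 = SSL session
ACCESS_ACCEPT = (encode_cisco_vsa(GROUP_POLICY, "Engineering-GP")
                 + encode_cisco_vsa(SIMULTANEOUS_LOGINS, 3)
                 + encode_cisco_vsa(VLAN, 120)
                 + encode_attr(FRAMED_IPV6_PREFIX, ipv6_prefix_bytes("2001:0db8::/64"))
                 + encode_attr(FRAMED_INTERFACE_ID, interface_id_bytes("1:1:1:1")))
```

Running `parse_authorization(ACCESS_ACCEPT)` yields the group policy name, the login limit, the VLAN and the composed address 2001:db8::1:1:1:1; the same decoder applied to `ACCT_START` shows the 146/150/151 sub-attributes as they appear on the wire, which is useful when checking RADIUS server logs or captures against the table.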
Create or Update Aliases for a Connection Profile
Aliases contain alternate names or URLs for a specific connection profile. Remote Access VPN administrators can enable or disable the Alias names and Alias URLs. VPN users can choose an Alias name when they connect to the Secure Firewall Threat Defense device. Alias names for all connections configured on this device can be turned on or off for display. You can also configure the list of Alias URLs, which your endpoints can select when initiating the Remote Access VPN connection. If users connect using an Alias URL, the system automatically logs them in using the connection profile that matches the Alias URL.
Procedure
Step 1 | Choose . |
Step 2 | From the list of available VPN policies, select the policy for which you want to modify the settings. |
Step 3 | Select a Connection Profile and click Edit. |
Step 4 | Click Aliases. |
Step 5 | To add an Alias name, do the following: |
Step 6 | To add an Alias URL, do the following: |
Step 7 | Click Save. |
Configure Access Interfaces for Remote Access VPN
The Access Interface table lists the interface groups and security zones that contain the device interfaces. These are configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security-zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security [DTLS] is enabled.
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Click Access Interface. |
Step 4 | To add an access interface, select Add and specify values for the following in the Add Access Interface window: |
Step 5 | Select the following under Access Settings: |
Step 6 | Use the following options to configure SSL Settings: |
Step 7 | For IPsec-IKEv2 Settings, select the IKEv2 Identity Certificate from the list or add an identity certificate. |
Step 8 | Under the Access Control for VPN Traffic section, select the following option if you want to bypass the access control policy: |
Step 9 | Click Save to save the access interface changes. |
Configuring Remote Access VPN Advanced Options
Cisco AnyConnect Secure Mobility Client Image
The Cisco AnyConnect Secure Mobility client provides secure SSL or IPsec [IKEv2] connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. Without a previously installed client, remote users can enter the IP address of an interface configured to accept clientless VPN connections in their browser to download and install the AnyConnect client. The Secure Firewall Threat Defense device downloads the client that matches the operating system of the remote computer. After downloading, the client installs and establishes a secure connection. If a client is already installed, the Secure Firewall Threat Defense device examines the version of the client when the user authenticates, and upgrades the client if necessary.
The Remote Access VPN administrator associates any new or additional AnyConnect client images with the VPN policy. The administrator can unassociate unsupported or end-of-life client packages that are no longer required.
The Secure Firewall Management Center determines the type of operating system by using the file package name. If the user renamed the file without indicating the operating system information, the valid operating system type must be selected from the list box.
Download the AnyConnect client image file by visiting Cisco Software Download Center.
Adding a Cisco AnyConnect Mobility Client Image to the Secure Firewall Management Center
You can upload the Cisco AnyConnect Mobility client image to the Secure Firewall Management Center by using the AnyConnect File object. For more information, see File Objects. For more information about the client image, see Cisco AnyConnect Secure Mobility Client Image.
Click Show re-order link to view a specific client image.
Note | To delete an already installed Cisco AnyConnect client image, click Delete in that row. |
Procedure
Step 1 | On the Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access, choose and edit a listed RA VPN policy, then choose the Advanced tab. |
Step 2 | Click Add in the Available AnyConnect Images portion of the AnyConnect Images dialog. |
Step 3 | Enter the Name, File Name, and Description for the available AnyConnect Image. |
Step 4 | Click Browse to navigate to the location for selecting the client image to be uploaded. |
Step 5 | Click Save to upload the image to the Secure Firewall Management Center. After you upload the client image, the Secure Firewall Management Center displays the operating system platform information for the uploaded image. |
Update AnyConnect Images for Remote Access VPN Clients
Before you begin
Instructions in this section help you update new AnyConnect client images to remote access VPN clients connecting to Secure Firewall Threat Defense VPN gateway. Ensure that the following configurations are complete before updating your AnyConnect images:
Download the latest AnyConnect image files from Cisco Software Download Center.
On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect client image files.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select an existing remote access policy in the list and click Edit. |
Step 3 | Click Advanced > AnyConnect Client Image > Add. |
Step 4 | Select a client image file from Available AnyConnect Images and click Add. If the required AnyConnect client image is not listed, click Add to browse and upload an image. |
Step 5 | Save the remote access VPN policy. |
Add a Cisco AnyConnect External Browser Package to the Secure Firewall Management Center
If you have an AnyConnect external browser package image on your local disk, use this procedure to upload the same to the Secure Firewall Management Center. After you upload the external browser package, you can update the external browser package for your remote access VPN connections.
You can upload the Cisco AnyConnect external browser package file to the Secure Firewall Management Center by using the AnyConnect File object. For more information, see File Objects.
Points to Remember
Only one external browser package can be added to the threat defense device.
After the external browser package is added to the Secure Firewall Management Center, the browser is pushed to the threat defense only after the external browser is enabled in the remote access VPN configuration.
Procedure
Step 1 | On the Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access, choose and edit a listed RA VPN policy, then choose the Advanced tab. |
Step 2 | Click Add in the AnyConnect External Browser Package portion of the AnyConnect Images dialog. |
Step 3 | Enter the Name, File Name, and Description for the available AnyConnect external browser package. |
Step 4 | Click Browse to navigate to the location for selecting the external browser package file to upload. |
Step 5 | Click Save to upload the image to the Secure Firewall Management Center. |
Remote Access VPN Address Assignment Policy
The Secure Firewall Threat Defense device can use an IPv4 or IPv6 policy for assigning IP addresses to Remote Access VPN clients. If you configure more than one address assignment method, the Secure Firewall Threat Defense device tries each of the options until it finds an IP address.
You can use the IPv4 or IPv6 policy to assign an IP address to Remote Access VPN clients. The IPv4 policy is tried first, followed by the IPv6 policy.
Use Authorization Server—Retrieves address from an external authorization server on a per-user basis. If you are using an authorization server that has IP address configured, we recommend using this method. Address assignment is supported by RADIUS-based authorization server only. It is not supported for AD/LDAP. This method is available for both IPv4 and IPv6 assignment policies.
Use DHCP—Obtains IP addresses from a DHCP server configured in a connection profile. You can also define the range of IP addresses that the DHCP server can use by configuring DHCP network scope in the group policy. If you use DHCP, configure the server in the Objects > Object Management > Network pane. This method is available for IPv4 assignment policies.
For more information about DHCP network scope configuration, see Group Policy General Options.
Use an internal address pool—Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, create the IP address pools in the Objects > Object Management > Address Pools pane and select the same in the connection profile. This method is available for both IPv4 and IPv6 assignment policies.
Reuse an IP address so many minutes after it is released—Delays the reuse of an IP address after its return to the address pool. Adding a delay helps to prevent problems firewalls can experience when an IP address is reassigned quickly. By default, the delay is set to zero, meaning the Secure Firewall Threat Defense device does not impose a delay in reusing the IP address. If you want to extend the delay, enter the number of minutes in the range 0 - 480 to delay the IP address reassignment. This configurable element is available for IPv4 assignment policies.
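The assignment order and the reuse delay described above, as an added example (not Cisco's code): the authorization server, DHCP, and internal pool are tried in turn, and an internal pool holds released addresses back for the configured number of minutes. The RADIUS lookup, the DHCP scope stand-in, and all addresses are constructed for illustration.

```python
import ipaddress
from collections import deque


class InternalPool:
    """Internal address pool. A released address is held back for
    reuse_delay_min minutes (0-480, default 0 = no delay) before it can be
    reassigned, modelling the "Reuse an IP address so many minutes after it
    is released" setting."""

    def __init__(self, network, reuse_delay_min=0):
        if not 0 <= reuse_delay_min <= 480:
            raise ValueError("reuse delay must be between 0 and 480 minutes")
        self.reuse_delay_min = reuse_delay_min
        self._free = deque(ipaddress.ip_network(network).hosts())
        self._held = deque()  # (release_minute, address), oldest first

    def _return_expired(self, now_min):
        # Addresses whose hold time has elapsed go back on the free list.
        while self._held and now_min - self._held[0][0] >= self.reuse_delay_min:
            self._free.append(self._held.popleft()[1])

    def allocate(self, now_min):
        """Return a free address, or None if the pool is exhausted
        (held-back addresses do not count as free)."""
        self._return_expired(now_min)
        return self._free.popleft() if self._free else None

    def release(self, address, now_min):
        """Return an address to the pool at minute now_min."""
        self._held.append((now_min, address))


def assign_address(user, now_min, radius_addresses, dhcp_scope, pool):
    """Run the assignment methods in the order the device uses and return
    the first address found, or None.

    radius_addresses: {user: address} as a RADIUS authorization server would
        return it (constructed; AD/LDAP cannot supply an address).
    dhcp_scope: an InternalPool standing in for the DHCP server's scope
        (constructed), or None when "Use DHCP" is not configured.
    pool: the internal address pool selected in the connection profile.
    The device runs this chain for the IPv4 policy first, then for IPv6.
    """
    methods = (
        lambda: radius_addresses.get(user),                            # Use Authorization Server
        lambda: dhcp_scope.allocate(now_min) if dhcp_scope else None,  # Use DHCP
        lambda: pool.allocate(now_min),                                # Use an internal address pool
    )
    for method in methods:
        address = method()
        if address is not None:
            return ipaddress.ip_address(str(address))
    return None
```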
Configure Certificate Maps
Certificate maps let you define rules matching a user certificate to a connection profile based on the contents of the certificate fields. Certificate maps are used for certificate authentication on secure gateways.
The rules or the certificate maps are defined in Certificate Map Objects.
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Click . |
Step 4 | Select the following options under the General Settings for Certificate Group Matching pane: Selections are priority-based; if a match is not found for the first selection, matching continues down the list of options. When the rules are satisfied, the mapping is done. If the rules are not satisfied, the default connection profile [listed at the bottom] is used for this connection. Select any, or all, of the following options to establish authentication and to determine which connection profile [tunnel group] should be mapped to the client. |
Step 5 | Under the Certificate to Connection Profile Mapping section, click Add Mapping to create a certificate to connection profile mapping for this policy. |
Step 6 | Click Save. |
Configuring Group Policies
A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience. For example, in the group policy object, you configure general attributes such as addresses, protocols, and connection settings.
The group policy applied to a user is determined when the VPN tunnel is being established. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.
Note | There is no group policy attribute inheritance on the threat defense. A group policy object is used, in its entirety, for a user. The group policy object identified by the AAA server upon login is used, or, if that is not specified, the default group policy configured for the VPN connection is used. The provided default group policy can be set to your default values, but will only be used if it is assigned to a connection profile and no other group policy has been identified for the user. |
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Click . |
Step 4 | Select one or more group policies to associate with this remote access VPN policy. These are above and beyond the default group policy assigned during the remote access VPN policy creation. Click Add. Use the Refresh and Search utilities to locate the group policy. Add a new group policy object if necessary. |
Step 5 | Select group policies from the available group policy and click Add to select them. |
Step 6 | Click OK to complete the group policy selection. |
Configuring LDAP Attribute Mapping
An LDAP attribute map maps an LDAP user or group attribute name to a Cisco-understandable name. The attribute map equates attributes that exist in the Active Directory [AD] or LDAP server with Cisco attribute names. Any standard LDAP attribute can be mapped to a well-known vendor-specific attribute [VSA]. One or more LDAP attributes can be mapped to one or more Cisco LDAP attributes. When the AD or LDAP server returns the authentication response to the threat defense device during remote access VPN connection establishment, the threat defense device can use the information to adjust how the AnyConnect VPN client completes the connection.
When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy-sets to each user based on their credentials. You can achieve this in threat defense by configuring LDAP authorization, with LDAP attribute maps. In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute, such as the Active Directory [AD] attribute memberOf, to the VPN-Group attribute that is understood by the VPN headend.
An LDAP attribute map consists of three components:
Name—Specifies the name for the LDAP attribute map; the name is generated based on the selected realm.
Attribute Name Mapping—Maps the LDAP user or group attribute name to a Cisco-understandable name.
Attribute Value Mapping—Maps a value in the LDAP user or group attribute to the value of a Cisco attribute for the selected name mapping.
When a user connects to remote access VPN, if the memberOf field matches the configured value, then group policy VPN-Group is applied to the user's VPN Session.
The group policies used in an LDAP attribute map are added to the list of group policies in a remote access VPN configuration. When a group policy is removed from a remote access VPN configuration, the associated LDAP attribute mapping is also removed.
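The name map, value map, and group policy selection described above, as an added example (not Cisco's code): the memberOf values an AD/LDAP server returns for a user are translated through the map, the first mapped VPN-Group value that names a configured group policy is applied, and removing a group policy also removes the value maps that point at it. The realm name, group DNs, policy names, and the sample user are constructed for illustration.

```python
class LdapAttributeMap:
    """An LDAP attribute map: a name map (LDAP attribute -> Cisco attribute)
    and value maps (LDAP value -> Cisco value) for each mapped name."""

    def __init__(self, name):
        self.name = name      # generated from the realm in the management center
        self.name_map = {}    # e.g. "memberOf" -> "VPN-Group"
        self.value_map = {}   # ("memberOf", "<group DN>") -> "<group policy name>"

    def map_name(self, ldap_attr, cisco_attr):
        self.name_map[ldap_attr] = cisco_attr

    def map_value(self, ldap_attr, ldap_value, cisco_value):
        # A value map only makes sense for an attribute that has a name map.
        if ldap_attr not in self.name_map:
            raise ValueError(f"no name mapping for {ldap_attr}")
        self.value_map[(ldap_attr, ldap_value)] = cisco_value

    def apply(self, ldap_attributes):
        """Translate the attributes returned for a user ({attr: [values]},
        multi-valued as memberOf is) into {cisco_attr: [values]}. Only values
        with a configured value mapping are carried over (a simplification)."""
        cisco = {}
        for ldap_attr, values in ldap_attributes.items():
            cisco_attr = self.name_map.get(ldap_attr)
            if cisco_attr is None:
                continue
            for value in values:
                mapped = self.value_map.get((ldap_attr, value))
                if mapped is not None:
                    cisco.setdefault(cisco_attr, []).append(mapped)
        return cisco

    def remove_group_policy(self, policy_name):
        """When a group policy is removed from the remote access VPN
        configuration, the value maps that reference it are removed too."""
        self.value_map = {k: v for k, v in self.value_map.items() if v != policy_name}


def select_group_policy(cisco_attributes, configured_policies, default_policy):
    """Pick the group policy for the session: the first mapped VPN-Group value
    that names a configured policy wins; otherwise the connection profile's
    default group policy applies in its entirety (no attribute inheritance)."""
    for candidate in cisco_attributes.get("VPN-Group", []):
        if candidate in configured_policies:
            return candidate
    return default_policy


# Constructed sample: what an AD server might return for one user.
SAMPLE_USER = {
    "sAMAccountName": ["bob"],
    "memberOf": [
        "CN=Staff,OU=Groups,DC=example,DC=com",
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    ],
}
```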
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy in the list and click the corresponding Edit icon. |
Step 3 | Click . |
Step 4 | Click Add. |
Step 5 | On the Configure LDAP Attribute Map page, select a Realm to configure the attribute map. The name for the LDAP attribute map is generated based on the selected realm. If you change the realm, the LDAP attribute name is also changed. |
Step 6 | Click Add. You can configure multiple attribute maps. Each attribute map requires that you configure a name map and value maps. You can click the respective Delete icon to delete an LDAP attribute map, a name map, or a value map. |
Step 7 | Click OK to complete the LDAP attribute map configuration. |
Step 8 | Click Save to save the changes to the LDAP attribute mapping. |
Configuring VPN Load Balancing
About VPN Load Balancing
VPN load balancing in threat defense allows you to group two or more devices logically and distribute remote access VPN sessions among the devices equally. VPN load balancing shares AnyConnect VPN sessions among the devices in a load balancing group.
VPN load balancing is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of two or more threat defense devices. One device acts as the director, and the other devices are member devices. Devices in a group do not need to be of the exact same type, or have identical software versions or configurations. Any threat defense device that supports remote access VPN can participate in a load balancing group. Threat Defense supports VPN load balancing with AnyConnect SAML authentication.
All active devices in a VPN load-balancing group carry session loads. VPN load balancing directs traffic to the least-loaded device in the group, distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Components of VPN Load Balancing
Following are the components of VPN load balancing:
Load-balancing group—A virtual group of two or more threat defense devices to share the VPN sessions.
A VPN load-balancing group can consist of threat defense devices of the same release or of mixed releases; but the device must support remote access VPN configuration.
See Configure Group Settings for VPN Load Balancing and Configure Additional Settings for Load Balancing.
Director—One device from the group acts as the director. It distributes the load among the other members in the group and also participates in serving the VPN sessions.
The director monitors all devices in the group, keeps track of how loaded each device is, and distributes the session load accordingly. The role of director is not tied to a physical device; it can shift among devices. For example, if the current director fails, one of the member devices in the group takes over that role and immediately becomes the new director.
Members—Devices other than the director in a group are called members. They participate in load balancing and share the remote access VPN connections.
Configure Settings for Participating Devices.
Prerequisites for VPN Load Balancing
Certificates—The threat defense’s certificate must contain the IP addresses or FQDNs of the director and members to which the connection is redirected. Otherwise, the certificate will be deemed untrusted. The certificate must use a Subject Alternate Name [SAN] or be a wildcard certificate.
Group URL—Add the group URL for VPN load-balancing group IP address to the connection profiles. Specify a group URL to eliminate the need for the user to select a group at login.
IP Address Pool—Choose unique IP address pool for member devices, and override the IP pool in management center for each of the member devices.
Devices that are behind Network Address Translation [NAT] can also be part of a load balancing group.
Guidelines and Limitations for VPN Load Balancing
VPN load balancing is disabled by default. You must explicitly enable VPN load balancing.
Only the threat defense devices that are co-located can be added to a load-balancing group.
A load-balancing group must have a minimum of two threat defense devices.
Devices in threat defense high availability can participate in a load-balancing group.
When a member or a director device goes down, remote access VPN connections that are served by that device will be dropped. You must initiate the VPN connection again.
Identity certificate on each device must have Subject Alternate Name [SAN] or wildcard.
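The certificate prerequisite above, as an added check (not Cisco's code): a client redirected from the group address to the director or a member must find that peer's FQDN or IP address in the Subject Alternate Name of the certificate it is shown, so this walks every device's SAN list against every redirect target. The SAN entries, device names, and addresses are constructed for illustration.

```python
import ipaddress


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a leading wildcard
    matches exactly one label (*.vpn.example.com does not match
    a.b.vpn.example.com or vpn.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[0] != "" and h_labels[1:] == p_labels
    return pattern == hostname


def san_covers(san_entries, peer):
    """san_entries: list of ("DNS", name) / ("IP", address) tuples as found in
    a certificate's subjectAltName extension. peer: FQDN or IP address string.
    An IP peer is matched only against IP entries, a name only against DNS."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        peer_ip = None
    for kind, value in san_entries:
        if kind == "IP" and peer_ip is not None and ipaddress.ip_address(value) == peer_ip:
            return True
        if kind == "DNS" and peer_ip is None and _dns_name_matches(value, peer):
            return True
    return False


def uncovered_peers(certs_by_device, redirect_targets):
    """certs_by_device: {device: san_entries} for each device in the group.
    redirect_targets: the group address plus every director/member FQDN or
    IP a client may be redirected to. Returns {device: [targets missing from
    its certificate]}; an empty dict means no redirection will be untrusted."""
    result = {}
    for device, sans in certs_by_device.items():
        missing = [t for t in redirect_targets if not san_covers(sans, t)]
        if missing:
            result[device] = missing
    return result


# Constructed sample: a shared wildcard certificate plus the group IP.
SAMPLE_SANS = [("DNS", "*.vpn.example.com"), ("IP", "203.0.113.10")]
SAMPLE_TARGETS = ["203.0.113.10", "ftd1.vpn.example.com", "ftd2.vpn.example.com"]
```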
Configure Group Settings for VPN Load Balancing
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy or create a new one, and then edit the remote access VPN policy. |
Step 3 | Click . |
Step 4 | Click the Enable Load balancing between member devices toggle button to enable load balancing. |
Step 5 | Specify the Group IPv4 address and Group IPv6 address as applicable. The IP address specified here is for the entire load-balancing group and the director will open up this IP address for incoming VPN connections. |
Step 6 | Select the Communication Interface for the load balancing group. Or click Add to add an interface group or security zone. This is a private interface through which director and members share information about their load. |
Step 7 | Enter the UDP port for communication between the director and members in a group. The default port is 9023. |
Step 8 | Click the Enable toggle button to activate IPsec Encryption for the communication between the director and members. Enabling the encryption establishes IKEv1/IPsec tunnel between the director and members using a pre-shared key. |
Step 9 | Enter Encryption Key for IPsec encryption and re-enter the key to Confirm Key. |
Step 10 | Click OK. |
Configure Additional Settings for Load Balancing
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy or create a new one, and then edit the remote access VPN policy. |
Step 3 | Click . |
Step 4 | Click the Enable Load balancing between member devices toggle button to enable load balancing if not done already. |
Step 5 | Click Settings. |
Step 6 | Click Send FQDN to peer devices instead of IP to enable redirection using a fully qualified domain name. By default, threat defense sends only IP addresses in VPN load balancing redirection to a client. |
Step 7 | Select one of the IKEv2 Redirect phases: |
Step 8 | Click OK. |
Configure Settings for Participating Devices
The device participation settings determine how the devices share the load in VPN load balancing. Configure a participating device by enabling VPN load balancing on the device and defining device-specific properties. These values vary from device to device. You can provide a priority number for the devices participating in load balancing; a higher priority number gives a device a better chance of becoming the director over other devices. However, you cannot select a device to be the director of the group.
Procedure
Step 1 | Choose . |
Step 2 | Select an existing remote access VPN policy or create a new one. |
Step 3 | Edit a remote access VPN policy. |
Step 4 | Click . |
Step 5 | Click the Enable Load balancing between member devices toggle button to enable load balancing if you have not enabled already. |
Step 6 | Configure Device Participation settings: The Device Participation section lists all the devices that are added to the selected remote access VPN configuration. These devices can be configured to share the load of the incoming VPN sessions. |
Step 7 | Click Save to save the remote access VPN policy settings. |
Configuring IPsec Settings for Remote Access VPNs
The IPsec settings are applicable only if you selected IPsec as the VPN protocol while configuring your remote access VPN policy. If not, you can enable IKEv2 using the Edit Access Interface dialog box. See Configure Access Interfaces for Remote Access VPN for more information.
Procedure
Step 1 | Choose . |
Step 2 | From the list of available VPN policies, select the policy for which you want to modify the settings. |
Step 3 | Click Advanced. The list of IPsec settings appears in a navigation pane on the left of the screen. |
Step 4 | Use the navigation pane to edit the following IPsec options: |
Step 5 | Click Save. |
Configure Remote Access VPN Crypto Maps
Crypto maps are automatically generated for the interfaces on which IPsec-IKEv2 protocol has been enabled. You can add or remove interface groups to the selected VPN policy in Access Interface. See Configure Access Interfaces for Remote Access VPN for more information.
Procedure
Step 1 | Choose . |
Step 2 | From the list of available VPN policies, select the policy for which you want to modify the settings. |
Step 3 | Click Advanced > Crypto Maps, select a row in the table, and click Edit to edit the Crypto map options. |
Step 4 | Select IKEv2 IPsec Proposals and select the transform sets to specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. |
Step 5 | Select Enable Reverse Route Injection to enable static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. |
Step 6 | Select Enable Client Services and specify the port number. The Client Services Server provides HTTPS [SSL] access to allow the AnyConnect Downloader to receive software upgrades, profiles, localization and customization files, CSD, SCEP, and other file downloads required by the AnyConnect client. If you select this option, specify the client services port number. If you do not enable the Client Services Server, users will not be able to download any of these files that the AnyConnect client might need. |
Step 7 | Select Enable Perfect Forward Secrecy and select the Modulus group. Use Perfect Forward Secrecy [PFS] to generate and use a unique session key for each encrypted exchange. The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared or private keys used by the endpoint devices. If you select this option, also select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key in the Modulus Group list. The modulus group is the Diffie-Hellman group used for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select the modulus group that you want to allow in the remote access VPN configuration: |
Step 8 | Specify the Lifetime Duration [seconds]. The lifetime of the security association [SA], in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Generally, the shorter the lifetime [up to a point], the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. You can specify a value from 120 to 2147483647 seconds. The default is 28800 seconds. |
Step 9 | Specify the Lifetime Size [kbytes]. The volume of traffic [in kilobytes] that can pass between IPsec peers using a given security association before it expires. You can specify a value from 10 to 2147483647 kbytes. The default is 4,608,000 kilobytes. If no value is specified, the data volume is unlimited. |
Step 10 | Select the following ESPv3 Settings: |
Step 11 | Click OK. |
IKE Policies in Remote Access VPNs
Internet Key Exchange [IKE] is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations [SAs]. The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate a connection. An IKE proposal is a set of algorithms that two peers use to secure the negotiation between them. IKE negotiation begins by each peer agreeing on a common [shared] IKE policy. This policy states which security parameters are used to protect subsequent IKE negotiations.
Note |
Unlike IKEv1, in an IKEv2 proposal you can select multiple algorithms and modulus groups in one policy. Since the peers choose during the Phase 1 negotiation, this makes it possible to create a single IKE proposal, but consider multiple, different proposals to give higher priority to your most desired options. For IKEv2, the policy object does not specify authentication; other policies must define the authentication requirements.
An IKE policy is required when you configure a remote access IPsec VPN.
Configuring Remote Access VPN IKE Policies
The IKE Policy table specifies all the IKE policy objects applicable for the selected VPN configuration when AnyConnect endpoints connect using the IPsec protocol. For more information, see IKE Policies in Remote Access VPNs.
Procedure
Step 1 | Choose . |
Step 2 | From the list of available VPN policies, select the policy for which you want to modify the settings. |
Step 3 | Click Advanced > IKE Policy. |
Step 4 | Click Add to select from the available IKEv2 policies, or add a new IKEv2 policy and specify the following: |
Step 5 | Click Save. |
Configure Remote Access VPN IPsec/IKEv2 Parameters
Procedure
Step 1 | Choose . |
Step 2 | From the list of available VPN policies, select the policy for which you want to modify the settings. |
Step 3 | Click Advanced > IPsec > IPsec/IKEv2 Parameters. |
Step 4 | Select the following for IKEv2 Session Settings: |
Step 5 | Select the following for IKEv2 Security Association [SA] Settings: |
Step 6 | Select the following for IPsec Settings: |
Step 7 | Select the following for NAT Settings: |
Step 8 | Click Save. |
Configure AnyConnect Management VPN Tunnel
A management VPN tunnel provides connectivity to the corporate network whenever a client system is powered up, without the VPN users having to connect to the VPN. This helps organizations keep their endpoints up-to-date with software patches and updates. Management tunnel disconnects when the user-initiated VPN tunnel is established.
This section provides information about configuring AnyConnect management VPN tunnel on threat defense. Configuring an AnyConnect management tunnel on threat defense using the management center web interface requires the following settings:
A Connection profile with certificate-based authentication and a group URL.
An AnyConnect management VPN profile file, with a server configured with the group URL and backup servers if required.
A Group policy with the management VPN profile, split tunneling with explicitly included networks, client bypass protocol, and no banner.
For detailed instructions to configure an AnyConnect Management VPN tunnel, see Configuring AnyConnect Management VPN Tunnel on Threat Defense.
Requirements and Prerequisites for AnyConnect Management VPN Tunnel
Software and Configuration Requirements
Ensure that you have the following before you configure the AnyConnect Management tunnel on the threat defense using the management center web interface:
Ensure that you are using threat defense and management center versions 6.7.0 or above.
Download the AnyConnect VPN Webdeploy package 4.7 or above and upload it to threat defense remote access VPN.
Ensure that the certificate authentication is configured in the connection profile.
Ensure that no banner is configured in the group policy.
Check the split tunneling configuration in the management tunnel-group policy.
Certificate Requirements
Threat Defense must have a valid identity certificate for remote access VPN and the root certificate from the local certifying authority [CA] must be present on the threat defense.
Endpoints connecting to the management VPN tunnel must have a valid identity certificate.
The CA certificate for the threat defense's identity certificate must be installed on the endpoints, and the CA certificate for the endpoints must be installed on the threat defense.
The identity certificate issued by the same local CA must be present in the Machine Certificate Store [for Windows] and/or in the System Keychain [for macOS].
Limitations of AnyConnect Management VPN Tunnel
AnyConnect Management VPN Tunnel supports only certificate authentication; it does not support AAA-based authentication.
Public or private proxy settings are not supported.
AnyConnect client upgrade and AnyConnect module download are not supported when the management VPN tunnel is connected.
Configuring AnyConnect Management VPN Tunnel on Threat Defense
Procedure
Step 1 | Create a remote access VPN policy configuration using the wizard: For information about configuring a remote access VPN, see Configuring a New Remote Access VPN Connection. |
Step 2 | Configure connection profile settings for the management VPN tunnel: For more information about connection profile settings, see Configure Connection Profile Settings. |
Step 3 | Create a management tunnel profile using the AnyConnect profile editor: For information about creating a management profile using the Profile Editor, see the Cisco AnyConnect Secure Mobility Client Administrator Guide. |
Step 4 | Create a management tunnel object: |
Step 5 | Associate a management profile with a group policy and configure group policy settings: You must add the management VPN profile to the group policy associated with the connection profile used for the management tunnel VPN connection. When the user connects, the management VPN profile is downloaded along with the user VPN profile already mapped to the group policy, enabling the management VPN tunnel feature. |
Step 6 | Configure split tunneling in the group policy: AnyConnect Custom Attribute: The AnyConnect Management VPN tunnel requires a split-include tunneling configuration by default. If you are configuring an AnyConnect custom attribute in the group policy to deploy the management VPN tunnel with tunnel-all split tunneling, you can do so using FlexConfig, because the management center 6.7 web interface does not support AnyConnect custom attributes. The following is an example command for the AnyConnect custom attribute: |
Step 7 | Deploy, verify, and monitor the remote access VPN policy: |
Multiple Certificate Authentication
Multiple certificate-based authentication gives the threat defense the ability to validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access using the AnyConnect client during the SSL or IKEv2 EAP phase.
The multiple certificates option allows certificate authentication of both the machine and user via certificates. Without this option, you could only do certificate authentication of either machine or the user, but not both.
Limitations of Multiple Certificate Authentication
Multiple certificate authentication currently limits the number of certificates to two.
The AnyConnect client must indicate support for multiple certificate authentication. If it does not, the gateway uses one of the legacy authentication methods or fails the connection. AnyConnect version 4.4.04030 or later supports multi-certificate based authentication.
AnyConnect supports only RSA-based certificates.
Only SHA256, SHA384, and SHA512 based certificates are supported during the AnyConnect aggregate authentication.
Certificate authentication cannot be combined with SAML authentication.
Configuring Multiple Certificate Authentication
Before you begin
Before you configure multiple certificate authentication, ensure that you have configured the certificate enrollment object that is used to obtain the identity certificate for each Secure Firewall Threat Defense device. For more information, see Certificate Map Objects.
Procedure
Step 1 | Choose . |
Step 2 | Select the remote access VPN policy and click Edit. |
Step 3 | Select and edit a connection profile to configure multiple certificate authentication. |
Step 4 | Click AAA settings and select Authentication Method > Client Certificate Only or Client Certificate & AAA. |
Step 5 | Select the Enable multiple certificate authentication checkbox. |
Step 6 | Choose one of the certificates to Map username from client certificate: The username sent from the client is used as the VPN session username when certificate-only authentication is enabled. When AAA and certificate authentication is enabled, the VPN session username is based on the prefill option. |
Step 7 | Configure the required AAA settings and connection profile settings for the remote access VPN. |
Step 8 | Save the connection profile and remote access VPN configuration and deploy it on your Secure Firewall Threat Defense device. |
Customizing Remote Access VPN AAA Settings
This section provides information about customizing your AAA preferences for remote access VPNs. For more information, see Configure AAA Settings for Remote Access VPN.
Authenticate VPN Users via Client Certificates
You can configure remote access VPN authentication using a client certificate when you create a new remote access VPN policy using the wizard, or by editing the policy later.
Before you begin
Configure the certificate enrollment object that is used to obtain the identity certificate for each Secure Firewall Threat Defense device that acts as a VPN gateway.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy. |
Step 3 | For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit. |
Step 4 | Click . With this authentication method, the user is authenticated using a client certificate. You must configure the client certificate on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU, respectively. If the user name is specified in other fields of the client certificate, use the Primary and Secondary fields to map the appropriate fields. If you select the Map specific field option, the username is taken from the selected client certificate fields; the Primary and Secondary fields display the default values CN [Common Name] and OU [Organisational Unit], respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name [DN] is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication. For more information, see Configure AAA Settings for Remote Access VPN. |
Configure Remote Access VPN Login via Client Certificate and AAA Server
When remote access VPN authentication is configured to use both client certificate and authentication server, VPN client authentication is done using both the client certificate validation and AAA server.
Before you begin
Configure the certificate enrollment object that is used to obtain the identity certificate for each threat defense device that acts as a VPN gateway.
Configure the RADIUS server group object and any AD or LDAP realms being used by this remote access VPN policy.
Ensure that the AAA Server is reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select an existing remote access policy and click Edit; or click Add to create a new remote access VPN policy. |
Step 3 | For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit. |
Step 4 | Click , Client Certificate & AAA. For more information, see Configure AAA Settings for Remote Access VPN. |
Manage Password Changes over VPN Sessions
Password management allows a remote access VPN administrator to configure the notification settings for the remote access VPN users on their password expiry. Password management is available in AAA settings with authentication methods AAA Only and Client Certificate & AAA. For more information, see Configure AAA Settings for Remote Access VPN.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit. |
Step 3 | Select the connection profile that includes AAA settings and click Edit. |
Step 4 | Select AAA > Advanced Settings > Password Management. |
Step 5 | Select Enable Password Management and select one of the following: |
Step 6 | Click Save. |
Send Accounting Records to the RADIUS Server
Accounting records in remote access VPN help the VPN administrator track the services that users access and the amount of network resources they consume. Accounting information includes when user sessions start and stop, usernames, the number of bytes that pass through the device for each session, the service used, and the duration of each session. This data can then be analyzed for network management, client billing, or auditing.
You can use accounting alone or together with authentication and authorization. When you activate AAA accounting, the network access server reports user activity to the configured accounting server. You can configure a RADIUS server as the accounting server so that all the user activity information is sent from Secure Firewall Management Center to the RADIUS server.
Note | You can use the same RADIUS server or separate RADIUS servers for authentication, authorization, and accounting in remote access VPN AAA settings. |
Before you begin
Configure a RADIUS group object with RADIUS servers to which authentication requests or accounting records will be sent. See RADIUS Server Group Options.
Ensure that the RADIUS servers are reachable from the Secure Firewall Threat Defense device. Configure routing on your Secure Firewall Management Center at Devices > Device Management > Edit Device > Routing to ensure connectivity to the RADIUS server.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit, or create a new remote access VPN policy. |
Step 3 | Select the connection profile that includes AAA settings and click Edit > AAA. |
Step 4 | Select a RADIUS server as the Accounting Server. |
Step 5 | Click Save. |
Delegating Group Policy Selection to Authorization Server
The group policy applied to a user is determined when the VPN tunnel is being established. You can select a group policy for a connection profile while creating a remote access VPN policy using the wizard, or update the group policy of a connection profile later. Alternatively, you can configure the AAA [RADIUS] server to assign the group policy; otherwise it is obtained from the current connection profile. If the threat defense device receives attributes from the external AAA server that conflict with those configured on the connection profile, the attributes from the AAA server always take precedence.
You can configure ISE or the RADIUS server to set the Authorization Profile for a user or user group by sending IETF RADIUS Attribute 25 and mapping it to the corresponding group policy name. You can configure a specific group policy for a user or user group to push a downloadable ACL, set a banner, restrict the VLAN, and configure the advanced option of applying an SGT to the session. These attributes are applied to all users that are part of that group when the VPN connection is established.
For more information, see the Configure Standard Authorization Policies section of Cisco Identity Services Engine Administrator Guide and RADIUS Server Attributes for Secure Firewall Threat Defense.
Override the Selection of Group Policy or Other Attributes by the Authorization Server
When a remote access VPN user connects to the VPN, the group policy and other attributes configured in the connection profile are assigned to the user. However, the remote access VPN system administrator can delegate the selection of group policy and other attributes to the authorization server by configuring ISE or the RADIUS Server to set the Authorization Profile for a user or user-group. Once users are authenticated, these specific authorization attributes are pushed to the Secure Firewall Threat Defense device.
Ensure that you configure a remote access VPN policy with RADIUS as the authentication server.
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit. |
Step 3 | Select RADIUS or ISE as the authorization server if not configured already. |
Step 4 | Select Advanced > Group Policies and add the required group policy. For detailed information about a group policy object, see Configure Group Policy Objects. You can map only one group policy to a connection profile; but you can create multiple group policies in a remote access VPN policy. These group policies can be referenced in ISE or the RADIUS server and configured to override the group policy configured in the connection profile by assigning the authorization attributes in the authorization server. |
Step 5 | Deploy the configuration on the target Secure Firewall Threat Defense device. |
Step 6 | On the authorization server, create an Authorization Profile with RADIUS attributes for IP address and downloadable ACLs. When the group policy is configured in the authorization server selected for remote access VPN, the group policy overrides the group policy configured in the connection profile for the remote access VPN user after the user is authenticated. |
Deny VPN Access to a User Group
Ensure that you have configured remote access VPN using the Remote Access Policy wizard and configured authentication settings for the remote access VPN policy.
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit. |
Step 3 | Select Advanced > Group Policies. |
Step 4 | Select a group policy and click Edit or add a new group policy. |
Step 5 | Select Advanced > Session Settings and set Simultaneous Login Per User to 0 [zero]. |
Step 6 | Click Save to save the group policy and then save the remote access VPN configuration. |
Step 7 | Configure ISE or the RADIUS server to set the Authorization Profile for that user/user-group to send IETF RADIUS Attribute 25 and map to the corresponding group policy name. |
Step 8 | Configure the ISE or RADIUS server as the authorization server in the remote access VPN policy. |
Step 9 | Save and deploy the remote access VPN policy. |
Restrict Connection Profile Selection for a User Group
When you want to enforce a single connection profile on a user or user group, you can choose to disable the connection profile so that the group alias or URLs are not available for the users to select when they connect using the AnyConnect VPN client.
For example, if your organization wants to use specific configurations for different VPN user groups such as mobile users, corporate-issued laptop users, or personal laptop users, you can configure a connection profile specific to each of these user groups and apply the appropriate connection profile when the user connects to the VPN.
The AnyConnect client, by default, shows a list of the connection profiles [by connection profile name, alias, or alias URL] configured in Secure Firewall Management Center and deployed on Secure Firewall Threat Defense. If custom connection profiles are not configured, AnyConnect shows the DefaultWEBVPNGroup connection profile. Use the following procedure to enforce a single connection profile for a user group.
On your Secure Firewall Management Center web interface, configure remote access VPN using the remote access VPN policy wizard with Authentication Method as 'Client Certificate Only' or 'Client Certificate + AAA'. Choose the username fields from the certificate.
Configure ISE or RADIUS server for authorization and associate the group policy with the authorization server.
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access policy and click Edit. |
Step 3 | Select Access Interfaces and disable Allow users to select connection profile while logging in. |
Step 4 | Click Advanced > Certificate Maps. |
Step 5 | Select Use the configured rules to match a certificate to a Connection Profile. |
Step 6 | Select the Certificate Map Name or click the Add icon to add a certificate rule. |
Step 7 | Select the Connection Profile, and click Ok. |
Update the AnyConnect Client Profile for Remote Access VPN Clients
An AnyConnect Client Profile is an XML file that contains administrator-defined end-user requirements and authentication policies to be deployed on a VPN client system as part of AnyConnect. It makes the preconfigured network profiles available to end users.
You can use the GUI-based AnyConnect Profile Editor, an independent configuration tool, to create an AnyConnect Client Profile. The standalone profile editor can be used to create a new AnyConnect profile or modify an existing one. You can download the profile editor from the Cisco Software Download Center.
See the AnyConnect Profile Editor chapter in the appropriate release of the Cisco AnyConnect Secure Mobility Client Administrator Guide for details.
Ensure that you have configured remote access VPN using the Remote Access Policy wizard and deployed the configuration on Secure Firewall Threat Defense device. See Create a New Remote Access VPN Policy.
On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect client image.
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. |
Step 2 | Select a remote access VPN policy and click Edit. |
Step 3 | Select the connection profile that includes the client profile to be edited, and click Edit. |
Step 4 | Click Edit Group Policy > AnyConnect > Profiles. |
Step 5 | Select the client profile XML file from the list or click Add to add a new client profile. |
Step 6 | Save the group policy, connection profile, and then the remote access VPN policy. |
Step 7 | Deploy the changes. |
RADIUS Dynamic Authorization
Secure Firewall Threat Defense has the capability to use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic access control lists [ACLs] or ACL names per user. To implement dynamic ACLs for dynamic authorization or RADIUS Change of Authorization [RADIUS CoA], you must configure the RADIUS server to support them. When the user tries to authenticate, the RADIUS server sends a downloadable ACL or ACL name to the Secure Firewall Threat Defense. Access to a given service is either permitted or denied by the ACL. Secure Firewall Threat Defense deletes the ACL when the authentication session expires.
Configuring RADIUS Dynamic Authorization
Only one interface can be configured in the security zone or interface group if it is referenced in a RADIUS server.
A dynamic authorization enabled RADIUS server requires Secure Firewall Threat Defense 6.3 or later for the dynamic authorization to work.
Interface selection in RADIUS server is not supported on Secure Firewall Threat Defense 6.2.3 or earlier versions. The interface option will be ignored during deployment.
Threat Defense posture VPN does not support group policy change through dynamic authorization or RADIUS change of authorization [CoA].
Step 1 | Log on to your Secure Firewall Management Center web interface. | |
Step 2 | Configure a RADIUS server object with dynamic authorization. | RADIUS Server Group Options |
Step 3 | Configure a route to the ISE server through an interface enabled for change of authorization [CoA] to establish connectivity from Secure Firewall Threat Defense to the RADIUS server through routing or a specific interface. | RADIUS Server Group Options; Configure ISE/ISE-PIC for User Control |
Step 4 | Configure a remote access VPN policy and select the RADIUS server group object that you have created with dynamic authorization. | Create a New Remote Access VPN Policy |
Step 5 | Configure the DNS server details and domain-lookup interfaces using the Platform Settings. | Configure DNS; DNS Server Group Objects |
Step 6 | Configure a split tunnel in the group policy to allow DNS traffic through the Remote Access VPN tunnel if the DNS server is reachable through the VPN network. | Configure Group Policy Objects |
Step 7 | Deploy the configuration changes. | Deploy Configuration Changes |
Two-Factor Authentication
You can configure two-factor authentication for the remote access VPN. With two-factor authentication, the user must supply a username and static password, plus an additional item such as an RSA token or a passcode. Two-factor authentication differs from using a second authentication source in that two-factor is configured on a single authentication source, with the relationship to the RSA server tied to the primary authentication source.
Secure Firewall Threat Defense supports RSA tokens and Duo Push authentication requests to Duo Mobile for the second factor in conjunction with any RADIUS or AD server as the first factor in the two-factor authentication process.
Configuring RSA Two-Factor Authentication
You can configure the RADIUS or AD server as the authentication agent in the RSA server, and use the server in Secure Firewall Management Center as the primary authentication source in the remote access VPN.
When using this approach, the user must authenticate using a username that is configured in the RADIUS or AD server, and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.
In this configuration, it is typical to use a separate RADIUS server [such as one supplied in Cisco ISE] to provide authorization services. You would configure the second RADIUS server as the authorization and, optionally, accounting server.
Ensure that the following configurations are complete before configuring RADIUS two-factor authentication on Secure Firewall Threat Defense:
On the RSA Server
Configure RADIUS or Active Directory server as an authentication agent.
Generate and download the configuration [sdconf.rec] file.
Create a token profile, assign the token to the user, and distribute the token to the user. Download and install the token on the remote access VPN client system.
For more information, see the RSA SecurID Suite documentation.
On the ISE Server
Import the configuration [sdconf.rec] file generated on the RSA server.
Add the RSA server as the external identity source and specify the shared secret.
Step 1 | Log on to your Secure Firewall Management Center web interface. | |
Step 2 | Create a RADIUS server group. | RADIUS Server Group Options |
Step 3 | Create a RADIUS Server object within the new RADIUS server group, with the RADIUS or AD server as the host and with a timeout of 60 seconds or more. | RADIUS Server Group Options |
Step 4 | Configure a new remote access VPN policy using the wizard or edit an existing remote access VPN policy. | Create a New Remote Access VPN Policy |
Step 5 | Select RADIUS as the authentication server and then select the newly created RADIUS server group as the authentication server. | Configure AAA Settings for Remote Access VPN |
Step 7 | Deploy the configuration changes. | Deploy Configuration Changes |
Configuring Duo Two-Factor Authentication
You can configure the Duo RADIUS server as the primary authentication source. This approach uses the Duo RADIUS Authentication Proxy. [You cannot use a direct connection with the Duo Cloud Service over LDAPS.]
For the detailed steps to configure Duo, see //duo.com/docs/cisco-firepower.
You would then configure Duo to forward authentication requests directed to the proxy server to use another RADIUS server, or an AD server, as the first authentication factor, and the Duo Cloud Service as the second factor.
When using this approach, the user must authenticate using a username that is configured on both the Duo Cloud or web server, and the associated RADIUS server. The user must enter the password configured in the RADIUS server, followed by one of the following Duo codes:
Duo-passcode. For example, my-password,123456.
push. For example, my-password,push. Use push to tell Duo to send a push authentication to the Duo Mobile app, which the user must have already installed and registered.
sms. For example, my-password,sms. Use sms to tell Duo to send an SMS message with a new batch of passcodes to the user’s mobile device. The user’s authentication attempt will fail when using sms. The user must then re-authenticate and enter the new passcode as the secondary factor.
phone. For example, my-password,phone. Use phone to authenticate using phone callback.
For more information on login options with examples, see //guide.duo.com/anyconnect.
Before configuring two-factor authentication with Duo Authentication Proxy on Secure Firewall Threat Defense, ensure that you complete the following configurations:
Configure a working primary authentication [RADIUS or AD] for your remote access VPN users before you begin to deploy Duo.
Install Duo proxy service on a Windows or Linux machine within your network to integrate Duo with Secure Firewall Threat Defense remote access VPN. This Duo proxy server also acts as a RADIUS server.
Download and install the most recent Duo authentication proxy from the following location:
Windows: //dl.duosecurity.com/duoauthproxy-latest.exe
Linux: //dl.duosecurity.com/duoauthproxy-latest-src.tgz
Verify the checksum at //duo.com/docs/checksums#duo-authentication-proxy.
Configure Duo authentication file authproxy.cfg. Follow instructions on the //duo.com/docs/cisco-firepower#configure-the-proxy page to configure the authentication configuration settings.
The authproxy.cfg configuration file must contain the details of the RADIUS or ISE server, the Secure Firewall Threat Defense device, the Duo proxy server, the Integration Key, the Secret key, and the API host.
Ensure that you have the right API host information in the authproxy.cfg file.
Configure other required settings such as secondary authentication factor in the newly installed Duo proxy server at Duo Security Server > Duo Admin Panel > Applications > CISCO RADIUS VPN.
Step 1 | Log on to your Secure Firewall Management Center web interface. | |
Step 2 | Create a RADIUS server group. | RADIUS Server Group Options |
Step 3 | Create a RADIUS Server object within the new RADIUS server group, with the Duo proxy server as the host and with a timeout of 60 seconds or more. | RADIUS Server Options |
Step 4 | Configure a new remote access VPN policy using the wizard or edit an existing remote access VPN policy. | Create a New Remote Access VPN Policy |
Step 5 | Select RADIUS as the authentication server and then select the RADIUS server group created with the Duo proxy server as the authentication server. | Configure AAA Settings for Remote Access VPN |
Step 7 | Deploy the configuration changes. | Deploy Configuration Changes |
Secondary Authentication
Secondary authentication, or double authentication, in Secure Firewall Threat Defense adds an additional layer of security to remote access VPN connections by using two different authentication servers. With secondary authentication enabled, an AnyConnect VPN user must provide two sets of credentials to log in to the VPN gateway.
Secure Firewall Threat Defense remote access VPN supports secondary authentication in AAA Only and Client Certificate & AAA authentication methods.
Configure Remote Access VPN Secondary Authentication
Configure two authentication [AAA] servers, the primary and secondary authentication servers, and the required identity certificates. The authentication servers can be RADIUS servers, and AD or LDAP realms.
Ensure that the AAA servers are reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work. Configure routing [at Devices > Device Management > Edit Device > Routing] to ensure connectivity to the AAA servers.
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. | ||
Step 2 | Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy. | ||
Step 3 | For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit. | ||
Step 4 | Click , AAA or Client Certificate & AAA. |
Single Sign-on Authentication with SAML 2.0
About SAML Single Sign-on Authentication
Security Assertion Markup Language [SAML] is an open standard for logging users into applications based on their sessions in another context. Organizations already know the identity of users when users are logged in to their Active Directory [AD] domain or the intranet. They use this identity information to log users in to other applications, such as web-based applications, by using SAML. Individual applications do not need to store credentials, and users do not have to remember and manage different sets of credentials for individual applications. SAML single sign-on [SSO] works by transferring the user's identity from one place [the identity provider] to another [the service provider].
SAML Single Sign-on with Secure Firewall Threat Defense
The Secure Firewall Threat Defense device supports SAML 2.0 single sign-on [SSO] authentication for remote access VPN connections using the AnyConnect Secure Mobility Client. You need the following to configure SAML 2.0 SSO on Secure Firewall Threat Defense:
Identity Provider [IdP]—The Duo Access Gateway acts as the identity provider to perform user authentication and issues assertions.
Service Provider [SP]—The threat defense device acts as the service provider and obtains the authentication assertion from the identity provider.
VPN Client—The AnyConnect Secure Mobility Client performs SAML 2.0 authentication via an embedded browser.
Guidelines and Limitations for SAML 2.0
Threat Defense supports the following signatures for SAML authentication:
SHA1 with RSA and HMAC
SHA2 with RSA and HMAC
Threat Defense supports the SAML 2.0 Redirect-POST binding, which is supported by all SAML IdPs.
The Threat Defense functions as a SAML SP only. It cannot act as an Identity Provider in gateway mode or peer mode.
Having SAML authentication attributes available in DAP evaluation [similar to RADIUS attributes sent in RADIUS auth response from AAA server] is not supported. Threat Defense supports SAML enabled group policy on DAP policy; however, you cannot check the username attribute while using SAML authentication, because the username attribute is masked by the SAML Identity provider.
Threat Defense administrators need to ensure clock synchronization between the threat defense and the SAML IdP for proper handling of authentication assertions and proper timeout behavior.
Threat Defense administrators have the responsibility to maintain a valid signing certificate on both threat defense and IdP considering the following:
The IdP signing certificate is mandatory when configuring an IdP on the threat defense.
The threat defense does not do a revocation check on the signing certificate received from the IdP.
In SAML assertions, there are NotBefore and NotOnOrAfter conditions. The threat defense SAML configured timeout interacts with these conditions as follows:
Timeout overrides NotOnOrAfter if the sum of NotBefore and timeout is earlier than NotOnOrAfter.
If NotBefore + timeout is later than NotOnOrAfter, then NotOnOrAfter takes effect.
If the NotBefore attribute is absent, the threat defense denies the login request. If the NotOnOrAfter attribute is absent and SAML timeout is not set, threat defense denies the login request.
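The timeout rules above are easy to misread, so here is a small model of them, added as an example and not taken from Cisco's documentation or product. It computes the instant at which the gateway would stop honouring an assertion for each combination of NotBefore, NotOnOrAfter and the configured SAML timeout; the function names and the sample timestamps are constructed, and the case "NotOnOrAfter absent but timeout set" is treated as NotBefore + timeout, which is the only bound left.

```python
# Added example (not from the Cisco documentation or product): models how the
# threat defense SAML timeout interacts with an assertion's NotBefore and
# NotOnOrAfter conditions, as described above. Function names and the sample
# timestamps are constructed for illustration.
from datetime import datetime, timedelta, timezone
from typing import Optional

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"   # SAML xs:dateTime in UTC, as IdPs commonly emit it


def parse_saml_time(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; a missing attribute stays None."""
    if value is None:
        return None
    return datetime.strptime(value, ISO_FMT).replace(tzinfo=timezone.utc)


def effective_expiry(not_before: Optional[str],
                     not_on_or_after: Optional[str],
                     timeout_seconds: Optional[int]) -> Optional[str]:
    """Return when the gateway stops honouring the assertion, or None if the
    login is denied outright.

    Rules as stated on the page:
      * NotBefore absent                              -> deny
      * NotOnOrAfter absent and no SAML timeout       -> deny
      * NotBefore + timeout earlier than NotOnOrAfter -> timeout wins
      * otherwise                                     -> NotOnOrAfter takes effect
    When NotOnOrAfter is absent but a timeout is set, NotBefore + timeout is
    the only bound left, so that is what this model uses (assumption).
    """
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    if nb is None:
        return None
    if noa is None and timeout_seconds is None:
        return None
    if timeout_seconds is None:
        expiry = noa
    else:
        by_timeout = nb + timedelta(seconds=timeout_seconds)
        expiry = by_timeout if noa is None or by_timeout < noa else noa
    return expiry.strftime(ISO_FMT)


def assertion_accepted(now: str, not_before: Optional[str],
                       not_on_or_after: Optional[str],
                       timeout_seconds: Optional[int]) -> bool:
    """True if a login attempt at `now` falls inside the honoured window."""
    expiry = effective_expiry(not_before, not_on_or_after, timeout_seconds)
    if expiry is None:
        return False
    t = parse_saml_time(now)
    return parse_saml_time(not_before) <= t < parse_saml_time(expiry)


if __name__ == "__main__":
    # Constructed assertion: a ten-minute validity window issued at 12:00 UTC.
    NB, NOA = "2024-01-01T12:00:00Z", "2024-01-01T12:10:00Z"
    for timeout in (300, 900, None):
        print(f"timeout={timeout!s:>4}: window ends at {effective_expiry(NB, NOA, timeout)}")
    print("NotBefore missing ->", effective_expiry(None, NOA, 300))
    print("NotOnOrAfter missing, no timeout ->", effective_expiry(NB, None, None))
```

Because the comparison is done in absolute time, the clock-synchronization requirement stated elsewhere in this section is what keeps these results meaningful on a real gateway.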
Threat Defense does not work with Duo in a deployment using an internal SAML, which forces the threat defense to proxy for the client to authenticate, due to the FQDN change that occurs during challenge/response for Two-factor authentication [push, code, password].
When using SAML with AnyConnect, follow these guidelines:
Untrusted server certificates are not allowed in the embedded browser.
The embedded browser SAML integration is not supported in CLI or SBL modes.
SAML authentication established in a web browser is not shared with AnyConnect and vice versa.
Depending on the configuration, various methods are used when connecting to the headend with the embedded browser. For example, while AnyConnect might prefer an IPv4 connection over an IPv6 connection, the embedded browser might prefer IPv6, or vice versa. Similarly, AnyConnect may fall back to no proxy after trying proxy and getting a failure, while the embedded browser may stop navigation after trying proxy and getting a failure.
You must synchronize your threat defense's Network Time Protocol [NTP] server with the IdP NTP server in order to use the SAML feature.
You cannot access internal servers with SSO after logging in using an internal IdP.
The SAML IdP NameID attribute determines the user's username and is used for authorization, accounting, and the VPN session database.
Configuring a SAML Single Sign-on Authentication
Ensure that you have done the following before you configure SAML single sign-on with threat defense remote access VPN:
Create an account with Duo
Download and install the Duo Access Gateway
Obtain the following from your SAML identity provider [Duo]
Identity Provider Entity ID URL
Sign-in URL
Sign-out URL
Identity provider certificate
Create a SAML single sign-on server object under Object > Object Management > AAA Server > Single Sign-on Server
Note: You can also create a single sign-on server object in the connection profile settings when you create a new remote access VPN configuration using the wizard.
Step 1 | Choose . |
Step 2 | Click Add to create a new remote access VPN or edit an existing VPN configuration. |
Step 3 | Configure the Connection Profile > AAA settings and select Authentication Method > SAML. |
Step 4 | Select the required SAML single sign-on server as the Authentication Server. |
Step 5 | Configure the required settings for the remote access VPN. |
Step 6 | Save the remote access VPN configuration and deploy it on your Secure Firewall Threat Defense device. |
Configuring SAML Authorization
SAML authorization supports user attributes delivered in SAML assertions within the AAA and Dynamic Access Policy [DAP] frameworks. The SAML assertion attributes can be configured on the Identity Provider as name-value pairs and they will be parsed as strings. The attributes received are made available to DAP so that they can be used when defining selection criteria within a DAP record. The SAML assertion cisco_group_policy is used to determine the Group Policy to be applied to the VPN session.
In the DAP table, the DAP attributes are represented in the following format:
aaa.saml.name = "value"
Example: aaa.saml.department = "finance"
This attribute can be used in DAP selection as follows:
aaa.saml.department finance EQ
Multi-valued attributes are also supported in DAP, and the DAP table is indexed:
aaa.saml.name.1 = "value"
aaa.saml.name.2 = "value"
The Active Directory [AD] memberOf attribute receives special processing that is consistent with the way it is handled through an LDAP query.
Group names are represented by the CN attribute of the DN.
Example attributes received from the authorization server:
memberOf = "CN=FTD-VPN-Group,OU=Users,OU=TechspotUsers,DC=techspot,DC=us"
memberOf = "CN=Domain Admins,OU=Users,DC=techspot,DC=us"
Dynamic Access Policy attributes:
aaa.saml.memberOf.1 = "FTD-VPN-Group"
aaa.saml.memberOf.2 = "Domain Admins"
A group policy can be specified by a SAML assertion attribute. When the threat defense receives an attribute named "cisco_group_policy", the corresponding value is used to select the group policy for the connection.
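As an added example (not Cisco's code and not from this guide), the Python below models the attribute handling described above: it flattens constructed SAML assertion attributes into the aaa.saml.name and indexed aaa.saml.name.N forms, reduces memberOf DNs to their CN, evaluates EQ/NE selection criteria with the All or Any match setting, and picks the group policy from cisco_group_policy. The sample assertion, the criteria tuples, the NE handling of multi-valued attributes and the DfltGrpPolicy fallback are assumptions.

```python
import re

# Constructed sample of SAML assertion attributes as an IdP might deliver
# them (name -> list of values); not a real capture.
SAMPLE_ASSERTION = {
    "department": ["finance"],
    "cisco_group_policy": ["GP-Finance"],
    "memberOf": [
        "CN=FTD-VPN-Group,OU=Users,OU=TechspotUsers,DC=techspot,DC=us",
        "CN=Domain Admins,OU=Users,DC=techspot,DC=us",
    ],
}

def group_cn(dn):
    """Reduce a memberOf DN to its CN, as the text describes for AD groups."""
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return dn  # no CN present: keep the raw value

def to_dap_attributes(assertion):
    """Flatten assertion attributes to aaa.saml.<name> or aaa.saml.<name>.<n>."""
    dap = {}
    for name, values in assertion.items():
        if name == "memberOf":
            values = [group_cn(v) for v in values]
        if len(values) == 1:
            dap[f"aaa.saml.{name}"] = str(values[0])
        else:  # multi-valued: index from 1, matching the DAP table layout
            for i, v in enumerate(values, start=1):
                dap[f"aaa.saml.{name}.{i}"] = str(v)
    return dap

def matches(dap, criteria, match_all=True):
    """Evaluate DAP selection criteria given as (attribute, op, value) tuples.

    A criterion on an un-indexed name also matches any of its indexed
    values (aaa.saml.memberOf covers aaa.saml.memberOf.1, .2, ...).
    match_all=True is the DAP 'All' setting, False is 'Any' (assumed model).
    """
    results = []
    for attr, op, expected in criteria:
        found = [v for k, v in dap.items() if k == attr or k.startswith(attr + ".")]
        if op == "EQ":
            results.append(expected in found)
        elif op == "NE":  # assumption: attribute present and no value equal
            results.append(bool(found) and expected not in found)
        else:
            raise ValueError(f"unsupported DAP operator: {op}")
    return all(results) if match_all else any(results)

def group_policy(dap, default="DfltGrpPolicy"):
    """Group policy for the session: cisco_group_policy if delivered,
    otherwise the assumed default name (placeholder)."""
    return dap.get("aaa.saml.cisco_group_policy", default)
```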
Ensure that you have configured a single sign-on server such as Duo and completed the required Identity Provider [IdP] and Service Provider [SP] settings.
For more information, see Single Sign-on Authentication with SAML 2.0.
Step 1 | Configure a single sign-on server object if one is not configured already. For more information, see Add a Single Sign-on Server. |
Step 2 | Configure SAML authentication in the remote access VPN connection profile. |
Step 3 | Match the SAML criteria in the DAP policy. |
Step 4 | Deploy the remote access VPN configuration. |
Remote Access VPN Examples
How to Limit AnyConnect Bandwidth Per User
This section provides instructions to limit the maximum bandwidth consumed by VPN users when they connect with the Cisco AnyConnect VPN client to a Secure Firewall Threat Defense remote access VPN gateway. You can limit the maximum bandwidth by using a Quality of Service [QoS] policy in Secure Firewall Threat Defense, to ensure that a single user or group of users does not take over the entire resource. This configuration lets you give priority to critical traffic, prevent bandwidth hogging, and manage the network. When traffic exceeds the maximum rate, Secure Firewall Threat Defense drops the excess traffic.
Step 1 | Create and set up a realm. | Create and Set up an Active Directory Realm. |
Step 2 | Create a QoS policy and QoS rule for the user or group available in the newly created realm. | Create a QoS Policy and Rule |
Step 3 | Configure a remote access VPN policy and select the newly-created realm for user authentication. | Create or Update a Remote Access VPN Policy |
Step 4 | Deploy the remote access VPN policy. | Deploy Configuration Changes |
Create and Set up an Active Directory Realm
This section provides instructions to create a realm and specify the VPN users and user groups whose activity you want to monitor.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose System > Integration > Realms. |
Step 2 | Click New realm, specify the realm details, and click OK. |
Step 3 | Enter the required details on the following tabs and then click Save: |
Step 4 | Slide State to the right to enable a realm to be able to use it for user control. See Manage a Realm. |
Step 5 | Click download to download users and user groups to Secure Firewall Management Center. See Synchronize Users and Groups. |
Step 6 | Click Save. |
Create a QoS Policy and Rule
QoS policies deployed to managed devices govern rate limiting. You can create a QoS policy by selecting a realm to limit the VPN bandwidth a user or user group can consume. Each QoS policy can target multiple devices; each device can have one deployed QoS policy at a time.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > QoS > New Policy. | ||
Step 2 | Enter a Name and, optionally, a Description. | ||
Step 3 | Choose the Available Devices where you want to deploy the QoS policy, then click Add to Policy, or drag and drop to the Selected Devices. | ||
Step 4 | On QoS policy Rules, click Add Rule. | ||
Step 5 | Enter a Name. | ||
Step 6 | Configure rule components: | ||
Step 7 | Save the rule. In the policy editor, set the rule position. Click and drag or use the right-click menu to cut and paste. Rules are numbered starting at 1. The system matches traffic to rules in top-down order by ascending rule number. The first rule that traffic matches is the rule that handles that traffic. Proper rule order reduces the resources required to process network traffic and prevents rule preemption. | ||
Step 8 | Click Save to save the policy. |
Create or Update a Remote Access VPN Policy
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. | ||
Step 2 | Create a new remote access VPN policy using the wizard and select the newly created realm as the Authentication Server, or edit an existing remote access VPN policy and perform the following: | ||
Step 3 | Complete the required configurations for remote access VPN policy and click Save. |
How to Use VPN Identity for User-id Based Access Control Rules
Step 1 | Create and set up a realm. | Create and Set up an Active Directory Realm. |
Step 2 | Create an identity policy and add an identity rule. | Create an Identity Policy and an Identity Rule. |
Step 3 | Associate the identity policy with an access control policy. | Associate an Identity Policy with an Access Control Policy |
Step 4 | Configure a remote access VPN policy and select the newly-created realm for user authentication. | Create or Update a Remote Access VPN Policy |
Step 5 | Deploy the remote access VPN policy. | Deploy Configuration Changes |
Create and Set up an Active Directory Realm
This section provides instructions to create a realm and specify the VPN users and user groups whose activity you want to monitor.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose System > Integration > Realms. |
Step 2 | Click New realm, specify the realm details, and click OK. |
Step 3 | Enter the required details on the following tabs and then click Save: |
Step 4 | Slide State to the right to enable a realm to be able to use it for user control. See Manage a Realm. |
Step 5 | Click download to download users and user groups to Secure Firewall Management Center. See Synchronize Users and Groups. |
Step 6 | Click Save. |
Create an Identity Policy and an Identity Rule
Identity policies contain identity rules to perform user authentication based on the realm and authentication method associated with the traffic. Identity rules associate sets of traffic with a realm and an authentication method: passive authentication, active authentication, or no authentication. You must fully configure the realms and authentication methods you plan to use before you can invoke them in your identity rules.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Policies > Access Control > Identity and click New Policy. |
Step 2 | Enter a Name and Description, and then click Save. |
Step 3 | To add a rule to the policy, click Add Rule, and enter a Name. |
Step 4 | Specify whether the rule is Enabled. |
Step 5 | To add the rule to an existing category, indicate where you want to Insert the rule. To add a new category, click Add Category. |
Step 6 | Choose a rule Action from the list and select the interface configured in remote access VPN as the source interface. |
Step 7 | Click Realms & Settings and choose the new realm created for the identity rule from the Realms list. Make sure that you select the same realm that is selected for user authentication in the remote access VPN policy. |
Step 8 | Configure your preferred settings for the users in the selected realm and select other required rule options. |
Step 9 | Click Add to save the rule and then save the identity policy. |
Associate an Identity Policy with an Access Control Policy
You must associate an identity policy with an access control policy that is deployed on the Secure Firewall Threat Defense device where the remote access VPN policy will be deployed.
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose . |
Step 2 | Select the required access control policy and click Edit. |
Step 3 | In the access control policy editor, click Advanced. |
Step 4 | Click Edit [ If View [ |
Step 5 | Choose an identity policy from the drop-down list. You can also click Edit to edit the identity policy. |
Step 6 | Click OK. |
Step 7 | Click Save to save the access control policy. |
Create or Update a Remote Access VPN Policy
Procedure
Step 1 | On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access. | ||
Step 2 | Create a new remote access VPN policy using the wizard and select the newly created realm as the Authentication Server, or edit an existing remote access VPN policy and perform the following: | ||
Step 3 | Complete the required configurations for remote access VPN policy and click Save. |
Configure Threat Defense Multiple Certificate Authentication
Multiple Certificate-based Authentication
Multiple certificate-based authentication allows the threat defense to validate the machine or device certificate. Multiple certificates can be enabled for certificate-based authentication in the remote access VPN connection profile. It can be combined with AAA authentication. The multiple certificates option in the remote access VPN connection profile allows certificate authentication of both the machine and user via certificates. This ensures that the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow RA VPN access. The administrator can choose if the username for the session should be taken from the machine certificate or user certificate.
When multiple certificate-based authentication is configured, two certificates are obtained from the VPN client:
First Certificate—Machine certificate to authenticate the endpoint.
Second Certificate—User certificate to authenticate the VPN user.
For detailed information about threat defense certificates, see Managing Threat Defense Certificates.
Limitations
Multiple certificate authentication currently limits the number of certificates to two.
AnyConnect supports only RSA-based certificates.
Only SHA256, SHA384, and SHA512 based certificates are supported during the AnyConnect aggregate authentication.
Certificate authentication cannot be combined with SAML authentication.
Pre-fill Username from Certificate
The Pre-fill username option allows a field from the certificates to be parsed and used for subsequent AAA authentication [primary and secondary]. When two certificates are used for authentication, the administrator can choose the certificate from which the username is derived for the pre-fill functionality. By default, the username for pre-fill is retrieved from the User certificate [the second certificate received from AnyConnect]. The pre-filled username is used as the VPN session username when the Certificate Only authentication method is enabled. When AAA and certificate authentication are enabled, the VPN session username is based on the pre-fill option.
Configure Multiple Certificate Authentication for Remote Access VPN
On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Edit an existing remote access policy, or create a new one and then edit.
See Create a New Remote Access VPN Policy.
Select the connection profile to configure multiple certificate authentication, and click Edit.
See Configure Connection Profile Settings.
Choose AAA, and then select an Authentication Method:
Figure 3.
Client Certificate Only—The user is authenticated using the client certificate. The client certificate must be configured on VPN client endpoints. By default, the username is derived from the client certificate fields CN and OU, respectively. If the username is specified in other fields of the client certificate, use the Primary and Secondary fields to map the appropriate certificate fields.
Client Certificate & AAA—The user is authenticated using both types of authentication, AAA and client certificate.
Select Enable multiple certificate authentication.
Select Map username from client certificate and select a certificate from the Certificate to choose drop-down to choose the username for the VPN session from the machine certificate or user certificate.
First Certificate—Map the username from the Machine certificate.
Second Certificate—Map the username from the User certificate to authenticate the VPN user.
Configure the required connection profile settings and remote access VPN settings.
Save the connection profile and remote access VPN policy. Deploy the remote access VPN on threat defense.
For information about remote access VPN AAA settings, see Configure AAA Settings for Remote Access VPN.
Certificate Configuration in DAP
You can also configure certificate criteria attributes in a DAP record. The user and machine certificates received from the VPN client during multiple-certificate authentication are loaded into the dynamic access policy [DAP] so that policies can be configured based on the fields of the certificates. You can make policy decisions based on the fields of a certificate used to authenticate that connection attempt.
Choose .
Edit an existing DAP policy or create a new one and then edit the policy.
Choose an existing DAP record, or create a new one and then edit the record.
Select .
Select the Match Criteria All or Any.
Click Add to add certificate attributes.
Figure 4.
Select the certificate, Cert1 or Cert2.
Select the Subject and specify the certificate subject value.
Select the Issuer and specify the certificate issuer name.
Select the Subject Alternate Name and specify the alternate name for the subject.
Specify the Serial Number.
Select the Certificate Store: None, Machine, or User.
This option adds a condition to check for the store from which the certificate is picked on the endpoint.
Click Save to complete the certificate criteria settings.
Configure the required DAP record settings and then associate the DAP with the remote access VPN.
For more information about DAP, see Dynamic Access Policies.
History for Remote Access VPNs
SAML with Certificate Support | 7.2 | We have updated the remote access VPN configuration wizard to support user authentication with Certificate and SAML. You can configure a remote access VPN to authenticate machine or user certificate before a SAML authentication is initiated. |
IPsec flow offload. | 7.2 | On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association [SA], IPsec connections are offloaded to the field-programmable gate array [FPGA] in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. |
Multiple IDP trustpoint support | 7.1 | Secure Firewall Management Center supports multiple identity provider trustpoints with Microsoft Azure that can have multiple applications for the same Entity ID, but a unique identity certificate. |
AnyConnect VPN SAML External Browser | 7.1 | You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on [SSO] between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser. We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience. |
Multi-Certificate Authentication | 7.0 | Secure Firewall Management Center now supports multiple certificate-based authentication for threat defense to validate the machine or device certificate, to ensure that the device is a corporate-issued device in addition to authenticating the user’s identity certificate to allow VPN access using AnyConnect client. |
VPN Load balancing | 7.0 | VPN load balancing logically groups two or more devices and distributes remote access VPN sessions among the grouped devices equally, without considering throughput and other traffic parameters. |
AnyConnect Custom Attributes | 7.0 | Secure Firewall Management Center now supports AnyConnect custom attributes and provides an infrastructure to configure AnyConnect client features without adding hard-coded support for these features on threat defense. |
Local User Authentication | 7.0 | You can now configure and manage users locally on threat defense using the Secure Firewall Management Center web interface, and configure the local users for primary and secondary remote access VPN authentication. |
Selective Policy Deployment | 7.0 | You can now choose to include or exclude changes to remote access VPN and site-to-site VPN configurations during the deployment. |
Support for AnyConnect Modules Configuration | 6.7 | Secure Firewall Management Center now supports configuring AnyConnect modules and profiles for additional security. |
Support for LDAP Authorization | 6.7 | You can configure LDAP authorization for remote access VPN using the Secure Firewall Management Center. |
SAML single sign-on support for remote access VPN | 6.7 | You can configure a SAML 2.0 server as the single sign-on authentication server for remote access VPNs. |
AnyConnect Management VPN tunnel support | 6.7 | Threat Defense remote access VPN supports configuring AnyConnect Management VPN tunnel that allows VPN connectivity to endpoints when the corporate endpoints are powered on, without the VPN users connecting to the VPN. |
Support for Datagram Transport Layer Security [DTLS] 1.2 | 6.6 | DTLS 1.2 is now part of the default SSL cipher group and it can be configured along with TLS 1.2. |