Cisco Anyconnect New Connection


I enjoy the new VPN client; it’s small and fast. However, I hated that you can’t save profiles in the drop-down list like you could in the traditional VPN client.


This has been bothering me for a long time, and I kept finding conflicting information on whether this was possible or not. I finally got it to work.

This is for version 3.1.x on Windows 7; let me know if this works for your version and OS.


  • Create a preferences.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  • Use this format:

<?xml version='1.0' encoding='UTF-8'?>
<AnyConnectProfile xmlns='http://schemas.xmlsoap.org/encoding/'>
  <ServerList>
    <HostEntry>
      <User>dclouduser</User>
      <SecondUser></SecondUser>
      <ClientCertificateThumbprint></ClientCertificateThumbprint>
      <ServerCertificateThumbprint></ServerCertificateThumbprint>
      <HostName>dCloud</HostName>
      <HostAddress>dcloud-rtp-anyconnect.cisco.com</HostAddress>
      <Domain></Domain>
      <Group>ssl_url</Group>
      <ProxyHost></ProxyHost>
      <ProxyPort></ProxyPort>
      <SDITokenType>none</SDITokenType>
      <ControllablePreferences>
        <LocalLanAccess>true</LocalLanAccess>
      </ControllablePreferences>
    </HostEntry>
    <HostEntry>
      <User>dmacias</User>
      <SecondUser></SecondUser>
      <ClientCertificateThumbprint></ClientCertificateThumbprint>
      <ServerCertificateThumbprint></ServerCertificateThumbprint>
      <HostName>Speech-Soft</HostName>
      <HostAddress>vpn.dmacias.com</HostAddress>
      <Domain></Domain>
      <Group>ssl_url</Group>
      <ProxyHost></ProxyHost>
      <ProxyPort></ProxyPort>
      <SDITokenType>none</SDITokenType>
      <ControllablePreferences>
        <LocalLanAccess>true</LocalLanAccess>
      </ControllablePreferences>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

  • Save the file.
  • Restart the connectivity client.
  • Enjoy

~david

EDIT 01/18/2017: This also works with Cisco AnyConnect 4.x!

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Cisco AnyConnect SSL-VPN.

Requirements

A Mideye Server (any release). If there is a firewall between the Cisco ASA and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). The Cisco ASA acts as a RADIUS client towards the Mideye Server; hence the Cisco ASA must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Password-change using MS-CHAP-v2

Since the Cisco ASA supports MS-CHAP-v2 as an authentication protocol, users whose password is about to expire can change it when logging in with AnyConnect SSL-VPN. This feature requires Mideye Server release 4.3.0 or higher. For detailed instructions on enabling password management, see the section Enable password-management (MS-CHAP-v2).

Limitations with dynamic RADIUS-reject messages

The option to present RADIUS reject messages dynamically from a RADIUS server was introduced in ASA version 8.3.x when PAP is used as the authentication method (the default). More information about a failed login attempt is then presented to the user, so users can often solve login problems themselves. For example, if login fails because the mobile phone cannot be reached, the Mideye error message ’Phone not reachable, for help see www.mideye.com/help’ is displayed instead of the default ’Login failed’. Information about token cards that are out of sync can also be presented to the user. When MS-CHAP-v2 is used, reject messages are not taken from the Mideye Server but from an internal database on the ASA, so they cannot be customised the way they can with PAP. Challenge messages are still presented from the Mideye Server. For detailed instructions on enabling dynamic RADIUS messages, see the section Dynamically display RADIUS-reject messages.

Prerequisites

This guide does not explain how to create a new connection profile. Refer to Cisco documentation on how to set up your ASA as a remote-access VPN using AnyConnect.

The following steps describe how to create a new RADIUS client on your Mideye Server, and how to create a new AAA server on the ASA and apply it to an existing connection profile with SSL-VPN enabled. All steps on the Cisco ASA are executed from the ASA command line, accessed via SSH, telnet or the console.

Create a new RADIUS-client

Open the “Configuration Tool” on your Mideye Server and click the “RADIUS-clients” tab. Click “New” and type the IP address or hostname of your Cisco ASA. Click “LDAP Server” and assign LDAP servers. Click “OK”, followed by “Save” and “Close”, to restart the services.

Create a new RADIUS-client for your Cisco ASA.


Create a new AAA-server using RADIUS

From the ASA command line, enter global configuration mode:

Create a new AAA-server group using RADIUS:

Cisco-ASA(config)# aaa-server mideye-server protocol RADIUS

Assign the IP address, shared secret and timeout settings for the AAA server:

Apply the created AAA server to your existing SSL-VPN connection profile (tunnel-group):

Write the configuration to memory:
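The complete sequence for the steps above, as an added example that is not taken from the guide or from Cisco documentation. The aaa-server tag mideye-server is the one the guide creates; the interface name (inside), the Mideye Server address 192.0.2.10, the shared secret and the tunnel-group name AnyConnect-SSLVPN are assumptions to be replaced with your own values.

```text
! Added example. Replace interface, host, key and tunnel-group with your own.
Cisco-ASA# configure terminal
Cisco-ASA(config)# aaa-server mideye-server protocol radius
Cisco-ASA(config-aaa-server-group)# exit
Cisco-ASA(config)# aaa-server mideye-server (inside) host 192.0.2.10
Cisco-ASA(config-aaa-server-host)# key MyStrongSharedSecret
Cisco-ASA(config-aaa-server-host)# authentication-port 1812
Cisco-ASA(config-aaa-server-host)# timeout 35
Cisco-ASA(config-aaa-server-host)# exit
Cisco-ASA(config)# tunnel-group AnyConnect-SSLVPN general-attributes
Cisco-ASA(config-tunnel-general)# authentication-server-group mideye-server
Cisco-ASA(config-tunnel-general)# exit
Cisco-ASA(config)# write memory
```

Two points a practitioner should check: the ASA defaults RADIUS authentication to UDP port 1645, so set authentication-port 1812 explicitly to match the firewall rule from the Requirements section, and note that the timeout here is how long the ASA waits for the Mideye Server's reply before it gives up on that server (default 10 seconds), which is separate from the AnyConnect client's own authentication timeout described further down. The value 35 is an assumption chosen to match that client recommendation. Use show aaa-server mideye-server to confirm the server is active after the change.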

Verify two-factor OTP functionality

To verify that RADIUS is set up correctly, log on to your Cisco ASA using ASDM and navigate to Configuration → Remote Access VPN → AAA/Local Users. Select the server group and the correct server name and click “Test”. Select “Authentication” and type a username and password that your RADIUS server should be able to find via LDAP. An SMS OTP should be delivered, followed by the following error message:

This message appears because the ASDM test function cannot handle RADIUS challenge-response: it stops at the Access-Challenge that asks for the one-time code. A failure at this point therefore does not by itself mean that RADIUS is misconfigured; the delivered SMS shows that the ASA reached the Mideye Server.

This chapter will explain various settings that can be made on the connection-profile.

Increase the timeout-value for the Cisco Anyconnect client

The default timeout for a connection attempt initiated from the Cisco AnyConnect client is 12 seconds. For full functionality with the Mideye RADIUS server, the recommended value is 35 seconds. This can only be changed using Cisco ASDM, since the change is written to the AnyConnect client profile XML file.

To change the timeout value, open ASDM and click “Configuration” → “Remote Access VPN” → “Network (Client) Access” → “AnyConnect Client Profile”. Select the client profile used for Cisco AnyConnect and click “Edit”. If none exists, create a new one, assign it to the group policy for AnyConnect and then click “Edit”. Navigate to “Preferences (Part 2)” and change the value “Authentication timeout (seconds)” to 35. The new timeout value is downloaded automatically when connecting with the Cisco AnyConnect client.

Change the timeout-value to 35 seconds (default 12 seconds).

Last step is to add a Server Listing. Navigate to Server List and click “Add”. Add a host display name followed by the FQDN of the SSL-VPN URL. Save the configuration.

Note: The first time this is changed, end users must first download the new .xml profile; the new timeout takes effect on their second connection with AnyConnect.

Dynamically display RADIUS-reject messages


Mideye error messages (and the default language) can be modified via the Mideye Configuration Tool, see screenshot below. RADIUS reject messages in the Cisco AnyConnect Secure Mobility Client are only displayed on Security Appliance Software version 9.1(2) or higher with Cisco AnyConnect Secure Mobility Client 3.1.04066 or higher, and only when PAP is used as the authentication protocol. To enable dynamic reject messages from ASDM, complete the following steps.

  1. Click on “Configuration” followed by “Remote Access VPN”
  2. Click the “AnyConnect Connection Profile” and select the connection profile used for login with RADIUS followed by “Edit”
  3. Expand “Advanced” and click “Group Alias / Group URL”
  4. Check “Enable the display of RADIUS Reject-Messages on the login screen when authentication is rejected.”

Reject messages from Mideye RADIUS-server shown instead of “Login Failed”.

Reject messages dynamically displayed by the Mideye Server. These messages can be modified using configuration-tool on your Mideye Server.

Enable password-management (MS-CHAP-v2)


Starting from Mideye Server release 4.3.0, it is possible to manage passwords that are about to expire. This requires further configuration on the Mideye Server (refer to the Configuration guide). To enable the feature on the Cisco ASA, the following configuration needs to be added:
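The ASA-side commands for this step, as an added example that is not taken from the guide or from Cisco documentation. The aaa-server tag mideye-server is the one created earlier in this guide; the interface name, the server address 192.0.2.10 and the tunnel-group name AnyConnect-SSLVPN are assumptions.

```text
! Added example. mschapv2-capable is the default on an ASA RADIUS host entry and is
! shown only to make the requirement explicit.
Cisco-ASA(config)# aaa-server mideye-server (inside) host 192.0.2.10
Cisco-ASA(config-aaa-server-host)# mschapv2-capable
Cisco-ASA(config-aaa-server-host)# exit
Cisco-ASA(config)# tunnel-group AnyConnect-SSLVPN general-attributes
Cisco-ASA(config-tunnel-general)# password-management
Cisco-ASA(config-tunnel-general)# exit
Cisco-ASA(config)# write memory
```

With password-management enabled the ASA authenticates towards the RADIUS server with MS-CHAP-v2 instead of PAP, so, as noted in the Limitations section above, the customised Mideye reject messages are replaced by the ASA's built-in texts while challenge messages still come from the Mideye Server. Decide which of the two behaviours matters more for your users before enabling it.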

Configure RADIUS-client to properly display special characters such as å, ä and ö

By default any created RADIUS client uses UTF-8 as encoding. To properly display special characters such as å, ä and ö, the encoding has to be changed to ISO-8859-1. This is done by opening “Radiusconfigure” on your Mideye Server and selecting RADIUS Clients. Select the RADIUS client created for the ASA 55xx and click “Modify”. Click “Client configuration” and change “Encoding” to ISO-8859-1. Click “OK”, “Save” and “Close” to restart the Mideye Server.

This chapter explains optional configuration such as Dynamic Access Policy (DAP) with RADIUS-translation.

Dynamic Access Policy using RADIUS-translation

To further extend the functionality of RADIUS, Dynamic Access Policy (DAP) can be used to grant specific users or groups permissions derived from LDAP when they log in using AnyConnect. This requires configuration on both the Mideye Server and the Cisco ASA. When using DAP, all AnyConnect users share the same IP subnet but are granted access to specific network resources based on the group(s) they belong to in LDAP. Complete the following steps to enable RADIUS translation with DAP:

Steps for Mideye Server:


  • Open the “Configuration Tool” on your Mideye Server and click the “LDAP RADIUS Translation” tab. Click “New”.
  • Type the Distinguished Name of a group containing users of a certain type (for example administrators) in the “LDAP Attribute Value” field. Select “CLASS” and click “Assign”. Add a suitable string for the group and click “OK”. Starting from Mideye Server release 4.2.3, LDAP-RADIUS translation can also be used with wildcards/Java regular expressions, e.g. CN=Mideye-administrators.*

Add the DN, select CLASS and add a string for the DN.

  • Click “LDAP Servers”, select the LDAP server being used and click “Modify”. Navigate to the “LDAP-RADIUS” tab, check “LDAP-RADIUS Translation” and type “memberOf” in the “LDAP Attribute Name:” field.


Enable LDAP – RADIUS Translation on the LDAP-server

  • Click “Save” and “Close” to restart the service.

Steps for Cisco ASA:

  • All configuration for DAP must be done using ASDM. Click “Configuration” → “Remote Access VPN” → “Network (Client) Access” → “Dynamic Access Policy”. Click “Add”.
  • Give the policy a suitable name and change the “Selection Criteria” to “User has ALL of the following AAA…”.
  • Click the left “Add” button, change the AAA Attribute Type to “RADIUS” and type Attribute ID 25. Add the same value as the string configured on the Mideye Server.
  • Click the “Network ACL Filters (client)” tab. Click “Manage” followed by “Add”. Create a new ACL and give it a suitable name. Select the ACL, click “Add” and add a new ACE granting access to the networks or IP addresses the users should reach. Click “OK” and finish the new DAP.

Manage permissions for the DAP.

Repeat steps 1-8 to add more groups. Verify that your DAP policies work by connecting with AnyConnect. Once verified, change the default DAP “DfltAccessPolicy” to terminate all other connections: select the default DAP policy, click “Edit” and change “Action” to “Terminate”. Without this, a user whose login returns no matching Class value would still get a session under the default policy.

Change the default DAP to terminate all other connections
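To make the RADIUS traffic behind the verification step and the DAP section concrete, here is an added example (not Mideye's or Cisco's code) that simulates the PAP exchange between the ASA and an OTP server. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865. Everything else is a constructed assumption: the two-round flow in which the server answers the first Access-Request with an Access-Challenge and the client sends the one-time code as its second "password" with the State attribute echoed back, the Reply-Message texts, the Class (attribute 25) string that the DAP rule matches, the users and the shared secret. A client that cannot answer the challenge stops after round one, which is why the ASDM test ends in an error even when everything is configured correctly; a Reply-Message encoded in one charset and decoded in another comes out garbled, which is the problem the special-characters section addresses.

```python
"""Simulated RADIUS PAP login between a NAS (the ASA) and an OTP server such as Mideye.
Added example, not Mideye's or Cisco's code. Packet layout, password hiding and the
Response Authenticator follow RFC 2865. The two-round flow (password, then one-time
code as the second 'password', tied together by State), users, secret, group strings
and message texts are constructed assumptions."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, CLASS = 1, 2, 18, 24, 25

def _xor_md5(block, secret, prev):
    return bytes(b ^ k for b, k in zip(block, hashlib.md5(secret + prev).digest()))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. Obfuscation, not modern encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_md5(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_md5(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _tlv(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def access_request(ident, authenticator, attrs):
    body = _tlv(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def response(code, req, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _tlv(attrs)
    header = struct.pack("!BBH", code, req[1], 20 + len(body))
    return header + hashlib.md5(header + req[4:20] + body + secret).digest() + body

def response_is_authentic(req, resp, secret):
    """Drop a reply whose Response Authenticator does not match our request and secret."""
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:                       # one value per attribute type is enough here
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

class OtpServer:
    """Password check, then a one-time code 'sent to the phone'. Each Access-Reject carries
    a Reply-Message, the text the ASA shows when dynamic RADIUS reject messages are on."""
    def __init__(self, secret, users, groups, encoding="utf-8",
                 unreachable_msg="Phone not reachable, for help see www.mideye.com/help"):
        self.secret, self.users, self.groups = secret, users, groups
        self.encoding, self.unreachable_msg, self.pending = encoding, unreachable_msg, {}

    def _reply(self, code, req, text, extra=()):
        return response(code, req, [(REPLY_MESSAGE, text.encode(self.encoding)), *extra], self.secret)

    def handle(self, req):
        _, _, req_auth, a = decode(req)
        user = a[USER_NAME].decode()
        pw = unhide_password(a[USER_PASSWORD], self.secret, req_auth).decode()
        if STATE in a:                        # round 2: the password field carries the one-time code
            if self.pending.pop(a[STATE], None) == (user, pw):
                return self._reply(ACCESS_ACCEPT, req, "Welcome",
                                   [(CLASS, self.groups.get(user, "").encode())])
            return self._reply(ACCESS_REJECT, req, "Wrong one-time code")
        acct = self.users.get(user)
        if acct is None or acct["password"] != pw:
            return self._reply(ACCESS_REJECT, req, "Login failed")
        if not acct["phone_reachable"]:
            return self._reply(ACCESS_REJECT, req, self.unreachable_msg)
        state = os.urandom(8)                 # opaque to the client, echoed back unchanged
        self.pending[state] = (user, acct["otp"])
        return self._reply(ACCESS_CHALLENGE, req, "Enter the code sent to your phone", [(STATE, state)])

def login(server, secret, user, password, otp=None, encoding="utf-8"):
    """NAS side. Returns (code, reply message, Class value). With otp=None the client cannot
    answer an Access-Challenge and stops there, which is what ASDM's 'Test' button does."""
    def round_trip(pw, extra=()):
        auth = os.urandom(16)
        req = access_request(1, auth, [(USER_NAME, user.encode()),
                                       (USER_PASSWORD, hide_password(pw.encode(), secret, auth)), *extra])
        resp = server.handle(req)
        if not response_is_authentic(req, resp, secret):
            raise ValueError("Response Authenticator mismatch: reply is not from our RADIUS server")
        code, _, _, a = decode(resp)
        return code, a.get(REPLY_MESSAGE, b"").decode(encoding, errors="replace"), a
    code, msg, a = round_trip(password)
    if code != ACCESS_CHALLENGE or otp is None:
        return code, msg, None
    code, msg, a = round_trip(otp, [(STATE, a[STATE])])
    return code, msg, a.get(CLASS, b"").decode() or None

# Constructed sample data: one user whose phone is reachable, one whose is not.
SECRET = b"radius-shared-secret"
USERS = {"alice": {"password": "Summer2017", "otp": "482913", "phone_reachable": True},
         "bob": {"password": "Winter2017", "otp": "117204", "phone_reachable": False}}
GROUPS = {"alice": "Mideye-administrators"}   # string the LDAP-RADIUS translation puts in Class (25)
```

Running login(OtpServer(SECRET, USERS, GROUPS), SECRET, "alice", "Summer2017", otp="482913") completes both rounds and returns the Access-Accept together with the Class string "Mideye-administrators", which is the value an ASA DAP rule on RADIUS attribute 25 would match; the same call without otp stops at the Access-Challenge, and "bob" is rejected with the Mideye-style reply text instead of a bare "Login failed". Constructing the server with encoding="latin-1" and a reply text containing å while the client decodes as UTF-8 shows the replacement characters the special-characters section warns about. The Response Authenticator check matters in practice too: the ASA must discard replies it cannot tie to its own request and shared secret, otherwise a spoofed Access-Accept from the network would be enough to get in.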

Check RADIUS-logs

Check whether anything is written to the Mideye RADIUS logs.

If nothing is logged, verify that udp/1812 is allowed between your Cisco ASA and Mideye Server.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.
