• Authentication Method: Determines how a user is identified before being allowed access to the network and network services. It controls access by requiring valid user credentials, which are typically a username and password. It may also include the certificate from the client.

  When you select the Authentication Method as:

  • AAA Only: If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must manually select the Authorization Server and Accounting Server respectively.

  • Client Certificate Only: Each user is authenticated with a client certificate. The client certificate must be configured on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU. If the user name is specified in other fields in the client certificate, use 'Primary' and 'Secondary' field to map appropriate fields.

    If you select the Map specific field option, which includes the username from the client certificate, the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields that can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication.

    The primary and secondary fields pertaining to the Map specific field option contain these common values:

    • C (Country)

    • CN (Common Name)

    • DNQ (DN Qualifier)

    • EA (Email Address)

    • GENQ (Generational Qualifier)

    • GN (Given Name)

    • I (Initial)

    • L (Locality)

    • N (Name)

    • O (Organisation)

    • OU (Organisational Unit)

    • SER (Serial Number)

    • SN (Surname)

    • SP (State Province)

    • T (Title)

    • UID (User ID)

    • UPN (User Principal Name)

  • Client Certificate & AAA: Each user is authenticated with both a client certificate and AAA server. Select the required certificate and AAA configurations for authentication.

    Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

  • SAML: Each user is authenticated using the SAML single sign-on server. For more information, see Single Sign-on Authentication with SAML 2.0.

• Authentication Server: Authentication is the way a user is identified before being allowed access to the network and network services. Authentication requires valid user credentials, a certificate, or both. You can use authentication alone, or with authorization and accounting.

  Select (or add and select) an authentication server:

  • Realm: Configure an LDAP or AD realm. See Create a Realm.

  • RADIUS Server Group: Add a RADIUS server group object with RADIUS servers. See RADIUS Server Groups.

  • Single Sign-On Server: Create a single sign-on server object for SAML authentication. See Single Sign-on Server.

• Use secondary authentication: Secondary authentication is configured in addition to primary authentication to provide additional security for VPN sessions. Secondary authentication is applicable only to AAA only and Client Certificate & AAA authentication methods.

  Secondary authentication is an optional feature that requires a VPN user to enter two sets of username and password on the AnyConnect login screen. You can also configure to pre-fill the secondary username from the authentication server or client certificate. Remote access VPN authentication is granted only if both primary and secondary authentications are successful. VPN authentication is denied if any one of the authentication servers is not reachable or one authentication fails.

  You must configure a secondary authentication server group (AAA server) for the second username and password before configuring secondary authentication. For example, you can set the primary authentication server to an LDAP or Active Directory realm and the secondary authentication to a RADIUS server.

  Note	By default, secondary authentication is not required.

  Authentication Server: Secondary authentication server to provide secondary username and password for VPN users.

  Select the following under Username for secondary authentication:

  • Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.

  • Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.

  • Map username from client certificate: Prefills the secondary username from the client certificate.

    • If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.

      See Authentication Method descriptions for more information about primary and secondary field mapping.

    • Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via AnyConnect VPN client.

      • Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.

  • Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.

• Authorization Server: After authentication is complete, authorization controls the services and commands available to each authenticated user. Authorization works by assembling a set of attributes that describe what the user is authorized to perform, their actual capabilities, and restrictions. When you do not use authorization, authentication alone provides the same access to all authenticated users. Authorization requires authentication.

  To know more about how remote access VPN authorization works, see Understanding Policy Enforcement of Permissions and Attributes.

  When a RADIUS Server is configured for user authorization in the connection profile, the Remote Access VPN system administrator can configure multiple authorization attributes for users or user-groups. The authorization attributes that are configured on the RADIUS server can be specific for a user or a user-group. Once users are authenticated, these specific authorization attributes are pushed to the Firepower Threat Defense device.

  Note	The AAA server attributes obtained from the authorization server override the attribute values that may have been previously configured on the group policy or the connection profile.

• Check Allow connection only if user exists in authorization database if desired.

  When enabled, the system checks the username of the client must exist in the authorization database to allow a successful connection. If the username does not exist in the authorization database, then the connection is denied.

• When you select a realm as the Authorization Server, you must configure an LDAP attribute map. You can choose a single server for authentication and authorization or a different servers. Click Configure LDAP Attribute Map to add LDAP attribute maps for authorization.

  Note

  Firepower Threat Defense does not support SAML Identity Provider as the Authorization server. If the Active Directory behind the SAML Identity Provider is reachable via FMC and FTD, you can configure authorization following these steps: Add realm for the AD Server. See Create a Realm. Select the realm object as the Authorization Server in remote access VPN connection profile. Configure LDAP attribute map for the selected realm.

  For information about configuring LDAP attribute maps, see Configuring LDAP Attribute Mapping.

• Accounting Server: Accounting is used to track the services that users are accessing and the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS server. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the services used, and the duration of each session. This data can then be analyzed for network management, client billing, or auditing. You can use accounting alone or together with authentication and authorization.

  Specify the RADIUS Server Group object that will be used to account for the Remote Access VPN session.

• Strip Realm from username: Select to remove the realm from the username before passing the username on to the AAA server. For example, if you select this option and provide domain\username, the domain is stripped off from the username and sent to AAA server for authentication. By default this option is unchecked.

• Strip Group from username: Select to remove the group name from the username before passing the username on to the AAA server. By default this option is unchecked.

  Note	A realm is an administrative domain. Enabling these options allows the authentication to be based on the username alone. You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.

• Password Management: Enable managing the password for the Remote Access VPN users. Select to notify ahead of the password expiry or on the day the password expires.

• Click Edit to edit the Alias name or the Alias URL.

• To delete an Alias name or the Alias URL, click Delete in that row.

The Client Services Server provides HTTPS (SSL) access to allow the AnyConnect Downloader to receive software upgrades, profiles, localization and customization files, CSD, SCEP, and other file downloads required by the AnyConnect client. If you select this option, specify the client services port number. If you do not enable the Client Services Server, users will not be able to download any of these files that the AnyConnect client might need.

Use Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared or private keys used by the endpoint devices. If you select this option, also select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key in the Modulus Group list.

Modulus group is the Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select the modulus group that you want to allow in the remote access VPN configuration:

• 1—Diffie-Hellman Group 1 (768-bit modulus).

• 2—Diffie-Hellman Group 2 (1024-bit modulus).

• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better). If you are using AES encryption, use this group (or higher).

• 14—Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).

• 19—Diffie-Hellman Group 19 (256-bit elliptical curve field size).

• 20—Diffie-Hellman Group 20 (384-bit elliptical curve field size).

• 21—Diffie-Hellman Group 21 (521-bit elliptical curve field size).

• 24—Diffie-Hellman Group 24 (2048-bit modulus and 256-bit prime order subgroup).

The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Generally, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.

You can specify a value from 120 to 2147483647 seconds. The default is 28800 seconds.

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires.

You can specify a value from 10 to 2147483647 kbytes. The default is 4,608,000 kilobytes. No specification allows infinite data.

• Validate incoming ICMP error messages—Choose whether to validate ICMP error messages received through an IPsec tunnel and destined for an interior host on the private network.

• Enable 'Do Not Fragment' Policy—Define how the IPsec subsystem handles large packets that have the do-not-fragment (DF) bit set in the IP header, and select one of the following from the Policy list:

  • Copy—Maintains the DF bit.

  • Clear—Ignores the DF bit.

  • Set—Sets and uses the DF bit.

• Select Enable Traffic Flow Confidentiality (TFC) Packets— Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.

  Note	Enabling traffic flow confidentiality (TFC) packets prevents the VPN tunnel from being idle. Thus the VPN idle timeout configured in the group policy does not work as expected when you enable the TFC packets.

  • Burst—Specify a value from 1 to 16 bytes.

  • Payload Size—Specify a value from 64 to 1024 bytes.

  • Timeout—Specify a value from 10 to 60 seconds.

• Identity Sent to Peers—Choose the identity that the peers will use to identify themselves during IKE negotiations:

  • Auto—Determines the IKE negotiation by connection type: IP address for preshared key, or Cert DN for certificate authentication (not supported).

  • IP address—Uses the IP addresses of the hosts exchanging ISAKMP identity information.

  • Hostname—Uses the fully qualified domain name (FQDN) of the hosts exchanging ISAKMP identity information. This name comprises the hostname and the domain name.

• Enable Notification on Tunnel Disconnect—Allows an administrator to enable or disable the sending of an IKE notification to the peer when an inbound packet that is received on an SA does not match the traffic selectors for that SA. Sending this notification is disabled by default.

• Do not allow device reboot until all sessions are terminated—Check to enable waiting for all active sessions to voluntarily terminate before the system reboots. This is disabled by default.

• Cookie Challenge—Whether to send cookie challenges to peer devices in response to SA initiated packets, which can help thwart denial of service (DoS) attacks. The default is to use cookie challenges when 50% of the available SAs are in negotiation. Select one of these options:

  • Custom—Specify Threshold to Challenge Incoming Cookies, the percentage of the total allowed SAs that are in-negotiation. This triggers cookie challenges for any future SA negotiations. The range is zero to 100%. The default is 50%.

  • Always— Select to send cookie challenges to peer devices always.

  • Never— Select to never send cookie challenges to peer devices.

• Number of SAs Allowed in Negotiation—Limits the maximum number of SAs that can be in negotiation at any time. If used with Cookie Challenge, configure the cookie challenge threshold lower than this limit for an effective cross-check. The default is 100 %.

• Maximum number of SAs Allowed—Limits the number of allowed IKEv2 connections.

• Enable Fragmentation Before Encryption—This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede the operation of NAT devices that do support IP fragmentation.

• Path Maximum Transmission Unit Aging—Check to enable PMTU (Path Maximum Transmission Unit) Aging, the interval to Reset PMTU of an SA (Security Association).

• Value Reset Interval—Enter the number of minutes at which the PMTU value of an SA (Security Association) is reset to its original value. Valid range is 10 to 30 minutes, default is unlimited.

• Keepalive Messages Traversal—Select whether to enable NAT keepalive message traversal. NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow. If you select this option, configure the interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The value can be from 10 to 3600 seconds. The default is 20 seconds.

• Interval—Sets the NAT keepalive interval, from 10 to 3600 seconds. The default is 20 seconds.