Remote Access VPN
Remote Access VPN Overview
License Requirements for Remote Access VPN
Requirements and Prerequisites for Remote Access VPN
Guidelines and Limitations for Remote Access VPNs
Configuring a New Remote Access VPN Connection
Create a Copy of an Existing Remote Access VPN Policy
Set Target Devices for a Remote Access VPN Policy
Associate Local Realm with Remote Access VPN Policy
Additional Remote Access VPN Configurations
Customizing Remote Access VPN AAA Settings
Advanced Secure Client Configurations
- Configure Secure Client Modules on a Threat Defense
- Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices
Remote Access VPN Examples
History for Remote Access VPNs

Remote Access VPN

Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a computer or other supported devices connected to the Internet. This allows mobile workers to connect from their home networks or a public Wi-Fi network, for example.

The following topics explain how to configure remote access VPN for your network.

Remote Access VPN Overview

Secure Firewall Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-IKEv2 VPNs. The full tunnel client, Secure Client, provides secure SSL and IPsec-IKEv2 connections to the security gateway for remote users. When the client negotiates an SSL VPN connection with threat defense, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS)

Secure Client is the only client supported on endpoint devices for remote VPN connectivity to threat defense devices. The client gives remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators to install and configure clients on remote computers. The Secure Client for Windows, Mac, and Linux is deployed from the secure gateway upon connectivity. The Secure Client apps for Apple iOS and Android devices are installed from the platform app store.

Use the Remote Access VPN policy wizard to set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration as you want and deploy it to your threat defense secure gateway devices.

Remote Access VPN Features

The following table describes the features of Secure Firewall Threat Defense remote access VPN:

Table 1. Remote access VPN features
	Description
Secure Firewall Threat Defense remote access VPN features	SSL and IPsec-IKEv2 remote access using the Secure Client. Secure Firewall Management Center supports all combinations such as IPv6 over an IPv4 tunnel. Configuration support on both management center and device manager. Device-specific overrides. Support for both Secure Firewall Management Center and threat defense HA environments. Support for multiple interfaces and multiple AAA servers. Rapid Threat Containment support using RADIUS CoA or RADIUS dynamic authorization. Support for DTLS v1.2 protocol with Cisco Secure Client version 4.7 or higher. Secure Client modules support for additional security services for remote access VPN connections. VPN load balancing.
AAA features	Server authentication using self-signed or CA-signed identity certificates. AAA username and password-based remote authentication using RADIUS server or LDAP or AD. RADIUS group and user authorization attributes, and RADIUS accounting. Double authentication support using an additional AAA server for secondary authentication. NGFW Access Control integration using VPN Identity. LDAP or AD authorization attributes using Secure Firewall Management Center web interface. Support for single sign-on using SAML 2.0. Support for multiple identity provider trustpoints with Microsoft Azure that can have multiple applications for the same Entity ID, but a unique identity certificate.
VPN tunneling features	Address assignment. Split tunneling. Split DNS. Client Firewall ACLs. Session Timeouts for maximum connect and idle time.
Remote access VPN monitoring features	New VPN Dashboard Widget showing VPN users by various characteristics such as duration and client application. Remote access VPN events including authentication information such as username and OS platform. Tunnel statistics available using the threat defense Unified CLI.

Secure Client Components

Secure Client Deployment

Your remote access VPN policy can include the Secure Client Image and the Secure Client Profile for distribution to connecting endpoints. Or, the client software can be distributed using other methods. See the Deploy Cisco Secure Client chapter in the Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5.

Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL or IPsec-IKEv2 VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, remote users must enter the URL in the form https://address. After the user enters the URL, the browser connects to that interface and displays the login screen.

After a user logs in, if the secure gateway identifies the user as requiring the VPN client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection stops. In the case of a previously installed client, after login, the threat defense security gateway examines the client version and upgrades it as necessary.

Secure Client Operation

When the client negotiates a connection with the security appliance, the client connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

When an IPsec-IKEv2 VPN client initiates a connection to the secure gateway, negotiation consists of authenticating the device through Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth). The group profile is pushed to the VPN client and an IPsec security association (SA) is created to complete the VPN.

Secure Client Profile and Editor

The Secure Client Profile is a group of configuration parameters, stored in an XML file that the VPN client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features.

You can configure a profile using the Secure Client Profile Editor. This editor is a convenient GUI-based configuration tool that is available as part of the Secure Client software package. It is an independent program that you run outside of the management center.

Remote Access VPN Authentication

Remote Access VPN Server Authentication

Secure Firewall Threat Defense secure gateways always use certificates to identify and authenticate themselves to the VPN client endpoint.

While you use the Remote Access VPN Policy Wizard, you can enroll the selected certificate on the targeted threat defense device. In the wizard, under Access & Certificate phase, select “Enroll the selected certificate object on the target devices” option. The certificate enrollment gets automatically initiated on the specified devices. As you complete the remote access VPN policy configuration, you can view the status of the enrolled certificate under the device certificate homepage. The status provides a clear standing as to whether the certificate enrollment was successful or not. Your remote access VPN policy configuration is now fully completed and ready for deployment.

Obtaining a certificate for the secure gateway, also known as PKI enrollment, is explained in Certificates. This chapter contains a full description of configuring, enrolling, and maintaining gateway certificates.

Remote Access VPN Client AAA

For both SSL and IPsec-IKEv2, remote user authentication is done using usernames and passwords only, certificates only, or both.

Note

If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.

AAA servers enable managed devices acting as secure gateways to determine who a user is (authentication), what the user is permitted to do (authorization), and what the user did (accounting). Some examples of the AAA servers are RADIUS, LDAP/AD, TACACS+, and Kerberos. For Remote Access VPN on threat defense devices, AD, LDAP, and RADIUS AAA servers are supported for authentication.

Refer to the section Understanding Policy Enforcement of Permissions and Attributes to understand more about remote access VPN authorization.

Before you add or edit the remote access VPN policy, you must configure the Realm and RADIUS server groups you want to specify. For more information, see Create an LDAP Realm or an Active Directory Realm and Realm Directory and Add a RADIUS Server Group.

Without DNS configured, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames, it can only resolve IP addresses.

The login information provided by a remote user is validated by an LDAP or AD realm or a RADIUS server group. These entities are integrated with the Secure Firewall Threat Defense secure gateway.

Note

If users authenticate with remote access VPN using Active Directory as the authentication source, users must log in using their username; the format domain\username or username@domain fails. (Active Directory refers to this username as the logon name or sometimes as sAMAccountName.) For more information, see User Naming Attributes on MSDN.

If you use RADIUS to authenticate, users can log in with any of the preceding formats.

Once authenticated via a VPN connection, the remote user takes on a VPN Identity. This VPN Identity is used by identity policies on the Secure Firewall Threat Defense secure gateway to recognize and filter network traffic belonging to that remote user.

Identity policies are associated with access control policies, which determine who has access to network resources. It is in this way that the remote user blocked or allowed to access your network resources.

For more information, see the About Identity Policies and Access Control Policies sections.

Understanding Policy Enforcement of Permissions and Attributes

The Secure Firewall Threat Defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from an external authentication server and/or authorization AAA server (RADIUS) or from a group policy on the threat defense device. If the threat defense device receives attributes from the external AAA server that conflicts with those configured on the group policy, then attributes from the AAA server always take the precedence.

The threat defense device applies attributes in the following order:

User attributes on the external AAA server—The server returns these attributes after successful user authentication and/or authorization.
Group policy configured on the Firepower Threat Defense device—If a RADIUS server returns the value of the RADIUS Class attribute IETF-Class-25 (OU= group-policy) for the user, the threat defense device places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.
Group policy assigned by the Connection Profile (also known as Tunnel Group)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication.

Note

The threat defense device does not support inheriting system default attributes from the default group policy, DfltGrpPolicy. The attributes on the group policy assigned to the connection profile are used for the user session, if they are not overridden by user attributes or the group policy from the AAA server as indicated above.

Understanding AAA Server Connectivity

LDAP, AD, and RADIUS AAA servers must be reachable from the threat defense device for your intended purposes: user-identity handling only, VPN authentication only, or both activities. AAA servers are used in remote access VPN for the following activities:

User-identity handling— the servers must be reachable over the Management interface.

On the threat defense, the Management interface has a separate routing process and configuration from data interfaces.
VPN authentication—the servers must be reachable over a data interface or the Management interface.

To use the Management interface, you must explicitly select Management as the source interface. Other management-only interfaces cannot be used.

To use the same AAA servers for both activities, we recommend specifying the Management interface as the source interface.

For more information about various interfaces, see Regular Firewall Interfaces.

After deployment, use the following CLI commands to monitor and troubleshoot AAA server connectivity from the threat defense device:

show aaa-server to display AAA server statistics.
show network and show network-static-routes to view the Management interface default route and static routes.
show route to view data traffic routing table entries.
ping system and traceroute system to verify the path to the AAA server through the Management interface.
ping interface ifname and traceroute destination to verify the path to the AAA server through the data interfaces.
test aaa-server authentication and test aaa-server authorization to test authentication and authorization on the AAA server.
clear aaa-server statistics groupname or clear aaa-server statistics protocol protocol to clear AAA server statistics by group or protocol.
aaa-server groupname active host hostname to activate a failed AAA server, or aaa-server groupname fail host hostname to fail a AAA server.
debug ldap level , debug aaa authentication , debug aaa authorization , and debug aaa accounting .

License Requirements for Remote Access VPN

Threat Defense License

Threat Defense remote access VPN requires Strong Encryption and one of the following licenses for Secure Client:

Secure Client Advantage
Secure Client Premier
Secure Client VPN Only

Requirements and Prerequisites for Remote Access VPN

Model Support

Threat Defense

Supported Domains

Any

User Roles

Admin

Guidelines and Limitations for Remote Access VPNs

Remote Access VPN Policy Configuration

You can add a new remote access VPN policy only by using the wizard. You must proceed through the entire wizard to create a new policy; the policy will not be saved if you cancel before completing the wizard.
Two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists.
Moving a Secure Firewall Threat Defense device from one domain to another domain is not possible if remote access VPN policy is assigned to that device.
Remote access VPN does not support SSL while using SaaS or ECMP. We recommend that you use IPsec-IKEv2.
Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration.
Remote access VPN connectivity could fail if there is a misconfigured threat defense NAT rule.
If you are using DHCP to provide IP addresses to the client, and the client cannot obtain an address, check the NAT rules. Any NAT rule that applies to the RA VPN network should include the route lookup option. Route lookup can help ensure the DHCP requests are sent to the DHCP server through an appropriate interface.
Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the Secure Client IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the threat defense device before configuring remote access VPN policy.
While configuring remote access VPNs using the wizard, you can create in-line certificate enrollment objects, but you cannot use them to install the identity certificate. Certificate enrollment objects are used for generating the identity certificate on the threat defense device being configured as the remote access VPN gateway. Install the identity certificate on the device before deploying the remote access VPN policy to the device.

For more information about how to install the identity certificate based on the certificate enrollment object, see The Object Manager.
The ECMP zone interfaces can be used in remote access VPN with IPsec enabled.
The ECMP zone interfaces cannot be used in remote access VPN with SSL enabled. Deployment of remote access VPN (SSL enabled) configuration fails if all the remote access VPN interfaces that belong to security zones or interface groups also belong to one or more ECMP zones. However, if only some of the remote access VPN interfaces belonging to the security zones or interface groups also belongs to one or more ECMP zones, deployment of the remote access VPN configuration succeeds excluding those interfaces.
After you change the remote access VPN policy configurations, re-deploy the changes to the threat defense devices. The time it takes to deploy configuration changes depends on multiple factors such as complexity of the policies and rules, type and volume of configurations you send to the device, and memory and device model. Before deploying remote access VPN policy changes, review the Best Practices for Deploying Configuration Changes.
Issuing commands such as curl against the RA VPN headend is not directly supported, and might not have desirable results. For example, the headend does not respond to HTTP HEAD requests.
You can configure browser proxy using FlexConfig.

Concurrent VPN Sessions Capacity Planning (threat defense virtual Models)

The maximum concurrent VPN sessions are governed by the installed threat defense virtual smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.


Device Model	Maximum Concurrent Remote Access VPN Sessions
Threat Defense Virtual5	50
Threat Defense Virtual10	250
Threat Defense Virtual20	250
Threat Defense Virtual30	250
Threat Defense Virtual50	750
Threat Defense Virtual100	10,000

Concurrent VPN Sessions Capacity Planning (Hardware Models)

The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.


Device Model	Maximum Concurrent Remote Access VPN Sessions
Firepower 1010	75
Firepower 1120	150
Firepower 1140	400
Secure Firewall 3110	3000
Secure Firewall 3120	6000
Secure Firewall 3130	15,000
Secure Firewall 3140	20,000
Firepower 4100, all models	10,000
Firepower 9300 appliance, all models	20,000
ISA 3000	25

For capacity of other hardware models, contact your sales representative.

Note

The threat defense device denies the VPN connections once the maximum session limit per platform is reached. The connection is denied with a syslog message. Refer the syslog messages %ASA-4-113029 and %ASA-4-113038 in the syslog messaging guide. For more information, see Cisco Secure Firewall ASA Series Syslog Messages.

Controlling Cipher Usage for VPN

To prevent use of ciphers greater than DES, pre-deployment checks are available at the following locations in the management center:

Devices > Platform Settings > Edit > SSL.

Devices > VPN > Remote Access > Edit > Advanced > IPsec.

For more information about SSL settings and IPsec, see SSL and Configure Remote Access VPN IPsec/IKEv2 Parameters.

Authentication, Authorization, and Accounting

Configure DNS on each device in the topology in to use remote access VPN. Without DNS, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames; it can only resolve IP addresses.

You can configure DNS using the Platform Settings. For more information, see DNS and DNS Server Group.

Client Certificates

Unsupported Features of Secure Client

The only supported VPN client is the Cisco Secure Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the Secure Client using a web browser.

Note

Using multiple Secure Client packages on threat defense devices can increase memory usage and affect the device's performance. We recommend that you do not use multiple Secure Client packages on low-end threat defense devices to avoid continuous reboots because of memory exhaustion.

The following Secure Client features are not supported when connecting to a threat defense secure gateway:

TACACS, Kerberos (KCD Authentication and RSA SDI).

Configuring a New Remote Access VPN Connection

This section provides instructions to configure a new remote access VPN policy with Secure Firewall Threat Defense devices as VPN gateways and Cisco Secure Client as the VPN client.


Step	Do This	More Info
1	Review the guidelines and prerequisites.	Guidelines and Limitations for Remote Access VPNs Prerequisites for Configuring Remote Access VPN
2	Create a new remote access VPN policy using the wizard.	Create a New Remote Access VPN Policy
3	Update the access control policy deployed on the device.	Update the Access Control Policy on the Secure Firewall Threat Defense Device
4	(Optional) Configure a NAT exemption rule if NAT is configured on the device.	(Optional) Configure NAT Exemption
5	Configure DNS.	Configure DNS
6	Add Secure Client Profile.	Add Secure Client Profile XML File
7	Deploy the remote access VPN policy.	Deploy Configuration Changes
8	(Optional) Verify the remote access VPN policy configuration.	Verify the Configuration

Prerequisites for Configuring Remote Access VPN

Deploy Secure Firewall Threat Defense devices and configure Secure Firewall Management Center to manage the device with required licenses with export-controlled features enabled. For more information, see VPN Licensing.
Configure the certificate enrollment object that is used to obtain the identity certificate for each threat defense device that act as a remote access VPN gateway.
Configure the RADIUS server group object and any AD or LDAP realms being used by remote access VPN policies.
Ensure that the AAA Server is reachable from the threat defense device for the remote access VPN configuration to work. Configure routing (at Devices > Device Management > Edit Device > Routing) to ensure connectivity to the AAA servers.

For remote access VPN double authentication, ensure that both the primary and secondary authentication servers are reachable from the threat defense device for the double authentication configuration to work.
Purchase and enable one of the following Cisco Secure Client licenses: Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only to enable the threat defense remote access VPN.
Download the latest Secure Client image files from Cisco Software Download Center.

On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > Secure Client File and add the new Secure Client image files.
Create a security zone or interface group that contains the network interfaces that users will access for VPN connections. See Interface.
Download the Secure Client Profile Editor from Cisco Software Download Center to create the Secure Client profile. You can use the standalone profile editor to create a new or modify an existing Secure Client profile.

Create a New Remote Access VPN Policy

The Remote Access VPN Policy Wizard guides you to quickly and easily set up remote access VPNs with basic capabilities. You can further enhance the policy configuration by specifying additional attributes as you want and deploy it to your Secure Firewall Threat Defense secure gateway devices.

Before you begin

Ensure that you complete all the prerequisites listed in Prerequisites for Configuring Remote Access VPN.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Add to create a new remote access VPN policy with basic policy configuration, using the Remote Access VPN Policy wizard.

You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before you complete the wizard.

Step 3

Select the target devices and protocols.

The threat defense devices that you select here functions as your remote access VPN gateways for the VPN client users.

You can select threat defense devices when you create a remote access VPN policy or change them later. See Set Target Devices for a Remote Access VPN Policy.

You can select SSL or IPSec-IKEv2, or both the VPN protocols. Threat Defense supports both the protocols to establish secure connections over a public network through VPN tunnels.

Note

Threat Defense does not support IPSec tunnels with NULL encryption. If you have selected IPSec-IKEv2, make sure that you do not choose NULL encryption for IPSec IKEv2 proposal. See Configure IKEv2 IPsec Proposal Objects.

For SSL settings, see SSL.

Step 4

Click Next.

Step 5

Configure the Connection Profile and Group Policy settings.

A connection profile specifies a set of parameters that define how the remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignments to VPN clients, and group policies. Threat Defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy.

For more information, see Configure Connection Profile Settings.

Step 6

Configure the Authentication, Authorization & Accounting settings.

For information about configuring,

AAA settings, see Configure AAA Settings for Remote Access VPN
LDAP attribute maps, see Configuring LDAP Attribute Mapping
SAML 2.0 single sign-on authentication, see Configuring a SAML Single Sign-On Authentication

Step 7

Configure the Client Address Assignment settings.

Client IP address can be assigned from AAA server, DHCP server and IP address pools. When multiple options are selected, IP address assignment is done in the order of AAA server, DHCP server, and IP address pool. Assignment of client IP addresses from the AAA server is supported only for realm and RADIUS authorization. Ensure that realm or RADIUS server is configured to provide client IP address.

Step 8

Configure the Group Policy settings.

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. You configure attributes such as user authorization profile, IP addresses, Secure Client settings, VLAN mapping, and user session settings and so on using the group policy. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile. For more information, see Configuring Group Policies.

Step 9

Click Next.

Step 10

Select the Secure Client Image that the VPN users will use to connect to the remote access VPN.

The Secure Client provides secure SSL or IPSec (IKEv2) connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the threat defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the Secure Client.

For information about configuring the client profile and client modules, see Group Policy Secure Client Options.

Step 11

Click Next.

Step 12

Configure Network Interface for Incoming VPN Access.

Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple zones interface objects on a single device. There are two types of interface objects:

Security zones—An interface can belong to only one security zone.
Interface groups—An interface can belong to multiple interface groups (and to one security zone).

(Optional) Check the Enable DTLS on member interfaces check box, if required. DTLS is applicable only for SSL protocol.

Step 13

Configure Device Certificates.

Device certificate (also called Identity certificate) identifies the VPN gateway to the remote access clients. Select a certificate which is used to authenticate the VPN gateway. From the Certificate Enrollment drop-down list, choose a certificate or click + to add a certificate.

Step 14

Configure Access Control for VPN Traffic .

By default, all decrypted traffic in the VPN tunnel is subjected to the Access Control Policy. Check the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) check box to bypass decrypted traffic from the Access Control Policy. This option bypasses the Access Control Policy inspection, but VPN filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.

Note

If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Secure Firewall Threat Defense Device.

Step 15

Click Next.

Step 16

View the Summary of the remote access VPN policy configuration.

The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configurations that need to be performed before deploying the remote access VPN policy on the selected devices.

Click Back to make changes to the configuration, if required.

Step 17

Click Finish to complete the basic configuration for the remote access VPN policy.

When you complete the Remote Access VPN Policy Wizard, the policy listing page appears. Later, set up DNS configuration, configure access control for VPN users, and enable NAT exemption (if necessary) to complete a basic remote access VPN Policy configuration.

What to do next

Use the Remote Access VPN dashboard (Overview > Dashboards > Remote Access VPN) to monitor real-time data from active remote access VPN sessions on the devices. You can quickly determine problems related to user sessions and mitigate the problems for your network and users. For more information, see Remote Access VPN Dashboard.

Update the Access Control Policy on the Secure Firewall Threat Defense Device

Before deploying the remote access VPN policy, you must update the access control policy on the targeted Secure Firewall Threat Defense device with a rule that allows VPN traffic. The rule must allow all traffic coming in from the outside interface, with source as the defined VPN pool networks and destination as the corporate network.

Note

If you have selected the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option on the Access Interface tab, you need not update the access control policy for remote access VPN.

Enable or disable the option for all your VPN connections. If you disable this option, make sure that the traffic is allowed by the access control policy or pre-filter policy.

For more information, see Configure Access Interfaces for Remote Access VPN.

Before you begin

Complete the remote access VPN policy configuration using the Remote Access VPN Policy wizard.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Policies > Access Control.
Step 2	Click Edit on the access control policy that you want to update.
Step 3	Click Add Rule to add a new rule.
Step 4	Specify the Name for the rule and select Enabled.
Step 5	Select the Action, Allow or Trust.
Step 6	Select the following on the Zones tab: Select the outside zone from Available Zones and click Add to Source. Select the inside zone from Available Zones and click Add to Destination.
Step 7	Select the following on the Networks tab: Select the inside network (inside interface and/or a corporate network) from Available networks and click Add to Destination. Select the VPN address pool network from Available Networks and click Add to Source Networks.
Step 8	Configure other required access control rule settings and click Add.
Step 9	Save the rule and access control policy.

(Optional) Configure NAT Exemption

NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption enables you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT). Use static identity NAT to consider ports in the access list.

When you configure static identity NAT for remote access or site-to-site VPN, you must configure NAT with the route lookup option. Without route lookup, the threat defense sends traffic out of the interface specified in the NAT command, regardless of what the routing table says. For example, you do not want the threat defense to send the DHCP scope traffic through an incorrect interface; it will never return to the interface IP address. The route lookup option lets the threat defense send, or intercept, the traffic directly on the interface IP address instead of through the interface. For traffic from the VPN client to a host on the inside network, the route lookup option will still result in the correct egress interface (inside), so normal traffic flow is not affected.

Before you begin

Check if NAT is configured on the targeted devices where remote access VPN policy is deployed. If NAT is enabled on the targeted devices, you must define a NAT policy to exempt VPN traffic.

Procedure

Step 1

On your Secure Firewall Management Center web interface, click Devices > NAT.

Step 2

Select a NAT policy to update or click New Policy to create a NAT policy with a NAT rule to allow connections through all interfaces.

Step 3

Click Add Rule to add a NAT rule.

Step 4

On the Add NAT Rule window, select the following:

Select the NAT Rule as Manual NAT Rule.
Select the Type as Static.
Click Interface Objects and select the Source and destination interface objects.

Note

This interface object must be the same as the interface selected in the remote access VPN policy.

For more information, see Configure Access Interfaces for Remote Access VPN.

Click Translation and select the source and destination networks:
- Original Source and Translated Source
- Original Destination and Translated Destination

Step 5

On the Advanced tab, select Do not proxy ARP on Destination Interface.

Do not proxy ARP on Destination Interface—Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you need to be sure to have proper routes on the upstream router.

Step 6

Click OK.

Configure DNS

Configure DNS on each threat defense device in order to use remote access VPN. Without DNS, the devices cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames. It can only resolve IP addresses.

Procedure

Step 1	Configure DNS server details and domain-lookup interfaces using the Platform Settings. For more information, see DNS and DNS Server Group.
Step 2	Configure split-tunnel in group policy to allow DNS traffic through remote access VPN tunnel if the DNS server is reachable through VNP network. For more information, see Configure Group Policy Objects.

Add Secure Client Profile XML File

The Secure Client Profile is a group of configuration parameters stored in an XML file that the client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features.

You can create the Secure Client Profile using the Secure Client Profile Editor, a GUI-based configuration tool that is available as part of the Secure Client software package. It is an independent program that you run outside of the management center. For more information about Secure Client Profile Editor, see Cisco Secure Client (including AnyConnect) Administrator Guide.

Before you begin

A Secure Firewall Threat Defense remote access VPN policy requires assignment of the Secure Client Profile to the VPN clients. You can attach the client profile to a group policy.

Download the Secure Client Profile Editor from Cisco Software Download Center.

Procedure

Step 1

Choose Devices > Remote Access.

Step 2

Click Edit on the remote access VPN policy which you want to update.

Step 3

Click Edit on the connection profile to which you want to add the Secure Client profile.

Step 4

Click Edit Group Policy. If you choose to add a new group policy, click Add.

Step 5

Choose Secure Client > Profile.

Step 6

Choose a profile from the Client Profile drop-down list. If you choose to add a new client profile, click Add and do the following:

Specify the profile Name.

Click Browse and select the Secure Client Profile XML file.

Note

For two-factor authentication, make sure that the timeout is set to 60 seconds or more in the Secure Client profile.

Click Save.

Step 7

Save your changes.

(Optional) Configure Split Tunneling

Split tunnel allows VPN connectivity to a remote network across a secure tunnel and also to a network outside VPN tunnel. Configure split tunneling if you want to allow your VPN users to access an outside network while they remain connected to the remote access VPN. To configure a split-tunnel list, you must create a Standard Access List or Extended Access List.

For more information, see Configuring Group Policies.

Procedure

Step 1	Choose Devices > Remote Access.
Step 2	Click Edit on the remote access VPN policy for which you want to configure split tunneling.
Step 3	Click Edit on the required connection profile.
Step 4	Click Add to add a group policy or click Edit Group Policy.
Step 5	Choose General > Split Tunneling.
Step 6	From the IPv4 Split Tunneling or IPv6 Split Tunneling list, select Exclude networks specified below and then select the networks that you want to exclude from VPN traffic. The default setting allows all traffic over the VPN tunnel.
Step 7	Click Standard Access List or Extended Access List, and select an access list from the drop-down or add a new one.
Step 8	If you choose to add a new standard or extended access list, do the following: Specify the Name for the new access list and click Add. Choose Allow from the Action drop-down. Select the network traffic that you want to allow over the VPN tunnel and click Add.
Step 9	Save your changes.

(Optional) Configure Dynamic Split Tunneling

Dynamic split tunneling allows you to fine-tune split tunneling based on DNS domain names. You can configure domains that must be included or excluded in the remote access VPN tunnel. Excluded domains are not blocked. Instead, traffic to those domains is kept outside the VPN tunnel. For example, you could send traffic to Cisco WebEx on the public Internet, thus freeing bandwidth in your VPN tunnel for traffic that is targeted to servers within your protected network. For more information about configuring this feature, see Configure AnyConnect Dynamic Split Tunnel on FTD Managed by FMC.

Before you begin

You can configure this feature using the management center and threat defense from versions 7.0 or later. If you have an older version of the management center, you can configure it using FlexConfig as instructed in the Advanced AnyConnect VPN Deployments for Firepower Threat Defense with FMC.

Procedure

Step 1	Configure the group policy to use Dynamic Split Tunnel. Choose Devices > Remote Access. Click Edit on the remote access VPN policy for which you want to configure dynamic split tunneling. Click Edit on the required connection profile. Click Edit Group Policy.
Step 2	Configure the Secure Client custom attribute in the Add/Edit Group Policy dialog box. Click the Secure Client tab. Click Custom Attributes and click +. Choose Dynamic Split Tunneling from the Secure Client Attribute drop-down list. Click + to create a new custom attribute object. Enter the name for the custom attribute object. Include domains—Specify domain names that will be included in the remote access VPN tunnel. You can include domains in the tunnel that will be excluded based on IP addresses. Exclude domains—Specify domain names that will be excluded from the remote access VPN. Excluded domains are not blocked, traffic to these domains is kept outside the VPN tunnel. Click Save. Click Add.
Step 3	Verify the configured custom attribute and click Save to save the group policy.
Step 4	Click Save to save the connection profile.
Step 5	Click Save to save the remote access VPN policy.

What to do next

Deploy the configuration to threat defense.
Verify the configured dynamic split tunnel configuration on the threat defense and the Secure Client. For more information, see Verify Dynamic Split Tunneling Configuration.

Verify Dynamic Split Tunneling Configuration

On the Threat Defense

Use the following commands to verify the dynamic split tunneling configuration:

show running-config webvpn
show running-config anyconnect-custom-data
show running-config group-policy <group-policy-name>

On the Secure Client

Click the Statistics () icon and choose VPN > Statistics. You can confirm the domains under the Dynamic Split Exclusion/Inclusion category.

Verify the Configuration

Procedure

Step 1

Open a web browser on a machine on the outside network.

Step 2

Enter the URL of the threat defense remote access VPN gateway device.

Step 3

Enter the username and password when prompted, and click Logon.

Note

Connection to the VPN establishes automatically if you install Secure Client on the system.

The VPN prompts you to download Secure Client if Secure Client is not installed.

Step 4

Download Secure Client if it is not installed and connect to the VPN.

The Secure Client installs itself. On successful authentication, you establish connection to the Secure Firewall Threat Defense remote access VPN gateway. The remote access VPN enforces the applicable identity or QoS policy according to your VPN policy configuration.

Create a Copy of an Existing Remote Access VPN Policy

You can copy an existing remote access VPN policy to create a new one with all the settings, including the connection profiles and access interfaces. You can then assign devices to the new policy and deploy the VPN on the assigned devices as required.

Note

Users with read-only permission for remote access VPN cannot create copy of the VPN. Users with read-only privileges in the domain can copy the remote access VPNs.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Copy on the policy that you want to copy.
Step 3	Specify a Name for the new remote access VPN.
Step 4	Click OK.

What to do next

To assign devices to the new policy, see Set Target Devices for a Remote Access VPN Policy.

Set Target Devices for a Remote Access VPN Policy

After you create remote access VPN policy, you can assign the policy to threat defense devices.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit () next to the remote access VPN policy that you want to edit.
Step 3	Click Policy Assignments.
Step 4	Do any of the following: To assign a device, high-availability pair, or device group to the policy, select it in the Available Devices list and click Add. You can also drag and drop the available devices to select. To remove a device assignment, click Delete () next to a device, high-availability pair, or device group in the Selected Devices list.
Step 5	Click OK.
Step 6	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Associate Local Realm with Remote Access VPN Policy

You can associate local realm to remote access VPN policy to enable local user authentication.

For information about creating and managing realms, see Manage a Realm.

For information about configuring local user authentication for remote access VPNs, see Configure AAA Settings for Remote Access VPN.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit () next to the remote access VPN policy that you want to edit.
Step 3	Click the link next to Local Realm.
Step 4	Select the Local Realm Server from the list, or click Add to add a new local realm.
Step 5	Click OK.
Step 6	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Additional Remote Access VPN Configurations

Configure Connection Profile Settings

Remote Access VPN policy contains the connection profiles targeted for specific devices. These policies pertain to creating the tunnel itself, such as, how AAA is accomplished, and how addresses are assigned (DHCP or Address Pools) to VPN clients. They also include user attributes, which are identified in group policies configured on the threat defense device or obtained from a AAA server. A device also provides a default connection profile named DefaultWEBVPNGroup. The connection profile that is configured using the wizard appears in the list.

If you decide to grant different rights to different groups of VPN users, then you can add specific connection profiles for each of the user groups and maintain multiple connection profiles in your remote access VPN policy.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Select an existing remote access VPN policy in the list and click the corresponding Edit icon.
Step 3	Select a Connection Profile and click Edit.
Step 4	(Optional) If you choose to add new connection profile, click Add.
Step 5	Configure IP Addresses for VPN Clients. Configure IP Addresses for VPN Clients
Step 6	(Optional) Update AAA Settings for remote access VPNs. Configure AAA Settings for Remote Access VPN
Step 7	(Optional) Create or update Aliases. Create or Update Aliases for a Connection Profile
Step 8	Save your changes.

Configure IP Addresses for VPN Clients

Client address assignment allows you to assign IP addresses for the remote access VPN users.

You can assign IP Address for remote VPN clients from the local IP address pools, DHCP Servers, and AAA servers. The AAA servers are assigned first, followed by others. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pools defined in this connection profile will only be used if no IP pools are defined in group policy associated with the connection profile, or the system default group policy DfltGrpPolicy.

IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the Threat Defense device. Address pools define a range of addresses that remote clients can receive. You can add a maximum of six pools for IPv4 and IPv6 addresses each.

Note

You can use the IP address from the existing IP pools in the Management Center or create a new pool using the Add option. Also, you can create an IP pool in Management Center using the Objects > Object Management > Address Pools path. For more information, see Address Pools.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Existing remote access policies are listed.

Step 2

Select a remote access VPN policy and click the edit icon.

Step 3

Select the connection profile that you want to update and click the edit icon.

Step 4

Under the Client Address Assignment tab, do the following:

Step 5

Click + next to Address Pools:

Click + next to Address Pools to add IP addresses, and select IPv4 or IPv6 to add the corresponding address pool. Select the IP address pool from Available Pools and click Add.

Note

If you share your remote access VPN policy among multiple Secure Firewall Threat Defense devices, bear in mind that all devices share the same address pool unless you use device-level object overrides to replace the global definition with a unique address pool for each device. Unique address pools are required to avoid overlapping addresses in cases where the devices are not using NAT.

Click + next to Available Pools in the Address Pools window to add a new IPv4 or IPv6 address pool. When you choose the IPv4 pool, provide a starting and ending IP address. When you choose to include a new IPv6 address pool, enter Number of Addresses in the range 1-16384. Select the Allow Overrides option to avoid conflicts with IP address when objects are shared across many devices. For more information, see Address Pools.
Click OK.
If you plan to edit the IP address pools, we recommend that you perform the following steps during a maintenance window:
1. Unassign the device from the remote access VPN.
2. Select the device and click Deploy.
  
  This deployment removes all the remote access VPN configurations from the device, terminates the remote access VPN sessions, the sessions are not reestablished.
3. Click the edit icon next to the IP address pools to edit it, edit any other remote access VPN configurations, if required, on the Management Center.
4. Assign the device to the updated remote access VPN policy.
5. Deploy the configurations on the device.
  
  The remote access VPN clients can connect to the device after the maintenance window.

Step 6

Click + next to DHCP Servers to add DHCP servers:

Note

The DHCP server address can be configured only with IPv4 address.

Specify the name and DHCP (Dynamic Host Configuration Protocol) server address as network objects. Click Add to choose the server from the object list. Click Delete to delete a DHCP server.
Click Add in the New Objects page to add a new network object. Enter the new object name, description, network, and select the Allow Overrides option as applicable. For more information, see Creating Network Objects and Allowing Object Overrides.
Click OK.

Step 7

Click Save.

Configure AAA Settings for Remote Access VPN

Before you begin

Ensure that the required machine and user certificates are deployed on the endpoints. For information about Secure Firewall Threat Defense certificates, see Managing Threat Defense Certificates Managing VPN Certificate.
Configure Secure Client profiles with required certificates. For more information, see Cisco Secure Client (including AnyConnect) Administrator Guide.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Select a connection profile to update AAA settings, click Edit > AAA.

Step 4

Select the following for Authentication:

Authentication Method—Determines how a user is identified before being allowed access to the network and network services. It controls access by requiring valid user credentials, which are typically a username and password. It may also include the certificate from the client. Supported authentication methods are AAA only, Client Certificate only, and AAA + Client Certificate.

When you select the Authentication Method as:

AAA Only—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must select the Authorization Server and Accounting Server manually.
SAML—Each user is authenticated using the SAML single sign-on server. For more information, see Single Sign-On Authentication with SAML 2.0.

Override Identity Provider Certificate—Select to override the primary identity provider certificate of the SAML provider with an IdP certificate specific to a connection profile or SAML application. Select the IdP certificate from the drop-down.

Microsoft Azure can support multiple applications for the same entity ID. Each application (mapped to a different connection profile) requires a unique certificate. If you want to retain an existing entity ID for the single-sign-on object in current connection profile and use a different IdP certificate, you can select this option.

This enables support for multiple SAML applications per Microsoft Azure SAML identity provider.

The primary identity certificate is configured in the single sign-on server object.

For information about configuring a single sign-on server object, see Add a Single Sign-on Server.

Choose your SAML Login Experience to configure a browser for SAML web authentication:
- VPN client embedded browser—Choose this option to use the browser embedded with the VPN client for web authentication. The authentication applies to the VPN connection only.
- Default OS Browser—Choose this option to configure the operating system that default or native browser that supports WebAuthN (FIDO2 standard for web authentication). This option enables single sign-on(SSO) support for web authentication methods such as biometric authentication.
  
  The default browser requires an external browser package for web authentication. The package Default-External-Browser-Package is configured by default. You can change the default external browser package by editing a remote access VPN policy and selecting the file under Advanced > Secure Client Images > Package File.
  
  You can also add a new package file by selecting. Objects > Object Management > VPN > Secure Client File > Add Secure Client File.

Client Certificate Only—Each user is authenticated with a client certificate. The client certificate must be configured on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU. If the user name is specified in other fields in the client certificate, use 'Primary' and 'Secondary' field to map appropriate fields.

Select Enable multiple certificate authentication to authenticate the VPN client using the machine and user certificates.

If have enabled multiple certificate authentication, you can select one of the following certificates to map the username and authenticate the VPN user:

First Certificate—Select this option to map the username from the machine certificate sent from the VPN client.
Second Certificate—Select this option to map the username from the user certificate sent from the client.

Note

If you do not enable multiple certificate authentication, the user certificate (second certificate) is used for authentication by default.

If you select the Map specific field option, which includes the username from the client certificate, the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication.

The primary and Secondary fields pertaining to the Map specific field option contain these common values:

C (Country)
CN (Common Name)
DNQ (DN Qualifier)
EA (Email Address)
GENQ (Generational Qualifier)
GN (Given Name)
I (Initial)
L (Locality)
N (Name)
O (Organisation)
OU (Organisational Unit)
SER (Serial Number)
SN (Surname)
SP (State Province)
T (Title)
UID (User ID)
UPN (User Principal Name)

Client Certificate & AAA— Each user is authenticated with both a client certificate and AAA server. Select the required certificate and AAA configurations for authentication.

Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.
Client Certificate & SAML— Each user is authenticated with both a client certificate and SAML server. Select the required certificate and SAML configurations for authentication.
- Allow connection only if username from certificate and SAML are the same—Select to allow VPN connection only if the username from the certificate matches the SAML single sign-on username.
- Use username from client certificate for Authorization—When you choose the option to pick username from client certificate for authorization, you must configure the fields to pick from the client certificate.
  
  You can choose to map a specific filed as the username or use the entire distinguished name (DN) for authorization:
  - Map specific field— Select to include the username from the client certificate; the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively.
  - Use entire DN as username— The system automatically retrieves the user identity for authorization.
You can also create a Dynamic Access Policy (DAP) to match user-specific SAML assertion attributes or username to DAP certificate attributes. See Configure AAA Criteria Settings for DAP.

Authentication Server—Authentication is the way a user is identified before being allowed access to the network and network services. Authentication requires valid user credentials, a certificate, or both. You can use authentication alone, or with authorization and accounting.

Select an authentication server from the list if you have added a server already or else create an authentication server:
- LOCAL—Use a local database from the threat defense for user authentication.
  - Local Realm—Select a local realm or click Add to configure a realm. See Create an LDAP Realm or an Active Directory Realm and Realm Directory.
- Realm—Configure an LDAP or AD realm. See Create an LDAP Realm or an Active Directory Realm and Realm Directory.
- RADIUS Server Group—Add a RADIUS server group object with RADIUS servers. See Add a RADIUS Server Group.
- Single Sign-On Server—Create a single sign-on server object for SAML authentication. See Add a Single Sign-on Server.

Fallback to LOCAL Authentication— The user is authenticated using the local database and the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured.

Use secondary authentication — Secondary authentication is configured in addition to primary authentication to provide additional security for VPN sessions. Secondary authentication is applicable only to AAA only and Client Certificate & AAA authentication methods.

Secondary authentication is an optional feature that requires a VPN user to enter two sets of username and password on the Secure Client login screen. You can also configure to pre-fill the secondary username from the authentication server or client certificate. Remote access VPN authentication is granted only if both primary and secondary authentications are successful. VPN authentication is denied if any one of the authentication servers is not reachable or one authentication fails.

You must configure a secondary authentication server group (AAA server) for the second username and password before configuring secondary authentication. For example, you can set the primary authentication server to an LDAP or Active Directory realm and the secondary authentication to a RADIUS server.

Note

By default, secondary authentication is not required.

Authentication Server— Secondary authentication server to provide secondary username and password for VPN users.

Fallback to LOCAL Authentication— This user is authenticated using the local database and the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured.

Select the following under Username for secondary authentication:

Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.
Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.
Map username from client certificate: Prefills the secondary username from the client certificate.

If you have enabled multiple certificate authentication, you can select one of the following certificates:
- First Certificate— Select this option to map the username from the machine certificate sent from the VPN client.
- Second Certificate— Select this option to map the username from the user certificate sent from the client.
- If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.
  
  See Authentication Method descriptions for more information about primary and secondary field mapping.
- Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via Secure Client.
  - Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.
Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.

Step 5

Select the following for Authorization:

Authorization Server—After authentication is complete, authorization controls the services and commands available to each authenticated user. Authorization works by assembling a set of attributes that describe what the user is authorized to perform, their actual capabilities, and restrictions. When you do not use authorization, authentication alone provides the same access to all authenticated users. Authorization requires authentication.

To know more about how remote access VPN authorization works, see Understanding Policy Enforcement of Permissions and Attributes.

When a RADIUS Server is configured for user authorization in the connection profile, the remote access VPN system administrator can configure multiple authorization attributes for users or user-groups. The authorization attributes that are configured on the RADIUS server can be specific for a user or a user-group. Once users are authenticated, these specific authorization attributes are pushed to the threat defense device.

Note

The AAA server attributes obtained from the authorization server override the attribute values that may have been previously configured on the group policy or the connection profile.

Check Allow connection only if user exists in authorization database if desired.

When enabled, the system checks the username of the client must exist in the authorization database to allow a successful connection. If the username does not exist in the authorization database, then the connection is denied.

When you select a realm as the Authorization Server, you must configure an LDAP attribute map. You can choose a single server for authentication and authorization or a different servers. Click Configure LDAP Attribute Map to add LDAP attribute maps for authorization.

Note

Threat Defense does not support SAML Identity Provider as the Authorization server. If the Active Directory behind the SAML Identity Provider is reachable via management center and threat defense, you can configure authorization following these steps:

Add realm for the AD Server. See Create an LDAP Realm or an Active Directory Realm and Realm Directory.
Select the realm object as the Authorization Server in remote access VPN connection profile.
Configure LDAP attribute map for the selected realm.

For information about configuring LDAP attribute maps, see Configuring LDAP Attribute Mapping.

Step 6

Select the following for Accounting:

Accounting Server—Accounting is used to track the services that users are accessing and the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS server. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the services used, and the duration of each session. This data can then be analyzed for network management, client billing, or auditing. You can use accounting alone or together with authentication and authorization.

Specify the RADIUS Server Group object that will be used to account for the remote access VPN session.

Step 7

Select the following Advanced Settings:

Strip Realm from username—Select to remove the realm from the username before passing the username on to the AAA server. For example, if you select this option and provide domain\username, the domain is stripped off from the username and sent to AAA server for authentication. By default this option is unchecked.

Strip Group from username—Select to remove the group name from the username before passing the username on to the AAA server. By default this option is unchecked.

Note

A realm is an administrative domain. Enabling these options allows the authentication to be based on the username alone. You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.

Password Management—Enable managing the password for the remote access VPN users. Select to notify ahead of the password expiry or on the day the password expires.

Step 8

Click Save.

RADIUS Server Attributes for Secure Firewall Threat Defense

The threat defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from the external RADIUS server that are configured for authentication and/or authorization in the remote access VPN policy.

Note

Secure Firewall Threat Defense devices support attributes with vendor ID 3076.

The following user authorization attributes are sent to the threat defense device from the RADIUS server.

RADIUS attributes 146 and 150 are sent from threat defense devices to the RADIUS server for authentication and authorization requests.
All three (146, 150, and 151) attributes are sent from threat defense devices to the RADIUS server for accounting start, interim-update, and stop requests.

Table 2. RADIUS Attributes Sent from Secure Firewall Threat Defense to RADIUS Server
Attribute	Attribute Number	Syntax, Type	Single or Multi-valued	Description or Value
Connection Profile Name or Tunnel Group Name	146	String	Single	1-253 characters
Client Type	150	Integer	Single	2 = Secure Client SSL VPN, 6 = Secure Client IPsec VPN (IKEv2)
Session Type	151	Integer	Single	1 = Secure Client SSL VPN, 2 = Secure Client IPsec VPN (IKEv2)

Table 3. Supported RADIUS Authorization Attributes
Attribute Name	Threat Defense	Attr. No.	Syntax/Type	Single or Multi- Valued	Description or Value
Access-Hours	Y	1	String	Single	Name of the time range, for example, Business-hours
Access-List-Inbound	Y	86	String	Single	Both of the Access-List attributes take the name of an ACL that is configured on the threat defense device. Create these ACLs using the Smart CLI Extended Access List object type (select Device > Advanced Configuration > Smart CLI > Objects). These ACLs control traffic flow in the inbound (traffic entering the threat defense device) or outbound (traffic leaving the threat defense device) direction.
Access-List-Outbound	Y	87	String	Single
Address-Pools	Y	217	String	Single	The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the remote access VPN. Define the network object on the Objects page and then associate the network object with a group policy or a connection profile.
Allow-Network-Extension-Mode	Y	64	Boolean	Single	0 = Disabled 1 = Enabled
Authenticated-User-Idle-Timeout	Y	50	Integer	Single	1-35791394 minutes
Authorization-DN-Field	Y	67	String	Single	Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name
Authorization-Required		66	Integer	Single	0 = No 1 = Yes
Authorization-Type	Y	65	Integer	Single	0 = None 1 = RADIUS 2 = LDAP
Banner1	Y	15	String	Single	Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, Secure Client SSL-TLS/DTLS/IKEv2, and Clientless SSL
Banner2	Y	36	String	Single	Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, Secure Client SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured.
Cisco-IP-Phone-Bypass	Y	51	Integer	Single	0 = Disabled 1 = Enabled
Cisco-LEAP-Bypass	Y	75	Integer	Single	0 = Disabled 1 = Enabled
Client Type	Y	150	Integer	Single	1 = Cisco VPN Client (IKEv1) 2 = Secure Client SSL VPN 3 = Clientless SSL VPN 4 = Cut-Through-Proxy 5 = L2TP/IPsec SSL VPN 6 = Secure Client IPsec VPN (IKEv2)
Client-Type-Version-Limiting	Y	77	String	Single	IPsec VPN version number string
DHCP-Network-Scope	Y	61	String	Single	IP Address
Extended-Authentication-On-Rekey	Y	122	Integer	Single	0 = Disabled 1 = Enabled
Framed-Interface-Id	Y	96	String	Single	Assigned IPv6 interface ID. Combines with Framed-IPv6-Prefix to create a complete assigned IPv6 address. For example: Framed-Interface-ID=1:1:1:1 combined with Framed-IPv6-Prefix=2001:0db8::/64 gives the assigned IP address 2001:0db8::1:1:1:1.
Framed-IPv6-Prefix	Y	97	String	Single	Assigned IPv6 prefix and length. Combines with Framed-Interface-Id to create a complete assigned IPv6 address. For example: prefix 2001:0db8::/64 combined with Framed-Interface-Id=1:1:1:1 gives the IP address 2001:0db8::1:1:1:1. You can use this attribute to assign an IP address without using Framed-Interface-Id, by assigning the full IPv6 address with prefix length /128, for example, Framed-IPv6-Prefix=2001:0db8::1/128.
Group-Policy	Y	25	String	Single	Sets the group policy for the remote access VPN session. You can use one of the following formats: group policy name OU=group policy name OU=group policy name;
IE-Proxy-Bypass-Local		83	Integer	Single	0 = None 1 = Local
IE-Proxy-Exception-List		82	String	Single	New line (\n) separated list of DNS domains
IE-Proxy-PAC-URL	Y	133	String	Single	PAC address string
IE-Proxy-Server		80	String	Single	IP address
IE-Proxy-Server-Policy		81	Integer	Single	1 = No Modify 2 = No Proxy 3 = Auto detect 4 = Use Concentrator Setting
IKE-KeepAlive-Confidence-Interval	Y	68	Integer	Single	10-300 seconds
IKE-Keepalive-Retry-Interval	Y	84	Integer	Single	2-10 seconds
IKE-Keep-Alives	Y	41	Boolean	Single	0 = Disabled 1 = Enabled
Intercept-DHCP-Configure-Msg	Y	62	Boolean	Single	0 = Disabled 1 = Enabled
IPsec-Allow-Passwd-Store	Y	16	Boolean	Single	0 = Disabled 1 = Enabled
IPsec-Authentication		13	Integer	Single	0 = None 1 = RADIUS 2 = LDAP (authorization only) 3 = NT Domain 4 = SDI 5 = Internal 6 = RADIUS with Expiry 7 = Kerberos/Active Directory
IPsec-Auth-On-Rekey	Y	42	Boolean	Single	0 = Disabled 1 = Enabled
IPsec-Backup-Server-List	Y	60	String	Single	Server Addresses (space delimited)
IPsec-Backup-Servers	Y	59	String	Single	1 = Use Client-Configured list 2 = Disable and clear client list 3 = Use Backup Server list
IPsec-Client-Firewall-Filter-Name		57	String	Single	Specifies the name of the filter to be pushed to the client as firewall policy
IPsec-Client-Firewall-Filter-Optional	Y	58	Integer	Single	0 = Required 1 = Optional
IPsec-Default-Domain	Y	28	String	Single	Specifies the single default domain name to send to the client (1-255 characters).
IPsec-IKE-Peer-ID-Check	Y	40	Integer	Single	1 = Required 2 = If supported by peer certificate 3 = Do not check
IPsec-IP-Compression	Y	39	Integer	Single	0 = Disabled 1 = Enabled
IPsec-Mode-Config	Y	31	Boolean	Single	0 = Disabled 1 = Enabled
IPsec-Over-UDP	Y	34	Boolean	Single	0 = Disabled 1 = Enabled
IPsec-Over-UDP-Port	Y	35	Integer	Single	4001- 49151. The default is 10000.
IPsec-Required-Client-Firewall-Capability	Y	56	Integer	Single	0 = None 1 = Policy defined by remote FW Are-You-There (AYT) 2 = Policy pushed CPP 4 = Policy from server
IPsec-Sec-Association		12	String	Single	Name of the security association
IPsec-Split-DNS-Names	Y	29	String	Single	Specifies the list of secondary domain names to send to the client (1-255 characters).
IPsec-Split-Tunneling-Policy	Y	55	Integer	Single	0 = No split tunneling 1 = Split tunneling 2 = Local LAN permitted
IPsec-Split-Tunnel-List	Y	27	String	Single	Specifies the name of the network or ACL that describes the split tunnel inclusion list.
IPsec-Tunnel-Type	Y	30	Integer	Single	1 = LAN-to-LAN 2 = Remote access
IPsec-User-Group-Lock		33	Boolean	Single	0 = Disabled 1 = Enabled
IPv6-Address-Pools	Y	218	String	Single	Name of IP local pool-IPv6
IPv6-VPN-Filter	Y	219	String	Single	ACL value
L2TP-Encryption		21	Integer	Single	Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Req 15= 40/128-Encr/Stateless-Req
L2TP-MPPC-Compression		38	Integer	Single	0 = Disabled 1 = Enabled
Member-Of	Y	145	String	Single	Comma-delimited string, for example: `Engineering, Sales` An administrative attribute that can be used in dynamic access policies. It does not set a group policy.
MS-Client-Subnet-Mask	Y	63	Boolean	Single	An IP address
NAC-Default-ACL		92	String		ACL
NAC-Enable		89	Integer	Single	0 = No 1 = Yes
NAC-Revalidation-Timer		91	Integer	Single	300-86400 seconds
NAC-Settings	Y	141	String	Single	Name of the NAC policy
NAC-Status-Query-Timer		90	Integer	Single	30-1800 seconds
Perfect-Forward-Secrecy-Enable	Y	88	Boolean	Single	0 = No 1 = Yes
PPTP-Encryption		20	Integer	Single	Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required 15= 40/128-Encr/Stateless-Req
PPTP-MPPC-Compression		37	Integer	Single	0 = Disabled 1 = Enabled
Primary-DNS	Y	5	String	Single	An IP address
Primary-WINS	Y	7	String	Single	An IP address
Privilege-Level	Y	220	Integer	Single	An integer between 0 and 15.
Required-Client- Firewall-Vendor-Code	Y	45	Integer	Single	1 = Cisco Systems (with Cisco Integrated Client) 2 = Zone Labs 3 = NetworkICE 4 = Sygate 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
Required-Client-Firewall-Description	Y	47	String	Single	String
Required-Client-Firewall-Product-Code	Y	46	Integer	Single	Cisco Systems Products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: 1 = Zone Alarm 2 = Zone AlarmPro 3 = Zone Labs Integrity NetworkICE Product: 1 = BlackIce Defender/Agent Sygate Products: 1 = Personal Firewall 2 = Personal Firewall Pro 3 = Security Agent
Required-Individual-User-Auth	Y	49	Integer	Single	0 = Disabled 1 = Enabled
Require-HW-Client-Auth	Y	48	Boolean	Single	0 = Disabled 1 = Enabled
Secondary-DNS	Y	6	String	Single	An IP address
Secondary-WINS	Y	8	String	Single	An IP address
SEP-Card-Assignment		9	Integer	Single	Not used
Session Subtype	Y	152	Integer	Single	0 = None 1 = Clientless 2 = Client 3 = Client Only Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.
Session Type	Y	151	Integer	Single	0 = None 1 = Secure Client SSL VPN 2 = Secure Client IPSec VPN (IKEv2) 3 = Clientless SSL VPN 4 = Clientless Email Proxy 5 = Cisco VPN Client (IKEv1) 6 = IKEv1 LAN-LAN 7 = IKEv2 LAN-LAN 8 = VPN Load Balancing
Simultaneous-Logins	Y	2	Integer	Single	0-2147483647
Smart-Tunnel	Y	136	String	Single	Name of a Smart Tunnel
Smart-Tunnel-Auto	Y	138	Integer	Single	0 = Disabled 1 = Enabled 2 = AutoStart
Smart-Tunnel-Auto-Signon-Enable	Y	139	String	Single	Name of a Smart Tunnel Auto Signon list appended by the domain name
Strip-Realm	Y	135	Boolean	Single	0 = Disabled 1 = Enabled
SVC-Ask	Y	131	String	Single	0 = Disabled 1 = Enabled 3 = Enable default service 5 = Enable default clientless (2 and 4 not used)
SVC-Ask-Timeout	Y	132	Integer	Single	5-120 seconds
SVC-DPD-Interval-Client	Y	108	Integer	Single	0 = Off 5-3600 seconds
SVC-DPD-Interval-Gateway	Y	109	Integer	Single	0 = Off) 5-3600 seconds
SVC-DTLS	Y	123	Integer	Single	0 = False 1 = True
SVC-Keepalive	Y	107	Integer	Single	0 = Off 15-600 seconds
SVC-Modules	Y	127	String	Single	String (name of a module)
SVC-MTU	Y	125	Integer	Single	MTU value 256-1406 in bytes
SVC-Profiles	Y	128	String	Single	String (name of a profile)
SVC-Rekey-Time	Y	110	Integer	Single	0 = Disabled 1-10080 minutes
Tunnel Group Name	Y	146	String	Single	1-253 characters
Tunnel-Group-Lock	Y	85	String	Single	Name of the tunnel group or “none”
Tunneling-Protocols	Y	11	Integer	Single	1 = PPTP 2 = L2TP 4 = IPSec (IKEv1) 8 = L2TP/IPSec 16 = WebVPN 32 = SVC 64 = IPsec (IKEv2) 8 and 4 are mutually exclusive. 0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values.
Use-Client-Address		17	Boolean	Single	0 = Disabled 1 = Enabled
VLAN	Y	140	Integer	Single	0-4094
WebVPN-Access-List	Y	73	String	Single	Access-List name
WebVPN ACL	Y	73	String	Single	Name of a WebVPN ACL on the device
WebVPN-ActiveX-Relay	Y	137	Integer	Single	0 = Disabled Otherwise = Enabled
WebVPN-Apply-ACL	Y	102	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Auto-HTTP-Signon	Y	124	String	Single	Reserved
WebVPN-Citrix-Metaframe-Enable	Y	101	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Content-Filter-Parameters	Y	69	Integer	Single	1 = Java ActiveX 2 = Java Script 4 = Image 8 = Cookies in images
WebVPN-Customization	Y	113	String	Single	Name of the customization
WebVPN-Default-Homepage	Y	76	String	Single	A URL such as http://example-example.com
WebVPN-Deny-Message	Y	116	String	Single	Valid string (up to 500 characters)
WebVPN-Download_Max-Size	Y	157	Integer	Single	0x7fffffff
WebVPN-File-Access-Enable	Y	94	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-File-Server-Browsing-Enable	Y	96	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-File-Server-Entry-Enable	Y	95	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List	Y	78	String	Single	Comma-separated DNS/IP with an optional wildcard () (for example .cisco.com, 192.168.1.*, wwwin.cisco.com)
WebVPN-Hidden-Shares	Y	126	Integer	Single	0 = None 1 = Visible
WebVPN-Home-Page-Use-Smart-Tunnel	Y	228	Boolean	Single	Enabled if clientless home page is to be rendered through Smart Tunnel.
WebVPN-HTML-Filter	Y	69	Bitmap	Single	1 = Java ActiveX 2 = Scripts 4 = Image 8 = Cookies
WebVPN-HTTP-Compression	Y	120	Integer	Single	0 = Off 1 = Deflate Compression
WebVPN-HTTP-Proxy-IP-Address	Y	74	String	Single	Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443)
WebVPN-Idle-Timeout-Alert-Interval	Y	148	Integer	Single	0-30. 0 = Disabled.
WebVPN-Keepalive-Ignore	Y	121	Integer	Single	0-900
WebVPN-Macro-Substitution	Y	223	String	Single	Unbounded.
WebVPN-Macro-Substitution	Y	224	String	Single	Unbounded.
WebVPN-Port-Forwarding-Enable	Y	97	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding-Exchange-Proxy-Enable	Y	98	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding-HTTP-Proxy	Y	99	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-Port-Forwarding-List	Y	72	String	Single	Port forwarding list name
WebVPN-Port-Forwarding-Name	Y	79	String	Single	String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page.
WebVPN-Post-Max-Size	Y	159	Integer	Single	0x7fffffff
WebVPN-Session-Timeout-Alert-Interval	Y	149	Integer	Single	0-30. 0 = Disabled.
WebVPN Smart-Card-Removal-Disconnect	Y	225	Boolean	Single	0 = Disabled 1 = Enabled
WebVPN-Smart-Tunnel	Y	136	String	Single	Name of a Smart Tunnel
WebVPN-Smart-Tunnel-Auto-Sign-On	Y	139	String	Single	Name of a Smart Tunnel auto sign-on list appended by the domain name
WebVPN-Smart-Tunnel-Auto-Start	Y	138	Integer	Single	0 = Disabled 1 = Enabled 2 = Auto Start
WebVPN-Smart-Tunnel-Tunnel-Policy	Y	227	String	Single	One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.
WebVPN-SSL-VPN-Client-Enable	Y	103	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SSL-VPN-Client-Keep- Installation	Y	105	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SSL-VPN-Client-Required	Y	104	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SSO-Server-Name	Y	114	String	Single	Valid string
WebVPN-Storage-Key	Y	162	String	Single
WebVPN-Storage-Objects	Y	161	String	Single
WebVPN-SVC-Keepalive-Frequency	Y	107	Integer	Single	15-600 seconds, 0=Off
WebVPN-SVC-Client-DPD-Frequency	Y	108	Integer	Single	5-3600 seconds, 0=Off
WebVPN-SVC-DTLS-Enable	Y	123	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-SVC-DTLS-MTU	Y	125	Integer	Single	MTU value is from 256-1406 bytes.
WebVPN-SVC-Gateway-DPD-Frequency	Y	109	Integer	Single	5-3600 seconds, 0=Off
WebVPN-SVC-Rekey-Time	Y	110	Integer	Single	4-10080 minutes, 0=Off
WebVPN-SVC-Rekey-Method	Y	111	Integer	Single	0 (Off), 1 (SSL), 2 (New Tunnel)
WebVPN-SVC-Compression	Y	112	Integer	Single	0 (Off), 1 (Deflate Compression)
WebVPN-UNIX-Group-ID (GID)	Y	222	Integer	Single	Valid UNIX group IDs
WebVPN-UNIX-User-ID (UIDs)	Y	221	Integer	Single	Valid UNIX user IDs
WebVPN-Upload-Max-Size	Y	158	Integer	Single	0x7fffffff
WebVPN-URL-Entry-Enable	Y	93	Integer	Single	0 = Disabled 1 = Enabled
WebVPN-URL-List	Y	71	String	Single	URL list name
WebVPN-User-Storage	Y	160	String	Single
WebVPN-VDI	Y	163	String	Single	List of settings

Table 4. RADIUS Attributes Sent to Secure Firewall Threat Defense
Attribute	Attribute Number	Syntax, Type	Single or Multi-valued	Description or Value
Address-Pools	217	String	Single	The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the remote access VPN. Define the network object on the Objects page.
Banner1	15	String	Single	The banner to display when the user logs in.
Banner2	36	String	Single	The second part of the banner to display when the user logs in. Banner2 is appended to Banner1.
Downloadable ACLs	Cisco-AV-Pair	merge-dacl {before-avpair \| after-avpair}		Supported via Cisco-AV-Pair configuration.
Filter ACLs	86, 87	String	Single	Filter ACLs are referred to by ACL name in the RADIUS server. It requires the ACL configuration to be already present on the threat defense device, so that it can be used during RADIUS authorization. 86=Access-List-Inbound 87=Access-List-Outbound
Group-Policy	25	String	Single	The group policy to use in the connection. You must create the group policy on the remote access VPN Group Policy page. You can use one of the following formats: `group policy name` OU=`group policy name` OU=`group policy name`;
Simultaneous-Logins	2	Integer	Single	The number of separate simultaneous connections the user is allowed to establish, 0 - 2147483647.
VLAN	140	Integer	Single	The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the threat defense device.

You must set the values of the IE-Proxy-Server-Method attribute returned from ISE to one of the following:

IE_PROXY_METHOD_PACFILE: 8
IE_PROXY_METHOD_PACFILE_AND_AUTODETECT: 11
IE_PROXY_METHOD_PACFILE_AND_USE_SERVER: 12
IE_PROXY_METHOD_PACFILE_AND_AUTODETECT_AND_USE_SERVER: 15

Threat Defense will deliver a proxy setting only if one of the above values is used for the IE-Proxy-Server-Method attribute.

Create or Update Aliases for a Connection Profile

Aliases contain alternate names or URLs for a specific connection profile. Remote access VPN administrators can enable or disable the Alias names and Alias URLs. VPN users can choose an Alias name when they connect to the Secure Firewall Threat Defense device. Aliases names for all connections configured on this device can be turned on or off for display. You can also configure the list of Alias URLs, which your endpoints can select while initiating the remote access VPN connection. If users connect using the Alias URL, system will automatically log them using the connection profile that matches the Alias URL.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit on the policy that you want to modify.
Step 3	Click Edit on the connection profile for which you want to create or update aliases.
Step 4	Click Aliases.
Step 5	To add an Alias name, do the following: Click Add under Alias Names. Specify the Alias Name. Select the Enabled check box in each window to enable the aliases. Click OK.
Step 6	To add an Alias URL, do the following: Click Add under URL Alias. Select the Alias URL from the list or create a new URL object. For more information see Creating URL Objects. Select the Enabled check box in each window to enable the aliases. Click OK.
Step 7	Save your changes.

Configure Access Interfaces for Remote Access VPN

The Access Interface table lists the interface groups and security zones that contain the device interfaces. These are configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security-zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security (DTLS) is enabled.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click the Access Interface tab.

Step 4

To add an access interface, click + and specify values for the following in the Add Access Interface dialog box:

Access Interface—Select the interface group or security zone to which the interface belongs.

The interface group or security zone must be a Routed type. Other interface types are not supported for remote access VPN connectivity.
Associate the Protocol object with the access interface by selecting the following options:
- Enable IPSet-IKEv2—Select this option to enable IKEv2 settings.
- Enable SSL—Select this option to enable SSL settings.
  - Select Enable Datagram Transport Layer Security.
    
    When selected, it enables Datagram Transport Layer Security (DTLS) on the interface and allows the AnyConnect VPN module of Cisco Secure Client to establish an SSL VPN connection using two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.
    
    Enabling DTLS avoids the latency and bandwidth problems associated with certain SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
    
    To configure SSL settings, and TLS and DTLS versions, see About SSL Settings.
    
    To configure SSL settings for the AnyConnect VPN module of Cisco Secure Client, see Group Policy Secure Client Options.
  - Select the Configure Interface Specific Identity Certificate check box and select Interface Identity Certificate from the drop-down list.
    
    If you do not select the Interface Identity Certificate, the Trustpoint will be used by default.
    
    If you do not select the Interface Identity Certificate or Trustpoint, the SSL Global Identity Certificate will be used by default.
Click OK to save the changes.

Step 5

Select the following under Access Settings:

Allow Users to select connection profile while logging in—If you have multiple connection profiles, check this check box to allow user to select the correct connection profile during login. You must select this option for IPsec-IKEv2 VPNs.
Enable HTTP-only VPN Cookies—Check this check box to enable HTTP-only VPN cookies.

Step 6

Use the following options to configure SSL Settings:

Web Access Port Number—The port to use for VPN sessions. The default port is 443.
DTLS Port Number—The UDP port to use for DTLS connections. The default port is 443.
SSL Global Identity Certificate— The selected SSL Global Identity Certificate will be used for all the associated interfaces if the Interface Specific Identity Certificate is not provided.

Step 7

For IPsec-IKEv2 Settings, select the IKEv2 Identity Certificate from the list or add an identity certificate.

Step 8

Under the Access Control for VPN Traffic section, select the following option if you want to bypass access control policy:

Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) — Decrypted traffic is subjected to Access Control Policy inspection by default. Enabling the Bypass Access Control policy for decrypted traffic option bypasses the ACL inspection, but VPN Filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.

Note

If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Secure Firewall Threat Defense Device.

Step 9

Click Save to save the access interface changes.

Configure Advanced Options for Remote Access VPN

Cisco Secure Client Image

Secure Client Image

The Secure Client provides secure SSL or IPsec (IKEv2) connections to the threat defense device for remote users with full VPN profiling to corporate resources. Without a previously-installed client, remote users can enter the IP address of an interface configured to accept clientless VPN connections in their browser to download and install the Secure Client. The threat defense device downloads the client that matches the operating system of the remote computer. After downloading, the client installs and establishes a secure connection. In case of a previously installed client, when the user authenticates, the threat defense device, examines the version of the client, and upgrades the client if necessary.

The Remote Access VPN administrator associates any new or additional Secure Client images to the VPN policy. The administrator can unassociate the unsupported or end of life client packages that are no longer required.

The Secure Firewall Management Center determines the type of operating system by using the file package name. If the user renamed the file without indicating the operating system information, the valid operating system type must be selected from the list box.

Download the Secure Client image file by visiting Cisco Software Download Center.

Adding a Secure Client Image to the Secure Firewall Management Center

You can upload the Secure Client image to the Secure Firewall Management Center by using the Secure Client File object. For more information, see File Objects. For more information about the client image, see Cisco Secure Client Image.

Procedure

Step 1	Choose Devices > Remote Access, choose and edit a listed remote access policy, then choose the Advanced tab.
Step 2	Click Add to add a Secure Client image.
Step 3	Click Add in the Available Secure Client Images portion of the Secure Client Images dialog.
Step 4	Enter the Name and Description(optional) for the available Secure Client Image.
Step 5	Click Browse, locate and select the client image that you want to upload.
Step 6	Click Save to upload the image to the management center. When you upload the client image to the Secure Firewall Management Center, the operating system information for the image appears automatically.
Step 7	To change the order of client images, Click Show Re-order buttons and move the client image up or down.

Update Secure Client Image for Remote Access VPN Clients

When new Secure Client updates are available in Cisco Software Download Center, you can download the packages manually and add them to the remote access VPN policy so that the new client packages are upgraded on the VPN client systems according to their operating systems.

Before you begin

Instructions in this section help you update new Secure Client images to remote access VPN clients connecting to Secure Firewall Threat Defense VPN gateway. Ensure that the following configurations are complete before updating your Secure Client images:

Download the latest Secure Client image files from Cisco Software Download Center.
On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > Secure Client File and add the new Secure Client image files.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Click Edit on the remote access VPN policy that you want to update.
Step 3	Click Advanced > Secure Client Image > Add.
Step 4	Select a client image file from Available Secure Client Images and click Add. If the required client image is not listed, click Add to browse and upload an image.
Step 5	Click OK.
Step 6	Save the remote access VPN policy. After the remote access VPN policy changes are deployed, the new Secure Client images are updated on the Secure Firewall Threat Defense device that is configured as the remote access VPN gateway. When a new VPN user connects to the VPN gateway, the user gets the new Secure Client image to download depending on the operating system of the client system. For existing VPN users, the Secure Client image gets updated in their next VPN session.

Add a Cisco Secure Client External Browser Package to the Secure Firewall Management Center

If you have the Secure Client external browser package image on your local disk, use this procedure to upload the same to the Secure Firewall Management Center. After you upload the external browser package, you can update the external browser package for your remote access VPN connections.

You can upload the external browser package file to the Secure Firewall Management Center by using the Secure Client File object. For more information, see File Objects.

Points to Remember

Only one external browser package can be added to the threat defense device.
After the external browser package is added to the management center, the browser is pushed to the threat defense only after the external browser is enabled in the remote access VPN configuration.

Procedure

Step 1

On the Secure Firewall Management Center web interface, choose Devices > Remote Access, choose and edit a listed remote access policy, then choose the Advanced tab.

Step 2

Click Add in the Secure Client External Browser Package portion of the Secure Client Images page.

Step 3

Enter the Name and Description for the Secure Client package.

Step 4

Click Browse and locate the external browser package file to upload.

Step 5

Click Save to upload the image to the Secure Firewall Management Center.

Note

If you want to update the remote access VPN connection with an existing external browser package, select the file from the Package File drop-down.

Step 6

Save the remote access VPN policy.

Remote Access VPN Address Assignment Policy

The threat defense device can use an IPv4 or IPv6 policy for assigning IP addresses to Remote Access VPN clients. If you configure more than one address assignment method, the threat defense device tries each of the options until it finds an IP address.

IPv4 or IPv6 Policy

You can use the IPv4 or IPv6 policy to address an IP address to remote access VPN clients. You must try with the IPv4 policy to begin and later followed by IPv6 policy.

Use Authorization Server—Retrieves the address from an external authorization server on a per-user basis. If you are using an authorization server that has IP address configured, we recommend using this method. Address assignment is supported by RADIUS-based authorization server only. It is not supported for AD/LDAP. This method is available for both IPv4 and IPv6 assignment policies.
Use DHCP—Obtains IP addresses from a DHCP server configured in a connection profile. You can also define the range of IP addresses that the DHCP server can use by configuring DHCP network scope in the group policy. If you use DHCP, configure the server in the Objects > Object Management > Network pane. This method is available for IPv4 assignment policies.

For more information about DHCP network scope configuration, see Group Policy General Options.
Use an internal address pool—Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, create the IP address pools in the Objects > Object Management >Address Pools pane and select the same in the connection profile. This method is available for both IPv4 and IPv6 assignment policies.

Allow reuse an IP address so many minutes after it is released—Delays the reuse of an IP address after its return to the address pool. Adding a delay helps to prevent problems firewalls can experience when an IP address is reassigned quickly. By default, the delay is set to zero. If you want to extend the delay, enter the number of minutes in the range of 0–480 to delay the IP address reassignment. This configurable element is available for IPv4 assignment policies.

Configure Certificate Maps

Certificate maps let you define rules matching a user certificate to a connection profile based on the contents of the certificate fields. Certificate maps provide certificate authentication on secure gateways.

The rules or the certificate maps are defined in Certificate Map Objects.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Choose Advanced > Certificate Maps.

Step 4

Select the following options from the General Settings for Connection Profile Mapping pane:

Selections are priority-based, matching continues down the list of options when the first selection does not match. Matching is complete when the rules are satisfied. If the rules are not satisfied, the default connection profile listed at the bottom of this page is used for the connection. Select any, or all of the following options to establish authentication and to determine which connection profile (tunnel group) must be mapped to the client.

Use Group URL if Group URL and Certificate Map match different Connection profiles
Use the configured rules to match a certificate to a Connection Profile—Enable this to use the rules defined in the Connection Profile Maps.

Note

Configuring a certificate mapping implies certificate-based authentication. The remote user will be prompted for a client certificate regardless of the configured authentication method.

Step 5

Under the Certificate to Connection Profile Mapping section, click Add Mapping to create certificate to connection profile mapping for this policy.

Choose or create a Certificate Map Name object.
Select the Connection Profile that want to use if the rules in the certificate map object are satisfied.
Click OK to create the mapping.

Step 6

Click Save.

Configuring Group Policies

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience. For example, in the group policy object, you configure general attributes such as addresses, protocols, and connection settings.

The group policy applied to a user is determined when the VPN tunnel is being established. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.

Note

There is no group policy attribute inheritance on the threat defense. A group policy object is used, in its entirety, for a user. The group policy object identified by the AAA server upon login is used, or, if that is not specified, the default group policy configured for the VPN connection is used. The provided default group policy can be set to your default values, but will only be used if it is assigned to a connection profile and no other group policy has been identified for the user.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Select an existing remote access VPN policy in the list and click the corresponding Edit icon.
Step 3	Choose Advanced > Group Policies > Add.
Step 4	Select group policies from the Available Group Policy list and click Add. You can select one or more group policies to associate with this remote access VPN policy.
Step 5	Click OK to complete the group policy selection.
Step 6	Save your changes.

Configuring LDAP Attribute Mapping

An LDAP attribute name maps LDAP user or group attribute name to a Cisco-understandable name. The attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. You can map any standard LDAP attribute to a well-known vendor specific attribute (VSA). You can map one or more LDAP attributes to one or more Cisco LDAP attributes. When the AD or LDAP server returns authentication to the threat defense device during remote access VPN connection establishment, the threat defense device can use the information to adjust how the Secure Client completes the connection.

When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy-sets to each user based on their credentials. You can achieve this in threat defense by configuring LDAP authorization, with LDAP attribute maps. In order to use LDAP to assign a group policy to a user, you must configure a map that maps an LDAP attribute.

An LDAP attribute map consists of three components:

Realm—Specifies the name for the LDAP attribute map; the name is generated based on the selected realm.
Attribute Name Map—Maps the LDAP user or group attribute name to Cisco-understandable name.
Attribute Value Map—Maps value in the LDAP user or group attribute to the value of a Cisco attribute for the selected name mapping.

The group policies that are used in an LDAP attribute map get added to the list of group policies in the remote access VPN configuration. Removing a group policy from the remote access VPN configuration also removes the associated LDAP attribute mapping.

In versions 6.4 to 6.6, you can configure LDAP attribute maps only using FlexConfig. For more information, see Configure AnyConnect Modules and Profiles Using FlexConfig.

In versions 7.0 and later, you can use the following procedure:

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Advanced > LDAP Attribute Mapping.

Step 4

Click Add.

Step 5

On the Configure LDAP Attribute Map page, select a Realm to configure the attribute map.

Step 6

Click Add.

You can configure multiple attribute maps. Each attribute map requires that you configure a name map and value maps.

Note

Ensure that you follow these guidelines while creating an LDAP attribute map:

Configure at least one mapping for an LDAP attribute; multiple mappings with the same LDAP attribute name is not allowed.
Configure a minimum of one name map to create an LDAP attribute map.
You can remove any LDAP attribute map if the attribute map is not associated with any connection profile in the remote access VPN configuration.
Use the correct spelling and capitalization in the LDAP attribute map for both the Cisco and LDAP attribute names and values.

Specify the LDAP Attribute Name and then select the required Cisco Attribute Name from the list.
Click Add Value Map and Specify the LDAP Attribute Value and Cisco Attribute Value.

Repeat this step to add more value maps.

Step 7

Click OK to complete LDAP attribute map configuration.

Step 8

Click Save to save the changes to the LDAP attribute mapping.

Example

For a detailed example, see Configure RA VPN with LDAP Authentication and Authorization for FTD.

Configuring VPN Load Balancing

About VPN Load Balancing

VPN load balancing in threat defense allows you group two or more devices logically and distribute remote access VPN sessions among the devices equally. VPN load balancing shares Secure Client VPN sessions among the devices in a load balancing group.

VPN load balancing is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of two or more threat defense devices. One device acts as the director, and the other devices are member devices. Devices in a group do not need to be of the exact same type, or have identical software versions or configurations. Any threat defense device that supports remote access VPN can participate in a load balancing group. Threat Defense supports VPN load balancing with Secure Client SAML authentication.

All active devices in a VPN load-balancing group carry session loads. VPN load balancing directs traffic to the least-loaded device in the group, distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.

Components of VPN Load Balancing

Following are the components of VPN load balancing:

Load-balancing group—A virtual group of two or more threat defense devices to share the VPN sessions.

A VPN load-balancing group can consist of threat defense devices of the same release or of mixed releases; but the device must support remote access VPN configuration.

See Configure Group Settings for VPN Load Balancing and Configure Additional Settings for Load Balancing.
Director—One device from the group acts a director. It distributes the load among other members in the group and participate is serving the VPN sessions.

The director monitors all devices in the group, keeps track of how loaded each device is, and distributes the session load accordingly. The role of director is not tied to a physical device; it can shift among devices. For example, if the current director fails, one of the member devices in the group takes over that role and immediately becomes the new director.
Members—Devices other than the director in a group are called members. They participate in load balancing and share the remote access VPN connections.

Configure Settings for Participating Devices.

Prerequisites for VPN Load Balancing

Certificates—threat defense’s certificate must contain the IP addresses or FQDN of the director and members to which the connection is redirected. Or else, the certificate will be deemed untrusted. The certificate must use Subject Alternate Name (SAN) or wildcard certificate
Group URL—Add the group URL for VPN load-balancing group IP address to the connection profiles. Specify a group URL to eliminate the need for the user to select a group at login.
IP Address Pool—Choose unique IP address pool for member devices, and override the IP pool in management center for each of the member devices.
Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.

Guidelines and Limitations for VPN Load Balancing

VPN load balancing is disabled by default. You must explicitly enable VPN load balancing.
Only the threat defense devices that are co-located can be added to a load-balancing group.
A load-balancing group must have a minimum of two threat defense devices.
Devices in threat defense high availability can participate in a load-balancing group.
Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.
When a member or a director device goes down, remote access VPN connections that are served by that device will be dropped. You must initiate the VPN connection again.
Identity certificate on each device must have Subject Alternate Name (SAN) or wildcard.

Configure Group Settings for VPN Load Balancing

You can enable VPN load balancing and configure group settings that are applicable to all the members of the load-balancing group. When you create the group, you can configure participation settings for load balancing.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit on the remote access VPN policy that you want to update.
Step 3	Click Advanced > Load Balancing.
Step 4	Click the Enable Load balancing between member devices toggle button to enable load balancing. The Edit Group Configuration page opens. Group parameters apply to all devices under the load-balancing group.
Step 5	Specify the Group IPv4 Address and Group IPv6 Address as applicable. The IP address that you specify here is for the entire load-balancing group and the director opens this IP address for incoming VPN connections.
Step 6	Select the Communication Interface for the load-balancing group. Click Add to add an interface group or security zone. Communication interface is a private interface through which the director and members share information about their load.
Step 7	Enter the UDP Port for communication between the director and members in a group. The default port is 9023.
Step 8	Enable the IPsec Encryption toggle button to activate IPsec encryption for the communication between the director and members. Enabling the encryption establishes an IKEv1/IPsec tunnel between the director and members using a pre-shared key.
Step 9	Enter Encryption Key for IPsec encryption and confirm the encryption key.
Step 10	Click OK.

Configure Additional Settings for Load Balancing

The additional settings for VPN load balancing include FQDN and IKEv2 redirection.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit on the remote access VPN policy that you want to update.
Step 3	Click Advanced > Load Balancing.
Step 4	Turn on the Enable Load balancing between member devices toggle button to enable load balancing if not done already.
Step 5	Click Settings.
Step 6	Turn on the Send FQDN to peer devices instead of IP toggle button to enable redirection using a fully qualified domain name. By default, threat defense sends only IP addresses in VPN load balancing redirection to a client.
Step 7	Select one of the IKEv2 Redirect phases: Redirect during SA authentication Redirect during SA initialization
Step 8	Click OK.
Step 9	Save your changes.

Configure Settings for Participating Devices

The device participation settings determine how the devices share load in VPN load balancing. Configure a participating device by enabling VPN load balancing on the device and defining device-specific properties. These values vary from device to device. You can provide a priority number for the devices participating in load balancing. A higher priority number gives the device a better chance to become the director over other devices. But you cannot select a device to be the director of the group.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit next to the remote access VPN policy that you want to modify.
Step 3	Click Advanced > Load Balancing.
Step 4	Turn on the Enable Load balancing between member devices toggle button to enable load balancing if you have not enabled already.
Step 5	Configure Device Participation settings: The Device Participation section lists all the target devices of the selected remote access VPN configuration. You can configure these devices to share the load of the incoming VPN sessions. Turn on the Load Balancing toggle button to enable load balancing for a device and then click Edit. Enter the device Priority. By default, the device priority is set to 5. You can choose a number from 1 trough 10. Specify the IPv4 NAT or IPv6 NAT address for VPN interface IP address if the device is behind NAT. Click OK.
Step 6	Click Save to save the remote access VPN policy settings.

Configuring IPsec Settings for Remote Access VPNs

The IPsec settings are applicable only if you selected IPsec as the VPN protocol while configuring your remote access VPN policy. If not, you can enable IKEv2 using the Edit Access Interface dialog box. See Configure Access Interfaces for Remote Access VPN for more information.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	From the list of available VPN policies, select the policy for which you want to modify the settings.
Step 3	Click Advanced. The list of IPsec settings appears in a navigation pane on the left of the screen.
Step 4	Use the navigation pane to edit the following IPsec options: Crypto Maps—The Crypto Maps page lists the interface groups on which IKEv2 protocol is enabled. Crypto Maps are auto generated for the interfaces on which IKEv2 protocol is enabled. To edit a Crypto Map, see Configure Remote Access VPN Crypto Maps. You can add or remove interface groups to the selected VPN policy in Access Interface. See Configure Access Interfaces for Remote Access VPN for more information. IKE Policy—The IKE Policy page lists all the IKE policy objects applicable for the selected VPN policy when Secure Client endpoints connect using the IPsec protocol. See IKE Policies in Remote Access VPNs for more information. To add a new IKE policy, see Configure IKEv2 Policy Objects. Threat Defense supports only Secure Client IKEv2 clients. Third-party standard IKEv2 clients are not supported. IPsec/IKEv2 Parameters—The IPsec/IKEv2 Parameters page enables you to modify the IKEv2 session settings, IKEv2 Security Association settings, IPsec settings, and NAT Transparency settings. See Configure Remote Access VPN IPsec/IKEv2 Parameters for more information.
Step 5	Click Save.

Configure Remote Access VPN Crypto Maps

Crypto maps are automatically generated for the interfaces on which IPsec-IKEv2 protocol has been enabled. You can add or remove interface groups to the selected VPN policy in Access Interface. See Configure Access Interfaces for Remote Access VPN for more information.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

From the list of available VPN policies, select the policy for which you want to modify the settings.

Step 3

Click the Advanced > Crypto Maps, and select a row in the table and click Edit to edit the Crypto map options.

Step 4

Select IKEv2 IPsec Proposals and select the transform sets to specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.

Step 5

Select Enable Reverse Route Injection to enable static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint.

Step 6

Select Enable Client Services and specify the port number.

The Client Services Server provides HTTPS (SSL) access to allow the Secure Client Downloader to receive software upgrades, profiles, localization and customization files, CSD, SCEP, and other file downloads required by the client. If you select this option, specify the client services port number. If you do not enable the Client Services Server, users will not be able to download any of these files that the Secure Client might need.

Note

You can use the same port that you use for SSL VPN running on the same device. Even if you have an SSL VPN configured, you must select this option to enable file downloads over SSL for IPsec-IKEv2 clients.

Step 7

Select Enable Perfect Forward Secrecy and select the Modulus group.

Use Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. The unique session key protects the exchange from subsequent decryption, even if the entire exchange was recorded and the attacker has obtained the preshared or private keys used by the endpoint devices. If you select this option, also select the Diffie-Hellman key derivation algorithm to use when generating the PFS session key in the Modulus Group list.

Modulus group is the Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select the modulus group that you want to allow in the remote access VPN configuration:

1—Diffie-Hellman Group 1 (768-bit modulus).
2—Diffie-Hellman Group 2 (1024-bit modulus).
5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better). If you are using AES encryption, use this group (or higher).
14—Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).
19—Diffie-Hellman Group 19 (256-bit elliptical curve field size).
20—Diffie-Hellman Group 20 (384-bit elliptical curve field size).
21—Diffie-Hellman Group 21 (521-bit elliptical curve field size).
24—Diffie-Hellman Group 24 (2048-bit modulus and 256-bit prime order subgroup).

Step 8

Specify the Lifetime Duration (seconds).

The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. Generally, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.

You can specify a value from 120 to 2147483647 seconds. The default is 28800 seconds.

Step 9

Specify the Lifetime Size (kbytes).

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires.

You can specify a value from 10 to 2147483647 kbytes. The default is 4,608,000 kilobytes. No specification allows infinite data.

Step 10

Select the following ESPv3 Settings:

Validate incoming ICMP error messages—Choose whether to validate ICMP error messages received through an IPsec tunnel and destined for an interior host on the private network.
Enable 'Do Not Fragment' Policy—Define how the IPsec subsystem handles large packets that have the do-not-fragment (DF) bit set in the IP header, and select one of the following from the Policy list:
- Copy—Maintains the DF bit.
- Clear—Ignores the DF bit.
- Set—Sets and uses the DF bit.

Select Enable Traffic Flow Confidentiality (TFC) Packets— Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.

Note

Enabling traffic flow confidentiality (TFC) packets prevents the VPN tunnel from being idle. Thus the VPN idle timeout configured in the group policy does not work as expected when you enable the TFC packets. See Group Policy Advanced Options.

Burst—Specify a value from 1 to 16 bytes.
Payload Size—Specify a value from 64 to 1024 bytes.
Timeout—Specify a value from 10 to 60 seconds.

Step 11

Click OK.

IKE Policies in Remote Access VPNs

Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate a connection. An IKE proposal is a set of algorithms that two peers use to secure the negotiation between them. IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters are used to protect subsequent IKE negotiations.

Note

threat defense supports only IKEv2 for remote access VPNs.

Unlike IKEv1, in an IKEv2 proposal, you can select multiple algorithms and modulus groups in one policy. Since peers choose during the Phase 1 negotiation, this makes it possible to create a single IKE proposal, but consider creating multiple, different proposals to give higher priority to your most desired options. For IKEv2, the policy object does not specify authentication, other policies must define the authentication requirements.

An IKE policy is required when you configure a remote access IPsec VPN.

Configuring Remote Access VPN IKE Policies

The IKE Policy table specifies all the IKE policy objects applicable for the selected VPN configuration when Secure Client endpoints connect using the IPsec protocol. For more information, see IKE Policies in Remote Access VPNs.

Note

threat defense supports only IKEv2 for remote access VPNs.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	From the list of available VPN policies, select the policy for which you want to modify the settings.
Step 3	Click Advanced > IKE Policy.
Step 4	Click Add to select from the available IKEv2 policies, or add a new IKEv2 policy and specify the following: Name—Name of the IKEv2 policy. Description—Optional description of the IKEv2 policy Priority—The priority value determines the order of the IKE policy compared by the two negotiating peers when attempting to find a common security association (SA). Lifetime— Lifetime of the security association (SA), in seconds Integrity—The Integrity Algorithms portion of the Hash Algorithm used in the IKEv2 policy. Encryption—The Encryption Algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. PRF Hash—The pseudorandom function (PRF) portion of the Hash Algorithm used in the IKE policy. In IKEv2, you can specify different algorithms for these elements. DH Group—The Diffie-Hellman group used for encryption.
Step 5	Click Save.

Configure Remote Access VPN IPsec/IKEv2 Parameters

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	From the list of available VPN policies, select the policy for which you want to modify the settings.
Step 3	Click Advanced > IPsec> IPsec/IKEv2 Parameters.
Step 4	Select the following for IKEv2 Session Settings: Identity Sent to Peers—Choose the identity that the peers will use to identify themselves during IKE negotiations: Auto—Determines the IKE negotiation by connection type: IP address for preshared key, or Cert DN for certificate authentication (not supported). IP address—Uses the IP addresses of the hosts exchanging ISAKMP identity information. Hostname—Uses the fully qualified domain name (FQDN) of the hosts exchanging ISAKMP identity information. This name comprises the hostname and the domain name. Enable Notification on Tunnel Disconnect—Allows an administrator to enable or disable the sending of an IKE notification to the peer when an inbound packet that is received on an SA does not match the traffic selectors for that SA. Sending this notification is disabled by default. Do not allow device reboot until all sessions are terminated—Check to enable waiting for all active sessions to voluntarily terminate before the system reboots. This is disabled by default.
Step 5	Select the following for IKEv2 Security Association (SA) Settings: Cookie Challenge—Whether to send cookie challenges to peer devices in response to SA initiated packets, which can help thwart denial of service (DoS) attacks. The default is to use cookie challenges when 50% of the available SAs are in negotiation. Select one of these options: Custom—Specify Threshold to Challenge Incoming Cookies, the percentage of the total allowed SAs that are in-negotiation. This triggers cookie challenges for any future SA negotiations. The range is zero to 100%. The default is 50%. Always— Select to send cookie challenges to peer devices always. Never— Select to never send cookie challenges to peer devices. Number of SAs Allowed in Negotiation—Limits the maximum number of SAs that can be in negotiation at any time. If used with Cookie Challenge, configure the cookie challenge threshold lower than this limit for an effective cross-check. The default is 100 %. Maximum number of SAs Allowed—Limits the number of allowed IKEv2 connections.
Step 6	Select the following for IPsec Settings: Enable Fragmentation Before Encryption—This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede the operation of NAT devices that do support IP fragmentation. Path Maximum Transmission Unit Aging—Check to enable PMTU (Path Maximum Transmission Unit) Aging, the interval to Reset PMTU of an SA (Security Association). Value Reset Interval—Enter the number of minutes at which the PMTU value of an SA (Security Association) is reset to its original value. Valid range is 10 to 30 minutes, default is unlimited.
Step 7	Select the following for NAT Settings: Keepalive Messages Traversal—Select whether to enable NAT keepalive message traversal. NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow. If you select this option, configure the interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The value can be from 10 to 3600 seconds. The default is 20 seconds. Interval—Sets the NAT keepalive interval, from 10 to 3600 seconds. The default is 20 seconds.
Step 8	Click Save.

Customize Cisco Secure Client

You can configure the Secure Client customizations using the management center and deploy them to the VPN headend. The threat defense device distributes these customizations to the endpoint when a user connects from the Secure Client. Administrators can customize the following elements at the endpoint:

Table 5. Secure Client Customizations Available in Management Center
Customization	Description	More Info
GUI text and messages	Customize or localize Secure Client GUI text and informational/error messages.	Customize and Localize Secure Client GUI Text and Messages
Icons and images	Customize the logo, images, or icons of the Secure Client GUI.	Customize Secure Client Icons and Images
Scripts	Deploy scripts on the endpoint devices when a client establishes or disconnects a VPN session.	Deploy Scripts on Endpoint Devices Using Secure Client
Binaries	Deploy custom applications using Secure Client APIs.	Deploy Custom Applications Using Cisco Secure Client APIs
Custom Installer Transforms	Customize the Secure Client installer.	Customize the Secure Client Installer
Localized Installer Transforms	Localize the Secure Client installer.	Localize the Client Installer

Guidelines and Limitations for Secure Client Customizations

General Limitations

If there are any customizations earlier than 7.4 configured directly on the threat defense using the CLI, the management center removes these customizations during deployment.
No clustering support.

Table 6. Limitations for Secure Client Customizations
Customization	Limitations
GUI Text and Message Customizations	You must restart Secure Client before you use this customization. No support for right-to-left languages. Some strings are truncated in the GUI due to hardcoded field lengths. Some messages are hardcoded in the client. For example: Status messages (during an update) Untrusted server messages Deferred update messages Localization is version-specific. If an Administrator created a translation table based on a template of an old Secure Client version, the new messages do not appear to the remote users. The Administrator must merge the latest template with the translation table so that the table has the new messages. You can use third-party tools like Get text to perform the merge.
Icons and Images Customizations	You must restart Secure Client before you use this customization. The customization object names must match the Secure Client GUI filenames. File names are different for each operating system and are case-sensitive. For more information about the filenames, extensions, and sizes for each OS, see the Cisco Secure Client Administrator Guide. Images do not appear properly if the image size is not correct. The management center or the threat defense device does not verify the image size. MacOS does not support customization of Secure Client images and icons.
Deploy Customized Scripts	Secure Client runs only one OnConnect and one OnDisconnect script; however, these scripts may launch other scripts. Scripts can only execute functions that the user has the right to invoke. You cannot launch the OnConnect script from the Start Before Logon (SBL) GUI.
Deploy Custom Applications Using Cisco Secure Client APIs (Binaries)	After you use this customization, if you deploy an updated version of the Secure Client on the management center, the client will download the update and replace your custom UI.
Customize the Client Installer	This customization is available only for Windows.

Customize and Localize Secure Client GUI Text and Messages

You can customize the Secure Client GUI text and the informational/error messages. You also can customize the GUI text and all messages to appear in a preferred language.

Customize GUI Text and Messages

To customize the GUI text or messages, you can edit the messages in the message file. You can update the messages to include more details in the error messages. For example:

Modify any label in the login dialog box such as Password to Domain Password.
Add your support contact details in the error messages.

Localize GUI Text and Messages

Threat defense devices use translation tables to translate the labels and user messages displayed in the Secure Client. When a user connects to the remote access VPN, the Secure Client identifies the locale set on the endpoint and downloads the translation file. Threat defense devices support 128 locales. By default, Secure Client is installed in English.

For Cisco Secure Client 5.0, the default localization files for various languages are part of the application.
For AnyConnect Clients 4.x, you can download the localization files for a few languages from Cisco.com and upload them to the management center.

How to Customize Secure Client GUI Text and Messages

Before you begin

Configure one or more remote access VPN policies.

Procedure

Step 1	Get the base template or translation file either from the Secure Client package or from Cisco.com. For example, AnyConnect.po.
Step 2	Use a text editor to add the translations or customize the labels or messages.
Step 3	Update the msgstr string corresponding to each msgid.
Step 4	Save the file.
Step 5	Create a new Secure Client Customization object. Choose Objects > Object Management > VPN > Secure Client Customization. Click Add Secure Client Customization. Enter the name and description for the customization. From the Customization Type drop-down list, choose GUI Text and Messages. From the Language drop-down list, choose a language for which you are adding the translation. Click Browse and select the translation file. The supported file extensions are .po, .mo, and .txt.
Step 6	Add the customization to the remote access VPN policy. Choose Devices > Remote Access. Click the edit icon of the remote access VPN policy. Click Advanced > Secure Client Customizations > Localization. Click + to select the translation file. Click Add. Click OK.
Step 7	Click Save.
Step 8	Choose Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

Verify the Secure Client customizations. For more information, see Verify Secure Client Customizations.

Customize Secure Client Icons and Images

You can customize the logo, images, and icons of the Secure Client GUI using the management center.

To customize the logo, images, and icons of the Secure Client GUI, you must create a Secure Client customization object in the management center. The name of this customization object must match the Secure Client GUI filename. File names are different for each operating system and are case-sensitive. For more information about the filenames, extensions, and sizes for each OS, see the Cisco Secure Client Administrator Guide.

For example, if you want to replace the corporate logo for Windows clients, you must create a customization object with the name as company_logo and add this customization object to the remote access VPN policy. If you use a different name for the customization object, the Secure Client installer does not change the component. However, if you deploy your own executable to customize the GUI, the customization object can have any name.

Location of all images files:

Windows: %PROGRAMFILES%\Cisco\Cisco Secure Client\res\
Linux: /opt/cisco/secure client/pixmaps
macOS: Not supported

How to Customize Secure Client Images and Icons

Before you begin

Configure one or more remote access VPN policies.

Procedure

Step 1	Create the icons or images using the correct extensions, and sizes. Images do not appear properly if the image size is not correct. The management center or the threat defense device does not verify the image size. For more information about the filenames, extensions, and sizes, see the Cisco Secure Client Administrator Guide.
Step 2	Create a new Secure Client Customization object. Choose Objects > Object Management > VPN > Secure Client Customization. Click Add Secure Client Customization. Enter the name and description for the customization object. Ensure that the customization object name matches the Secure Client GUI filenames. For more information about the filenames, see the Cisco Secure Client Administrator Guide. From the Customization Type drop-down list, choose Icon and Images. From the Platform drop-down list, choose a platform. Click Browse and select the file. The supported file extensions are .png, .ico, and .jpeg. Repeat the steps from 2a - f to add multiple icons and images.
Step 3	Add the customization object to the remote access VPN policy. Choose Devices > Remote Access. Click the edit icon of the remote access VPN policy. Click Advanced > Secure Client Customizations > Icons and Images. Click + to select the file. Click Add. Click OK.
Step 4	Click Save.
Step 5	Choose Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

Verify the Secure Client customizations. For more information, see Verify Secure Client Customizations.

Deploy Scripts on Endpoint Devices Using Secure Client

Secure Client lets you download and run scripts when the following events occur:

Establishment of a new client VPN session with the threat defense. The script triggered by this event is an OnConnect script because it requires this filename prefix. Reconnection of the VPN session does not trigger this script.
Disconnection of a client VPN session with the threat defense. The script triggered by this event is an OnDisconnect script because it requires this filename prefix.

These scripts run asynchronously and do not delay the connection establishment or disconnection. They can be of any extension and must be executable on the endpoint. Secure Client identifies the OnConnect and OnDisconnect scripts by the filename. It looks for a file whose name begins with OnConnect or OnDisconnect regardless of the file extension.

Some examples of this feature are:

Refresh the group policy upon VPN connection.
Mount a network drive upon a VPN connection.
Unmount a network drive upon a VPN disconnection.

To enable scripts, check the Enable Scripting option in the VPN profile. By default, the client does not launch scripts. The client does not require the script to be written in a specific language. It requires an application that can run the script to be installed on the client computer. For the client to launch the script, the script must run from the command line.

Secure Client can only launch scripts after the user logs in and establishes a VPN session. You cannot launch the OnConnect script from the Start Before Logon (SBL) GUI. You must check the Enable Post SBL On Connect Script option in the VPN profile to trigger the scripts once the user logs in. Secure Client is a 32-bit application. When the scripts run on a 64-bit Windows version, they use the 32-bit version of cmd.exe.

How to Add Customized Scripts for Secure Client

Before you begin

Configure a remote access VPN.
Enable scripting in the VPN profile.
Add the VPN profile to the remote access VPN group policy.

Procedure

Step 1	Create OnConnect and OnDisconnect scripts for a platform.
Step 2	Create a new Secure Client Customization object. Choose Objects > Object Management > VPN > Secure Client Customization. Click Add Secure Client Customization. Enter the name and description for the customization. From the Customization Type drop-down list, choose Scripts. From the Platform drop-down list, choose a platform. Select one of the following: On Connect: To select an OnConnect script. On Disconnect: To select an OnDisconnect script. Click Browse and select the script you want to execute on the endpoint.
Step 3	Add the customization to the remote access VPN policy. Choose Devices > Remote Access. Click the edit icon of the remote access VPN policy. Click Advanced > Secure Client Customizations > Localization. Click + to select the translation file. Click Add. Click OK.
Step 4	Click Save.
Step 5	Choose Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

Verify the Secure Client customizations. For more information, see Verify Secure Client Customizations.

Deploy Custom Applications Using Cisco Secure Client APIs

For Windows, Linux, or MacOs machines, you can create and deploy a custom client that uses the Secure Client APIs. You can use this client binary file to replace the Secure Client GUI or CLI binary files.

Your executable can call any resource files such as logo images that you import to the management center. When you deploy your own executable, you can use any filenames for your resource files.

The following table lists the filenames of the client executable files for the different operating systems:

Table 7. Filenames of the Secure Client Executable Files
Client OS	Client GUI File	Client CLI File
Windows	vpnui.exe	vpncli.exe
Linux	vpnui	vpn
MacOS	Not supported by the management center deployment. However, you can deploy an executable for the macOS that replaces the client GUI using other means, such as Altiris Agent.	vpn

How to Deploy Custom Applications Using Cisco Secure Client API

Before you begin

Configure one or more remote access VPN policies.

Procedure

Step 1	Create the custom application using the Cisco Secure Client APIs.
Step 2	Create a new Secure Client Customization object. Choose Objects > Object Management > VPN > Secure Client Customization. Click Add Secure Client Customization. Enter the name and description for the customization. From the Customization Type drop-down list, choose Binary. From the Platform drop-down list, choose a platform. Click Browse and select the custom application.
Step 3	Add the customization to the remote access VPN policy. Choose Devices > Remote Access. Click the edit icon of the remote access VPN policy. Click Advanced > Secure Client Customizations > Binaries. Click + to select the translation file. Click Add. Click OK.
Step 4	Click Save.
Step 5	Choose Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

Customize the Secure Client Installer

You can customize the Secure Client GUI by creating a custom transform that deploys with the client installer program. You can import the transform to the management center and deploy it to the threat defense device. The threat defense deploys this transform to the endpoint using the client installer program.

Note

This customization is available only for Windows.

Localize the Client Installer

You can translate the messages displayed by the Cisco Secure Client installer. The management center uses a transform to translate the messages displayed by the installer. The transform alters the installation but leaves the original security-signed MSI intact. These transforms only translate the installer screens and do not translate the client GUI screens.

Every release of Cisco Secure Client includes a localized transform that administrators can upload to the management center whenever they upload Cisco Secure Client packages with new software. If you use our localization transform, ensure that you update them with the latest release from Cisco.com whenever you upload a new Cisco Secure Client package.

How to Customize or Localize the Client Installer

Before you begin

Configure one or more remote access VPN policies.

Procedure

Step 1	Create a customized or localized transform.
Step 2	Create a new Secure Client Customization object. Choose Objects > Object Management > VPN > Secure Client Customization. Click Add Secure Client Customization. Enter the name and description for the customization. From the Customization Type drop-down list, choose Customized Installer Transform or Localized Installer Transform. From the Platform drop-down list, choose a platform. Click Browse and select the transform.
Step 3	Add the customization to the remote access VPN policy. Choose Devices > Remote Access. Click the edit icon of the remote access VPN policy. Click Advanced > Secure Client Customizations > Custom Installer Transforms or Localized Installer Transforms. Click + to select the transform. Click Add. Click OK.
Step 4	Click Save.
Step 5	Choose Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

Verify Secure Client Customizations

Validate the Deployment

After the deployment is complete, validate the deployment in the management center. Click the Transcript Details ( transcript details icon )) icon to verify the commands generated for the customizations.

Examples

The example below shows the transcript details of a GUI text and messages customization: Secure Client en_us localization with customized prompts.
```
import webvpn translation-table AnyConnect language en-us disk0:/AnyConnect_en-us.po
```
The example below shows the transcript details of customized icons and images: customization of the Secure Client logo to ABC logo.
```
import webvpn AnyConnect-customization type resource platform win name company_logo.png disk0:/company_logo.png
```
The example below shows the transcript details of the customized OnConnect and OnDisconnect scripts. The On connect script mounts the network drive and the On disconnect script unmounts the network drive.
```
import webvpn AnyConnect-customization type binary platform win name 
  scripts_OnConnect_mount.bat disk0:/mount.bat
import webvpn AnyConnect-customization type binary platform win name 
  scripts_OnDisconnect_unmount.bat disk0:/unmount.bat
```

Verify Customizations Using Threat Defense Commands

Use the following commands on the threat defense to verify the customizations:

show import webvpn translation-table detailed: Shows the available translation tables.

HQ-FTD# show import webvpn translation-table detailed 
 Translation Tables' Templates:
   AnyConnect           ia4DaAXNSvl5pZboQRGJcs9KMXY=
   customization
 Translation Tables:
   fr                   customization        BWWodsOt1PbvDvYOp8hLb3W7a64=
   ja                   customization        lNvUk1+qTLNZyNrBcApMQPHnm1M=
   ru                   customization        UqyKyUAcjR+xTGUtdiIFnoIiW5U=

show import webvpn AnyConnect-customization detailed: Shows the details of the Secure Client customizations.

HQ-FTD# show import webvpn AnyConnect-customization detailed
OEM resources for AnyConnect client:
  linux-64/binary/scripts_OnConnect_conn.sh           w6+n7z80D/8AR+ul2f7DvTmcDTw=
  linux-64/binary/scripts_OnDisconnect_discon.sh      jx5LJC2XBEmEkGeww59CAkszvnI=
  linux-64/resource/company-logo.png                  GsfBDroqGSQEEwuBDS/3DJNVv88=
  win/binary/scripts_OnConnect_mount.bat              dzjfsLYYft/XMlPlzskKl+Wv1bw=
  win/binary/scripts_OnDisconnect_unmount.bat         k6xlKhF1l2IRyJu08+sdYXgKNgM=
  win/resource/company_logo.png                       cmEvxwqvtaS+Pz/6sb9n3NZudS4=

Verify Customizations in Secure Client

In Secure Client, click the Message History tab to verify that the customizations are downloaded.

Use the DART tool to view the client-side diagnostics.

Table 8. Verifying the Customizations in Secure Client
Customization	Verification
GUI text and message customizations	Verify if Secure Client has the language localization or customized files in the following locations: Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\<language-code>\LC_MESSAGES (AnyConnect versions 4.9 and earlier) Windows: %ProgramData%\Cisco\Cisco Secure Client\l10n\<language-code>\LC_MESSAGES (Secure Client versions 5.0 and later) For Mac OS and Linux: /opt/cisco/anyconnect/l10n/<LANGUAGE-CODE>/LC_MESSAGES Verify the contents of the localized or customized file and confirm if they have the customized or localized strings. For example: AnyConnect.mo
Image and icon customizations	Verify if Secure Client has the customized files in the following locations: Windows: %PROGRAMFILES%\ Cisco\Cisco AnyConnect Secure Mobility Client\res\ (AnyConnect versions 4.10 and earlier) Windows: %PROGRAMFILES%\ Cisco\Cisco Secure Client\UI\res (Cisco Secure Client 5.0 and above) Mac OS and Linux: /opt/cisco/anyconnect/res Verify the content of the customized icon or image file.
Customized OnConnect and OnDisconnect scripts	Verify if the customized scripts are in the following locations: Windows: %ProgramData%\Cisco\Cisco Secure Client\Script (Cisco Secure Client 5.0 and above) Windows: %ProgramData%\Cisco\ Cisco AnyConnect Secure Mobility Client\Script (AnyConnect versions 4.9 and earlier) Mac OS and Linux: /opt/cisco/anyconnect/Script Verify the script.

Configure Secure Client Management VPN Tunnel

A management VPN tunnel provides connectivity to the corporate network whenever a client system is powered up, without the VPN users having to connect to the VPN. This helps organizations keep their endpoints up-to-date with software patches and updates. Management tunnel disconnects when the user-initiated VPN tunnel is established.

This section provides information about configuring Secure Client management VPN tunnel on threat defense. Configuring the Secure Client management tunnel on threat defense using the management center web interface requires the following settings:

A Connection profile with certificate-based authentication and a group URL.
Secure Client management VPN profile file, configured a server with group URL and backup servers if required.
A Group policy with the management VPN profile, split tunneling with explicitly included networks, client bypass protocol, and no banner.

For detailed instructions on configuring the Secure Client Management VPN tunnel, see Configuring Secure Client Management VPN Tunnel on Threat Defense.

Requirements and Prerequisites for Secure Client Management VPN Tunnel

Software and Configuration Requirements

Ensure that you have the following before you configure the Secure Client Management tunnel on using the threat defense using the management center web interface:

Ensure that you are using threat defense and management center versions 6.7.0 or above.
Download the Secure ClientSecure Client VPN Webdeploy package 4.7 or above and upload it to threat defense remote access VPN.
Ensure that the certificate authentication is configured in the connection profile.
Ensure that no banner is configured in the group policy.
Check the split tunneling configuration in the management tunnel-group policy.

Certificate Requirements

Threat Defense must have a valid identity certificate for remote access VPN and the root certificate from the local certifying authority (CA) must be present on the threat defense.
Endpoints connecting to the management VPN tunnel must have a valid identity certificate.
CA certificate for threat defense's identity certificate must be installed on the endpoints and the CA certificate for the endpoints must be installed on the threat defense.
The identity certificate issued by the same local CA must be present in the Machine store.

Certificate Store (For Windows) and/or in System Keychain (For macOS).

Limitations of Secure Client Management VPN Tunnel

Secure Client Management VPN Tunnel supports only certificate authentication, it does not support AAA-based authentication.
Public or private proxy settings are not supported.
Secure Client upgrade and AnyConnect module download are not supported when the management VPN tunnel is connected.

Configuring Secure Client Management VPN Tunnel on Threat Defense

Procedure

Step 1

Create a remote access VPN policy configuration using the wizard:

For information about configuring a remote access VPN, see Configuring a New Remote Access VPN Connection.

Step 2

Configure connection profile settings for management VPN tunnel:

Note

It is advisable to create a new connection profile to be used only for Secure Client management VPN tunnel.

Edit the remote access VPN policy you have created.
Select and edit the connection profile that will be used for management VPN tunnel.
Click AAA > Authentication Method and select Client Certificate Only. Configure the authorization and accounting settings as required.
Click the Aliases tab of the connection profile.
Click Add (+) under URL Aliases and URL Alias for the connection profile.
Click Enabled to enable the URL.
Click OK and then click Save to save the connection profile settings.

For more information about connection profile settings, see Configure Connection Profile Settings.

Step 3

Create a management tunnel profile using the Secure Client profile editor:

Download the Secure Client VPN Management Tunnel Standalone Profile Editor from Cisco Software Download Center if you have not done already.
Create a management tunnel profile with the required settings for your VPN users and save the file.
Configure a server in the Server List with the group URL you have configured in the connection profile.

For information about creating a management profile using the Profile Editor, see the Cisco Secure Client (including AnyConnect) Administrator Guide.

Step 4

Create a management tunnel object:

On your Secure Firewall Management Center web interface, navigate to Object > Object Management > VPN > Secure Client File
Click Add Secure Client File.
Specify the Name for the Secure Client file.
Click Browse and select the management tunnel profile file you have saved.
Click the File Type drop-down and select Secure Client Management VPN Profile.
Click Save.

Note

You an also create the management tunnel object when you create or update Secure Client settings for a group policy. See Group Policy Secure Client Options.

Step 5

Associate a management profile with a group policy and configure group policy settings:

You must add the management VPN profile to the group policy associated with the connection profile used for the management tunnel VPN connection. When the user connects, the management VPN profile is downloaded along with the user VPN profile already mapped to the group policy, enabling the management VPN tunnel feature.

Caution

No Banner: Check and ensure that no banner is configured in the group policy settings. You can check the banner settings under Group Policy > General Settings > Banner.

Edit the connect profile you have created for management VPN tunnel.
Click Edit Group Policy > Secure Client > Management Profile.

Click the Management VPN Profile drop-down and select the management profile file object you have created.

Note

You can also click + and add a new Secure Client Management VPN Profile object.

Click Save.

Step 6

Configure split tunneling in group policy:

Click Edit Group Policy > General > Split Tunneling.
From the IPv4 or IPv6 split tunneling drop-down, select Tunnel networks specified below.
Select the Split Tunnel Network List Type: Standard Access List or Extended Access List, and then select the required access list to allow the traffic over the management VPN tunnel.
Click Save to save the split tunnel settings.

Secure Client Custom Attribute

Secure Client Management VPN tunnel requires split include tunneling configuration by default. If you are configuring Secure Client custom attribute in the group policy to deploy the management VPN tunnel with split tunneling to tunnel all, you can do so using FlexConfig because management center 6.7 web interface does not support Secure Client custom attribute.

The following is an example command for Secure Client custom attribute:

webvpn
	anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
anyconnect-custom-data ManagementTunnelAllAllowed true true
group-policy MGMT_Tunnel attributes
	anyconnect-custom ManagementTunnelAllAllowed value true

Step 7

Deploy, verify, and monitor the remote access VPN policy:

Deploy the management VPN tunnel configuration to threat defense.

Note

Client systems must connect to the threat defense remote access VPN once to download the management tunnel VPN profile to the client machines.

You can verify the Secure Client management VPN tunnel at Secure Mobility Client > VPN > Statistics.

You can also check the management VPN session details on the threat defense command prompt using the show vpn-sessiondb anyconnect command.
On your management center web interface, click Analysis to view the management tunnel session information.

Multiple Certificate Authentication

Multiple certificate based authentication gives the ability to have the threat defense validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access using the Secure Client during SSL or IKEv2 EAP phase.

The multiple certificates option allows certificate authentication of both the machine and user via certificates. Without this option, you could only do certificate authentication of either machine or the user, but not both.

Guidelines and Limitations of Multiple Certificate Authentication

Note

When you configure multiple certificate authentication, ensure that you set the value of AutomaticCertSelection to true in the Cisco Secure Client Profile settings.

Multiple certificate authentication currently limits the number of certificates to two.
Secure Client must indicate support for multiple certificate authentication. If that is not the case then the gateway uses one of the legacy authentication methods or fails the connection. Secure Client version 4.4.04030 or later supports Multi-Certificate based authentication.
Secure Client supports only RSA-based certificates.
Only SHA256, SHA384, and SHA512 based certificate are supported during the Secure Client aggregate authentication.
Certificate authentication cannot be combined with SAML authentication.

Configuring Multiple Certificate Authentication

Before you begin

Before you configure multiple certificate authentication, ensure that you have configured the certificate enrollment object that is used to obtain the identity certificate for each threat defense device. For more information, see Certificate Map Objects.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select the remote access VPN policy and click Edit.

Note

If you have not configured a remote access VPN, click Add to create a new remote access VPN policy.

Step 3

Select and Edit a connection profile to configure multiple certificate authentication.

Step 4

Click AAA settings and select Authentication Method > Client Certificate Only or Client Certificate & AAA.

Note

Select the Authentication Server if you have selected the Client Certificate & AAA authentication method

Step 5

Select the Enable multiple certificate authentication checkbox.

Step 6

Choose one of the certificates to Map username from client certificate:

First Certificate— Select this option to map the username from the machine certificate sent from the VPN client.
Second Certificate— Select this option to map the username from the user certificate sent from the client.

The username sent from the client is used as the VPN session username when certificate only authentication is enabled. When AAA and certificate authentication is enabled, VPN session username will be based on prefill option.

Note

If you select the Map specific field option, which includes the username from the client certificate, the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively.

If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields that can be used as the identifier when matching users to a connection profile DN rules are used for enhanced certificate authentication.

If you have selected the Client Certificate & AAA authentication, select the Prefill username from certificate on user login window option to prefill the secondary username from the client certificate when the user connects via AnyConnect VPN module of Cisco Secure Client.

Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.

Step 7

Configure the required AAA settings and connection profile settings for the remote access VPN.

Step 8

Save the connection profile and remote access VPN configuration and deploy it on your threat defense device.

Customizing Remote Access VPN AAA Settings

This section provides information about customizing your AAA preferences for remote access VPNs. For more information, see Configure AAA Settings for Remote Access VPN.

Authenticate VPN Users via Client Certificates

You can configure remote access VPN authentication using client certificate when you create a new remote access VPN policy using the wizard or by editing the policy later.

Before you begin

Configure the certificate enrollment object that is used to obtain the identity certificate for each threat defense device that acts as a VPN gateway.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy.
Step 3	For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit.
Step 4	Click AAA > Authentication Method > Client Certificate Only. With this authentication method, the user is authenticated using a client certificate. You must configure the client certificate on VPN client endpoints. By default, the user name is derived from client certificate fields CN and OU respectively. If the user name is specified in other fields in the client certificate, use 'Primary' and 'Secondary' field to map appropriate fields. If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display the following default values, respectively: CN (Common Name) and OU (Organisational Unit). If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication. Primary and Secondary fields pertaining to the Map specific field option contain these common values: C (Country) CN (Common Name) DNQ (DN Qualifier EA (Email Address) GENQ (Generational Qualifier) GN (Given Name) I (Initial) L (Locality) N (Name) O (Organisation) OU (Organisational Unit) SER (Serial Number) SN (Surname) SP (State Province) T (Title) UID (User ID) UPN (User Principal Name) Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database. For more information, see Configure AAA Settings for Remote Access VPN.
Step 5	Save your changes.

Configure VPN User Authentication via Client Certificate and AAA Server

When you configure remote access VPN authentication to use both client certificate and authentication server, VPN client authentication is done using both the client certificate validation and AAA server.

Before you begin

Configure the certificate enrollment object that you use to obtain the identity certificate for each threat defense device that acts as a VPN gateway.
Configure the RADIUS server group object and any AD or LDAP realms to use in the remote access VPN policy configuration.
Ensure that the AAA Server is reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > Remote Access.
Step 2	Click Edit on the remote access VPN policy for which you want to update the authentication or click Add to create new one.
Step 3	If you choose to create new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit.
Step 4	Go to AAA and from the Authentication Method drop-down, choose Client Certificate & AAA. When you select the Authentication Method as: Client Certificate & AAA—Both types of authentication are done. AAA—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must manually select the Authorization Server and Accounting Server respectively. Client Certificate—Authenticates the user with client certificate. You must configure client certificate on the VPN client endpoints. By default, the username is derived from client certificate fields CN & OU respectively. If you use any other field in the client profile to specify the username, use Primary Field and Secondary Field to map appropriate fields. If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields that can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication. Primary and Secondary fields pertaining to the Map specific field option contains these common values: C (Country) CN (Common Name) DNQ (DN Qualifier EA (Email Address) GENQ (Generational Qualifier) GN (Given Name) I (Initial) L (Locality) N (Name) O (Organisation) OU (Organisational Unit) SER (Serial Number) SN (Surname) SP (State Province) T (Title) UID (User ID) UPN (User Principal Name) Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database. For more information, see Configure AAA Settings for Remote Access VPN.
Step 5	Save your changes.

Manage Password Changes over VPN Sessions

Password management allows remote access VPN policy administrator to configure the notification settings for the remote access VPN users on their password expiry. Password management is available in AAA settings with authentication methods AAA Only and Client Certificate & AAA. For more information, see Configure AAA Settings for Remote Access VPN.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > Remote Access.
Step 2	Click Edit on the remote access VPN policy that you want to update.
Step 3	Click Edit on the connection profile that includes AAA settings.
Step 4	Choose AAA > Advanced Settings >.
Step 5	Check the Enable Password Management check-box and select one of the following: Notify User - days ahead of password expiry and specify the number of days in the box. Notify user on the day of password expiration.
Step 6	Save your changes.

Send Accounting Records to the RADIUS Server

Accounting records in remote access VPN help the VPN administrator track the services that users access and the amount of network resources that they consume. Accounting information includes when user session start and stop, username, the number of bytes that pass through the device for each session, the service used, and the duration of each session.

You can use accounting alone or together with authentication and authorization. When you activate AAA accounting, the network access server reports the user activity to the configured accounting server. You can configure a RADIUS server as the accounting server so that the management center sends all the user activity information to the RADIUS server.

Note

You can use the same RADIUS server or separate RADIUS servers for authentication, authorization, and accounting in remote access VPN AAA settings.

Before you begin

Configure a RADIUS group object with RADIUS servers to receive authentication requests or accounting records. For more information, see RADIUS Server Group Options.
Ensure that the RADIUS server is reachable from the threat defense device. Configure routing on your Secure Firewall Management Center at Devices > Device Management > Edit Device > Routing to ensure connectivity to the RADIUS server.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > Remote Access.
Step 2	Click Edit on the remote access policy for which you want to configure RADIUS server, or create new remote access VPN policy.
Step 3	Click Edit on the connection profile that includes AAA settings and choose AAA.
Step 4	Select the RADIUS server from the Accounting Server drop-down.
Step 5	Save your changes.

Delegating Group Policy Selection to Authorization Server

The group policy applied to a user is determined when the VPN tunnel is being established. You can select a group policy for a connection profile while creating a remote access VPN policy using the wizard or update the connection policy for connection profiles later. However, you can configure the AAA (RADIUS) server to assign the group policy or it is obtained from the current connection profile. If the threat defense device receives attributes from the external AAA server that conflicts with those configured on the connection profile, then attributes from the AAA server always take the precedence.

You can configure ISE or the RADIUS Server to set the Authorization Profile for a user or user-group by sending IETF RADIUS Attribute 25 and map to the corresponding group policy name. You can configure specific group policy to a user or user group to push a Downloadable ACL, set a banner, Restrict VLAN, and configure the advanced option of applying an SGT to the session. These attributes are applied to all users that are part of that group when the VPN connection is established.

For more information, see the Configure Standard Authorization Policies section of Cisco Identity Services Engine Administrator Guide and RADIUS Server Attributes for Secure Firewall Threat Defense.

Figure 1. Remote Access VPN Group Policy Selection by AAA Server

Override the Selection of Group Policy or Other Attributes by the Authorization Server

When a remote access VPN user connects to the VPN, the group policy and other attributes configured in the connection profile are assigned to the user. However, the remote access VPN system administrator can delegate the selection of group policy and other attributes to the authorization server by configuring ISE or the RADIUS Server to set the Authorization Profile for a user or user-group. Once users are authenticated, these specific authorization attributes are pushed to the threat defense device.

Before you begin

Ensure that you configure a remote access VPN policy with RADIUS as the authentication server.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Select a remote access policy and click Edit.
Step 3	Select RADIUS or ISE as the authorization server if not configured already.
Step 4	Select Advanced > Group Policies and add the required group policy. For detailed information about a group policy object, see Configure Group Policy Objects. You can map only one group policy to a connection profile; but you can create multiple group policies in a remote access VPN policy. These group policies can be referenced in ISE or the RADIUS server and configured to override the group policy configured in the connection profile by assigning the authorization attributes in the authorization server.
Step 5	Deploy the configuration on the target threat defense device.
Step 6	On the authorization server, create an Authorization Profile with RADIUS attributes for IP address and downloadable ACLs. When the group policy is configured in the authorization server selected for remote access VPN, the group policy overrides the group policy configured in the connection profile for the remote access VPN user after the user is authenticated.

Deny VPN Access to a User Group

When you do not want an authenticated user or user group to be able to use VPN, you can configure a group policy to deny VPN access. You can configure a group policy in a remote access VPN policy and reference it in the ISE or RADIUS server configuration for authorization.

Before you begin

Ensure that you have configured remote access VPN using the Remote Access Policy wizard and configured authentication settings for the remote access VPN policy.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Select a remote access policy and click Edit.
Step 3	Select Advanced > Group Policies.
Step 4	Select a group policy and click Edit or add a new group policy.
Step 5	Select Advanced > Session Settings and set Simultaneous Login Per User to 0 (zero). This stops the user or user group from connecting to the VPN even once.
Step 6	Click Save to save the group policy and then save the remote access VPN configuration.
Step 7	Configure ISE or the RADIUS server to set the Authorization Profile for that user/user-group to send IETF RADIUS Attribute 25 and map to the corresponding group policy name.
Step 8	Configure the ISE or RADIUS server as the authorization server in the remote access VPN policy.
Step 9	Save and deploy the remote access VPN policy.

Restrict Connection Profile Selection for a User Group

When you want to enforce a single connection profile on a user or user group, you can choose to disable the connection profile so that the group alias or URLs are not available for the users to select when they connect using the AnyConnect VPN module of Cisco Secure Client.

For example, if your organization wants to use specific configurations for different VPN user groups such as mobile users, corporate-issued laptop users, or personal laptop users, you can configure connection a profile specific to each of these user groups and apply the appropriate connection profile when the user connects to the VPN.

The AnyConnect VPN module of Cisco Secure Client, by default, shows a list of the connection profiles ( by connection profile name, alias, or alias URL) configured in management center and deployed on threat defense. If custom connection profiles are not configured, AnyConnect VPN module of Cisco Secure Client shows the DefaultWEBVPNGroup connection profile. Use the following procedure to enforce a single connection profile for a user group.

Before you begin

On your Secure Firewall Management Center web interface, configure remote access VPN using the remote access VPN policy wizard with Authentication Method as 'Client Certificate Only' or 'Client Certificate + AAA'. Choose the username fields from the certificate.
Configure ISE or RADIUS server for authorization and associate the group policy with the authorization server.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Select a remote access policy and click Edit.
Step 3	Select Access Interfaces and disable Allow users to select connection profile while logging in.
Step 4	Click Advanced > Certificate Maps.
Step 5	Select Use the configured rules to match a certificate to a Connection Profile.
Step 6	Select the Certificate Map Name or click the Add icon to add a certificate rule.
Step 7	Select the Connection Profile, and click Ok. With this configuration, when a user connects from the AnyConnect VPN module of Cisco Secure Client, the user will have the mapped connection profile and will be authenticated to use the VPN.

Update the Secure Client Profile for Remote Access VPN Clients

Secure Client Profile is an XML file that contains an administrator-defined end user requirements and authentication policies to be deployed on a VPN client system as part of Secure Client. It makes the preconfigured network profiles available to end users.

You can use the GUI-based Secure Client Profile Editor, an independent configuration tool, to create them. The standalone profile editor can be used to create a new or modify existing Secure Client profile. You can download the profile editor from Cisco Software Download Center.

See the Secure Client Profile Editor chapter in the appropriate release of the Cisco Secure Client (including AnyConnect) Administrator Guide for details.

Before you begin

Ensure that you have configured remote access VPN using the Remote Access Policy wizard and deployed the configuration on threat defense device. See Create a New Remote Access VPN Policy.
On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > Secure Client File and add the new Secure Client image.

Procedure

Step 1	On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Step 2	Select a remote access VPN policy and click Edit.
Step 3	Select the connection profile that includes the client profile to be edited, and click Edit.
Step 4	Click Edit Group Policy > Secure Client > Profiles.
Step 5	Select the client profile XML file from the list or click Add to add a new client profile.
Step 6	Save the group policy, connection profile, and then the remote access VPN policy.
Step 7	Deploy the changes. Changes to the client profile will be updated on the VPN clients when they connect to the remote access VPN gateway.

RADIUS Dynamic Authorization

Secure Firewall Threat Defense has the capability to use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic access control lists (ACLs) or ACL names per user. To implement dynamic ACLs for dynamic authorization or RADIUS Change of Authorization (RADIUS CoA), you must configure the RADIUS server to support them. When the user tries to authenticate, the RADIUS server sends a downloadable ACL or ACL name to the threat defense. Access to a given service is either permitted or denied by the ACL. Secure Firewall Threat Defense deletes the ACL when the authentication session expires.

Configuring RADIUS Dynamic Authorization

Before you begin:

Only one interface can be configured in the security zone or interface group if it is referred in a RADIUS Server.
A dynamic authorization enabled RADIUS server requires Secure Firewall Threat Defense 6.3 or later for the dynamic authorization to work.
Interface selection in RADIUS server is not supported on Secure Firewall Threat Defense 6.2.3 or earlier versions. The interface option will be ignored during deployment.
Threat Defense posture VPN does not support group policy change through dynamic authorization or RADIUS change of authorization (CoA).

Table 9. Procedure
	Do This	More Info
Step 1	Log on to your Secure Firewall Management Center web interface.
Step 2	Configure a RADIUS server object with dynamic authorization.	RADIUS Server Group Options
Step 3	Configure a route to ISE server through an interface enabled for change of authorization (CoA) to establish connectivity from threat defense to RADIUS server through routing or a specific interface.	RADIUS Server Group Options Ways to Configure the Cisco Identity Services Engine (Cisco ISE) Identity Source
Step 4	Configure a remote access VPN policy and select the RADIUS server group object that you have created with dynamic authorization.	Create a New Remote Access VPN Policy
Step 5	Configure the DNS server details and domain-lookup interfaces using the Platform Settings.	Configure DNS DNS Server Group
Step 6	Configure a split-tunnel in group policy to allow DNS traffic through Remote Access VPN tunnel if the DNS server is reachable through VNP network.	Configure Group Policy Objects
Step 7	Deploy the configuration changes.	Deploy Configuration Changes

Two-Factor Authentication

You can configure two-factor authentication for the remote access VPN. With two-factor authentication, the user must supply a username and static password, plus an additional item such as an RSA token or a passcode. Two-factor authentication differs from using a second authentication source in that two-factor is configured on a single authentication source, with the relationship to the RSA server tied to the primary authentication source.

Secure Firewall Threat Defense supports RSA tokens and Duo Push authentication requests to Duo Mobile for the second factor in conjunction with any RADIUS or AD server as the first factor in the two-factor authentication process.

Configuring RSA Two-Factor Authentication

About this task:

You can configure the RADIUS or AD server as the authentication agent in the RSA server, and use the server in Secure Firewall Management Center as the primary authentication source in the remote access VPN.

When using this approach, the user must authenticate using a username that is configured in the RADIUS or AD server, and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.

In this configuration, it is typical to use a separate RADIUS server (such as one supplied in Cisco ISE) to provide authorization services. You would configure the second RADIUS server as the authorization and, optionally, accounting server.

Before you begin:

Ensure that the following configurations are complete before configuring RADIUS two-factor authentication on Secure Firewall Threat Defense:

On the RSA Server

Configure RADIUS or Active Directory server as an authentication agent.
Generate and download the configuration (sdconf.rec) file.
Create a token profile, assign the token to the user, and distribute the token to the user. Download and install the token on the remote access VPN client system.

For more information, see RSA SecureID Suite documentation.

On the ISE Server

Import the configuration (sdconf.rec) file generated on the RSA server.
Add the RSA server as the external identity source and specify the shared secret.

Table 10. Procedure

Do This

More Info

Step 1

Log on to your Secure Firewall Management Center web interface.

Step 2

Create a RADIUS server group.

RADIUS Server Group Options

Step 3

Create a RADIUS Server object within the new RADIUS server group, with RADIUS or AD server as the host and with a timeout of 60 seconds or more.

RADIUS Server Group Options

Note

The RADIUS or AD server must be the same server that is configured as the authentication agent in RSA server.

For two-factor authentication, make sure that the timeout is updated to 60 seconds or more in the Secure Client Profile XML file as well.

Step 4

Configure a new remote access VPN policy using the wizard or edit an existing remote access VPN policy.

Create a New Remote Access VPN Policy

Step 5

Select RADIUS as the authentication server and then select the newly-created RADIUS server group as the authentication server.

Configure AAA Settings for Remote Access VPN

Step 7

Deploy the configuration changes.

Deploy Configuration Changes

Configuring Duo Two-Factor Authentication

About this task:

You can configure the Duo RADIUS server as the primary authentication source. This approach uses the Duo RADIUS Authentication Proxy. (You cannot use a direct connection with the Duo Cloud Service over LDAPS.)

For the detailed steps to configure Duo, see https://duo.com/docs/cisco-firepower.

You would then configure Duo to forward authentication requests directed to the proxy server to use another RADIUS server, or an AD server, as the first authentication factor, and the Duo Cloud Service as the second factor.

When using this approach, the user must authenticate using a username that is configured on both the Duo Cloud or web server, and the associated RADIUS server. The user must enter the password configured in the RADIUS server, followed by one of the following Duo codes:

Duo-passcode. For example, my-password,123456.
push. For example, my-password,push. Use push to tell Duo to send a push authentication to the Duo Mobile app, which the user must have already installed and registered.
sms. For example, my-password,sms. Use sms to tell Duo to send an SMS message with a new batch of passcodes to the user’s mobile device. The user’s authentication attempt will fail when using sms. The user must then re-authenticate and enter the new passcode as the secondary factor.
phone. For example, my-password,phone. Use phone to authenticate using phone callback.

For more information on login options with examples, see https://guide.duo.com/anyconnect.

Before you begin:

Before configuring two-factor authentication with Duo Authentication Proxy on threat defense, ensure that you complete the following configurations:

Configure a working primary authentication (RADIUS or AD) for your remote access VPN users before you begin to deploy Duo.
Install Duo proxy service on a Windows or Linux machine within your network to integrate Duo with Secure Firewall Threat Defense remote access VPN. This Duo proxy server also acts as a RADIUS server.

Download and install the most recent Duo authentication proxy from the following location:
- Windows: https://dl.duosecurity.com/duoauthproxy-latest.exe
- Linux: https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
- Verify the checksum at https://duo.com/docs/checksums#duo-authentication-proxy.
Configure Duo authentication file authproxy.cfg. Follow instructions on the https://duo.com/docs/cisco-firepower#configure-the-proxy page to configure the authentication configuration settings.

The authproxy.cfg configuration file must contain the details for RADIUS or ISE server, threat defense device, Duo proxy server details, Integration Key, Secret key, and API host details.
Ensure that you have the right API host information in the authproxy.cfg file.
Configure other required settings such as secondary authentication factor in the newly installed Duo proxy server at Duo Security Server > Duo Admin Panel > Applications > CISCO RADIUS VPN.

Table 11. Procedure

Do This

More Info

Step 1

Log on to your Secure Firewall Management Center web interface.

Step 2

Create a RADIUS server group.

RADIUS Server Group Options

Step 3

Create a RADIUS Server object within the new RADIUS server group with Duo proxy server as the host with a timeout of 60 seconds or more.

RADIUS Server Options

Note

For two-factor authentication, make sure that the timeout is updated to 60 seconds or more in the Secure Client Profile XML file as well.

Step 4

Configure a new remote access VPN policy using the wizard or edit an existing remote access VPN policy.

Create a New Remote Access VPN Policy

Step 5

Select RADIUS as the authentication server and then select the RADIUS server group created with the Duo proxy server as the authentication server.

Configure AAA Settings for Remote Access VPN

Step 7

Deploy the configuration changes.

Deploy Configuration Changes

Secondary Authentication

Secondary authentication or double authentication in Secure Firewall Threat Defense adds an additional layer of security to remote access VPN connections by using two different authentication servers. With secondary authentication enabled, the Secure Client VPN users must provide two sets of credentials to login to the VPN gateway.

Secure Firewall Threat Defense remote access VPN supports secondary authentication in AAA Only and Client Certificate & AAA authentication methods.

Figure 2. Remote Access VPN Secondary or Double Authentication

Configure Remote Access VPN Secondary Authentication

When remote access VPN authentication is configured to use both client certificate and authentication sever, VPN client authentication is done using both the client certificate validation and AAA server.

Before you begin

Configure two authentication (AAA) servers— the primary and secondary authentication servers, and required identity certificates. The authentication servers can be RADIUS server, and AD or LDAP realms.
Ensure that the AAA servers are reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work. Configure routing (at Devices > Device Management > Edit Device > Routing) to ensure connectivity to the AAA servers.

Procedure

Step 1

On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.

Step 2

Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy.

Step 3

For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit.

Step 4

Click AAA > Authentication Method, AAA or Client Certificate & AAA.

When you select the Authentication Method as:

Client Certificate & AAA—Authentication is done using both client certificate and AAA server.
- AAA—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must manually select the Authorization Server and Accounting Server respectively.
- Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

Note

By default, secondary authentication is not required.

Authentication Server— Secondary authentication server to provide secondary username and password for VPN users.

Select the following under Username for secondary authentication:

Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.
Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.
Map username from client certificate: Prefills the secondary username from the client certificate.
- If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.
  
  See Authentication Method descriptions for more information about primary and secondary field mapping.
- Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via Secure Client.
  - Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.
Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.

For more information, see Configure AAA Settings for Remote Access VPN.

Single Sign-On Authentication with SAML 2.0

About SAML Single Sign-On Authentication

Security Assertion Markup Language (SAML) is an open standard for logging users into applications using their sessions in another context. Organizations already know the identity of users when users log in to their Active Directory (AD) domain or the intranet. They use this identity information to log in users to other applications, such as web-based applications using SAML. Individual applications do not need to store credentials and users do not have to remember and manage different sets of credentials for individual applications. SAML single sign-on (SSO) works by transferring the user’s identity from one place (the identity provider) to another (the service provider).

SAML Single Sign-On with Secure Firewall Threat Defense

The Secure Firewall Threat Defense device supports SAML 2.0 single sign-on (SSO) authentication for remote access VPN connections using the Secure Client. You need the following to configure SAML 2.0 SSO on Secure Firewall Threat Defense:

Identity Provider (IdP)—The Duo Access Gateway acts as the identity provider to perform user authentication and issues assertions.
Service Provider (SP)—The threat defense device acts as the service provider and obtains the authentication assertion from the identity provider.
VPN Client—The Secure Client performs SAML 2.0 authentication via the embedded browser.

Guidelines and Limitations for SAML 2.0

Threat Defense supports the following signatures for SAML authentication:
- SHA1 with RSA and HMAC
- SHA2 with RSA and HMAC
Threat Defense supports SAML 2.0 Redirect-POST binding , which is supported by all SAML IdPs.
The Threat Defense functions as a SAML SP only. It cannot act as an Identity Provider in gateway mode or peer mode.
You can enforce an access policy on a SAML-authenticated user if you have an associated identity policy with an AD realm matching the SAML domain. However, it does not work for Azure AD SAML because it requires additional mapping from the tenant ID of the Azure AD to an associated realm ID on the threat defense device.
Having SAML authentication attributes available in DAP evaluation (similar to RADIUS attributes sent in RADIUS auth response from AAA server) is not supported. Threat Defense supports SAML enabled group policy on DAP policy; however, you cannot check the username attribute while using SAML authentication, because the username attribute is masked by the SAML Identity provider.
Threat Defense administrators need to ensure clock synchronization between the threat defense and the SAML IdP for proper handling of authentication assertions and proper timeout behavior.
Threat Defense administrators have the responsibility to maintain a valid signing certificate on both threat defense and IdP considering the following:
- The IdP signing certificate is mandatory when configuring an IdP on the threat defense.
- The threat defense does not do a revocation check on the signing certificate received from the IdP.
In SAML assertions, there are NotBefore and NotOnOrAfter conditions. The threat defense SAML configured timeout interacts with these conditions as follows:
- Timeout overrides NotOnOrAfter if the sum of NotBefore and timeout is earlier than NotOnOrAfter.
- If NotBefore + timeout is later than NotOnOrAfter, then NotOnOrAfter takes effect.
- If the NotBefore attribute is absent, the threat defense denies the login request. If the NotOnOrAfter attribute is absent and SAML timeout is not set, threat defense denies the login request.
Threat Defense does not work with Duo in a deployment using an internal SAML, which forces the threat defense to proxy for the client to authenticate, due to the FQDN change that occurs during challenge/response for Two-factor authentication (push, code, password).
When using SAML with Secure Client, follow these guidelines:
- Untrusted server certificates are not allowed in the embedded browser.
- The embedded browser SAML integration is not supported in CLI or SBL modes.
- SAML authentication established in a web browser is not shared with Secure Client and vice versa.
- Depending on the configuration, various methods are used when connecting to the headend with the embedded browser. For example, while Secure Client might prefer an IPv4 connection over an IPv6 connection, the embedded browser might prefer IPv6, or vice versa. Similarly, Secure Client may fall back to no proxy after trying proxy and getting a failure, while the embedded browser may stop navigation after trying proxy and getting a failure.
- You must synchronize your threat defense's Network Time Protocol (NTP) server with the IdP NTP server in order to use the SAML feature.
- You cannot access internal servers with SSO after logging in using an internal IdP.
- The SAML IdP NameID attribute determines the user's username and is used for authorization, accounting, and VPN session database.
SAML does not support Start Before Logon (SBL).
Multiple attributes received with a SAML assertion are not supported.

Configuring a SAML Single Sign-On Authentication

Before you begin

Ensure that you have done the following before you configure SAML single sign-on with threat defense remote access VPN:

Create an account with Duo.
Download and install the Duo Access Gateway.
Obtain the following from your SAML identity provider (Duo).
- Identity Provider Entity ID URL
- Sign-in URL
- Sign-out URL
- Identity provider certificate

Create a SAML single sign-on server object. For more information, see Add a Single Sign-on Server.

Note

You can create a single sign-on server object in the Connection Profile settings when you create a new policy using the Remote Access VPN policy Wizard.

Procedure

Step 1	Choose Devices > VPN > Remote Access.
Step 2	Click Edit next to the remote access VPN policy for which you want to configure SAML authentication. If you want to create a new policy, click Add.
Step 3	Click Edit on the connection profile that you want to modify.
Step 4	Choose AAA settings and select SAML from the Authentication Method drop-down.
Step 5	Choose the required SAML single sign-on server as the Authentication Server.
Step 6	Configure the required settings for the remote access VPN.
Step 7	Save and deploy the remote access VPN policy on your threat defense device.

Configuring SAML Authorization

About SAML Authorization

SAML authorization supports user attributes delivered in SAML assertions within the AAA and Dynamic Access Policy (DAP) frameworks. You can configure the SAML assertion attributes on the Identity Provider as name-value pairs which then parses as strings. The attributes received are made available to DAP so that they can be used when defining selection criteria within a DAP record. The SAML assertion cisco_group_policy is used to determine the Group Policy to be applied to the VPN session.

Dynamic Access Policy Attribute Representation

In the DAP table, the DAP attributes are represented in the following format:

aaa.saml.name = "value”

Example, aaa.saml.department = ”finance"

This attribute can be used in DAP selection as follows:

<attr>
<name>aaa.saml.department</name>
<value>finance</value>
<operation>EQ</operation>
</attr>

Multi-Valued Attributes

Multi-valued attributes are also supported in DAP and the DAP table is indexed :

aaa.saml.name.1 = "value”
aaa.saml.name.2 = "value"

Active Directory memberOf Attributes

The Active Directory (AD) memberOf attribute receives a special processing that is consistent with the way it is handled through an LDAP query.

Group names are represented by the CN attribute of the DN.

Example Attributes received from the authorization server:

memberOf = "CN=FTD-VPN-Group,OU=Users,OU=TechspotUsers,DC=techspot,DC=us"
 memberOf = "CN=Domain Admins,OU=Users,DC=techspot,DC=us”

Dynamic Access Policy attributes:

aaa.saml.memberOf.1 = "FTD-VPN-Group”
aaa.saml.memberOf.2 = "Domain Admins"

Interpretation of the cisco_group_policy Attribute

A group-policy can be specified by a SAML assertion attribute. When an attribute "cisco_group_policy" is received by the threat defense, the corresponding value is used to select the connection group-policy

Configure SAML Authorization

Before you begin

Ensure that you have configured a single sign-on server like DUO and completed the required Identity Provider (IdP) and Service Provider (SP) settings.

For more information, see Single Sign-On Authentication with SAML 2.0.

Procedure

Step 1	Configure a single sign-on server object if not configured already. Choose Object > Object Management > AAA Server > Single Sign-on Server Click Add Single Sign-on Server. Enter the single sign-on server details and click Save. For more information, see Add a Single Sign-on Server.
Step 2	Configure SAML authentication in the remote access VPN connection profile. Choose Devices > Remote Access. Click Edit on the remote access VPN policy for which you want to configure SAML authorization or create a new policy. Edit the required connection profile and select AAA. Select the single sign-on server object from the Authentication Server drop-down. Save the remote access VPN configuration.
Step 3	Match a SAML criteria in DAP policy. Select Devices > Dynamic Access Policy. Create a new DAP or edit an existing one. Create a DAP record or edit and existing record. Click AAA Criteria > SAML Criteria > Add SAML Criteria. Create a SAML criteria based on the SAML assertions returned by the SSO server.
Step 4	Deploy the remote access VPN configuration.

Advanced Secure Client Configurations

Configure Secure Client Modules on a Threat Defense

Secure Client can integrate with various Cisco endpoint security solutions and offer enhanced security using different Secure Client modules.

You can use the managed headend threat defense to distribute and manage Secure Client modules to the endpoints. When a user connects to the threat defense, it downloads and installs Secure Client and the required modules on the endpoint.

In version 6.7 and later, you can use the headend threat defense, managed by a management center, to distribute and manage Secure Client modules to the endpoints. These modules then integrate with the corresponding Cisco endpoint security solution.

In versions 6.4 to 6.6, you can enable these modules and profiles on a threat defense using FlexConfig. For more information, see Configure AnyConnect Modules and Profiles Using FlexConfig.

Benefits

If you use a threat defense to distribute and manage Secure Client modules to the endpoints, you can easily perform the following tasks:

Distribute and manage Secure Client modules and profiles on each endpoint.
Upgrade Secure Client on each endpoint.

Types of Secure Client Modules

AMP Enabler

Use this module to deploy Cisco Secure Endpoint, formerly AMP for Endpoints, on endpoints. The module pushes Cisco Secure Endpoint to endpoints from a server hosted locally within the enterprise. This module provides an additional security agent that detects potential malware threats in the network, removes these threats, and protects the enterprise.

In Cisco Secure Client 5.0, AMP Enabler is only for macOS. Cisco Secure Client for Windows offers full integration with Cisco Secure Endpoint.

ISE Posture

Use this module to perform endpoint posture checks such as antivirus, antispyware, operating system and so on using Cisco Identity Services Engine (ISE) and assess the endpoint's compliance. ISE provides next generation identity and access control policy. ISE Posture performs a client-side evaluation. The client receives the posture requirement policy from the headend, performs the posture data collection, compares the results against the policy, and sends the assessment results back to the headend.

Network Visibility

Use this module to monitor the endpoint application usage using the Network visibility module. You can uncover potential behavior anomalies and make informed network design decisions. It enhances the enterprise administrator's ability to do capacity and service planning, auditing, compliance, and security analytics. You can share the usage data with NetFlow analysis tools such as Cisco Stealthwatch.

Umbrella Roaming Security

Use this module for a DNS-layer security using the Cisco Umbrella Roaming Security service. Cisco Umbrella provides content filtering, multiple policies, robust reporting, active directory integration, and much more.

Web Security

Use this module to enable Cisco Secure Web Appliance (SWA), powered by Cisco Talos. This module protects the endpoint by blocking risky sites and testing unknown sites before allowing users to access them. It can deploy web security either through the on-prem WSA or the cloud-based Cisco Cloud Web Security. This module is not part of the AnyConnect package from release 4.5 and in Secure Client 5.0.

Network Access Manager

This module provides a secure layer 2 network and performs device authentication to access wired and wireless networks. Network Access Manager manages user and device identity and the network access protocols required for secure access.

Network Access Manager is not supported on macOS or Linux.

Start Before Login

Start Before Login (SBL) allows users to establish their VPN connection to the enterprise infrastructure before logging onto Windows. After the SBL module installation, you must enable SBL in the Secure Client VPN profile and add it to the remote access VPN group policy.

DART

Diagnostics and Reporting Tool (DART) collates system logs and other diagnostic information to troubleshoot AnyConnect installation and connection problems. You can send this data to Cisco TAC for troubleshooting.

By default, DART is not enabled in new RA VPN group policies for 6.7 and later versions. In 6.6 and earlier versions, DART is enabled by default.

Feedback

The customer experience feedback (CEF) module provides information about which features and modules you use and have enabled. This information gives an insight into the user experience so that Cisco can continue to improve the quality, reliability, performance, and user experience of the Cisco Secure Client. Secure Client does not download the Feedback module to the endpoint. The feedback data is sent to the Cisco Feedback Server.

Prerequisites for Configuring Secure Client Modules

Configure the associated products depending on the module that you are going to use.

Download the following Secure Client-related packages from Cisco Software Download Center to your local host.

Cisco Secure Client Headend Deployment Package for the required platforms.

This package is for the headend and contains all the Secure Client modules. For Windows, the filename is cisco-secure-client-win-5.0.03076-webdeploy-k9.pkg.

Profile Editor: Create profiles for the modules that require profiles.

Secure Client needs a Secure Client profile for some of the modules. A profile contains configurations to enable the modules and connect to the corresponding security services. The profile editor supports only Windows.

The following table lists if the modules require a client profile:


Secure Client Module	Requires a Client Profile
AMP Enabler	Yes
ISE Posture	Yes
Network Access Manager	Yes
Network Visibility Module	Yes
Umbrella Roaming Secure Module	Yes
Feedback	Yes
Web Security	Yes
DART	No
Start Before Login	No

Licensing
- You need one of the following Secure Client licenses: Secure Client Premier, Secure Client Advantage, or Secure Client VPN Only
- Your management center Essentials license must allow export-controlled functionality.
  
  Choose System > Licenses > Smart Licenses to verify this functionality in the management center.

Guidelines for Configuring Secure Client Modules

All Secure Client modules are supported from AnyConnect 4.8 and later, and Secure Client 5.0.

Different modules support profiles with different file extensions. The following table lists the modules and the supported file extensions of their profiles:

Table 12. Supported File Extensions of Profiles
Module	File Extension
AMP Enabler	.xml, .asp
Feedback	*.xml
ISE Posture	.xml, .isp
Network Access Manager	.xml, .nsp
Network Visibility	.xml, .nvmsp
Umbrella Roaming Security	.xml, .json
Web Security	.xml, .wsp, *.wso

You can add only one entry per client module. You can edit or delete an entry for a module.
If you plan to use ISE posture and Network Access Manager modules on a Windows OS, you must install Network Access Manager before you use the ISE Posture module.
If you enable the Umbrella Roaming Security module, ensure that you disable the Always send DNS requests over tunnel option under split tunnelling in the VPN group policy.
If you want to use SBL, then you must enable SBL in the Secure Client VPN profile.

Install Secure Client Modules using a Threat Defense

Before you begin

Ensure that you review the Prerequisites for Configuring Secure Client Modules and Guidelines for Configuring Secure Client Modules topics.

Procedure

Step 1	The administrator creates profiles, if needed, for the required Secure Client modules.
Step 2	The administrator uses the management center to: Configure the modules and add the profiles in the remote access VPN group policy. Deploy the configuration on the threat defense.
Step 3	The user uses Secure Client to initiate a VPN connection to the threat defense.
Step 4	The threat defense authenticates the user.
Step 5	The Secure Client checks for updates.
Step 6	The threat defense distributes the Secure Client modules and the profiles on the endpoint.

What to do next

Configure a Remote Access VPN Group Policy with Secure Client Modules.

Configure a Remote Access VPN Group Policy with Secure Client Modules

To install and update the Secure Client modules on the endpoint using a threat defense managed by a management center, you must update the remote access VPN group policy with the Secure Client module configurations.

Before you begin

Ensure that you have configured a remote access VPN policy in the management center.

Procedure

Step 1	Choose Devices > Remote Access.
Step 2	Select a remote access VPN policy and click Edit.
Step 3	Select a connection profile and click Edit.
Step 4	Click Edit Group Policy.
Step 5	Click the Secure Client tab.
Step 6	Click Client Modules.
Step 7	Click +.
Step 8	Choose a module from the Client Module drop-down list.
Step 9	Choose a profile for the module from the Profile to download drop-down list or click + to add a profile.
Step 10	Check the Enable module download check box to download the module on the endpoint.
Step 11	Click Add.
Step 12	Repeat steps 7 to 11 if you want to add more modules.
Step 13	Click Save.

What to do next

Deploy the configuration on the threat defense.
Launch the Secure Client, select the VPN profile, and connect to the VPN. Secure Client installs the configured modules on it.
Verify the configuration. For more information, see Verify Secure Client Modules Configuration.

Verify Secure Client Modules Configuration

On the Threat Defense

Use the following commands on the threat defense to view the profiles and the Secure Client modules configuration:

show disk0:- View the profiles and their configuration.
show run webvpn - View details of the Secure Client configurations.
show run group-policy <ravpn_group_policy_name> - View details of the RA VPN group policy for Secure Client.
show vpn-sessiondb anyconnect - View details of the active Secure Client VPN sessions.

On the Endpoint

Use the Secure Client to establish a VPN connection to the threat defense.
Verify if the configured modules are downloaded and installed as part of the Secure Client.
Verify if the configured profiles, if any, are available in the locations documented in Profile Locations for all Operating Systems.

On the Management Center

You can monitor remote access VPN active sessions on the management center using the Remote Access VPN dashboard (Overview > Remote Access VPN). You can quickly determine problems related to user sessions and mitigate the problems for your network and users.

Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices

When you use Secure Client to establish a VPN connection from a mobile device, all the traffic including the traffic from personal applications is routed through the VPN.

For mobile devices that run on Android or iOS, you can restrict the applications that use the VPN tunnel. This application-based remote access VPN is called Per App VPN. To use Per App VPN, you must install and configure a third-party Mobile Device Manager (MDM) application. You must define the list of approved applications that can be used over the VPN tunnel in the MDM. You can enable Per App VPN on the threat defense headend so that your MDM can apply your policies on mobile devices.

Benefits

Benefits of restricting the remote access VPN to approved applications include:

Performance—Limits VPN traffic over the corporate network and frees up resources of the VPN headend.
Protection—Protects the corporate VPN tunnel from unapproved malicious applications on the mobile device.

Prerequisites and Licensing for Configuring Per App VPN Tunnels

Prerequisites

Install and configure a third-party Mobile Device Manager (MDM).

You must configure the applications that will be allowed in the VPN in the MDM itself, not on the threat defense headend device.
Download the Cisco AnyConnect Enterprise Application Selector from Cisco Software Download Center.

You need this tool to define the Per App VPN policy.

Licensing

Secure Client Premier, or Secure Client Advantage.
Essentials license must allow export-controlled functionality.

To verify this functionality in the management center, choose System > Licenses > Smart Licenses.

Determine the Application IDs for Mobile Applications

Before configuring the threat defense headend to allow application-based VPN from mobile devices, you must determine which applications should be allowed in the tunnel.

We strongly recommend that you configure the per-app policy in the MDM on the user’s mobile device. This simplifies the headend configuration. If you decide to configure the list of allowed applications on the headend, you must determine the application IDs for each application on each type of endpoint.

The application ID, called the bundle ID in iOS, is a reverse DNS name. You can use an asterisk as a wildcard. For example, *.* indicates all applications, com.cisco.* indicates all Cisco applications.

To determine the application IDs:

Android—Go to Google Play in a web browser and select the Apps category. Click (or hover over) an application that you want to allow, then look at the URL. The app id is in the URL, on the id= parameter. For example, the following URL is for Facebook Messenger, so the app id is com.facebook.orca.

https://play.google.com/store/apps/details?id=com.facebook.orca

For applications that are not available through Google Play, such as your own applications, download a package name viewer application to extract the app ID. There are many of these applications available, one of them should provide what you need, but Cisco does not endorse any of them.
iOS—There is no straight-forward way to get the bundle ID. Following is one way to find it:
1. Use a desktop web browser such as Chrome to search for the application name.
2. In the search results, look for the link to download the app from the Apple App Store. For example, Facebook Messager would be similar to:
  
  https://apps.apple.com/us/app/messenger/id454638411
3. Copy the number after the id string. In this example, 454638411.
4. Open a new browser window, and add the number to the end of the following URL:
  
  https://itunes.apple.com/lookup?id=
  
  For this example: https://itunes.apple.com/lookup?id=454638411
5. You will be prompted to download a text file, usually named 1.txt. Download the file.
6. Open the file in a text editor such as WordPad, and search for bundleId. For example:
  
  "bundleId":"com.facebook.Messenger",
  
  In this example, the bundle ID is com.facebook.Messenger. Use this as the app ID.

Once you have your list of application IDs, you can configure the policy as explained in .

Configure Application-Based VPN Tunnels

After you install and configure your MDM software, you can enable Per App VPN on the threat defense headend device. Once enabled on the headend, your MDM software will control which applications are tunneled over the VPN to the corporate network.

Before you begin

Ensure that you have a remote access VPN policy in the management center.
Configure Per App VPN using MDM and enroll each device to the MDM server.
Download the Cisco AnyConnect Enterprise Application Selector.

Procedure

Step 1

Use the Cisco AnyConnect Enterprise Application Selector to define the Per App VPN policy.

We recommend that you create a simple Allow All policy, and define the allowed applications in the MDM. However, you can specify a list of applications to allow and control the list from the headend. If you want to include specific applications, create a separate rule for each application, using a unique name and the application’s app ID. For more information on getting the app IDs, see Determine the Application IDs for Mobile Apps.

To create an Allow All policy that supports both Android and iOS platforms using the AnyConnect Enterprise Application Selector:

Choose Android from the drop-down list as the platform type and configure the following options:
- Friendly Name—Enter a name for the policy. For example, Allow_All.
- App ID—Enter *.* to match all possible applications.
- Leave the other options.
Choose iOS from the drop-down list as the platform type and configure the following options:
- Friendly Name—Enter a name for the policy. For example, Allow_All.
- App ID—Enter *.* to match all possible applications.
- Leave the other options.
Choose Policy > View Policy to get the base64 encoded string for the policy.

This string contains an encrypted XML file that allows the threat defense to see the policies. Copy this value. You need this string when you configure Per App VPN on the threat defense.

Step 2

Use the management center to enable the Per App on the threat defense headend device.

Choose Devices > Remote Access.
Select a remote access VPN policy and click Edit.
Select a connection profile and click Edit.
Click Edit Group Policy.
Click the Secure Client tab.
Click Custom Attributes and click +.
Choose Per App VPN from the Secure Client Attribute drop-down list.
Choose an object from the Custom Attribute Object drop-down list or click + to add an object.

When you add a new custom attribute object for Per App VPN, enter the name, description, and the base64 encoded policy string from the Cisco AnyConnect Enterprise Application Selector.
Click Save.
Click Add and click Save.

Step 3

Deploy your changes on the management center.

What to do next

Launch the Secure Client, select the VPN profile, and connect to the VPN.
Verify the configuration. For more information, see Verify Per App Configuration.

Verify Per App Configuration

On the Threat Defense

Use the following commands on the threat defense to view the Per App configuration:

show run webvpn
show run group-policy <ravpn_group_policy_name>
show run anyconnect-custom-data

On the Endpoint

After the endpoint establishes a VPN connection with the threat defense:

Click the Statistics icon of the Secure Client.
Tunnel Mode will be “Application Tunnel” instead of “Tunnel All Traffic.”
Tunneled Apps will list the applications you enabled for tunneling in the MDM.

Remote Access VPN Examples

How to Limit Secure Client Bandwidth Per User

This section provides instructions to limit the maximum bandwidth that the VPN users consume when they connect using the Secure Client to Secure Firewall Threat Defense remote access VPN gateway. You can limit the maximum bandwidth by using a Quality of service (QoS) policy in threat defense, to ensure that a single user or group or users do not take over the entire resource. This configuration lets you give priority to critical traffic, prevent bandwidth hogging, and manage the network. If a When traffic exceeds the maximum rate, the threat defense drops the excess traffic.


Step	Do This	More Info
1	Create and set up a realm.	Create an LDAP Realm or an Active Directory Realm and Realm Directory
2	Create a QoS policy and QoS rule for the user or group available in the newly created realm.	See Creating a QoS Policy to create a QoS policy. See Configuring QoS Rules to create a QoS rule.
3	Configure remote access VPN policy and select the newly created realm for user authentication.	Create a New Remote Access VPN Policy
4	Deploy the remote access VPN policy.	Deploy Configuration Changes

How to Use VPN Identity for User-Id Based Access Control Rules


Step	Do This	More Info
1	Create and set up a realm.	Create an LDAP Realm or an Active Directory Realm and Realm Directory.
2	Create an identity policy and add an identity rule.	See Create an Identity Policy to create an identity policy. See Create an Identity Rule to create an identity rule.
3	Associate the identity policy with an access control policy.	Associating Other Policies with Access Control
4	Configure remote access VPN policy and select the newly created realm for user authentication.	Create a New Remote Access VPN Policy
5	Deploy the remote access VPN policy.	Deploy Configuration Changes

Configure Threat Defense Multiple Certificate Authentication

Multiple Certificate-based Authentication

Multiple certificate-based authentication allows the threat defense to validate the machine or device certificate. Multiple certificates can be enabled for certificate-based authentication in the remote access VPN connection profile. It can be combined with AAA authentication. The multiple certificates option in the remote access VPN connection profile allows certificate authentication of both the machine and user via certificates. This ensures that the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow RA VPN access. The administrator can choose if the username for the session should be taken from the machine certificate or user certificate.

When multiple certificate-based authentication is configured, two certificates are obtained from the VPN client:

First Certificate —Machine certificate to authenticate the endpoint.
Second Certificate—User certificate to authenticate the VPN user.

For detailed information about threat defense certificates, see Managing Threat Defense Certificates.

Limitations

Multiple certificate authentication currently limits the number of certificates to two.
Secure Client supports only RSA-based certificates.
Only SHA256, SHA384, and SHA512 based certificates are supported during the Secure Client aggregate authentication.
Certificate authentication cannot be combined with SAML authentication.

Pre-fill Username from Certificate

The Pre-fill username option allows a field from the certificates to be parsed and used for subsequent AAA authentication (primary and secondary). When two certificates are used for authentication, the Administrator can choose the certificate from which the username should be derived for the prefill functionality. By default, username for prefill is retrieved from the User certificate (second certificate received from Secure Client). The prefilled username is used as the VPN session username when the Certificate Only authentication method is enabled. When AAA and certificate authentication is enabled, VPN session username will be based on the pre-fill option.

Configure Multiple Certificate Authentication for Remote Access VPN

On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.
Edit an existing remote access policy, or create a new one and then edit.

See Create a New Remote Access VPN Policy.
Select the connection profile to configure multiple certificate authentication, and click Edit.
See Configure Connection Profile Settings.
Choose AAA, and then select an Authentication Method:

Figure 3.
- Client Certificate Only—User is authenticated using client certificate. Client certificate must be configured on VPN client endpoints. By default, the username is derived from client certificate fields CN & OU respectively. In case, the username is specified in other fields in the client certificate, use 'Primary' and 'Secondary' field to map appropriate fields.
- Client Certificate & AAA—User is authenticated using both the types of authentication, AAA and client certificate.
Select Enable multiple certificate authentication.
Select Map username from client certificate and select a certificate from the Certificate to choose drop-down to choose the username for the VPN session from the machine certificate or user certificate.
- First Certificate —Map the username from the Machine Certificate.
- Second Certificate—Map the username from the User certificate to authenticate the VPN user.
Configure the required connection profile settings and remote access VPN settings.
Save the connection profile and remote access VPN policy. Deploy the remote access VPN on threat defense.

For information about remote access VPN AAA settings, see Configure AAA Settings for Remote Access VPN.

Certificate Configuration in DAP

You can also configure certificate criteria attributes in a DAP record. The user and machine certificate received from the VPN client during multiple-certificate authentication is loaded into dynamic access policy (DAP) to allow policies to be configured based on the field of the certificate. You can make policy decisions based on the fields of a certificate used to authenticate that connection attempt.

Choose Devices > Dynamic Access Policy.
Edit an existing DAP policy or create a new one and then edit the policy.
Choose an existing DAP record, or create a new one and then edit the record.
Select Endpoint Criteria > Certificate.
Select the Match Criteria All or Any.
Click Add to add certificate attributes.

Figure 4.
Select the certificate, Cert1 or Cert2.
Select the Subject and specify the certificate subject value.
Select the Issuer and specify the certificate issuer name.
Select the Subject Alternate Name and specify the alternate name for the subject.
Specify the Serial Number.
Select the Certificate Store: None, Machine, or User.

This option adds a condition to check for the store from which the certificate is picked on the endpoint.
Click Save to complete the certificate criteria settings.

Configure the required DAP record settings and then associate the DAP with the remote access VPN.

For more information about DAP, see Dynamic Access Policies.

History for Remote Access VPNs


Feature	Minimum Management Center	Minimum Threat Defense	Details
IPsec flow offload on the VTI loopback interface	7.4	Any	On the Secure Firewall 3100 and Secure Firewall 4200 devices, IPsec flow offload is enabled automatically on the VTI loopback interface.
Secure Client Customizations	7.4	Any	You can configure Secure Client customizations and deploy them to the VPN headend. The threat defense distributes these customizations to the endpoint when a user connects from the Secure Client: GUI text and messages Icons and images Scripts Binaries Customized Installer Transforms Localized Installer Transforms New/Modified Screens: Objects > Object Management > VPN > Secure Client Customization Devices > Remote Access > Advanced > Secure Client Customizations
WAN Summary Dashboard	7.4	Any	The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. New/Modified Screen: Overview > Dashboards > WAN Summary
SAML with Certificate Support	7.2	Any	We have updated the remote access VPN configuration wizard to support user authentication with Certificate and SAML. You can configure a remote access VPN to authenticate machine or user certificate before a SAML authentication is initiated.
IPsec flow offload.	7.2	Any	On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command.
Multiple IDP trustpoint support	7.1	Any	Secure Firewall Management Center supports multiple identity provider trustpoints with Microsoft Azure that can have multiple applications for the same Entity ID, but a unique identity certificate.
AnyConnect VPN SAML External Browser	7.1	Any	You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as password less authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser. We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience.
Multi-Certificate Authentication	7.0	Any	Secure Firewall Management Center now supports multiple certificate-based authentication for threat defense to validate the machine or device certificate, to ensure that the device is a corporate-issued device in addition to authenticating the user’s identity certificate to allow VPN access using AnyConnect client.
VPN Load balancing	7.0	Any	VPN load balancing logically group two or more devices and distributes remote access VPN sessions among the grouped devices equally without considering throughput and other traffic parameters.
AnyConnect Custom Attributes	7.0	Any	Secure Firewall Management Center now supported AnyConnect custom attributes and provides an infrastructure to configure the AnyConnect client feature without adding hard-coded support for these features on threat defense.
Local User Authentication	7.0	Any	You can now configure and manage users locally on threat defense using the Secure Firewall Management Center web interface, and configure the local users for primary and secondary remote access VPN authentication.
Selective Policy Deployment	7.0	Any	You can now choose to include or exclude changes to remote access VPN and site-to-site VPN configurations during the deployment.
Support for AnyConnect Modules Configuration	6.7	Any	Secure Firewall Management Center now supports configuring AnyConnect modules and profiles for additional security.
Support for LDAP Authorization	6.7	Any	You can configure LDAP authorization for remote access VPN using the Secure Firewall Management Center.
SAML single sign-on support for remote access VPN	6.7	Any	You can configure a SAML 2.0 server as the single sign-on authentication server for remote access VPNs.
AnyConnect Management VPN tunnel support	6.7	Any	Threat Defense remote access VPN supports configuring AnyConnect Management VPN tunnel that allows VPN connectivity to endpoints when the corporate endpoints are powered on, without the VPN users connecting to the VPN.
Support for Datagram Transport Layer Security (DTLS) 1.2	6.6	Any	DTLS 1.2 is now part of the default SSL cipher group and it can be configured along with TLS 1.2.

Cisco Secure Firewall Management Center Device Configuration Guide, 7.6

Bias-Free Language

Results

Chapter: Remote Access VPN

Remote Access VPN

Remote Access VPN Overview

Remote Access VPN Features

Secure Client Components

Secure Client Deployment

Secure Client Operation

Secure Client Profile and Editor

Remote Access VPN Authentication

Remote Access VPN Server Authentication

Remote Access VPN Client AAA

Understanding Policy Enforcement of Permissions and Attributes

Understanding AAA Server Connectivity

License Requirements for Remote Access VPN

Threat Defense License

Requirements and Prerequisites for Remote Access VPN

Model Support

Supported Domains

User Roles

Guidelines and Limitations for Remote Access VPNs

Remote Access VPN Policy Configuration

Concurrent VPN Sessions Capacity Planning (threat defense virtual Models)

Concurrent VPN Sessions Capacity Planning (Hardware Models)

Controlling Cipher Usage for VPN

Authentication, Authorization, and Accounting

Client Certificates

Unsupported Features of Secure Client

Configuring a New Remote Access VPN Connection

Prerequisites for Configuring Remote Access VPN

Create a New Remote Access VPN Policy

Before you begin

Procedure

What to do next

Update the Access Control Policy on the Secure Firewall Threat Defense Device

Before you begin

Procedure

(Optional) Configure NAT Exemption

Before you begin

Procedure

Configure DNS

Procedure

Add Secure Client Profile XML File

Before you begin

Procedure

(Optional) Configure Split Tunneling

Procedure

(Optional) Configure Dynamic Split Tunneling

Before you begin

Procedure

What to do next

Verify Dynamic Split Tunneling Configuration

On the Threat Defense

On the Secure Client

Verify the Configuration

Procedure

Create a Copy of an Existing Remote Access VPN Policy

Procedure

What to do next

Set Target Devices for a Remote Access VPN Policy

Procedure

What to do next

Associate Local Realm with Remote Access VPN Policy

Procedure

What to do next

Additional Remote Access VPN Configurations

Configure Connection Profile Settings

Procedure

Configure IP Addresses for VPN Clients

Procedure

Configure AAA Settings for Remote Access VPN

Before you begin

Procedure

RADIUS Server Attributes for Secure Firewall Threat Defense

Create or Update Aliases for a Connection Profile

Procedure

Configure Access Interfaces for Remote Access VPN

Procedure