Remote Access VPN

Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a computer or other supported devices connected to the Internet. This allows mobile workers to connect from their home networks or a public Wi-Fi network, for example.

The following topics explain how to configure remote access VPN for your network.

Remote Access VPN Overview

Secure Firewall Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-IKEv2 VPNs. The full tunnel client, AnyConnect Security Mobility Client, provides secure SSL and IPsec-IKEv2 connections to the security gateway for remote users. When the client negotiates an SSL VPN connection with threat defense, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS)

AnyConnect is the only client supported on endpoint devices for remote VPN connectivity to threat defense devices. The client gives remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators to install and configure clients on remote computers. The AnyConnect Security Mobility Client for Windows, Mac, and Linux is deployed from the secure gateway upon connectivity. The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store.

Use the Remote Access VPN policy wizard to set up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration as you want and deploy it to your threat defense secure gateway devices.

Remote Access VPN Features

The following table describes the features of Secure Firewall Threat Defense remote access VPN:

Table 1. Remote access VPN features

Description

Secure Firewall Threat Defense remote access VPN features

  • SSL and IPsec-IKEv2 remote access using the AnyConnect Security Mobility Client.

  • Secure Firewall Management Center supports all combinations such as IPv6 over an IPv4 tunnel.

  • Configuration support on both management center and device manager. Device-specific overrides.

  • Support for both Secure Firewall Management Center and threat defense HA environments.

  • Support for multiple interfaces and multiple AAA servers.

  • Rapid Threat Containment support using RADIUS CoA or RADIUS dynamic authorization.

  • Support for DTLS v1.2 protocol with Cisco AnyConnect Security Mobility Client version 4.7 or higher.

  • AnyConnect Client modules support for additional security services for remote access VPN connections.

  • VPN load balancing.

AAA features

  • Server authentication using self-signed or CA-signed identity certificates.

  • AAA username and password-based remote authentication using RADIUS server or LDAP or AD.

  • RADIUS group and user authorization attributes, and RADIUS accounting.

  • Double authentication support using an additional AAA server for secondary authentication.

  • NGFW Access Control integration using VPN Identity.

  • LDAP or AD authorization attributes using Secure Firewall Management Center web interface.

  • Support for single sign-on using SAML 2.0.

  • Support for multiple identity provider trustpoints with Microsoft Azure that can have multiple applications for the same Entity ID, but a unique identity certificate.

VPN tunneling features

  • Address assignment.

  • Split tunneling.

  • Split DNS.

  • Client Firewall ACLs.

  • Session Timeouts for maximum connect and idle time.

Remote access VPN monitoring features

  • New VPN Dashboard Widget showing VPN users by various characteristics such as duration and client application.

  • Remote access VPN events including authentication information such as username and OS platform.

  • Tunnel statistics available using the threat defense Unified CLI.

AnyConnect Components

AnyConnect Security Mobility Client Deployment

Your remote access VPN policy can include the AnyConnect Client Image and the AnyConnect Client Profile for distribution to connecting endpoints. Or, the client software can be distributed using other methods. See the Deploy AnyConnect chapter in the appropriate version of the Cisco AnyConnect Secure Mobility Client Administrator Guide.

Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL or IPsec-IKEv2 VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, remote users must enter the URL in the form https://address. After the user enters the URL, the browser connects to that interface and displays the login screen.

After a user logs in, if the secure gateway identifies the user as requiring the VPN client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection stops. In the case of a previously installed client, after login, the threat defense security gateway examines the client version and upgrades it as necessary.

AnyConnect Security Mobility Client Operation

When the client negotiates a connection with the security appliance, the client connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

When an IPsec-IKEv2 VPN client initiates a connection to the secure gateway, negotiation consists of authenticating the device through Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth). The group profile is pushed to the VPN client and an IPsec security association (SA) is created to complete the VPN.

AnyConnect Client Profile and Editor

The AnyConnect Client Profile is a group of configuration parameters, stored in an XML file that the VPN client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features.

You can configure a profile using the AnyConnect Profile Editor. This editor is a convenient GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the management center.

Remote Access VPN Authentication

Remote Access VPN Server Authentication

Secure Firewall Threat Defense secure gateways always use certificates to identify and authenticate themselves to the VPN client endpoint.

While you use the Remote Access VPN Policy Wizard, you can enroll the selected certificate on the targeted threat defense device. In the wizard, under Access & Certificate phase, select “Enroll the selected certificate object on the target devices” option. The certificate enrollment gets automatically initiated on the specified devices. As you complete the remote access VPN policy configuration, you can view the status of the enrolled certificate under the device certificate homepage. The status provides a clear standing as to whether the certificate enrollment was successful or not. Your remote access VPN policy configuration is now fully completed and ready for deployment.

Obtaining a certificate for the secure gateway, also known as PKI enrollment, is explained in Certificates. This chapter contains a full description of configuring, enrolling, and maintaining gateway certificates.

Remote Access VPN Client AAA

For both SSL and IPsec-IKEv2, remote user authentication is done using usernames and passwords only, certificates only, or both.


Note


If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.


AAA servers enable managed devices acting as secure gateways to determine who a user is (authentication), what the user is permitted to do (authorization), and what the user did (accounting). Some examples of the AAA servers are RADIUS, LDAP/AD, TACACS+, and Kerberos. For Remote Access VPN on threat defense devices, AD, LDAP, and RADIUS AAA servers are supported for authentication.

Refer to the section Understanding Policy Enforcement of Permissions and Attributes to understand more about remote access VPN authorization.

Before you add or edit the remote access VPN policy, you must configure the Realm and RADIUS server groups you want to specify. For more information, see Create an LDAP Realm or an Active Directory Realm and Realm Directory and Add a RADIUS Server Group.

Without DNS configured, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames, it can only resolve IP addresses.

The login information provided by a remote user is validated by an LDAP or AD realm or a RADIUS server group. These entities are integrated with the Secure Firewall Threat Defense secure gateway.


Note


If users authenticate with remote access VPN using Active Directory as the authentication source, users must log in using their username; the format domain\username or username@domain fails. (Active Directory refers to this username as the logon name or sometimes as sAMAccountName.) For more information, see User Naming Attributes on MSDN.

If you use RADIUS to authenticate, users can log in with any of the preceding formats.


Once authenticated via a VPN connection, the remote user takes on a VPN Identity. This VPN Identity is used by identity policies on the Secure Firewall Threat Defense secure gateway to recognize and filter network traffic belonging to that remote user.

Identity policies are associated with access control policies, which determine who has access to network resources. It is in this way that the remote user blocked or allowed to access your network resources.

For more information, see the About Identity Policies and Access Control Policies sections.

Understanding Policy Enforcement of Permissions and Attributes

The Secure Firewall Threat Defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from an external authentication server and/or authorization AAA server (RADIUS) or from a group policy on the threat defense device. If the threat defense device receives attributes from the external AAA server that conflicts with those configured on the group policy, then attributes from the AAA server always take the precedence.

The threat defense device applies attributes in the following order:

  1. User attributes on the external AAA server—The server returns these attributes after successful user authentication and/or authorization.

  2. Group policy configured on the Firepower Threat Defense device—If a RADIUS server returns the value of the RADIUS Class attribute IETF-Class-25 (OU= group-policy) for the user, the threat defense device places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.

  3. Group policy assigned by the Connection Profile (also known as Tunnel Group)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication.


Note


The threat defense device does not support inheriting system default attributes from the default group policy, DfltGrpPolicy. The attributes on the group policy assigned to the connection profile are used for the user session, if they are not overridden by user attributes or the group policy from the AAA server as indicated above.

Understanding AAA Server Connectivity

LDAP, AD, and RADIUS AAA servers must be reachable from the threat defense device for your intended purposes: user-identity handling only, VPN authentication only, or both activities. AAA servers are used in remote access VPN for the following activities:

  • User-identity handling— the servers must be reachable over the Management interface.

    On the threat defense, the Management interface has a separate routing process and configuration from the regular interfaces used by VPN.

  • VPN authentication—the servers must be reachable over one of the regular interfaces: the Diagnostic interface or a data interface.

    For regular interfaces, two routing tables are used. A management-only routing table for the Diagnostic interface as well as any other interfaces configured for management-only, and a data routing table used for data interfaces. When a route-lookup is done, the management-only routing table is checked first, and then the data routing table. The first match is chosen to reach the AAA server.


    Note


    If you place a AAA server on a data interface, be sure the management-only routing policies do not match traffic destined for a data interface. For example, if you have a default route through the Diagnostic interface, then traffic will never fall back to the data routing table. Use the show route management-only and show route commands to verify routing determination.


For both activities on the same AAA servers, in addition to making the servers reachable over the Management interface for user-identity handling, do one of the following to provide VPN authentication access to the same AAA servers:

  • Enable and configure the Diagnostic interface with an IP address on the same subnet as the Management interface, and then configure a route to the AAA server through this interface. The Diagnostic interface access will be used for VPN activity, the Management interface access for identity handling.


    Note


    When configured this way, you cannot also have a data interface on the same subnet as the Diagnostic and Management interfaces. If you want the Management interface and a data interface on the same network, for example when using the device itself as a gateway, you will not be able to use this solution because the Diagnostic interface must remain disabled.


  • Configure a route through a data interface to the AAA server. The data interface access will be used for VPN activity, the Management interface access for user-identity handling.

For more information about various interfaces, see Regular Firewall Interfaces.

After deployment, use the following CLI commands to monitor and troubleshoot AAA server connectivity from the threat defense device:

  • show aaa-server to display AAA server statistics.

  • show route management-only to view the management-only routing table entries.

  • show network and show network-static-routes to view the Management interface default route and static routes.

  • show route to view data traffic routing table entries.

  • ping system and traceroute system to verify the path to the AAA server through the Management interface.

  • ping interface ifname and traceroute destination to verify the path to the AAA server through the Diagnostic and data interfaces.

  • test aaa-server authentication and test aaa-server authorization to test authentication and authorization on the AAA server.

  • clear aaa-server statistics groupname or clear aaa-server statistics protocol protocol to clear AAA server statistics by group or protocol.

  • aaa-server groupname active host hostname to activate a failed AAA server, or aaa-server groupname fail host hostname to fail a AAA server.

  • debug ldap level , debug aaa authentication , debug aaa authorization , and debug aaa accounting .

License Requirements for Remote Access VPN

Threat Defense License

Threat Defense remote access VPN requires Strong Encryption and one of the following licenses for AnyConnect:

  • AnyConnect Plus

  • AnyConnect Apex

  • AnyConnect VPN Only

Requirements and Prerequisites for Remote Access VPN

Model Support

Threat Defense

Supported Domains

Any

User Roles

Admin

Guidelines and Limitations for Remote Access VPNs

Remote Access VPN Policy Configuration

  • You can add a new remote access VPN policy only by using the wizard. You must proceed through the entire wizard to create a new policy; the policy will not be saved if you cancel before completing the wizard.

  • Two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists.

  • Moving a Secure Firewall Threat Defense device from one domain to another domain is not possible if remote access VPN policy is assigned to that device.

  • Remote access VPN does not support SSL while using SaaS or ECMP. We recommend that you use IPsec-IKEv2.

  • Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration.

  • Remote access VPN connectivity could fail if there is a misconfigured threat defense NAT rule.

  • If you are using DHCP to provide IP addresses to the client, and the client cannot obtain an address, check the NAT rules. Any NAT rule that applies to the RA VPN network should include the route lookup option. Route lookup can help ensure the DHCP requests are sent to the DHCP server through an appropriate interface.

  • Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the AnyConnect IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the threat defense device before configuring remote access VPN policy.

  • While configuring remote access VPNs using the wizard, you can create in-line certificate enrollment objects, but you cannot use them to install the identity certificate. Certificate enrollment objects are used for generating the identity certificate on the threat defense device being configured as the remote access VPN gateway. Install the identity certificate on the device before deploying the remote access VPN policy to the device.

    For more information about how to install the identity certificate based on the certificate enrollment object, see The Object Manager.

  • The ECMP zone interfaces can be used in remote access VPN with IPsec enabled.

  • The ECMP zone interfaces cannot be used in remote access VPN with SSL enabled. Deployment of remote access VPN (SSL enabled) configuration fails if all the remote access VPN interfaces that belong to security zones or interface groups also belong to one or more ECMP zones. However, if only some of the remote access VPN interfaces belonging to the security zones or interface groups also belongs to one or more ECMP zones, deployment of the remote access VPN configuration succeeds excluding those interfaces.

  • After you change the remote access VPN policy configurations, re-deploy the changes to the threat defense devices. The time it takes to deploy configuration changes depends on multiple factors such as complexity of the policies and rules, type and volume of configurations you send to the device, and memory and device model. Before deploying remote access VPN policy changes, review the Best Practices for Deploying Configuration Changes.

  • Issuing commands such as curl against the RA VPN headend is not directly supported, and might not have desirable results. For example, the headend does not respond to HTTP HEAD requests.

Concurrent VPN Sessions Capacity Planning (threat defense virtual Models)

The maximum concurrent VPN sessions are governed by the installed threat defense virtual smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

Threat Defense Virtual5

50

Threat Defense Virtual10

250

Threat Defense Virtual20

250

Threat Defense Virtual30

250

Threat Defense Virtual50

750

Threat Defense Virtual100

10,000

Concurrent VPN Sessions Capacity Planning (Hardware Models)

The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

Firepower 1010

75

Firepower 1120

150

Firepower 1140

400

Firepower 2110

1500

Firepower 2120

3500

Firepower 2130

7500

Firepower 2140

10,000

Secure Firewall 3110

3000

Secure Firewall 3120

6000

Secure Firewall 3130

15,000

Secure Firewall 3140

20,000

Firepower 4100, all models

10,000

Firepower 9300 appliance, all models

20,000

ISA 3000

25

For capacity of other hardware models, contact your sales representative.


Note


The threat defense device denies the VPN connections once the maximum session limit per platform is reached. The connection is denied with a syslog message. Refer the syslog messages %ASA-4-113029 and %ASA-4-113038 in the syslog messaging guide. For more information, see Cisco Secure Firewall ASA Series Syslog Messages.

Controlling Cipher Usage for VPN

To prevent use of ciphers greater than DES, pre-deployment checks are available at the following locations in the management center:

Devices > Platform Settings > Edit > SSL.

Devices > VPN > Remote Access > Edit > Advanced > IPsec.

For more information about SSL settings and IPsec, see SSL and Configure Remote Access VPN IPsec/IKEv2 Parameters.

Authentication, Authorization, and Accounting

Configure DNS on each device in the topology in to use remote access VPN. Without DNS, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames; it can only resolve IP addresses.

You can configure DNS using the Platform Settings. For more information, see DNS and DNS Server Group.

Client Certificates

If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Security Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect Client using a web browser.

Using multiple AnyConnect packages on threat defense devices can increase memory usage and affect the device's performance.

The following AnyConnect features are not supported when connecting to a threat defense secure gateway:

  • AnyConnect Customization and Localization support. The threat defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

  • TACACS, Kerberos (KCD Authentication and RSA SDI).

  • Browser Proxy.

Configuring a New Remote Access VPN Connection

This section provides instructions to configure a new remote access VPN policy with Secure Firewall Threat Defense devices as VPN gateways and Cisco AnyConnect as the VPN client.

Step

Do This

More Info

1

Review the guidelines and prerequisites.

Guidelines and Limitations for Remote Access VPNs

Prerequisites for Configuring Remote Access VPN

2

Create a new remote access VPN policy using the wizard.

Create a New Remote Access VPN Policy

3

Update the access control policy deployed on the device.

Update the Access Control Policy on the Secure Firewall Threat Defense Device

4

(Optional) Configure a NAT exemption rule if NAT is configured on the device.

(Optional) Configure NAT Exemption

5

Configure DNS.

Configure DNS

6

Add AnyConnect Client Profile.

Add AnyConnect Client Profile XML File

7

Deploy the remote access VPN policy.

Deploy Configuration Changes

8

(Optional) Verify the remote access VPN policy configuration.

Verify the Configuration

Prerequisites for Configuring Remote Access VPN

  • Deploy Secure Firewall Threat Defense devices and configure Secure Firewall Management Center to manage the device with required licenses with export-controlled features enabled. For more information, see VPN Licensing.

  • Configure the certificate enrollment object that is used to obtain the identity certificate for each threat defense device that act as a remote access VPN gateway.

  • Configure the RADIUS server group object and any AD or LDAP realms being used by remote access VPN policies.

  • Ensure that the AAA Server is reachable from the threat defense device for the remote access VPN configuration to work. Configure routing (at Devices > Device Management > Edit Device > Routing) to ensure connectivity to the AAA servers.

    For remote access VPN double authentication, ensure that both the primary and secondary authentication servers are reachable from the threat defense device for the double authentication configuration to work.

  • Purchase and enable one of the following Cisco AnyConnect Client licenses: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only to enable the threat defense remote access VPN.

  • Download the latest AnyConnect Client image files from Cisco Software Download Center.

    On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect Client image files.

  • Create a security zone or interface group that contains the network interfaces that users will access for VPN connections. See Interface.

  • Download the AnyConnect Profile Editor from Cisco Software Download Center to create the AnyConnect client profile. You can use the standalone profile editor to create a new or modify an existing AnyConnect profile.

Create a New Remote Access VPN Policy

The Remote Access VPN Policy Wizard guides you to quickly and easily set up remote access VPNs with basic capabilities. You can further enhance the policy configuration by specifying additional attributes as you want and deploy it to your Secure Firewall Threat Defense secure gateway devices.

Before you begin

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Add to create a new remote access VPN policy with basic policy configuration, using the Remote Access VPN Policy wizard.

You must proceed through the entire wizard to create a new policy; the policy is not saved if you cancel before you complete the wizard.

Step 3

Select the target devices and protocols.

The threat defense devices that you select here functions as your remote access VPN gateways for the VPN client users.

You can select threat defense devices when you create a remote access VPN policy or change them later. See Set Target Devices for a Remote Access VPN Policy.

You can select SSL or IPSec-IKEv2, or both the VPN protocols. Threat Defense supports both the protocols to establish secure connections over a public network through VPN tunnels.

Note

 

Threat Defense does not support IPSec tunnels with NULL encryption. If you have selected IPSec-IKEv2, make sure that you do not choose NULL encryption for IPSec IKEv2 proposal. See Configure IKEv2 IPsec Proposal Objects.

For SSL settings, see SSL.

Step 4

Configure the Connection Profile and Group Policy settings.

A connection profile specifies a set of parameters that define how the remote users connect to the VPN device. The parameters include settings and attributes for authentication, address assignments to VPN clients, and group policies. Threat Defense device provides a default connection profile named DefaultWEBVPNGroup when you configure a remote access VPN policy.

For more information, see Configure Connection Profile Settings.

For information about configuring,

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience for VPN users. You configure attributes such as user authorization profile, IP addresses, AnyConnect settings, VLAN mapping, and user session settings and so on using the group policy. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.

For more information, see Configuring Group Policies.

Step 5

Select the AnyConnect Client Image that the VPN users will use to connect to the remote access VPN.

The AnyConnect Security Mobility Client provides secure SSL or IPSec (IKEv2) connections to the Secure Firewall Threat Defense device for remote users with full VPN profiling to corporate resources. After the remote access VPN policy is deployed on the threat defense device, VPN users can enter the IP address of the configured device interface in their browser to download and install the AnyConnect Client.

For information about configuring the client profile and client modules, see Group Policy AnyConnect Client Options.

Step 6

Select the Network Interface and Identity Certificate.

Interface objects segment your network to help you manage and classify traffic flow. A security zone object simply groups interfaces. These groups may span multiple devices; you can also configure multiple zones interface objects on a single device. There are two types of interface objects:

  • Security zones—An interface can belong to only one security zone.

  • Interface groups—An interface can belong to multiple interface groups (and to one security zone).

Step 7

View the Summary of the remote access VPN policy configuration.

The Summary page displays all the remote access VPN settings you have configured so far and provides links to the additional configurations that need to be performed before deploying the remote access VPN policy on the selected devices.

Click Back to make changes to the configuration, if required.

Step 8

Click Finish to complete the basic configuration for the remote access VPN policy.

When you complete the Remote Access VPN Policy Wizard, the policy listing page appears. Later, set up DNS configuration, configure access control for VPN users, and enable NAT exemption (if necessary) to complete a basic remote access VPN Policy configuration.


Update the Access Control Policy on the Secure Firewall Threat Defense Device

Before deploying the remote access VPN policy, you must update the access control policy on the targeted Secure Firewall Threat Defense device with a rule that allows VPN traffic. The rule must allow all traffic coming in from the outside interface, with source as the defined VPN pool networks and destination as the corporate network.


Note


If you have selected the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) option on the Access Interface tab, you need not update the access control policy for remote access VPN.

Enable or disable the option for all your VPN connections. If you disable this option, make sure that the traffic is allowed by the access control policy or pre-filter policy.

For more information, see Configure Access Interfaces for Remote Access VPN.


Before you begin

Complete the remote access VPN policy configuration using the Remote Access VPN Policy wizard.

Procedure


Step 1

On your Secure Firewall Management Center web interface, choose Policies > Access Control.

Step 2

Click Edit on the access control policy that you want to update.

Step 3

Click Add Rule to add a new rule.

Step 4

Specify the Name for the rule and select Enabled.

Step 5

Select the Action, Allow or Trust.

Step 6

Select the following on the Zones tab:

  1. Select the outside zone from Available Zones and click Add to Source.

  2. Select the inside zone from Available Zones and click Add to Destination.

Step 7

Select the following on the Networks tab:

  1. Select the inside network (inside interface and/or a corporate network) from Available networks and click Add to Destination.

  2. Select the VPN address pool network from Available Networks and click Add to Source Networks.

Step 8

Configure other required access control rule settings and click Add.

Step 9

Save the rule and access control policy.


(Optional) Configure NAT Exemption

NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption enables you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT). Use static identity NAT to consider ports in the access list.

When you configure static identity NAT for remote access or site-to-site VPN, you must configure NAT with the route lookup option. Without route lookup, the threat defense sends traffic out of the interface specified in the NAT command, regardless of what the routing table says. For example, you do not want the threat defense to send the DHCP scope traffic through an incorrect interface; it will never return to the interface IP address. The route lookup option lets the threat defense send, or intercept, the traffic directly on the interface IP address instead of through the interface. For traffic from the VPN client to a host on the inside network, the route lookup option will still result in the correct egress interface (inside), so normal traffic flow is not affected.

Before you begin

Check if NAT is configured on the targeted devices where remote access VPN policy is deployed. If NAT is enabled on the targeted devices, you must define a NAT policy to exempt VPN traffic.

Procedure


Step 1

On your Secure Firewall Management Center web interface, click Devices > NAT.

Step 2

Select a NAT policy to update or click New Policy > Threat Defense NAT to create a NAT policy with a NAT rule to allow connections through all interfaces.

Step 3

Click Add Rule to add a NAT rule.

Step 4

On the Add NAT Rule window, select the following:

  1. Select the NAT Rule as Manual NAT Rule.

  2. Select the Type as Static.

  3. Click Interface Objects and select the Source and destination interface objects.

Note

 

This interface object must be the same as the interface selected in the remote access VPN policy.

For more information, see Configure Access Interfaces for Remote Access VPN.
  1. Click Translation and select the source and destination networks:

    • Original Source and Translated Source

    • Original Destination and Translated Destination

Step 5

On the Advanced tab, select Do not proxy ARP on Destination Interface.

Do not proxy ARP on Destination Interface—Disables proxy ARP for incoming packets to the mapped IP addresses. If you use addresses on the same network as the mapped interface, the system uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the device does not have to be the gateway for any additional networks. You can disable proxy ARP if desired, in which case you need to be sure to have proper routes on the upstream router.

Step 6

Click OK.


Configure DNS

Configure DNS on each threat defense device in order to use remote access VPN. Without DNS, the devices cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames. It can only resolve IP addresses.

Procedure


Step 1

Configure DNS server details and domain-lookup interfaces using the Platform Settings. For more information, see DNS and DNS Server Group.

Step 2

Configure split-tunnel in group policy to allow DNS traffic through remote access VPN tunnel if the DNS server is reachable through VNP network. For more information, see Configure Group Policy Objects.


Add AnyConnect Client Profile XML File

The AnyConnect Client Profile is a group of configuration parameters stored in an XML file that the client uses to configure its operation and appearance. These parameters (XML tags) include the names and addresses of host computers and settings to enable more client features.

You can create the AnyConnect Client Profile using the AnyConnect Client Profile Editor, a GUI-based configuration tool that is available as part of the AnyConnect software package. It is an independent program that you run outside of the management center. For more information about AnyConnect Client Profile Editor, see Cisco AnyConnect Secure Mobility Client Administrator Guide.

Before you begin

A Secure Firewall Threat Defense remote access VPN policy requires assignment of the AnyConnect Client Profile to the VPN clients. You can attach the client profile to a group policy.

Download the AnyConnect Client Profile Editor from Cisco Software Download Center.

Procedure


Step 1

Choose Devices > Remote Access.

Step 2

Click Edit on the remote access VPN policy which you want to update.

Step 3

Click Edit on the connection profile to which you want to add the AnyConnect Client profile.

Step 4

Click Edit Group Policy. If you choose to add a new group policy, click Add.

Step 5

Choose AnyConnect > Profile.

Step 6

Choose a profile from the Client Profile drop-down list. If you choose to add a new client profile, click Add and do the following:

  1. Specify the profile Name.

  2. Click Browse and select the AnyConnect Client Profile XML file.

    Note

     

    For two-factor authentication, make sure that the timeout is set to 60 seconds or more in the AnyConnect Client profile.

  3. Click Save.

Step 7

Save your changes.


(Optional) Configure Split Tunneling

Split tunnel allows VPN connectivity to a remote network across a secure tunnel and also to a network outside VPN tunnel. Configure split tunneling if you want to allow your VPN users to access an outside network while they remain connected to the remote access VPN. To configure a split-tunnel list, you must create a Standard Access List or Extended Access List.

For more information, see Configuring Group Policies.

Procedure


Step 1

Choose Devices > Remote Access.

Step 2

Click Edit on the remote access VPN policy for which you want to configure split tunneling.

Step 3

Click Edit on the required connection profile.

Step 4

Click Add to add a group policy or click Edit Group Policy.

Step 5

Choose General > Split Tunneling.

Step 6

From the IPv4 Split Tunneling or IPv6 Split Tunneling list, select Exclude networks specified below and then select the networks that you want to exclude from VPN traffic.

The default setting allows all traffic over the VPN tunnel.

Step 7

Click Standard Access List or Extended Access List, and select an access list from the drop-down or add a new one.

Step 8

If you choose to add a new standard or extended access list, do the following:

  1. Specify the Name for the new access list and click Add.

  2. Choose Allow from the Action drop-down.

  3. Select the network traffic that you want to allow over the VPN tunnel and click Add.

Step 9

Save your changes.


(Optional) Configure Dynamic Split Tunneling

Dynamic split tunneling allows you to fine-tune split tunneling based on DNS domain names. You can configure domains that must be included or excluded in the remote access VPN tunnel. Excluded domains are not blocked. Instead, traffic to those domains is kept outside the VPN tunnel. For example, you could send traffic to Cisco WebEx on the public Internet, thus freeing bandwidth in your VPN tunnel for traffic that is targeted to servers within your protected network. For more information about configuring this feature, see Configure AnyConnect Dynamic Split Tunnel on FTD Managed by FMC.

Before you begin

You can configure this feature using the management center and threat defense from versions 7.0 or later. If you have an older version of the management center, you can configure it using FlexConfig as instructed in the Advanced AnyConnect VPN Deployments for Firepower Threat Defense with FMC.

Procedure


Step 1

Configure the group policy to use Dynamic Split Tunnel.

  1. Choose Devices > Remote Access.

  2. Click Edit on the remote access VPN policy for which you want to configure dynamic split tunneling.

  3. Click Edit on the required connection profile.

  4. Click Edit Group Policy.

Step 2

Configure the AnyConnect custom attribute in the Add/Edit Group Policy dialog box.

  1. Click the AnyConnect tab.

  2. Click Custom Attributes and click +.

  3. Choose Dynamic Split Tunneling from the AnyConnect Attribute drop-down list.

  4. Click + to create a new custom attribute object.

  5. Enter the name for the custom attribute object.

  6. Include domains—Specify domain names that will be included in the remote access VPN tunnel.

    You can include domains in the tunnel that will be excluded based on IP addresses.

  7. Exclude domains—Specify domain names that will be excluded from the remote access VPN.

    Excluded domains are not blocked, traffic to these domains is kept outside the VPN tunnel.

  8. Click Save.

  9. Click Add.

Step 3

Verify the configured custom attribute and click Save to save the group policy.

Step 4

Click Save to save the connection profile.

Step 5

Click Save to save the remote access VPN policy.


What to do next

  1. Deploy the configuration to threat defense.

  2. Verify the configured dynamic split tunnel configuration on the threat defense and the AnyConnect Client. For more information, see Verify Dynamic Split Tunneling Configuration.

Verify Dynamic Split Tunneling Configuration

On the Threat Defense

Use the following commands to verify the dynamic split tunneling configuration:

  • show running-config webvpn

  • show running-config anyconnect-custom-data

  • show running-config group-policy <group-policy-name>

On the AnyConnect Client

Click the Statistics () icon and choose VPN > Statistics. You can confirm the domains under the Dynamic Split Exclusion/Inclusion category.

Verify the Configuration

Procedure


Step 1

Open a web browser on a machine on the outside network.

Step 2

Enter the URL of the threat defense remote access VPN gateway device.

Step 3

Enter the username and password when prompted, and click Logon.

Note

 

Connection to the VPN establishes automatically if you install AnyConnect on the system.

The VPN prompts you to download AnyConnect if AnyConnect is not installed.

Step 4

Download AnyConnect if it is not installed and connect to the VPN.

The AnyConnect installs itself. On successful authentication, you establish connection to the Secure Firewall Threat Defense remote access VPN gateway. The remote access VPN enforces the applicable identity or QoS policy according to your VPN policy configuration.

Create a Copy of an Existing Remote Access VPN Policy

You can copy an existing remote access VPN policy to create a new one with all the settings, including the connection profiles and access interfaces. You can then assign devices to the new policy and deploy the VPN on the assigned devices as required.


Note


Users with read-only permission for remote access VPN cannot create copy of the VPN. Users with read-only privileges in the domain can copy the remote access VPNs.


Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Copy on the policy that you want to copy.

Step 3

Specify a Name for the new remote access VPN.

Step 4

Click OK.


What to do next

To assign devices to the new policy, see Set Target Devices for a Remote Access VPN Policy.

Set Target Devices for a Remote Access VPN Policy

After you create remote access VPN policy, you can assign the policy to threat defense devices.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Edit (edit icon) next to the remote access VPN policy that you want to edit.

Step 3

Click Policy Assignments.

Step 4

Do any of the following:

  • To assign a device, high-availability pair, or device group to the policy, select it in the Available Devices list and click Add. You can also drag and drop the available devices to select.
  • To remove a device assignment, click Delete (delete icon) next to a device, high-availability pair, or device group in the Selected Devices list.

Step 5

Click OK.

Step 6

Click Save.


What to do next

Associate Local Realm with Remote Access VPN Policy

You can associate local realm to remote access VPN policy to enable local user authentication.

For information about creating and managing realms, see Manage a Realm.

For information about configuring local user authentication for remote access VPNs, see Configure AAA Settings for Remote Access VPN.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Edit (edit icon) next to the remote access VPN policy that you want to edit.

Step 3

Click the link next to Local Realm.

Step 4

Select the Local Realm Server from the list, or click Add to add a new local realm.

Step 5

Click OK.

Step 6

Click Save.


What to do next

Additional Remote Access VPN Configurations

Configure Connection Profile Settings

Remote Access VPN policy contains the connection profiles targeted for specific devices. These policies pertain to creating the tunnel itself, such as, how AAA is accomplished, and how addresses are assigned (DHCP or Address Pools) to VPN clients. They also include user attributes, which are identified in group policies configured on the threat defense device or obtained from a AAA server. A device also provides a default connection profile named DefaultWEBVPNGroup. The connection profile that is configured using the wizard appears in the list.

If you decide to grant different rights to different groups of VPN users, then you can add specific connection profiles for each of the user groups and maintain multiple connection profiles in your remote access VPN policy.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Select a Connection Profile and click Edit.

Step 4

(Optional) If you choose to add new connection profile, click Add.

Step 5

Configure IP Addresses for VPN Clients.

Configure IP Addresses for VPN Clients

Step 6

(Optional) Update AAA Settings for remote access VPNs.

Configure AAA Settings for Remote Access VPN

Step 7

(Optional) Create or update Aliases.

Create or Update Aliases for a Connection Profile

Step 8

Save your changes.


Configure IP Addresses for VPN Clients

Client address assignment allows you to assign IP addresses for the remote access VPN users.

You can assign IP Address for remote VPN clients from the local IP address pools, DHCP Servers, and AAA servers. The AAA servers are assigned first, followed by others. Configure the Client Address Assignment policy in the Advanced tab to define the assignment criteria. The IP pools defined in this connection profile will only be used if no IP pools are defined in group policy associated with the connection profile, or the system default group policy DfltGrpPolicy.

IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the Threat Defense device. Address pools define a range of addresses that remote clients can receive. You can add a maximum of six pools for IPv4 and IPv6 addresses each.


Note


You can use the IP address from the existing IP pools in the Management Center or create a new pool using the Add option. Also, you can create an IP pool in Management Center using the Objects > Object Management > Address Pools path. For more information, see Address Pools.
Procedure

Step 1

Choose Devices > VPN > Remote Access.

Existing remote access policies are listed.

Step 2

Select a remote access VPN policy and click the edit icon.

Step 3

Select the connection profile that you want to update and click the edit icon.

Step 4

Under the Client Address Assignment tab, do the following:

Step 5

Click + next to Address Pools:

  1. Click + next to Address Pools to add IP addresses, and select IPv4 or IPv6 to add the corresponding address pool. Select the IP address pool from Available Pools and click Add.

    Note

     
    If you share your remote access VPN policy among multiple Secure Firewall Threat Defense devices, bear in mind that all devices share the same address pool unless you use device-level object overrides to replace the global definition with a unique address pool for each device. Unique address pools are required to avoid overlapping addresses in cases where the devices are not using NAT.
  2. Click + next to Available Pools in the Address Pools window to add a new IPv4 or IPv6 address pool. When you choose the IPv4 pool, provide a starting and ending IP address. When you choose to include a new IPv6 address pool, enter Number of Addresses in the range 1-16384. Select the Allow Overrides option to avoid conflicts with IP address when objects are shared across many devices. For more information, see Address Pools.

  3. Click OK.

    If you plan to edit the IP address pools, we recommend that you perform the following steps during a maintenance window:

    1. Unassign the device from the remote access VPN.

    2. Select the device and click Deploy.

      This deployment removes all the remote access VPN configurations from the device, terminates the remote access VPN sessions, the sessions are not reestablished.

    3. Click the edit icon next to the IP address pools to edit it, edit any other remote access VPN configurations, if required, on the Management Center.

    4. Assign the device to the updated remote access VPN policy.

    5. Deploy the configurations on the device.

      The remote access VPN clients can connect to the device after the maintenance window.

Step 6

Click + next to DHCP Servers to add DHCP servers:

Note

 
The DHCP server address can be configured only with IPv4 address.
  1. Specify the name and DHCP (Dynamic Host Configuration Protocol) server address as network objects. Click Add to choose the server from the object list. Click Delete to delete a DHCP server.

  2. Click Add in the New Objects page to add a new network object. Enter the new object name, description, network, and select the Allow Overrides option as applicable. For more information, see Creating Network Objects and Allowing Object Overrides.

  3. Click OK.

Step 7

Click Save.


Configure AAA Settings for Remote Access VPN

Before you begin
  • Ensure that the required machine and user certificates are deployed on the endpoints. For information about Secure Firewall Threat Defense certificates, see Managing Threat Defense CertificatesManaging VPN Certificate.

  • Configure AnyConnect profiles with required certificates. For more information, see .

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Select a connection profile to update AAA settings, click Edit > AAA.

Step 4

Select the following for Authentication:

  • Authentication Method—Determines how a user is identified before being allowed access to the network and network services. It controls access by requiring valid user credentials, which are typically a username and password. It may also include the certificate from the client. Supported authentication methods are AAA only, Client Certificate only, and AAA + Client Certificate.

    When you select the Authentication Method as:

    • AAA Only—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must select the Authorization Server and Accounting Server manually.

    • SAML—Each user is authenticated using the SAML single sign-on server. For more information, see Single Sign-On Authentication with SAML 2.0.

      Override Identity Provider Certificate—Select to override the primary identity provider certificate of the SAML provider with an IdP certificate specific to a connection profile or SAML application. Select the IdP certificate from the drop-down.

      Microsoft Azure can support multiple applications for the same entity ID. Each application (mapped to a different connection profile) requires a unique certificate. If you want to retain an existing entity ID for the single-sign-on object in current connection profile and use a different IdP certificate, you can select this option.

      This enables support for multiple SAML applications per Microsoft Azure SAML identity provider.

      The primary identity certificate is configured in the single sign-on server object.

      For information about configuring a single sign-on server object, see Add a Single Sign-on Server.

      Choose your SAML Login Experience to configure a browser for SAML web authentication:

      • VPN client embedded browser—Choose this option to use the browser embedded with the VPN client for web authentication. The authentication applies to the VPN connection only.

      • Default OS Browser—Choose this option to configure the operating system that default or native browser that supports WebAuthN (FIDO2 standard for web authentication). This option enables single sign-on(SSO) support for web authentication methods such as biometric authentication.

        The default browser requires an external browser package for web authentication. The package Default-External-Browser-Package is configured by default. You can change the default external browser package by editing a remote access VPN policy and selecting the file under Advanced > AnyConnect Client Images > Package File.

        You can also add a new package file by selecting. Objects > Object Management > VPN > AnyConnect File > Add AnyConnect File.

    • Client Certificate Only—Each user is authenticated with a client certificate. The client certificate must be configured on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU. If the user name is specified in other fields in the client certificate, use 'Primary' and 'Secondary' field to map appropriate fields.

      Select Enable multiple certificate authentication to authenticate the VPN client using the machine and user certificates.

      If have enabled multiple certificate authentication, you can select one of the following certificates to map the username and authenticate the VPN user:

      • First Certificate—Select this option to map the username from the machine certificate sent from the VPN client.

      • Second Certificate—Select this option to map the username from the user certificate sent from the client.

      Note

       

      If you do not enable multiple certificate authentication, the user certificate (second certificate) is used for authentication by default.

      If you select the Map specific field option, which includes the username from the client certificate, the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity. A distinguished name (DN) is a unique identification, made up of individual fields used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication.

      The primary and Secondary fields pertaining to the Map specific field option contain these common values:

      • C (Country)

      • CN (Common Name)

      • DNQ (DN Qualifier)

      • EA (Email Address)

      • GENQ (Generational Qualifier)

      • GN (Given Name)

      • I (Initial)

      • L (Locality)

      • N (Name)

      • O (Organisation)

      • OU (Organisational Unit)

      • SER (Serial Number)

      • SN (Surname)

      • SP (State Province)

      • T (Title)

      • UID (User ID)

      • UPN (User Principal Name)

    • Client Certificate & AAA— Each user is authenticated with both a client certificate and AAA server. Select the required certificate and AAA configurations for authentication.

      Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

    • Client Certificate & SAML— Each user is authenticated with both a client certificate and SAML server. Select the required certificate and SAML configurations for authentication.

      • Allow connection only if username from certificate and SAML are the same—Select to allow VPN connection only if the username from the certificate matches the SAML single sign-on username.

      • Use username from client certificate for Authorization—When you choose the option to pick username from client certificate for authorization, you must configure the fields to pick from the client certificate.

        You can choose to map a specific filed as the username or use the entire distinguished name (DN) for authorization:

        • Map specific field— Select to include the username from the client certificate; the Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively.

        • Use entire DN as username— The system automatically retrieves the user identity for authorization.

      You can also create a Dynamic Access Policy (DAP) to match user-specific SAML assertion attributes or username to DAP certificate attributes. See Configure AAA Criteria Settings for DAP.

  • Authentication Server—Authentication is the way a user is identified before being allowed access to the network and network services. Authentication requires valid user credentials, a certificate, or both. You can use authentication alone, or with authorization and accounting.

    Select an authentication server from the list if you have added a server already or else create an authentication server:

Fallback to LOCAL Authentication— The user is authenticated using the local database and the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured.

  • Use secondary authentication — Secondary authentication is configured in addition to primary authentication to provide additional security for VPN sessions. Secondary authentication is applicable only to AAA only and Client Certificate & AAA authentication methods.

    Secondary authentication is an optional feature that requires a VPN user to enter two sets of username and password on the AnyConnect login screen. You can also configure to pre-fill the secondary username from the authentication server or client certificate. Remote access VPN authentication is granted only if both primary and secondary authentications are successful. VPN authentication is denied if any one of the authentication servers is not reachable or one authentication fails.

    You must configure a secondary authentication server group (AAA server) for the second username and password before configuring secondary authentication. For example, you can set the primary authentication server to an LDAP or Active Directory realm and the secondary authentication to a RADIUS server.

    Note

     

    By default, secondary authentication is not required.

    Authentication Server— Secondary authentication server to provide secondary username and password for VPN users.

    • Fallback to LOCAL Authentication— This user is authenticated using the local database and the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured.

    Select the following under Username for secondary authentication:

    • Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.

    • Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.

    • Map username from client certificate: Prefills the secondary username from the client certificate.

      If you have enabled multiple certificate authentication, you can select one of the following certificates:

      • First Certificate— Select this option to map the username from the machine certificate sent from the VPN client.

      • Second Certificate— Select this option to map the username from the user certificate sent from the client.

      • If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.

        See Authentication Method descriptions for more information about primary and secondary field mapping.

      • Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via AnyConnect.

        • Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.

    • Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.

Step 5

Select the following for Authorization:

  • Authorization Server—After authentication is complete, authorization controls the services and commands available to each authenticated user. Authorization works by assembling a set of attributes that describe what the user is authorized to perform, their actual capabilities, and restrictions. When you do not use authorization, authentication alone provides the same access to all authenticated users. Authorization requires authentication.

    To know more about how remote access VPN authorization works, see Understanding Policy Enforcement of Permissions and Attributes.

    When a RADIUS Server is configured for user authorization in the connection profile, the remote access VPN system administrator can configure multiple authorization attributes for users or user-groups. The authorization attributes that are configured on the RADIUS server can be specific for a user or a user-group. Once users are authenticated, these specific authorization attributes are pushed to the threat defense device.

    Note

     

    The AAA server attributes obtained from the authorization server override the attribute values that may have been previously configured on the group policy or the connection profile.

  • Check Allow connection only if user exists in authorization database if desired.

    When enabled, the system checks the username of the client must exist in the authorization database to allow a successful connection. If the username does not exist in the authorization database, then the connection is denied.

  • When you select a realm as the Authorization Server, you must configure an LDAP attribute map. You can choose a single server for authentication and authorization or a different servers. Click Configure LDAP Attribute Map to add LDAP attribute maps for authorization.

    Note

     

    Threat Defense does not support SAML Identity Provider as the Authorization server. If the Active Directory behind the SAML Identity Provider is reachable via management center and threat defense, you can configure authorization following these steps:

    For information about configuring LDAP attribute maps, see Configuring LDAP Attribute Mapping.

Step 6

Select the following for Accounting:

  • Accounting Server—Accounting is used to track the services that users are accessing and the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS server. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the services used, and the duration of each session. This data can then be analyzed for network management, client billing, or auditing. You can use accounting alone or together with authentication and authorization.

    Specify the RADIUS Server Group object that will be used to account for the remote access VPN session.

Step 7

Select the following Advanced Settings:

  • Strip Realm from username—Select to remove the realm from the username before passing the username on to the AAA server. For example, if you select this option and provide domain\username, the domain is stripped off from the username and sent to AAA server for authentication. By default this option is unchecked.

  • Strip Group from username—Select to remove the group name from the username before passing the username on to the AAA server. By default this option is unchecked.

    Note

     
    A realm is an administrative domain. Enabling these options allows the authentication to be based on the username alone. You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.
  • Password Management—Enable managing the password for the remote access VPN users. Select to notify ahead of the password expiry or on the day the password expires.

Step 8

Click Save.


RADIUS Server Attributes for Secure Firewall Threat Defense

The threat defense device supports applying user authorization attributes (also called user entitlements or permissions) to VPN connections from the external RADIUS server that are configured for authentication and/or authorization in the remote access VPN policy.


Note


Secure Firewall Threat Defense devices support attributes with vendor ID 3076.


The following user authorization attributes are sent to the threat defense device from the RADIUS server.

  • RADIUS attributes 146 and 150 are sent from threat defense devices to the RADIUS server for authentication and authorization requests.

  • All three (146, 150, and 151) attributes are sent from threat defense devices to the RADIUS server for accounting start, interim-update, and stop requests.

Table 2. RADIUS Attributes Sent from Secure Firewall Threat Defense to RADIUS Server

Attribute

Attribute Number

Syntax, Type

Single or Multi-valued

Description or Value

Connection Profile Name or Tunnel Group Name

146

String

Single

1-253 characters

Client Type

150

Integer

Single

2 = AnyConnect Client SSL VPN, 6 = AnyConnect Client IPsec VPN (IKEv2)

Session Type

151

Integer

Single

1 = AnyConnect Client SSL VPN, 2 = AnyConnect Client IPsec VPN (IKEv2)

Table 3. Supported RADIUS Authorization Attributes

Attribute Name

Threat Defense

Attr. No.

Syntax/Type

Single or Multi-
Valued

Description or Value

Access-Hours

Y

1

String

Single

Name of the time range, for example, Business-hours

Access-List-Inbound

Y

86

String

Single

Both of the Access-List attributes take the name of an ACL that is configured on the threat defense device. Create these ACLs using the Smart CLI Extended Access List object type (select Device > Advanced Configuration > Smart CLI > Objects).

These ACLs control traffic flow in the inbound (traffic entering the threat defense device) or outbound (traffic leaving the threat defense device) direction.

Access-List-Outbound

Y

87

String

Single

Address-Pools

Y

217

String

Single

The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the remote access VPN. Define the network object on the Objects page and then associate the network object with a group policy or a connection profile.

Allow-Network-Extension-Mode

Y

64

Boolean

Single

0 = Disabled
1 = Enabled

Authenticated-User-Idle-Timeout

Y

50

Integer

Single

1-35791394 minutes

Authorization-DN-Field

Y

67

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name

Authorization-Required

66

Integer

Single

0 = No
1 = Yes

Authorization-Type

Y

65

Integer

Single

0 = None
1 = RADIUS
2 = LDAP

Banner1

Y

15

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL

Banner2

Y

36

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured.

Cisco-IP-Phone-Bypass

Y

51

Integer

Single

0 = Disabled
1 = Enabled

Cisco-LEAP-Bypass

Y

75

Integer

Single

0 = Disabled
1 = Enabled

Client Type

Y

150

Integer

Single

1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)

Client-Type-Version-Limiting

Y

77

String

Single

IPsec VPN version number string

DHCP-Network-Scope

Y

61

String

Single

IP Address

Extended-Authentication-On-Rekey

Y

122

Integer

Single

0 = Disabled
1 = Enabled

Framed-Interface-Id

Y

96

String

Single

Assigned IPv6 interface ID. Combines with Framed-IPv6-Prefix to create a complete assigned IPv6 address. For example: Framed-Interface-ID=1:1:1:1 combined with Framed-IPv6-Prefix=2001:0db8::/64 gives the assigned IP address 2001:0db8::1:1:1:1.

Framed-IPv6-Prefix

Y

97

String

Single

Assigned IPv6 prefix and length. Combines with Framed-Interface-Id to create a complete assigned IPv6 address. For example: prefix 2001:0db8::/64 combined with Framed-Interface-Id=1:1:1:1 gives the IP address 2001:0db8::1:1:1:1. You can use this attribute to assign an IP address without using Framed-Interface-Id, by assigning the full IPv6 address with prefix length /128, for example, Framed-IPv6-Prefix=2001:0db8::1/128.

Group-Policy

Y

25

String

Single

Sets the group policy for the remote access VPN session. You can use one of the following formats:

  • group policy name

  • OU=group policy name

  • OU=group policy name;

IE-Proxy-Bypass-Local

83

Integer

Single

0 = None
1 = Local

IE-Proxy-Exception-List

82

String

Single

New line (\n) separated list of DNS domains

IE-Proxy-PAC-URL

Y

133

String

Single

PAC address string

IE-Proxy-Server

80

String

Single

IP address

IE-Proxy-Server-Policy

81

Integer

Single

1 = No Modify
2 = No Proxy
3 = Auto detect
4 = Use Concentrator Setting

IKE-KeepAlive-Confidence-Interval

Y

68

Integer

Single

10-300 seconds

IKE-Keepalive-Retry-Interval

Y

84

Integer

Single

2-10 seconds

IKE-Keep-Alives

Y

41

Boolean

Single

0 = Disabled
1 = Enabled

Intercept-DHCP-Configure-Msg

Y

62

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Allow-Passwd-Store

Y

16

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Authentication

13

Integer

Single

0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory

IPsec-Auth-On-Rekey

Y

42

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Backup-Server-List

Y

60

String

Single

Server Addresses (space delimited)

IPsec-Backup-Servers

Y

59

String

Single

1 = Use Client-Configured list
2 = Disable and clear client list
3 = Use Backup Server list

IPsec-Client-Firewall-Filter-Name

57

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy

IPsec-Client-Firewall-Filter-Optional

Y

58

Integer

Single

0 = Required
1 = Optional

IPsec-Default-Domain

Y

28

String

Single

Specifies the single default domain name to send to the client (1-255 characters).

IPsec-IKE-Peer-ID-Check

Y

40

Integer

Single

1 = Required
2 = If supported by peer certificate
3 = Do not check

IPsec-IP-Compression

Y

39

Integer

Single

0 = Disabled
1 = Enabled

IPsec-Mode-Config

Y

31

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP

Y

34

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP-Port

Y

35

Integer

Single

4001- 49151. The default is 10000.

IPsec-Required-Client-Firewall-Capability

Y

56

Integer

Single

0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server

IPsec-Sec-Association

12

String

Single

Name of the security association

IPsec-Split-DNS-Names

Y

29

String

Single

Specifies the list of secondary domain names to send to the client (1-255 characters).

IPsec-Split-Tunneling-Policy

Y

55

Integer

Single

0 = No split tunneling
1 = Split tunneling
2 = Local LAN permitted

IPsec-Split-Tunnel-List

Y

27

String

Single

Specifies the name of the network or ACL that describes the split tunnel inclusion list.

IPsec-Tunnel-Type

Y

30

Integer

Single

1 = LAN-to-LAN
2 = Remote access

IPsec-User-Group-Lock

33

Boolean

Single

0 = Disabled
1 = Enabled

IPv6-Address-Pools

Y

218

String

Single

Name of IP local pool-IPv6

IPv6-VPN-Filter

Y

219

String

Single

ACL value

L2TP-Encryption

21

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Req
15= 40/128-Encr/Stateless-Req

L2TP-MPPC-Compression

38

Integer

Single

0 = Disabled
1 = Enabled

Member-Of

Y

145

String

Single

Comma-delimited string, for example:


Engineering, Sales

An administrative attribute that can be used in dynamic access policies. It does not set a group policy.

MS-Client-Subnet-Mask

Y

63

Boolean

Single

An IP address

NAC-Default-ACL

92

String

ACL

NAC-Enable

89

Integer

Single

0 = No
1 = Yes

NAC-Revalidation-Timer

91

Integer

Single

300-86400 seconds

NAC-Settings

Y

141

String

Single

Name of the NAC policy

NAC-Status-Query-Timer

90

Integer

Single

30-1800 seconds

Perfect-Forward-Secrecy-Enable

Y

88

Boolean

Single

0 = No
1 = Yes

PPTP-Encryption

20

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required
15= 40/128-Encr/Stateless-Req

PPTP-MPPC-Compression

37

Integer

Single

0 = Disabled
1 = Enabled

Primary-DNS

Y

5

String

Single

An IP address

Primary-WINS

Y

7

String

Single

An IP address

Privilege-Level

Y

220

Integer

Single

An integer between 0 and 15.

Required-Client- Firewall-Vendor-Code

Y

45

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall-Description

Y

47

String

Single

String

Required-Client-Firewall-Product-Code

Y

46

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:
1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:
1 = BlackIce Defender/Agent

Sygate Products:
1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

Required-Individual-User-Auth

Y

49

Integer

Single

0 = Disabled
1 = Enabled

Require-HW-Client-Auth

Y

48

Boolean

Single

0 = Disabled
1 = Enabled

Secondary-DNS

Y

6

String

Single

An IP address

Secondary-WINS

Y

8

String

Single

An IP address

SEP-Card-Assignment

9

Integer

Single

Not used

Session Subtype

Y

152

Integer

Single

0 = None
1 = Clientless
2 = Client
3 = Client Only

Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.

Session Type

Y

151

Integer

Single

0 = None
1 = AnyConnect Client SSL VPN
2 = AnyConnect Client IPSec VPN (IKEv2)
3 = Clientless SSL VPN
4 = Clientless Email Proxy
5 = Cisco VPN Client (IKEv1)
6 = IKEv1 LAN-LAN
7 = IKEv2 LAN-LAN
8 = VPN Load Balancing

Simultaneous-Logins

Y

2

Integer

Single

0-2147483647

Smart-Tunnel

Y

136

String

Single

Name of a Smart Tunnel

Smart-Tunnel-Auto

Y

138

Integer

Single

0 = Disabled
1 = Enabled
2 = AutoStart

Smart-Tunnel-Auto-Signon-Enable

Y

139

String

Single

Name of a Smart Tunnel Auto Signon list appended by the domain name

Strip-Realm

Y

135

Boolean

Single

0 = Disabled
1 = Enabled

SVC-Ask

Y

131

String

Single

0 = Disabled
1 = Enabled
3 = Enable default service
5 = Enable default clientless
(2 and 4 not used)

SVC-Ask-Timeout

Y

132

Integer

Single

5-120 seconds

SVC-DPD-Interval-Client

Y

108

Integer

Single

0 = Off
5-3600 seconds

SVC-DPD-Interval-Gateway

Y

109

Integer

Single

0 = Off)
5-3600 seconds

SVC-DTLS

Y

123

Integer

Single

0 = False
1 = True

SVC-Keepalive

Y

107

Integer

Single

0 = Off 15-600 seconds

SVC-Modules

Y

127

String

Single

String (name of a module)

SVC-MTU

Y

125

Integer

Single

MTU value
256-1406 in bytes

SVC-Profiles

Y

128

String

Single

String (name of a profile)

SVC-Rekey-Time

Y

110

Integer

Single

0 = Disabled
1-10080 minutes

Tunnel Group Name

Y

146

String

Single

1-253 characters

Tunnel-Group-Lock

Y

85

String

Single

Name of the tunnel group or “none”

Tunneling-Protocols

Y

11

Integer

Single

1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive.
0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values.

Use-Client-Address

17

Boolean

Single

0 = Disabled
1 = Enabled

VLAN

Y

140

Integer

Single

0-4094

WebVPN-Access-List

Y

73

String

Single

Access-List name

WebVPN ACL

Y

73

String

Single

Name of a WebVPN ACL on the device

WebVPN-ActiveX-Relay

Y

137

Integer

Single

0 = Disabled
Otherwise = Enabled

WebVPN-Apply-ACL

Y

102

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Auto-HTTP-Signon

Y

124

String

Single

Reserved

WebVPN-Citrix-Metaframe-Enable

Y

101

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Content-Filter-Parameters

Y

69

Integer

Single

1 = Java ActiveX
2 = Java Script
4 = Image
8 = Cookies in images

WebVPN-Customization

Y

113

String

Single

Name of the customization

WebVPN-Default-Homepage

Y

76

String

Single

A URL such as http://example-example.com

WebVPN-Deny-Message

Y

116

String

Single

Valid string (up to 500 characters)

WebVPN-Download_Max-Size

Y

157

Integer

Single

0x7fffffff

WebVPN-File-Access-Enable

Y

94

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Browsing-Enable

Y

96

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Entry-Enable

Y

95

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List

Y

78

String

Single

Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com)

WebVPN-Hidden-Shares

Y

126

Integer

Single

0 = None
1 = Visible

WebVPN-Home-Page-Use-Smart-Tunnel

Y

228

Boolean

Single

Enabled if clientless home page is to be rendered through Smart Tunnel.

WebVPN-HTML-Filter

Y

69

Bitmap

Single

1 = Java ActiveX
2 = Scripts
4 = Image
8 = Cookies

WebVPN-HTTP-Compression

Y

120

Integer

Single

0 = Off
1 = Deflate Compression

WebVPN-HTTP-Proxy-IP-Address

Y

74

String

Single

Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443)

WebVPN-Idle-Timeout-Alert-Interval

Y

148

Integer

Single

0-30. 0 = Disabled.

WebVPN-Keepalive-Ignore

Y

121

Integer

Single

0-900

WebVPN-Macro-Substitution

Y

223

String

Single

Unbounded.

WebVPN-Macro-Substitution

Y

224

String

Single

Unbounded.

WebVPN-Port-Forwarding-Enable

Y

97

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-Exchange-Proxy-Enable

Y

98

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-HTTP-Proxy

Y

99

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-List

Y

72

String

Single

Port forwarding list name

WebVPN-Port-Forwarding-Name

Y

79

String

Single

String name (example, “Corporate-Apps”).

This text replaces the default string, “Application Access,” on the clientless portal home page.

WebVPN-Post-Max-Size

Y

159

Integer

Single

0x7fffffff

WebVPN-Session-Timeout-Alert-Interval

Y

149

Integer

Single

0-30. 0 = Disabled.

WebVPN Smart-Card-Removal-Disconnect

Y

225

Boolean

Single

0 = Disabled
1 = Enabled

WebVPN-Smart-Tunnel

Y

136

String

Single

Name of a Smart Tunnel

WebVPN-Smart-Tunnel-Auto-Sign-On

Y

139

String

Single

Name of a Smart Tunnel auto sign-on list appended by the domain name

WebVPN-Smart-Tunnel-Auto-Start

Y

138

Integer

Single

0 = Disabled
1 = Enabled
2 = Auto Start

WebVPN-Smart-Tunnel-Tunnel-Policy

Y

227

String

Single

One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.

WebVPN-SSL-VPN-Client-Enable

Y

103

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Keep- Installation

Y

105

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Required

Y

104

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSO-Server-Name

Y

114

String

Single

Valid string

WebVPN-Storage-Key

Y

162

String

Single

WebVPN-Storage-Objects

Y

161

String

Single

WebVPN-SVC-Keepalive-Frequency

Y

107

Integer

Single

15-600 seconds, 0=Off

WebVPN-SVC-Client-DPD-Frequency

Y

108

Integer

Single

5-3600 seconds, 0=Off

WebVPN-SVC-DTLS-Enable

Y

123

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-DTLS-MTU

Y

125

Integer

Single

MTU value is from 256-1406 bytes.

WebVPN-SVC-Gateway-DPD-Frequency

Y

109

Integer

Single

5-3600 seconds, 0=Off

WebVPN-SVC-Rekey-Time

Y

110

Integer

Single

4-10080 minutes, 0=Off

WebVPN-SVC-Rekey-Method

Y

111

Integer

Single

0 (Off), 1 (SSL), 2 (New Tunnel)

WebVPN-SVC-Compression

Y

112

Integer

Single

0 (Off), 1 (Deflate Compression)

WebVPN-UNIX-Group-ID (GID)

Y

222

Integer

Single

Valid UNIX group IDs

WebVPN-UNIX-User-ID (UIDs)

Y

221

Integer

Single

Valid UNIX user IDs

WebVPN-Upload-Max-Size

Y

158

Integer

Single

0x7fffffff

WebVPN-URL-Entry-Enable

Y

93

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-List

Y

71

String

Single

URL list name

WebVPN-User-Storage

Y

160

String

Single

WebVPN-VDI

Y

163

String

Single

List of settings

Table 4. RADIUS Attributes Sent to Secure Firewall Threat Defense

Attribute

Attribute Number

Syntax, Type

Single or Multi-valued

Description or Value

Address-Pools

217

String

Single

The name of a network object defined on the threat defense device that identifies a subnet, which will be used as the address pool for clients connecting to the remote access VPN. Define the network object on the Objects page.

Banner1

15

String

Single

The banner to display when the user logs in.

Banner2

36

String

Single

The second part of the banner to display when the user logs in. Banner2 is appended to Banner1.

Downloadable ACLs

Cisco-AV-Pair

merge-dacl {before-avpair | after-avpair}

Supported via Cisco-AV-Pair configuration.

Filter ACLs

86, 87

String

Single

Filter ACLs are referred to by ACL name in the RADIUS server. It requires the ACL configuration to be already present on the threat defense device, so that it can be used during RADIUS authorization.

86=Access-List-Inbound

87=Access-List-Outbound

Group-Policy

25

String

Single

The group policy to use in the connection. You must create the group policy on the remote access VPN Group Policy page. You can use one of the following formats:

  • group policy name

  • OU=group policy name

  • OU=group policy name;

Simultaneous-Logins

2

Integer

Single

The number of separate simultaneous connections the user is allowed to establish, 0 - 2147483647.

VLAN

140

Integer

Single

The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the threat defense device.

You must set the values of the IE-Proxy-Server-Method attribute returned from ISE to one of the following:

  • IE_PROXY_METHOD_PACFILE: 8

  • IE_PROXY_METHOD_PACFILE_AND_AUTODETECT: 11

  • IE_PROXY_METHOD_PACFILE_AND_USE_SERVER: 12

  • IE_PROXY_METHOD_PACFILE_AND_AUTODETECT_AND_USE_SERVER: 15

Threat Defense will deliver a proxy setting only if one of the above values is used for the IE-Proxy-Server-Method attribute.

Create or Update Aliases for a Connection Profile

Aliases contain alternate names or URLs for a specific connection profile. Remote access VPN administrators can enable or disable the Alias names and Alias URLs. VPN users can choose an Alias name when they connect to the Secure Firewall Threat Defense device. Aliases names for all connections configured on this device can be turned on or off for display. You can also configure the list of Alias URLs, which your endpoints can select while initiating the remote access VPN connection. If users connect using the Alias URL, system will automatically log them using the connection profile that matches the Alias URL.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Edit on the policy that you want to modify.

Step 3

Click Edit on the connection profile for which you want to create or update aliases.

Step 4

Click Aliases.

Step 5

To add an Alias name, do the following:

  1. Click Add under Alias Names.

  2. Specify the Alias Name.

  3. Select the Enabled check box in each window to enable the aliases.

  4. Click OK.

Step 6

To add an Alias URL, do the following:

  1. Click Add under URL Alias.

  2. Select the Alias URL from the list or create a new URL object. For more information see Creating URL Objects.

  3. Select the Enabled check box in each window to enable the aliases.

  4. Click OK.

Step 7

Save your changes.


Configure Access Interfaces for Remote Access VPN

The Access Interface table lists the interface groups and security zones that contain the device interfaces. These are configured for remote access SSL or IPsec IKEv2 VPN connections. The table displays the name of each interface group or security-zone, the interface trustpoints used by the interface, and whether Datagram Transport Layer Security (DTLS) is enabled.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Access Interface.

Step 4

To add an access interface, select Add and specify values for the following in the Add Access Interface window:

  1. Access Interface—Select the interface group or security zone to which the interface belongs.

    The interface group or security zone must be a Routed type. Other interface types are not supported for remote access VPN connectivity.
  2. Associate the Protocol object with the access interface by selecting the following options:

    • Enable IPSet-IKEv2—Select this option to enable IKEv2 settings.

    • Enable SSL—Select this option to enable SSL settings.

      • Select Enable Datagram Transport Layer Security.

        When selected, it enables Datagram Transport Layer Security (DTLS) on the interface and allows the AnyConnect VPN client to establish an SSL VPN connection using two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.

        Enabling DTLS avoids the latency and bandwidth problems associated with certain SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

        To configure SSL settings, and TLS and DTLS versions, see About SSL Settings.

        To configure SSL settings for the AnyConnect VPN client, see Group Policy AnyConnect Client Options.

      • Select the Configure Interface Specific Identity Certificate check box and select Interface Identity Certificate from the drop-down list.

        If you do not select the Interface Identity Certificate, the Trustpoint will be used by default.

        If you do not select the Interface Identity Certificate or Trustpoint, the SSL Global Identity Certificate will be used by default.

  3. Click OK to save the changes.

Step 5

Select the following under Access Settings:

  • Allow Users to select connection profile while logging in—If you have multiple connection profiles, selecting this option allows the user to select the correct connection profile during login. You must select this option for IPsec-IKEv2 VPNs.

Step 6

Use the following options to configure SSL Settings:

  • Web Access Port Number—The port to use for VPN sessions. The default port is 443.

  • DTLS Port Number—The UDP port to use for DTLS connections. The default port is 443.

  • SSL Global Identity Certificate— The selected SSL Global Identity Certificate will be used for all the associated interfaces if the Interface Specific Identity Certificate is not provided.

Step 7

For IPsec-IKEv2 Settings, select the IKEv2 Identity Certificate from the list or add an identity certificate.

Step 8

Under the Access Control for VPN Traffic section, select the following option if you want to bypass access control policy:

  • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) — Decrypted traffic is subjected to Access Control Policy inspection by default. Enabling the Bypass Access Control policy for decrypted traffic option bypasses the ACL inspection, but VPN Filter ACL and authorization ACL downloaded from AAA server are still applied to VPN traffic.

    Note

     

    If you select this option, you need not update the access control policy for remote access VPN as specified in Update the Access Control Policy on the Secure Firewall Threat Defense Device.

Step 9

Click Save to save the access interface changes.


Configure Advanced Options for Remote Access VPN

Cisco AnyConnect Security Mobility Client Image

AnyConnect Security Mobility Client Image

The AnyConnect Security Mobility Client provides secure SSL or IPsec (IKEv2) connections to the threat defense device for remote users with full VPN profiling to corporate resources. Without a previously-installed client, remote users can enter the IP address of an interface configured to accept clientless VPN connections in their browser to download and install the AnyConnect Client. The threat defense device downloads the client that matches the operating system of the remote computer. After downloading, the client installs and establishes a secure connection. In case of a previously installed client, when the user authenticates, the threat defense device, examines the version of the client, and upgrades the client if necessary.

The Remote Access VPN administrator associates any new or additional AnyConnect Client images to the VPN policy. The administrator can unassociate the unsupported or end of life client packages that are no longer required.

The Secure Firewall Management Center determines the type of operating system by using the file package name. If the user renamed the file without indicating the operating system information, the valid operating system type must be selected from the list box.

Download the AnyConnect Client image file by visiting Cisco Software Download Center.

Adding a AnyConnect Security Mobility Client Image to the Secure Firewall Management Center

You can upload the AnyConnect Security Mobility Client image to the Secure Firewall Management Center by using the AnyConnect File object. For more information, see File Objects. For more information about the client image, see Cisco AnyConnect Security Mobility Client Image.

Procedure

Step 1

Choose Devices > Remote Access, choose and edit a listed remote access policy, then choose the Advanced tab.

Step 2

Click Add to add a AnyConnect Security Mobility Client image.

Step 3

Click Add in the Available AnyConnect Images portion of the AnyConnect Images dialog.

Step 4

Enter the Name and Description(optional) for the available AnyConnect Image.

Step 5

Click Browse, locate and select the client image that you want to upload.

Step 6

Click Save to upload the image to the management center.

When you upload the client image to the Secure Firewall Management Center, the operating system information for the image appears automatically.

Step 7

To change the order of client images, Click Show Re-order buttons and move the client image up or down.


Update AnyConnect Client Image for Remote Access VPN Clients
When new AnyConnect updates are available in Cisco Software Download Center, you can download the packages manually and add them to the remote access VPN policy so that the new client packages are upgraded on the VPN client systems according to their operating systems.
Before you begin

Instructions in this section help you update new AnyConnect images to remote access VPN clients connecting to Secure Firewall Threat Defense VPN gateway. Ensure that the following configurations are complete before updating your AnyConnect images:

  • Download the latest AnyConnect image files from Cisco Software Download Center.

  • On your Secure Firewall Management Center web interface, go to Objects > Object Management > VPN > AnyConnect File and add the new AnyConnect client image files.

Procedure

Step 1

On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.

Step 2

Click Edit on the remote access VPN policy that you want to update.

Step 3

Click Advanced > AnyConnect Client Images > Add.

Step 4

Select a client image file from Available AnyConnect Images and click Add.

If the required client image is not listed, click Add to browse and upload an image.

Step 5

Click OK.

Step 6

Save the remote access VPN policy.

After the remote access VPN policy changes are deployed, the new AnyConnect images are updated on the Secure Firewall Threat Defense device that is configured as the remote access VPN gateway. When a new VPN user connects to the VPN gateway, the user gets the new AnyConnect Client image to download depending on the operating system of the client system. For existing VPN users, the AnyConnect Client image gets updated in their next VPN session.

Add a Cisco AnyConnect External Browser Package to the Secure Firewall Management Center

If you have the AnyConnect external browser package image on your local disk, use this procedure to upload the same to the Secure Firewall Management Center. After you upload the external browser package, you can update the external browser package for your remote access VPN connections.

You can upload the external browser package file to the Secure Firewall Management Center by using the AnyConnect object. For more information, see File Objects.

Points to Remember

  • Only one external browser package can be added to the threat defense device.

  • After the external browser package is added to the management center, the browser is pushed to the threat defense only after the external browser is enabled in the remote access VPN configuration.

Procedure

Step 1

On the Secure Firewall Management Center web interface, choose Devices > Remote Access, choose and edit a listed remote access policy, then choose the Advanced tab.

Step 2

Click Add in the AnyConnect External Browser Package portion of the AnyConnect Client Images page.

Step 3

Enter the Name and Description for the AnyConnect package.

Step 4

Click Browse and locate the external browser package file to upload.

Step 5

Click Save to upload the image to the Secure Firewall Management Center.

Note

 

If you want to update the remote access VPN connection with an existing external browser package, select the file from the Package File drop-down.

Step 6

Save the remote access VPN policy.


Remote Access VPN Address Assignment Policy

The threat defense device can use an IPv4 or IPv6 policy for assigning IP addresses to Remote Access VPN clients. If you configure more than one address assignment method, the threat defense device tries each of the options until it finds an IP address.

IPv4 or IPv6 Policy

You can use the IPv4 or IPv6 policy to address an IP address to remote access VPN clients. You must try with the IPv4 policy to begin and later followed by IPv6 policy.

  • Use Authorization Server—Retrieves the address from an external authorization server on a per-user basis. If you are using an authorization server that has IP address configured, we recommend using this method. Address assignment is supported by RADIUS-based authorization server only. It is not supported for AD/LDAP. This method is available for both IPv4 and IPv6 assignment policies.

  • Use DHCP—Obtains IP addresses from a DHCP server configured in a connection profile. You can also define the range of IP addresses that the DHCP server can use by configuring DHCP network scope in the group policy. If you use DHCP, configure the server in the Objects > Object Management > Network pane. This method is available for IPv4 assignment policies.

    For more information about DHCP network scope configuration, see Group Policy General Options.

  • Use an internal address pool—Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, create the IP address pools in the Objects > Object Management >Address Pools pane and select the same in the connection profile. This method is available for both IPv4 and IPv6 assignment policies.

  • Allow reuse an IP address so many minutes after it is released—Delays the reuse of an IP address after its return to the address pool. Adding a delay helps to prevent problems firewalls can experience when an IP address is reassigned quickly. By default, the delay is set to zero. If you want to extend the delay, enter the number of minutes in the range of 0–480 to delay the IP address reassignment. This configurable element is available for IPv4 assignment policies.

Configure Certificate Maps

Certificate maps let you define rules matching a user certificate to a connection profile based on the contents of the certificate fields. Certificate maps provide certificate authentication on secure gateways.

The rules or the certificate maps are defined in Certificate Map Objects.

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Choose Advanced > Certificate Maps.

Step 4

Select the following options from the General Settings for Connection Profile Mapping pane:

Selections are priority-based, matching continues down the list of options when the first selection does not match. Matching is complete when the rules are satisfied. If the rules are not satisfied, the default connection profile listed at the bottom of this page is used for the connection. Select any, or all of the following options to establish authentication and to determine which connection profile (tunnel group) must be mapped to the client.

  • Use Group URL if Group URL and Certificate Map match different Connection profiles

  • Use the configured rules to match a certificate to a Connection Profile—Enable this to use the rules defined in the Connection Profile Maps.

Note

 

Configuring a certificate mapping implies certificate-based authentication. The remote user will be prompted for a client certificate regardless of the configured authentication method.

Step 5

Under the Certificate to Connection Profile Mapping section, click Add Mapping to create certificate to connection profile mapping for this policy.

  1. Choose or create a Certificate Map Name object.

  2. Select the Connection Profile that want to use if the rules in the certificate map object are satisfied.

  3. Click OK to create the mapping.

Step 6

Click Save.


Configuring Group Policies

A group policy is a set of attribute and value pairs, stored in a group policy object, that define the remote access VPN experience. For example, in the group policy object, you configure general attributes such as addresses, protocols, and connection settings.

The group policy applied to a user is determined when the VPN tunnel is being established. The RADIUS authorization server assigns the group policy, or it is obtained from the current connection profile.


Note


There is no group policy attribute inheritance on the threat defense. A group policy object is used, in its entirety, for a user. The group policy object identified by the AAA server upon login is used, or, if that is not specified, the default group policy configured for the VPN connection is used. The provided default group policy can be set to your default values, but will only be used if it is assigned to a connection profile and no other group policy has been identified for the user.


Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Choose Advanced > Group Policies > Add.

Step 4

Select group policies from the Available Group Policy list and click Add. You can select one or more group policies to associate with this remote access VPN policy.

Step 5

Click OK to complete the group policy selection.

Step 6

Save your changes.


Configuring LDAP Attribute Mapping

An LDAP attribute name maps LDAP user or group attribute name to a Cisco-understandable name. The attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. You can map any standard LDAP attribute to a well-known vendor specific attribute (VSA). You can map one or more LDAP attributes to one or more Cisco LDAP attributes. When the AD or LDAP server returns authentication to the threat defense device during remote access VPN connection establishment, the threat defense device can use the information to adjust how the AnyConnect Client completes the connection.

When you want to provide VPN users with different access permissions or VPN content, you can configure different VPN policies on the VPN server and assign these policy-sets to each user based on their credentials. You can achieve this in threat defense by configuring LDAP authorization, with LDAP attribute maps. In order to use LDAP to assign a group policy to a user, you must configure a map that maps an LDAP attribute.

An LDAP attribute map consists of three components:

  • Realm—Specifies the name for the LDAP attribute map; the name is generated based on the selected realm.

  • Attribute Name Map—Maps the LDAP user or group attribute name to Cisco-understandable name.

  • Attribute Value Map—Maps value in the LDAP user or group attribute to the value of a Cisco attribute for the selected name mapping.

The group policies that are used in an LDAP attribute map get added to the list of group policies in the remote access VPN configuration. Removing a group policy from the remote access VPN configuration also removes the associated LDAP attribute mapping.

In versions 6.4 to 6.6, you can configure LDAP attribute maps only using FlexConfig. For more information, see Configure AnyConnect Modules and Profiles Using FlexConfig.

In versions 7.0 and later, you can use the following procedure:

Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Click Advanced > LDAP Attribute Mapping.

Step 4

Click Add.

Step 5

On the Configure LDAP Attribute Map page, select a Realm to configure the attribute map.

Step 6

Click Add.

You can configure multiple attribute maps. Each attribute map requires that you configure a name map and value maps.

Note

 

Ensure that you follow these guidelines while creating an LDAP attribute map:

  • Configure at least one mapping for an LDAP attribute; multiple mappings with the same LDAP attribute name is not allowed.

  • Configure a minimum of one name map to create an LDAP attribute map.

  • You can remove any LDAP attribute map if the attribute map is not associated with any connection profile in the remote access VPN configuration.

  • Use the correct spelling and capitalization in the LDAP attribute map for both the Cisco and LDAP attribute names and values.

  1. Specify the LDAP Attribute Name and then select the required Cisco Attribute Name from the list.

  2. Click Add Value Map and Specify the LDAP Attribute Value and Cisco Attribute Value.

    Repeat this step to add more value maps.

Step 7

Click OK to complete LDAP attribute map configuration.

Step 8

Click Save to save the changes to the LDAP attribute mapping.


Example
For a detailed example, see Configure RA VPN with LDAP Authentication and Authorization for FTD.

Configuring VPN Load Balancing

About VPN Load Balancing

VPN load balancing in threat defense allows you group two or more devices logically and distribute remote access VPN sessions among the devices equally. VPN load balancing shares AnyConnect Client VPN sessions among the devices in a load balancing group.

VPN load balancing is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of two or more threat defense devices. One device acts as the director, and the other devices are member devices. Devices in a group do not need to be of the exact same type, or have identical software versions or configurations. Any threat defense device that supports remote access VPN can participate in a load balancing group. Threat Defense supports VPN load balancing with AnyConnect SAML authentication.

All active devices in a VPN load-balancing group carry session loads. VPN load balancing directs traffic to the least-loaded device in the group, distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.

Components of VPN Load Balancing

Following are the components of VPN load balancing:

  • Load-balancing group—A virtual group of two or more threat defense devices to share the VPN sessions.

    A VPN load-balancing group can consist of threat defense devices of the same release or of mixed releases; but the device must support remote access VPN configuration.

    See Configure Group Settings for VPN Load Balancing and Configure Additional Settings for Load Balancing.

  • Director—One device from the group acts a director. It distributes the load among other members in the group and participate is serving the VPN sessions.

    The director monitors all devices in the group, keeps track of how loaded each device is, and distributes the session load accordingly. The role of director is not tied to a physical device; it can shift among devices. For example, if the current director fails, one of the member devices in the group takes over that role and immediately becomes the new director.

  • Members—Devices other than the director in a group are called members. They participate in load balancing and share the remote access VPN connections.

    Configure Settings for Participating Devices.

Prerequisites for VPN Load Balancing
  • Certificatesthreat defense’s certificate must contain the IP addresses or FQDN of the director and members to which the connection is redirected. Or else, the certificate will be deemed untrusted. The certificate must use Subject Alternate Name (SAN) or wildcard certificate

  • Group URL—Add the group URL for VPN load-balancing group IP address to the connection profiles. Specify a group URL to eliminate the need for the user to select a group at login.

  • IP Address Pool—Choose unique IP address pool for member devices, and override the IP pool in management center for each of the member devices.

  • Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.

Guidelines and Limitations for VPN Load Balancing
  • VPN load balancing is disabled by default. You must explicitly enable VPN load balancing.

  • Only the threat defense devices that are co-located can be added to a load-balancing group.

  • A load-balancing group must have a minimum of two threat defense devices.

  • Devices in threat defense high availability can participate in a load-balancing group.

  • Devices that are behind Network Address Translation (NAT) can also be part of a load balancing group.

  • When a member or a director device goes down, remote access VPN connections that are served by that device will be dropped. You must initiate the VPN connection again.

  • Identity certificate on each device must have Subject Alternate Name (SAN) or wildcard.

Configure Group Settings for VPN Load Balancing
You can enable VPN load balancing and configure group settings that are applicable to all the members of the load-balancing group. When you create the group, you can configure participation settings for load balancing.
Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Edit on the remote access VPN policy that you want to update.

Step 3

Click Advanced > Load Balancing.

Step 4

Click the Enable Load balancing between member devices toggle button to enable load balancing.

The Edit Group Configuration page opens. Group parameters apply to all devices under the load-balancing group.

Step 5

Specify the Group IPv4 Address and Group IPv6 Address as applicable.

The IP address that you specify here is for the entire load-balancing group and the director opens this IP address for incoming VPN connections.

Step 6

Select the Communication Interface for the load-balancing group. Click Add to add an interface group or security zone.

Communication interface is a private interface through which the director and members share information about their load.

Step 7

Enter the UDP Port for communication between the director and members in a group. The default port is 9023.

Step 8

Enable the IPsec Encryption toggle button to activate IPsec encryption for the communication between the director and members.

Enabling the encryption establishes an IKEv1/IPsec tunnel between the director and members using a pre-shared key.

Step 9

Enter Encryption Key for IPsec encryption and confirm the encryption key.

Step 10

Click OK.


Configure Additional Settings for Load Balancing
The additional settings for VPN load balancing include FQDN and IKEv2 redirection.
Procedure

Step 1

Choose Devices > VPN > Remote Access.

Step 2

Click Edit on the remote access VPN policy that you want to update.

Step 3

Click Advanced > Load Balancing.

Step 4

Turn on the Enable Load balancing between member devices toggle button to enable load balancing if not done already.

Step 5

Click Settings.

Step 6

Turn on the Send FQDN to peer devices instead of IP toggle button to enable redirection using a fully qualified domain name.

By default, threat defense sends only IP addresses in VPN load balancing redirection to a client.

Step 7

Select one of the IKEv2 Redirect phases:

  • Redirect during SA authentication

  • Redirect during SA initialization

Step 8

Click OK.

Step 9

Save your changes.


Configure Settings for Participating Devices

The device participation settings determine how the devices share load in VPN load balancing. Configure a participating device by enabling VPN load balancing on the device and defining device-specific properties. These values vary from device to device. You can provide a priority number for the devices participating in load balancing. A higher priority number gives the device a better chance to become the director over other devices. But you cannot select a device to be the director of the group.

Procedure