Cisco AnyConnect Secure Mobility with AnyConnect Essential

     I have recently started looking into Cisco AnyConnect Secure Mobility, despite its having existed for over a year now, to find out what features it has to offer as part of the Cisco SSL VPN solution. My first misconception was that, in order to use these features, the AnyConnect Secure Mobility license is required. As it turns out, there are some nice features that are available even without such a license, and better yet, work with just the AnyConnect Essential license, which nowadays is a more popular choice due to its cost effectiveness for those who do not need the add-ons of the clientless SSL VPN or Cisco Secure Desktop.
     In this article, we will review some features of Cisco AnyConnect Secure Mobility release 3.0 that can be leveraged with the AnyConnect Essential license. Specifically, these are the features that can be quickly enabled from the client profile configuration page in ASDM. This article, however, will not go into more advanced security features that may require either elaborate configuration or an additional hardware device or license, such as Host Scan or web security with the IronPort WSA.

Hardware/Software used in this lab
      - Cisco ASA 8.4(1)
      - Cisco ASDM 6.4(3)
      - Cisco AnyConnect Secure Mobility Client version 3.0.3054

Feature #1: IPSec with IKEv2
      AnyConnect Secure Mobility now inherently supports both SSL and IPsec with IKEv2 VPN in a single client. Which security protocol a client uses depends on the configuration of the client profile. From the user's point of view, there is no difference between the two protocols. IKEv2 can be configured similarly to conventional IPsec, with slight changes in the 'crypto' command syntax that distinguish IKEv1 from IKEv2. Unless there is a security-specific requirement that can only be met with IKEv2, it might be better to stay with SSL to avoid the additional crypto configuration of IKEv2.
      Below are sample outputs of an IPsec with IKEv2 session:

TEST-FW1# sh vpn-s any

Session Type: AnyConnect

Username     : cisco              Index        : 104
Assigned IP  : 192.168.100.32           Public IP    : 1.1.1.100
Protocol     : IKEv2 IPsecOverNatT Clientless
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 64824                  Bytes Rx     : 43157
Group Policy : SSLTEST                Tunnel Group : SSLTEST
Login Time   : 21:10:08 MST Sun Aug 21 2011
Duration     : 0h:00m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
!
TEST-FW1# sh cry ikev2 sa

IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
529010401    2.2.2.100/4500    1.1.1.100/63093      READY    RESPONDER
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: PSK
      Life/Active Time: 86400/82 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 192.168.100.32/0 - 192.168.100.32/65535
          ESP spi in/out: 0xbcc8ea3f/0x37f60b06  
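One thing worth doing with the 'show crypto ikev2 sa' output above is to check what was actually negotiated rather than what the policy was meant to allow. The following Python is an added example, not code from the original article or from Cisco: it parses the SA output (a constructed copy of the sample above) into a record and flags parameters below a baseline. The regular expressions assume the column layout shown on this page, and the thresholds (DH group 14, 128-bit keys, SHA-2 integrity) are this example's own choice; in the sample, DH group 5 (1536-bit MODP) and SHA96 (HMAC-SHA1 truncated to 96 bits) are the two parameters that get flagged.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample for this example, matching the 'show crypto ikev2 sa' output above.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
529010401    2.2.2.100/4500    1.1.1.100/63093      READY    RESPONDER
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: PSK
      Life/Active Time: 86400/82 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 192.168.100.32/0 - 192.168.100.32/65535
          ESP spi in/out: 0xbcc8ea3f/0x37f60b06
"""


@dataclass
class Ikev2Sa:
    tunnel_id: str
    local: str
    remote: str
    status: str
    role: str
    encr: str
    keysize: int
    integrity: str      # the 'Hash:' column, i.e. the IKE integrity algorithm
    dh_group: int
    auth_sign: str
    auth_verify: str
    lifetime_sec: int


# A tunnel row starts with the numeric tunnel id; the parameter lines follow it.
SA_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SA_PARAMS = re.compile(
    r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
    r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
SA_LIFE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_ikev2_sas(text: str) -> List[Ikev2Sa]:
    """Walk the output line by line; each SA is a tunnel row followed by its parameter lines."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            cur = dict(zip(("tunnel_id", "local", "remote", "status", "role"), m.groups()))
            continue
        m = SA_PARAMS.search(line)
        if m and cur is not None:
            encr, keysize, integrity, dh, sign, verify = m.groups()
            cur.update(encr=encr, keysize=int(keysize), integrity=integrity,
                       dh_group=int(dh), auth_sign=sign, auth_verify=verify)
            continue
        m = SA_LIFE.search(line)
        if m and cur is not None:
            cur["lifetime_sec"] = int(m.group(1))
            sas.append(Ikev2Sa(**cur))
            cur = None
    return sas


def audit_ikev2_sa(sa: Ikev2Sa, min_dh_group: int = 14, min_keysize: int = 128) -> List[str]:
    """Flag negotiated parameters below a baseline; the thresholds are this example's choice."""
    findings = []
    if sa.dh_group < min_dh_group:
        findings.append(f"DH group {sa.dh_group} is below group {min_dh_group} (2048-bit MODP)")
    if sa.keysize < min_keysize:
        findings.append(f"{sa.encr} key size {sa.keysize} is below {min_keysize} bits")
    if sa.integrity.upper() in {"SHA96", "MD596", "MD5"}:
        findings.append(f"integrity {sa.integrity} is SHA-1/MD5 based; prefer a SHA-2 integrity algorithm")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sas(SAMPLE_IKEV2_SA):
        print(sa)
        for finding in audit_ikev2_sa(sa):
            print("  finding:", finding)
```

In practice the input would come from the ASA over SSH or from a log collector rather than an embedded string; the parser is the same. The negotiated values are what the peer agreed to, so a weak result here usually means the IKEv2 policy on the ASA lists a weak proposal that the client was allowed to pick.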

Feature #2: Start Before Logon (SBL)
      With this feature enabled, users are able to initiate a VPN connection and have access to the remote network, typically for resources such as Active Directory, before the Windows login. This supports capabilities such as Windows logon scripts. The user is required to have network connectivity at logon, which may not be a problem on a wired LAN, but can be challenging on a wireless LAN, especially when credentials are required to join it.



Feature #3: Trusted Network Detection (TND)
      An AnyConnect Secure Mobility client considers itself to be on a trusted network when it sees a predetermined domain name and/or DNS server IPs returned by a DHCP server. When the client detects a trusted network, it will not try to initiate a VPN connection. Conversely, a VPN connection is initiated automatically if an untrusted network is detected. When used with the 'Auto Reconnect' feature described in a later section, the VPN connection is automatically disconnected when a user roams from an untrusted network to a trusted one.
      This feature is used to raise user awareness of when they no longer have access to corporate resources by prompting them for VPN login. This can, however, become annoying when users are continuously prompted even when no corporate access is desired.


Feature #4: Auto Connect On Start
      This feature is basically TND without the concept of a trusted network. Users are always prompted for VPN login as soon as network connectivity is detected. This may be ideal in an environment where a security policy always needs to be enforced; otherwise, it can certainly increase user annoyance. For this reason, it is recommended to use TND, and this feature can be considered redundant.

Feature #5: Auto Reconnect
      With this feature enabled, when a user loses connectivity to the ASA, the VPN session is cached by the ASA. The AnyConnect client continuously tries to resume the session without prompting the user to log in again, assuming network connectivity is restored before the cached session is cleared. This can be useful when users often roam between, for example, wired and wireless networks. The caveat is that if the user does not reconnect, the cached session remains on the ASA, as far as I can tell, until an idle timer expires. When used with TND, the AnyConnect client stops trying to reconnect once the user roams into a trusted network.
      This feature also works when a computer is temporarily suspended (i.e. sleep, hibernate, etc.). AnyConnect can be configured either to terminate the VPN on suspend or to allow the VPN to reconnect after resume.
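The interaction between Trusted Network Detection, Auto Connect On Start and Auto Reconnect (Features #3 to #5) is easier to reason about as a single decision table. The Python below is an added example, not code from the article or from Cisco: it models the client's decision when connectivity is (re)detected, given a profile-like policy and what the client sees from DHCP. The policy field names, the boolean "disconnect on trusted / connect on untrusted" switches, the suffix match on the DHCP domain and the sample networks are all this example's own simplifications, not the profile schema.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Action(Enum):
    NONE = "no action"
    CONNECT = "start VPN and prompt for login"
    DISCONNECT = "disconnect VPN"
    RESUME = "resume cached session without re-login"


@dataclass
class ClientPolicy:
    """Simplified model of the profile settings discussed above (field names are this
    example's, not the AnyConnect profile schema)."""
    tnd_enabled: bool = True
    trusted_dns_domains: Set[str] = field(default_factory=set)
    trusted_dns_servers: Set[str] = field(default_factory=set)
    disconnect_on_trusted: bool = True    # TND + Auto Reconnect: tear down when roaming into a trusted network
    connect_on_untrusted: bool = True     # TND: prompt for login on an untrusted network
    auto_connect_on_start: bool = False   # Feature #4: prompt on any connectivity, no trusted-network concept
    auto_reconnect: bool = True           # Feature #5: resume the session the ASA still caches


@dataclass
class NetworkEvent:
    """What the client observes when connectivity is (re)detected; constructed inputs."""
    dhcp_domain: Optional[str]
    dhcp_dns_servers: Tuple[str, ...]
    vpn_connected: bool
    cached_session: bool   # the ASA still holds the session from before the loss of connectivity


def is_trusted_network(policy: ClientPolicy, event: NetworkEvent) -> bool:
    """Trusted when the DHCP-learned domain matches a trusted domain (suffix match, a
    simplification) or any DHCP-learned DNS server is in the trusted server set."""
    if not policy.tnd_enabled:
        return False
    domain = (event.dhcp_domain or "").lower()
    for trusted in policy.trusted_dns_domains:
        t = trusted.lower()
        if domain == t or domain.endswith("." + t):
            return True
    return any(dns in policy.trusted_dns_servers for dns in event.dhcp_dns_servers)


def decide(policy: ClientPolicy, event: NetworkEvent) -> Action:
    """The action the client takes for one connectivity event."""
    if is_trusted_network(policy, event):
        # On a trusted network the client never initiates a VPN and stops any
        # reconnect attempts; an active tunnel is torn down if so configured.
        if event.vpn_connected and policy.disconnect_on_trusted:
            return Action.DISCONNECT
        return Action.NONE
    if event.vpn_connected:
        return Action.NONE
    if event.cached_session and policy.auto_reconnect:
        return Action.RESUME            # no login prompt: the ASA still has the session
    if (policy.tnd_enabled and policy.connect_on_untrusted) or policy.auto_connect_on_start:
        return Action.CONNECT           # this is the prompt users find annoying
    return Action.NONE


if __name__ == "__main__":
    corp = ClientPolicy(trusted_dns_domains={"corp.example.com"}, trusted_dns_servers={"10.0.0.53"})
    office = NetworkEvent("corp.example.com", ("10.0.0.53",), vpn_connected=True, cached_session=False)
    cafe = NetworkEvent("guest.cafe.invalid", ("192.0.2.1",), vpn_connected=False, cached_session=False)
    print("office:", decide(corp, office).value)
    print("cafe  :", decide(corp, cafe).value)
```

The last two branches show why the article calls Auto Connect On Start redundant next to TND: with TND enabled, the only thing Auto Connect On Start adds is prompting on networks that TND already classifies, and on a trusted network TND suppresses the prompt anyway.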

Feature #6: Server List
      A Server List allows an administrator to configure a list of possible ASAs, each with an appropriate tunnel-group, for users to connect to. The list of servers is presented to users as a drop-down. The server name on the list can be a meaningful alias to help users identify a server instead of a more cryptic actual URL. Each server can also be configured with a backup server for failover.

Feature #7: Backup Servers
      A backup server is a server of last resort, used when the servers in the Server List are exhausted. Usually, it is sufficient to define all possible servers users can connect to under the Server List. However, if you have a server that acts as a backup for several servers, you can assign it globally here.

Feature #8: Optimal Gateway Selection (OGS)
      An AnyConnect client with OGS enabled leverages the Server List by automatically connecting to the server with the best Round Trip Time (RTT). The user is no longer able to choose a server, which eliminates the need for users to decide which VPN gateway to connect to. A performance threshold and a time period can be set to require a certain RTT improvement before changing to a different gateway and to control how frequently users can hop between gateways. This feature works well when both resources and users are geographically dispersed. Instead of provisioning a different Server List for each group of users with the gateways closest to them, a single client profile can be deployed and the AnyConnect client picks an optimal gateway based on the user's location.
      The caveat is that, with the user unable to choose a gateway, troubleshooting a particular gateway may be difficult; in that case, you can make this feature user-selectable so it can be temporarily disabled from the AnyConnect client when required.
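Features #6 to #8 all live in the same part of the client profile: the Server List supplies the gateways and their per-server backups, the global Backup Servers are the last resort, and OGS picks among the list by RTT. The Python below is an added example, not code from the article or from Cisco. It parses a constructed profile fragment and then applies the OGS rules as the article describes them: lowest RTT wins, a switch away from the current gateway needs a minimum improvement, and switches are rate-limited. The XML element names follow the AnyConnect 3.0 profile schema as recalled by this example's author and should be treated as assumptions, as should reading the improvement threshold as a percentage and the suspend time in hours; the host names and the SSLTEST group are sample values.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed client-profile fragment for this example (element names are an assumption
# about the AnyConnect 3.0 profile schema; host names and SSLTEST are sample values).
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableAutomaticServerSelection UserControllable="true">true
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <BackupServerList>
      <HostAddress>vpn-backup.example.com</HostAddress>
    </BackupServerList>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>US East</HostName>
      <HostAddress>vpn-east.example.com</HostAddress>
      <UserGroup>SSLTEST</UserGroup>
      <BackupServerList><HostAddress>vpn-east2.example.com</HostAddress></BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>EU West</HostName>
      <HostAddress>vpn-eu.example.com</HostAddress>
      <UserGroup>SSLTEST</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


@dataclass
class Gateway:
    alias: str                  # HostName: the friendly name shown in the drop-down
    address: str                # HostAddress: the real ASA FQDN or IP
    user_group: Optional[str]   # UserGroup: the tunnel-group to land in
    backups: List[str]          # per-server backup addresses


@dataclass
class Profile:
    gateways: List[Gateway]
    global_backups: List[str]   # servers of last resort (Feature #7)
    ogs_enabled: bool
    improvement_pct: float      # RTT improvement required before switching (assumed to be a percentage)
    suspend_hours: float        # minimum time between switches (assumed to be hours)


def _text(el, path: str, default: Optional[str] = None) -> Optional[str]:
    found = el.find(path, NS)
    return found.text.strip() if found is not None and found.text else default


def parse_profile(xml_text: str) -> Profile:
    root = ET.fromstring(xml_text)
    gateways = [Gateway(
        alias=_text(e, "ac:HostName"), address=_text(e, "ac:HostAddress"),
        user_group=_text(e, "ac:UserGroup"),
        backups=[b.text.strip() for b in e.findall("ac:BackupServerList/ac:HostAddress", NS)],
    ) for e in root.findall("ac:ServerList/ac:HostEntry", NS)]
    init = root.find("ac:ClientInitialization", NS)
    global_backups = [b.text.strip() for b in init.findall("ac:BackupServerList/ac:HostAddress", NS)]
    ogs = init.find("ac:EnableAutomaticServerSelection", NS)
    # The element carries "true"/"false" as text and its thresholds as child elements.
    enabled = ogs is not None and (ogs.text or "").strip().lower() == "true"
    improvement = float(_text(ogs, "ac:AutoServerSelectionImprovement", "20")) if ogs is not None else 20.0
    suspend = float(_text(ogs, "ac:AutoServerSelectionSuspendTime", "4")) if ogs is not None else 4.0
    return Profile(gateways, global_backups, enabled, improvement, suspend)


def select_gateway(profile: Profile, rtt_ms: Dict[str, Optional[float]],
                   current: Optional[str] = None, hours_since_switch: Optional[float] = None) -> Optional[str]:
    """OGS decision. rtt_ms maps gateway address to measured RTT (None = unreachable).
    Keep the current gateway unless it is unreachable, or the best candidate beats it by
    at least improvement_pct and suspend_hours have elapsed since the last switch."""
    if not profile.ogs_enabled:
        return current
    reachable = {addr: rtt for addr, rtt in rtt_ms.items() if rtt is not None}
    if not reachable:
        return None
    best = min(reachable, key=reachable.get)
    if current is None or current not in reachable:
        return best
    if hours_since_switch is not None and hours_since_switch < profile.suspend_hours:
        return current
    improvement = (reachable[current] - reachable[best]) * 100.0 / reachable[current]
    return best if improvement >= profile.improvement_pct else current


def connection_order(profile: Profile, chosen: str) -> List[str]:
    """Addresses tried in order: the chosen gateway, its own backups, then the global
    backup servers of last resort (duplicates removed)."""
    gw = next(g for g in profile.gateways if g.address == chosen)
    order: List[str] = []
    for addr in [gw.address, *gw.backups, *profile.global_backups]:
        if addr not in order:
            order.append(addr)
    return order
```

The suspend period is what keeps a laptop on a flapping link from bouncing between two gateways with similar RTTs, and the improvement threshold is what stops a 5 ms difference from causing a switch at all. The UserControllable attribute on the constructed fragment is the knob the article mentions for letting a user turn OGS off while troubleshooting one gateway.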

Feature #9: Windows VPN Establishment
      This feature allows a VPN connection to be initiated from within a Windows RDP session. Split tunneling must be configured under the target group-policy. You may lose RDP access if the network the user connects from is not exempted by the split-tunnel policy.

Feature #10: Show Pre-Connect Message
      This feature is nothing more than a message prompt that pops up when the AnyConnect client first attempts to connect to the VPN. It can be used as either a warning or a reminder to users.


Other features that require either an AnyConnect Premium or AnyConnect Secure Mobility license include:
      - Always-On VPN
      - Connect Failure Policy
      - Captive Portal Hotspot Detection/Remediation

Tips:
      Here are a few other ideas of what you can use AnyConnect Secure Mobility for.
      - Dynamically push an additional alternate VPN gateway to the client
      - Dynamically push a new backup VPN gateway to the client (unlike IPsec, where the user needs to manually add a second gateway to the client)
      - Dynamically delete a decommissioned VPN gateway from the client
      - Dynamically update a server alias on the client
      - Dynamically push additional access to a tunnel-group/group-policy to the client
      - Restrict a group of users to only see a subset of servers on the server list

Conclusions:
      As you can see, there are many features offered by AnyConnect Secure Mobility that a current user of AnyConnect Essential can immediately enjoy without having to purchase the additional AnyConnect Secure Mobility license or upgrade to the more expensive Premium license. These will certainly add value to your current SSL VPN implementation.

Additional Resources:
     AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 3.0
     Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.0
     Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0


Author: Metha Chiewanichakorn , CCIE#23585 (R&S/Security/Service Provider)

hi

Great info, thanks a lot!!! I wish I will have such a writing skills..
Sniper Games