Troubleshooting Remote Access SSL VPN and Secure Mobility (2012 San Diego)
 

Cisco remote access VPN solutions provide users secure and flexible channels to an organization's network and sensitive applications. Cisco SSL VPN and Secure Mobility solutions provide a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet. This session provides techniques for troubleshooting on Cisco 5500 Series Adaptive Security Appliance (ASA) and Cisco AnyConnect Secure Mobility Client. The Cisco AnyConnect Secure Mobility client is the next-generation VPN client, providing remote users with secure IPsec (IKEv2) or SSL VPN connections to the Cisco ASA. AnyConnect provides end users with a connectivity experience that is intelligent, seamless and always-on, with secure mobility across today's proliferating managed and unmanaged mobile devices. In this session, you will learn numerous tips and best practices when troubleshooting problems related to SSL VPN and Secure Mobility. This session is designed for networking and security professionals who have deployed or are planning to deploy remote access SSL VPN solutions.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4382

    Presentation Transcript

    • Troubleshooting Remote Access SSL VPN and Secure Mobility BRKSEC-3050 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
    • Agenda
      Brief Introduction to SSL VPN and Secure Mobility
      Troubleshooting Clientless SSL VPN Sessions in the Cisco ASA
      The AnyConnect Secure Mobility Solution
      AnyConnect Installation Problems
      Troubleshooting AnyConnect Sessions
      Case Studies for Basic Troubleshooting
      Troubleshooting Split Tunneling Issues
      Network Access Module
    • Agenda (continued)
      IKEv2 Support and Troubleshooting
      Host Scan and the Posture Module
      Dynamic Access Policies (DAP)
      Configuring and Troubleshooting Web Security Module
      Configuring and Troubleshooting Telemetry to the WSA
      Advanced Troubleshooting with DART
    • SSL VPN Introduction: SSL VPN Solution Offerings/Categories
      Clientless: Basic Web, Email and CIFS Access (only); Customized User Screen
      Thin-Client: Port Redirection for TCP Applications; Smart Tunnels
      Client-Based: AnyConnect Essentials; AnyConnect
    • Clientless Access (Web-Based Applications)
      Applications: Support for intranet HTML web pages and web-based (webified) applications. Supports OWA, Windows file share (CIFS), and more.
      Benefits: This is where a user can connect in, with few requirements beyond a basic web browser. Does not require admin rights on the machine.
      Restrictions: The rewrite engine needs constant support due to dynamic content; common issues with embedded Java and ActiveX applets.
    • SSL VPN Clientless (L7) Customization: Fully Customized Screens
      Customizable banner, customizable message, banner graphic, customizable access methods, customizable links, network resource access and sections, customizable colors.
    • Troubleshooting Clientless SSL VPNs
    • The First Step in Troubleshooting: Configuring the Feature Correctly ;-)
      The ASDM wizard can be used for simplicity and ease of use.
    • SSL VPN Wizard (Continued): SSL VPN Interface (Step 2 of 6)
      Connection Name is an arbitrary name.
      Interface where VPN users will connect.
      Select the installed digital certificate that the VPN user's web browser will use.
      Connection Group Alias/URL.
    • SSL VPN Wizard (Continued): User Authentication (Step 3 of 6)
      This option allows you to configure AAA groups for external authentication servers (i.e., RADIUS, AD, SDI, LDAP, etc.). More information in the next slide. In this example local users are created.
    • User Authentication Support: AAA Server Group
      You can configure external authentication servers such as: RADIUS, Active Directory (NT Domain), SecurID (SDI), Kerberos, LDAP.
      Note: For more information about AAA support refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html
    • SSL VPN Wizard (Continued): Group Policy (Step 4 of 6)
      A new group policy is created called myclientlessgroup. A group policy is a collection of user attributes and value pairs.
    • SSL VPN Wizard (Continued): Bookmark List (Step 5 of 6)
    • SSL VPN Wizard & Final CLI Configuration: CLI Configuration Simplified in 6 Easy Steps (ASDM Summary)
      CLI configuration generated by the wizard:
        webvpn
         enable outside
         tunnel-group-list enable
        group-policy myclientlessgroup internal
        group-policy myclientlessgroup attributes
         vpn-tunnel-protocol webvpn
         webvpn
          url-list value IntranetSites
        username user1 password 08S9WUsiSMr3RauN encrypted privilege 0
        username user1 attributes
         vpn-group-policy myclientlessgroup
        username user2 password 08S9WUsiSMr3RauN encrypted privilege 0
        username user2 attributes
         vpn-group-policy myclientlessgroup
        tunnel-group myclientlessvpn type remote-access
        tunnel-group myclientlessvpn general-attributes
         default-group-policy myclientlessgroup
        tunnel-group myclientlessvpn webvpn-attributes
         group-alias vpn enable
         group-url https://209.165.201.1/vpn enable
    • Troubleshooting Authentication Problems
    • Authentication Problems (Debug = debug webvpn 255)
      Good Authentication:
        WebVPN: calling AAA with ewsContext (-925550560) and nh (-927982512)!
        WebVPN: started user authentication...
        WebVPN: AAA status = (ACCEPT)
        WebVPN: user: (user1) authenticated.
      Bad Authentication:
        WebVPN: started user authentication...
        webvpn_free_auth_struct: net_handle = 0xc839fc30
        webvpn_allocate_auth_struct: net_handle = 0xc839fc30
        webvpn_free_auth_struct: net_handle = 0xc839fc30
        webvpn_auth.c:webvpn_aaa_callback[5107]
        WebVPN: AAA status = (ERROR)
        WebVPN: callback data is not valid!!
        webvpn_remove_auth_handle: auth_handle = 5
    • RADIUS Authentication Problems (Debug = debug radius)
        RADIUS packet decode (authentication request)
        --------------------------------------
        Raw packet data (length = 150).....
        01 11 00 96 53 90 89 8e af bc 45 9a cb a8 c1 66 | ....S.....E....f
        a7 54 fd f2 01 07 75 73 65 72 31 02 12 07 6f 5c | .T....user1...o
        c4 03 ae cf cc bf df ec 1d 58 0f 31 38 05 06 00 | .........X.18...
        00 70 00 1e 11 32 30 39 2e 31 36 35 2e 32 30 30 | .p...209.165.200
        2e 32 32 35 1f 11 32 30 39 2e 31 36 35 2e 32 30 | .225..209.165.20
        30 2e 32 32 36 3d 06 00 00 00 05 42 11 32 30 39 | 0.226=.....B.209
        2e 31 36 35 2e 32 30 30 2e 32 32 36 04 06 0a 0a | .165.200.226....
        0a fe 1a 24 00 00 00 09 01 1e 69 70 3a 73 6f 75 | ...$......ip:sou
        72 63 65 2d 69 70 3d 32 30 39 2e 31 36 35 2e 32 | rce-ip=209.165.2
        30 30 2e 32 32 36                               | 00.226
        Parsed packet data.....
        Radius: Code = 1 (0x01)
        Radius: Identifier = 17 (0x11)
        Radius: Length = 150 (0x0096)
        Radius: Vector: 5390898EAFBC459ACBA8C166A754FDF2
        Radius: Type = 1 (0x01) User-Name
        Radius: Length = 7 (0x07)
        Radius: Value (String) =
        75 73 65 72 31 | user1
        Radius: Type = 2 (0x02) User-Password
        Radius: Length = 18 (0x12)
        send pkt 172.18.104.83/1645
        RADIUS_SENT:server response timeout      (slide callout: RADIUS Server not Responding)
        RADIUS_DELETE
        remove_req 0xcbeb5d00 session 0x14 id 17
    • Authentication Test Utility: Using the CLI
        test aaa-server authentication NYGroup host 172.18.85.123 username domainuser password 123qweasd
    • Double Authentication
      Double authentication or "secondary authentication" requires the user to present two sets of valid authentication credentials.
      Restrictions:
      1. Double authentication is only supported on clientless SSL VPN and the AnyConnect client. The feature is not supported with the Cisco VPN Client or any other authentication processing.
      2. Native RSA/SDI is not supported as the secondary authentication server. It must be configured as the primary authentication.
    • Double Authentication Configuration
      CLI: secondary-authentication-server-group [interface-id] { none | LOCAL | aaa-server-group [LOCAL] } [use-primary-username]
      If use-primary-username is enabled, the secondary username is not displayed on the login page.
    • Troubleshooting Tips for Double Auth
      If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
    • Additional Authentication Debugs (For Your Reference)
      You can combine the debugs listed above with debug webvpn and debug aaa common when troubleshooting clientless authentication problems.
    • Additional Clientless SSL VPN Debugs (For Your Reference)
      Problem                         Debug Command
      Accessing CIFS shares           debug webvpn cifs (1-255)
      Accessing NFS shares            debug webvpn nfs (1-255)
      Citrix connection problems      debug webvpn citrix (1-255)
      JavaScript mangling problems    debug webvpn javascript trace user user1 (user specific)
    • Useful Show Commands: show webvpn statistics
        asa# show webvpn statistics
        Total number of objects served 105
          html              55
          js                 2
          css               21
          vb                 0
          java archive       3
          java class         2
          image             11
          undetermined       1
    • Useful Show Commands (cont.): show vpn-sessiondb
        asa# show vpn-sessiondb
        ---------------------------------------------------------------------------
        VPN Session Summary
        ---------------------------------------------------------------------------
                                       Active : Cumulative : Peak Concur : Inactive
                                     ----------------------------------------------
        AnyConnect Client            :     12 :         22 :          12 :        0
          SSL/TLS/DTLS               :     12 :         22 :          12 :        0
        ---------------------------------------------------------------------------
        Total Active and Inactive    :     12             Total Cumulative :     22
        Device Total VPN Capacity    :     25
        Device Load                  :     0%
        ---------------------------------------------------------------------------
        Tunnels Summary
        ---------------------------------------------------------------------------
                                       Active : Cumulative : Peak Concurrent
                                     ----------------------------------------------
        AnyConnect-Parent            :     12 :         22 :          12
        SSL-Tunnel                   :     12 :         22 :          12
        DTLS-Tunnel                  :     12 :         22 :          12
        ---------------------------------------------------------------------------
        Totals                       :     12 :          6
    • …More Options: show vpn-sessiondb
        asa# show vpn-sessiondb ?
        exec mode commands/options:
          anyconnect       AnyConnect sessions
          detail           Show detailed output
          email-proxy      Email-Proxy sessions
          full             Output formatted for data management programs
          index            Index of session
          l2l              IPsec LAN-to-LAN sessions
          license-summary  Show VPN License summary
          ra-ikev1-ipsec   IKEv1 IPsec/L2TP-IPsec Remote Access sessions
          ratio            Show VPN Session protocol or encryption ratios
          summary          Show VPN Session summary
          vpn-lb           VPN Load Balancing Mgmt sessions
          webvpn           WebVPN sessions
          |                Output modifiers
          <cr>
    • Capturing SSL VPN Data: capture command for WebVPN
      The CLI capture command lets you log information about websites that do not display properly over an SSL VPN connection. This data is very helpful while troubleshooting problems. To start the WebVPN capture utility use the following command:
        capture <capture_name> type webvpn user <webvpn_username>
      For example:
        hostname# capture mycapture type webvpn user user1
        WebVPN capture started.
          capture name mycapture
          user name user1
    • Troubleshooting Smart Tunnels
    • Troubleshooting Smart Tunnels: Authorized Processes
      You must create a list of "authorized" processes. Example: launching PuTTY via putty.exe requires putty.exe to be authorized.
      Smart Tunnels loads a stub into each authorized process; the stub intercepts the process's socket calls and redirects them through the Cisco ASA.
      The parent of each authorized process passes on the information (cookie, etc.) to its children if a child is an authorized process.
    • Troubleshooting Smart Tunnels: Authorized Processes (Purely a Client-Side Debug Process)
      Ensure the path to the executable is correct: Start > Run > executable-name.exe. If not found, then check the path on this workstation.
      Ensure that ActiveX, Java or JavaScript run correctly on the user's machine.
      View the application and system logs in the Event Viewer for any error conditions.
      Clear the browser cache and retry.
    • The AnyConnect Secure Mobility Client
    • AnyConnect 3.0 Features
      • Network Access Manager (replacement for CSSC) in 3.0
      • Telemetry
      • Host Scan
      • Web Security (ScanSafe integration)
      • IPsec IKEv2
      • DART enhancements
      • Windows Services Lockdown
      • Software and Profile Locks
      Note: You can deploy the Web Security module and benefit from the ScanSafe web scanning services without having to install an ASA and without enabling the VPN capabilities of the AnyConnect Secure Mobility Client.
    • AnyConnect 3.0 Operating System Support (For Your Reference)
      Capability matrix for Windows, Mac and Linux (the per-OS support marks are not reproduced here): Enhanced User Interface; IPsec (IKEv2) and SSL (TLS and DTLS); Network Access Manager; Web Security for ScanSafe; Integrated Posture (Host Scan); Integrated Diagnostics and Reporting; Pre-install; Web-deploy and upgrade.
    • Main Screen: Status, VPN, Networks, and Web Security
    • Apple iOS Support (Mobile Device)
      Apple iOS device support does not include the new features in 3.0. The latest iOS and Android clients are based on 2.5.x code.
    • iPad Support
      Detailed statistics and diagnostics information that are useful for troubleshooting on the iPad.
    • Supported Apple iOS Devices: System Requirements (For Your Reference)
      Device                                    Apple iOS Release Required
      iPad/iPad 2/3 WiFi, 3G, and 4G            4.2.1 or later
      iPhone 3G/3GS/4                           4.1 or later
      iPhone 4S                                 5.0 or later
      iPod Touch (2nd Generation or later)      4.1 or later
    • Android Support
      Supported devices: Galaxy Note, Galaxy S, Galaxy S II, Galaxy Tab 7 (WiFi only), Galaxy Tab 7.0 Plus, Galaxy Tab 7.7, Galaxy Tab 8.9, Galaxy Tab 10.1, Galaxy W, Galaxy Xcover, Galaxy Y Pro, Illusion, Infuse, Stratosphere, Rooted Devices.
      http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/release/notes/rn-ac2.5-android.html
    • AnyConnect Client Deployment: Web-based, Pre-Deploy, and Mobile Users
      Web-based; Pre-deploy (standalone client); Mobile users can download AnyConnect from Apple's App Store or Android Market.
    • Web-Deploy Packages: Contents (For Your Reference)
      headinfo.txt – OS definition and xml file sizes
      pkgversion.xml – version info
      VPNManifest.xml – package module contents
      Profile Schema files for Profile Editor
      ServiceProfileManifest.xml – profile info for Head-End and Downloader
      Binaries (binaries):
      • anyconnect and optional module installers (will vary with OS)
      • anyconnectprof.sgz – profile editor
      • vpndownloader.exe – downloader
      • update.txt – build version
      Files for Web-Launch Presentation:
      • images
      • locale (Windows only)
      • profile (Mac & Linux)
      • Web-Deploy .pkg files – Zip files with a .pkg extension that can be opened and viewed using WinZip.
    • Pre-Deploy Packages: Contents (For Your Reference)
      Windows: anyconnect-NGC-win-3.0.xxxx-k9.iso
      • Anyconnect-dart-win-3.0.xxxx-k9.msi
      • Anyconnect-gina-win-3.0.xxxx-pre-deploy-k9.msi
      • Anyconnect-nam-win-3.0.xxxx-k9.msi
      • Anyconnect-posture-win-3.0.xxxx-pre-deploy-k9.msi
      • Anyconnect-telemetry-win-3.0.xxxx-pre-deploy-k9.msi
      • Anyconnect-win-3.0.xxxx-pre-deploy-k9.msi
      • Setup.exe
      • setup.hta – Pre-deploy Installer Utility code
      • update.txt – build version
      • autorun.inf
      • GUI.ico
      • cues_bg.jpg
    • Pre-Deploy Packages: Contents (Mac & Linux) (For Your Reference)
      Mac (darwin-intel):
      • vpn.pkg – main AnyConnect VPN installer package
      • csd.pkg – Cisco Secure Desktop package
      • dart.pkg – Diagnostics and Reporting Tool (DART) that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems.
      Linux:
      • ciscovpn – main AnyConnect VPN installer binary
      • csd-3.0.x – Cisco Secure Desktop package (not supported on Linux-64)
      • dart – DART binary
    • AnyConnect Essentials
      AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the Cisco ASA, that provides the full AnyConnect capability, with the following exceptions: no CSD (including HostScan/Vault/Cache Cleaner); no clientless SSL VPN; optional Mobile Support.
      ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License
      CLI:
        webvpn
         anyconnect-essentials
    • AnyConnect User XML Profile …an XML File for User Profiles and Configuration Settings
      In Windows, stored in: Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
      Mac and Linux: /opt/cisco/vpn/profile/AnyConnectProfile.tmpl
      The profile may be validated using the AnyConnectProfile.xsd file. This file is installed during installation.
      On Windows, the preferences are stored in: Documents and Settings\<user>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
    • AnyConnect Profile Editor
      Simplifies the act of creating valid client profiles for various AnyConnect components.
      In AnyConnect 2.5, there was just one AnyConnect component (VPN) that could be configured using an ASDM-integrated Profile Editor.
      In AnyConnect 3.0, there are four AnyConnect components that can be configured using the Profile Editor: 1. VPN, 2. NAM (Network Access Manager), 3. Web Security (ScanSafe), 4. Telemetry.
    • Installation Issues
      Logging on Windows uses the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client. You can save the "Cisco AnyConnect VPN Client" log from the Event Viewer in ".evt" format.
      Linux location: /var/log/messages
      Mac location: /var/log/system.log
      NOTE: More tips included in the Appendix.
    • Event Viewer Example …search for "anyconnect"
    • Uninstalling AnyConnect
      Uninstall of AnyConnect Core is not supported via Web-Deploy; Pre-Deploy uninstall must be used.
      Uninstall of optional components is effectively achieved when the upgrade of AnyConnect Core removes the Plugins directory and its contents in order to remove optional component functionality.
    • Client GUI Statistics …You Can Even Ask Your User to Export Them and Send Them to You for Troubleshooting
      Export Stats saves the information on the Statistics screen, along with other connection information, to a text file for troubleshooting.
    • Configuration and Troubleshooting (with case studies)
    • Topology Used in the Upcoming Examples
      Client (AnyConnect) on the Internet → ASA outside interface (.225 on 209.165.200.224/27) → ASA inside interface (.254 on 10.10.10.0/24) → Corporate Network. A management interface (.254 on 192.168.1.0/24) is used for ASDM.
    • AnyConnect VPN Wizard: Select the AnyConnect VPN Wizard
    • AnyConnect VPN Wizard Introduction: Click Next to start the wizard
    • AnyConnect VPN Wizard: Connection Profile Identification
      Enter the connection profile name and select the interface where VPN clients will connect to.
    • AnyConnect VPN Wizard: Adding the AnyConnect Client Image
      Select the AnyConnect image to be used. You can also select the operating system of the client to give the user the option to select the AnyConnect image that is appropriate for his/her environment.
    • AnyConnect VPN Wizard: Authentication Methods
      Select the authentication method. In this example LOCAL auth is used, and user1 is the user.
    • AnyConnect VPN Wizard: Creating an IPv4 or IPv6 Address Pool…
    • AnyConnect VPN Wizard: Network Name Resolution Servers
      Enter the DNS and WINS servers and enter the domain name to be used.
    • AnyConnect VPN Wizard: NAT Exempt
      If NAT is being used, this step allows you to create a NAT exemption rule (to bypass NAT).
    • AnyConnect VPN Wizard: Client Deployment
      Click Next to advance to the summary of configuration changes that will be applied.
    • AnyConnect VPN Wizard: Summary Screen
      Summary of everything that will be configured (as per your entries in previous steps).
    • AnyConnect Connection Profiles
      Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Profiles. After the changes are applied to the ASA you can see the new connection profile.
    • CLI Configuration: Configuring the ASA via the CLI
        webvpn
         enable outside
         anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
         anyconnect enable
         tunnel-group-list enable
        group-policy GroupPolicy_my-connection-profile internal
        group-policy GroupPolicy_my-connection-profile attributes
         wins-server value 10.10.10.123
         dns-server value 8.8.8.8
         vpn-tunnel-protocol ssl-client
         default-domain value cisco.com
        username user1 password 08S9WUsiSMr3RauN encrypted
        tunnel-group my-connection-profile type remote-access
        tunnel-group my-connection-profile general-attributes
         address-pool my-pool
         default-group-policy GroupPolicy_my-connection-profile
        tunnel-group my-connection-profile webvpn-attributes
         group-alias my-connection-profile enable
    • AnyConnect Statistics After Successful Connection
    • Route Details: In this Example Everything is "Tunneled"
    • Message History
    • Case Study 1: Authentication Problems
    • Problem Summary
      A user calls your VPN support staff and complains that his AnyConnect VPN connection "is not working"! What can you do to troubleshoot?
    • Debug and Show Command Toolkit: First, Let's Take a Look at Some Debugs You Can Use
        show vpn-sessiondb anyconnect filter p-ipaddress 100.1.1.1
        debug webvpn anyconnect
        debug aaa common
    • debug webvpn anyconnect 255 …good authentication
        ciscoasa#
        webvpn_rx_data_tunnel_connect
        CSTP state = HEADER_PROCESSING
        http_parse_cstp_method()
        ...input: CONNECT /CSCOSSLC/tunnel HTTP/1.1
        webvpn_cstp_parse_request_field()
        ...input: Host: 209.165.200.225
        Processing CSTP header line: Host: 209.165.200.225
        webvpn_cstp_parse_request_field()
        ...input: User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629
        Processing CSTP header line: User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629
        Setting user-agent to: Cisco AnyConnect VPN Agent for Windows 3.0.0629
        …<output omitted>
        Validating address: 0.0.0.0
        CSTP state = WAIT_FOR_ADDRESS
        webvpn_cstp_accept_address: 10.10.20.1/255.255.255.0
        webvpn_cstp_accept_ipv6_address: No IPv6 Address
        CSTP state = HAVE_ADDRESS
        …<output omitted>
        SVC: adding to sessmgmt
        SVC: Sending response
        Sending X-CSTP-FW-RULE msgs: Start
        Sending X-CSTP-FW-RULE msgs: Done
        Sending X-CSTP-Quarantine: false
        Sending X-CSTP-Disable-Always-On-VPN: false
        vpn_put_uauth success!
        CSTP state = CONNECTED
    • debug aaa common …bad communication to the server
        radius mkreq: 0x19
        alloc_rip 0xcbeb5d00
        new request 0x19 --> 20 (0xcbeb5d00)
        got user user1
        got password
        add_req 0xcbeb5d00 session 0x19 id 20
        RADIUS_REQUEST
        radius.c: rad_mkpkt
        RADIUS packet decode (authentication request)
        --------------------------------------
        Raw packet data (length = 63).....
        01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1 | ...?....._.u.{..
        d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87 | .WD-..user1..^1.
        3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a | =.........L.x...
        0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05    | .........=.....
        Parsed packet data.....
        Radius: Code = 1 (0x01)
        Radius: Identifier = 20 (0x14)
        Radius: Length = 63 (0x003F)
        Radius: Vector: B20380B9FE5FAC750A7B98F1D657442D
        Radius: Type = 1 (0x01) User-Name
        Radius: Length = 7 (0x07)
        Radius: Value (String) =
        75 73 65 72 31 | user1
        Radius: Type = 2 (0x02) User-Password
        (continued in the next slide)
    • debug aaa common …bad communication to the server (continued from the previous slide)
        Radius: Length = 18 (0x12)
        Radius: Value (String) =
        5e 31 87 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 | ^1.=.........L.x
        Radius: Type = 4 (0x04) NAS-IP-Address
        Radius: Length = 6 (0x06)
        Radius: Value (IP Address) = 10.10.10.254 (0x0A0A0AFE)
        Radius: Type = 5 (0x05) NAS-Port
        Radius: Length = 6 (0x06)
        Radius: Value (Hex) = 0x2
        Radius: Type = 61 (0x3D) NAS-Port-Type
        Radius: Length = 6 (0x06)
        Radius: Value (Hex) = 0x5
        send pkt 172.18.104.83/1645
        RADIUS_SENT:server response timeout
        callback_aaa_task: status = -2, msg =
        RADIUS_DELETE
        remove_req 0xcbeb5d00 session 0x19 id 20
        free_rip 0xcbeb5d00
        radius: send queue empty
    • First Problem Fixed …but the User Still Cannot Connect
      We fixed the previous problem: the Cisco ASA had the wrong IP address for the AAA server. The correct IP address is 172.18.118.206, not 172.18.104.83. However, authentication is still not successful. What's the problem?
        <output omitted for brevity>
        Radius: Length = 6 (0x06)
        Radius: Value (Hex) = 0x5
        send pkt 172.18.118.206/1645
        fail request 0x1c (172.18.118.206 failed)
        callback_aaa_task: status = -2, msg =
        RADIUS_DELETE
        remove_req 0xcbeb5d00 session 0x1c id 23
        free_rip 0xcbeb5d00
        radius: send queue empty
    • What Was the Problem?
      The problem was that the AAA server didn't have the correct NAS (AAA client address) for the ASA. It had 10.10.10.54 instead of 10.10.10.254.
      You can also use the show aaa-server command to view statistics on AAA transactions:
        asa# show aaa-server my-radius
        Server Group:    my-radius
        Server Protocol: radius
        Server Address:  172.18.118.206
        Server port:     1645(authentication), 1646(accounting)
        Server status:   ACTIVE, Last transaction at 11:49:09 UTC Fri Jun 1 2012
        Number of pending requests         0
        Average round trip time            0ms
        Number of authentication requests  11
        Number of authorization requests   0
        Number of accounting requests      0
        Number of retransmissions          0
        Number of accepts                  1
        Number of rejects                  5
        Number of challenges               0
        Number of malformed responses      0
        Number of bad authenticators       0
        Number of timeouts                 5
        Number of unrecognized responses   0
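To make the "Parsed packet data" section of the debug aaa common output (and the debug radius slide earlier) concrete, here is an added example, not code from the deck: a small RFC 2865 decoder that walks the 63-byte Access-Request printed above and compares its NAS-IP-Address with the AAA-client address a RADIUS server has on file, the mismatch behind Case Study 1. The packet bytes are copied from the slide; the 10.10.10.54 value passed to the checker is the wrong entry the case study describes.

```python
import ipaddress
import struct

# Raw packet data (length = 63) as printed by "debug aaa common" on the slides.
RAW_HEX = (
    "01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1"
    " d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87"
    " 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a"
    " 0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05"
)

# RFC 2865 packet codes and the attribute types the ASA request carries.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
ATTRIBUTES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}


def _render(atype: int, value: bytes):
    """Turn an attribute's raw bytes into the form the ASA debug prints."""
    if atype == 1:                       # User-Name: printable text
        return value.decode("ascii", errors="replace")
    if atype == 4:                       # NAS-IP-Address: 4-byte IPv4
        if len(value) != 4:
            raise ValueError("NAS-IP-Address must be 4 bytes")
        return str(ipaddress.IPv4Address(value))
    if atype in (5, 61):                 # NAS-Port / NAS-Port-Type: 32-bit ints
        if len(value) != 4:
            raise ValueError(f"attribute {atype} must be a 4-byte integer")
        return struct.unpack("!I", value)[0]
    # User-Password is hidden by XOR with MD5(shared secret + Request
    # Authenticator); without the secret it can only be shown as hex,
    # which is also all the ASA debug shows.
    return value.hex().upper()


def decode_radius(raw: bytes) -> dict:
    """Parse the RADIUS header and attribute TLVs; ValueError if malformed."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"header length {length} != {len(raw)} bytes received")
    attributes = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        name = ATTRIBUTES.get(atype, f"Attribute-{atype}")
        attributes[name] = _render(atype, raw[pos + 2:pos + alen])
        pos += alen
    return {
        "code": code,
        "code_name": CODES.get(code, "Unknown"),
        "identifier": identifier,
        "length": length,
        "authenticator": raw[4:20].hex().upper(),   # "Radius: Vector" line
        "attributes": attributes,
    }


def nas_client_mismatch(packet: dict, configured_client_ip: str) -> bool:
    """True when the request's NAS-IP-Address differs from the AAA-client
    entry configured on the RADIUS server (the cause in Case Study 1)."""
    nas_ip = packet["attributes"].get("NAS-IP-Address")
    return nas_ip is not None and nas_ip != configured_client_ip


if __name__ == "__main__":
    pkt = decode_radius(bytes.fromhex(RAW_HEX))
    print(f"Radius: Code = {pkt['code']} ({pkt['code_name']}), "
          f"Identifier = {pkt['identifier']}, Length = {pkt['length']}")
    print(f"Radius: Vector: {pkt['authenticator']}")
    for name, value in pkt["attributes"].items():
        print(f"Radius: {name} = {value}")
    # The RADIUS server in the case study listed the ASA as 10.10.10.54.
    if nas_client_mismatch(pkt, "10.10.10.54"):
        print("NAS-IP-Address does not match the server's AAA-client entry")
```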
    • Case Study 2: User Connects But CannotPass Traffic 76
    • Problem SummaryUser is able to authenticate…but cannot pass traffic…. What can you do to troubleshoot?BRKSEC-3050 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
    • Split Tunneling Issue? AnyConnect Route Details – Are We Doing Split Tunneling?BRKSEC-3050 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
    • Statistics After Connection
      What's the Problem Here? (screenshot of the AnyConnect statistics panel with every counter at 0)
    • Internal Routing Problem
      Routing Behind the ASA (diagram: Client (AnyConnect) – Internet – ASA outside / inside (.254) – Corporate Network; VPN Pool: 10.10.20.0/24; "Where is 10.10.20.x?")
      The internal router must have a route for the VPN IP Address Pool (10.10.20.0/24).
    • What Other Things Can Cause the Same Symptoms?
      ACLs Blocking Traffic
    • Bypass Interface ACLs
      You can require an access rule to apply to the local IP addresses by unchecking this check box. The access rule applies to the assigned IP address, and not to the original client IP address used before the VPN packet was decrypted.
      ciscoasa# show run sysopt
      no sysopt connection permit-vpn
    • Troubleshooting Split Tunneling Issues
    • Split Tunneling Introduction
      Split tunneling lets you specify that certain data traffic is encrypted, while the remainder is sent in the clear (unencrypted).
      Split-tunneling network lists distinguish networks that require traffic to go through the tunnel from those that do not require tunneling.
      The ASA makes split-tunneling decisions based on a network list, which is an ACL consisting of a list of addresses on the private network.
    • Troubleshooting Split Tunneling
      Step 1: Ask your user to go to Route Details and check if the split tunneling list/routes are there…
    • Troubleshooting Split Tunneling …Continued
      Step 2: If your user's client does not have the correct routes, check that your ASA has the correct access lists for split tunneling for the group the user is connecting to.
      Step 3: Enable debug webvpn svc <1-255> and look for the following messages:
      SVC ACL Name: NULL
      SVC ACL ID: -1
      SVC ACL ID: -1
      If you see those messages, the split tunneling information is NOT being sent to the client.
    • Overview of AnyConnect Network Access Manager (NAM)
    • Network Access Manager
      Intelligently detects and selects the 'best' layer 2 access network(s)
      ‒ Wired is preferred over WiFi in automatic mode.
      Automatically connects to configured networks. Automates the user experience.
      ‒ Override with manual mode.
      One connection at a time
      ‒ All other connections are blocked
      Post-connection script launch:
      ‒ Script runs in user context
      ‒ Can be defined by admin or user (if allowed)
      Enterprise-class server validation
      ‒ Multiple validation rules per connection
      Remote desktop support
      ‒ Extend user connection beyond logoff
    • NAM Features and Support
      Supports these main features:
      ‒ Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters
      ‒ Pre-login authentication using Windows machine credentials
      ‒ Single sign-on user authentication using Windows logon credentials
      ‒ Simplified and easy-to-use IEEE 802.1X configuration
      ‒ IEEE MACsec wired encryption and enterprise policy control
      ‒ EAP methods: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, and LEAP (EAP-MD5, EAP-GTC, and EAP-MSCHAPv2 for IEEE 802.3 wired only)
    • NAM Statistics
    • NAM Message History
    • IKEv2 Support and Troubleshooting
    • IPSec IKEv2 Support (cont.)
      Some AnyConnect features require a parallel SSL connection:
      ‒ CSD HostScan
      ‒ Profile updates
      ‒ Language/Customization
      ‒ Application upgrades
      ‒ SCEP
    • IPSec IKEv2 Support
      IKEv2 support uses Cisco's IKEv2 implementation:
      ‒ IKEv2 toolkit is common in client, ASA and IOS
      ‒ Standards-based implementation
      ‒ Includes a few extensions (fragmentation, redirect)
      ‒ Same authentication methods supported previously with SSL VPN
      ‒ Uses proprietary EAP method (AnyConnect EAP)
    • Not Supported in IKEv2
      ‒ Windows 7 IKEv2 client or any other 3rd-party IKEv2 client
      ‒ HW client support for IKEv2 (5505 as a head-end/Secure Gateway using IKEv2 is supported)
      ‒ Pre-shared-key authentication for client or server
      ‒ IKEv2 encryption for load-balancing link to other ASAs
      ‒ cTCP, L2TP
      ‒ Re-authentication
      ‒ Peer ID check
      ‒ Compression/IPcomp
      ‒ NAC
      ‒ 3rd party firewall configuration
      ‒ IPv6 (any form of IPv6, that is, IPv6-over-IPv4, IPv6-over-IPv6, etc.)
    • New IKEv2 Configuration Commands
      crypto ikev2 policy 1
       encryption aes-256
       integrity sha
       group 2
       prf sha
       lifetime seconds 86400
      crypto ikev2 policy 10
       encryption aes-192
       integrity sha
       group 2
       prf sha
       lifetime seconds 86400
      crypto ikev2 remote-access trust-point my-ikev2-trustpoint
      crypto ikev2 enable outside
      crypto ikev2 cookie-challenge 50
      crypto ikev2 limit max-sa 100
      ikev2 remote-authentication certificate my-ikev2-trustpoint
      More Configuration Tips and Examples at: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
    • IKEv2 Debug Commands …Debugs Specific for IKEv2
      debug crypto ikev2 platform
        Debugs ASA processing of IKEv2, not protocol-specific exchanges. This debug is useful for AAA and session management issues, and for troubleshooting the ASA cryptographic module performing encryption and decryption.
      debug crypto ikev2 protocol
        Debugs IKEv2 protocol-specific exchanges.
      debug crypto ikev2 timer
        Debugs IKEv2 timer expiration. Useful when clients are complaining that their connection is being timed out too often.
      Note: debug crypto ike-common can be used for both IKEv1 and IKEv2
    • Advanced Troubleshooting with DART
    • AnyConnect Diagnostics and Reporting Tool …Useful for Troubleshooting AnyConnect Installation and Connection Problems
      To launch DART, go to the Status Overview tab and click on Diagnostics…
    • DART Wizard
      Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information. DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and what files you want to include in the bundle.
    • DART Wizard …Continued
    • DART Bundled Files
      Advanced Detailed Logs for Each Installed Module in AnyConnect
      DART BUNDLE SUMMARY
      Username: unknown (user is offline, or username was not specified in Request)
      Time: Tue Apr 05 17:12:17 2011
      OS: Win7 : WinNT 6.1.7600
      OS username: omar
      Upload URL: None (offline mode)
      DART Mode: User-Initiated/Offline Mode
      Bundle on client computer: C:\Users\omar\Desktop\DARTBundle_0405_1353.zip
      =============================================================================================
      Cisco AnyConnect Secure Mobility Client:
      Files Included in Bundle:
      ID                  Filename                                                          Description                                                        Truncate?  Final Size  Orig. Size
      ---------------------------------------------------------------------------------------------
      ac-install          update_pre3.0.txt                                                 AnyConnect install logs. Includes web and standalone install logs  No         10 bytes    10 bytes
      ac-install          anyconnect-win-2.3.0254-web-deploy-k9-install-22203701062010.log  AnyConnect install logs. Includes web and standalone install logs  No         322.35K     322.35K
      ac-install          update.txt                                                        AnyConnect install logs. Includes web and standalone install logs  No         10 bytes    10 bytes
      ac-install          VPNManifest.dat                                                   AnyConnect install logs. Includes web and standalone install logs  No         181 bytes   181 bytes
      ac-install          AnyConnectLocalPolicy.xml                                         AnyConnect install logs. Includes web and standalone install logs  No         589 bytes   589 bytes
      ac-install          UpdateHistory_20110405_124400_log.txt                             AnyConnect install logs. Includes web and standalone install logs  No         705 bytes   705 bytes
      ac-logs             AnyConnect_pre3.0.txt                                             AnyConnect application logs                                        No         3.62M       3.62M
      ac-logs             AnyConnect.txt                                                    AnyConnect application logs                                        No         227.40K     227.40K
      ac-logs             AnyConnect.evtx                                                   AnyConnect application logs                                        No         1.06M       1.06M
      ac-profile          CALO.xml                                                          AnyConnect Profile                                                 No         1.46K       1.46K
      ac-profile          AnyConnectProfile.xsd                                             AnyConnect Profile                                                 No         93.22K      93.22K
      global-preferences  preferences_global.xml                                            AnyConnect Global Preferences                                      No         546 bytes   546 bytes
      user-preferences    preferences.xml                                                   AnyConnect User Preferences                                        No         590 bytes   590 bytes
      va-runtime          setupapi.app.log                                                  Virtual Adapter runtime logs                                       No         320.88K     320.88K
      va-runtime          setupapi.dev.log                                                  Virtual Adapter runtime logs                                       No         9.70M       9.70M
      ---------------------------------------------------------------------------------------------
      MANY, MANY, MANY, MANY more…
    • Troubleshooting Trusted Network Detection
    • Persistent Security and Policy Enforcement
      Always-On VPN (diagram: a user on an untrusted network authenticates to the ASA, which uses WCCP to redirect web traffic to the Cisco Web Security Appliance; user identity comes from corporate AD; destinations shown include news, email, enterprise SaaS and social networking such as facebook.com; a user on the trusted network reaches the Internet through the same WSA policy)
    • Always On Security with ScanSafe
      Integration of Anywhere+ features since AnyConnect version 3.0 (diagram labels: AnyConnect, Internet bound web communications to ScanSafe, Internal communications)
    • Trusted Network Detection
      AnyConnect automatically disconnects a VPN connection when the user is inside the corporate network (the trusted network) and starts the VPN connection when the user is outside the corporate network (the untrusted network). This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network.
      NOTE: Because the TND feature controls the AnyConnect client GUI and automatically initiates connections, the GUI should run at all times.
    • TND Configuration
      ‒ You configure TND in the AnyConnect profile (AnyConnectProfile.xml)
      ‒ No configuration is needed on the ASA.
      ‒ The following text shows the Client Initialization section of the profile file with the TND parameters configured:
      <AutomaticVPNPolicy>true
        <TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
        <TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
        <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
        <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      </AutomaticVPNPolicy>
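      As an added example (not Cisco's client code and not from the deck), this Python parses the AutomaticVPNPolicy block above and shows which action a host would get for a given DNS suffix and DNS server list, including the wildcard entries. It assumes that when both TrustedDNSDomains and TrustedDNSServers are configured, both must match for the network to count as trusted; that rule is this example's assumption, not a statement about the client.

```python
"""Evaluate an AnyConnect Trusted Network Detection policy offline.

Added example, not Cisco code. ASSUMPTION: every configured list
(TrustedDNSDomains, TrustedDNSServers) must match for the network to be
trusted; an unconfigured list is ignored; nothing configured -> untrusted.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Profile fragment constructed around the block shown on the slide.
PROFILE_XML = """<AnyConnectProfile>
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
      <TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""

def _csv(policy_elem, tag):
    """Comma-separated child text -> list of patterns (empty list if absent)."""
    node = policy_elem.find(tag)
    text = node.text if node is not None and node.text else ""
    return [t.strip() for t in text.split(",") if t.strip()]

def load_policy(xml_text):
    """Return the TND settings, or None when AutomaticVPNPolicy is not 'true'."""
    pol = ET.fromstring(xml_text).find(".//AutomaticVPNPolicy")
    # The element carries 'true'/'false' as mixed content before its children.
    if pol is None or (pol.text or "").strip().lower() != "true":
        return None
    return {
        "domains": _csv(pol, "TrustedDNSDomains"),
        "servers": _csv(pol, "TrustedDNSServers"),
        "trusted": (pol.findtext("TrustedNetworkPolicy") or "DoNothing").strip(),
        "untrusted": (pol.findtext("UntrustedNetworkPolicy") or "DoNothing").strip(),
    }

def _match_any(value, patterns):
    # Wildcards like '*.cisco.com' and '10.44.124.*' use shell-style matching.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_trusted(policy, dns_suffix, dns_servers):
    checks = []
    if policy["domains"]:
        checks.append(_match_any(dns_suffix, policy["domains"]))
    if policy["servers"]:
        checks.append(any(_match_any(s, policy["servers"]) for s in dns_servers))
    return bool(checks) and all(checks)   # nothing configured -> cannot be trusted

def decide(policy, dns_suffix, dns_servers):
    """Action the client would take: TrustedNetworkPolicy or UntrustedNetworkPolicy."""
    return policy["trusted"] if is_trusted(policy, dns_suffix, dns_servers) else policy["untrusted"]

if __name__ == "__main__":
    p = load_policy(PROFILE_XML)
    print(decide(p, "corp.cisco.com", ["10.44.124.7"]))   # on the trusted network
    print(decide(p, "coffee.example.net", ["192.0.2.53"]))  # hotspot: start the VPN
```

A TND problem report is often a host whose DNS suffix matches but whose DNS servers do not (or the reverse); feeding the values from the user's adapter into decide() shows which list is failing.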
    • Mobile User Security (MUS) Configuration Example
      MUS is a "solution" which provides an "always-on" SSL VPN connection from a mobile user to the ASA, which then directs the traffic to one or more WSAs for content filtering.
      asa(config)# webvpn
      asa(config-webvpn)# mus 10.10.10.0 255.255.255.0 inside
      asa(config-webvpn)# mus password th1s!sap4sswd
      asa(config-webvpn)# mus server enable 960        (The default port is 610)
      asa(config-webvpn)# mus host mus.cisco.com
    • Debugging MUS Connections
      debug webvpn mus
      asa# Listening WSA on 11999
      MUS:timeout: Last update started 0; Next check in 5
      MUS:timeout: Last update started 0; Next check in 5
      MUS:timeout: Last update started 0; Next check in 5
      show webvpn mus
      ciscoasa(config)# show webvpn mus
      No active WSA connections
    • MUS Routing Problems
      One of the common problems in MUS implementations is routing issues due to a misconfigured or missing tunnel default gateway.
      (diagram: Client (AnyConnect) – Internet – ASA outside 209.165.200.224/27 (.225) / inside 10.10.10.0/24 (.254) – Web Security Appliance (WSA) at .123; WSA management interface on 192.168.1.0/24 (.254), Management (ASDM))
      route inside 0.0.0.0 0.0.0.0 10.10.10.123 tunneled
    • AnyConnect Telemetry Module
    • Introduction to the Telemetry Module
      The AnyConnect telemetry module for AnyConnect Secure Mobility Client sends information about the origin of malicious content to the web filtering infrastructure of the Cisco IronPort Web Security Appliance (WSA). The web filtering infrastructure uses this data to strengthen its web security scanning algorithms, improve the accuracy of the URL categories and web reputation database, and ultimately provide better URL filtering rules.
    • Capabilities of the Telemetry Module
      The AnyConnect Telemetry Module performs these functions:
      ‒ Monitors the arrival of content on the endpoint.
      ‒ Identifies and records the origin of any content received by the endpoint whenever possible.
      ‒ Reports detection of malicious content, and its origin, to Cisco's Threat Operations Center.
      ‒ Checks the ASA every 24 hours for an updated Host Scan image. If there is an updated Host Scan image available, it pulls down the image to the endpoint.
    • Troubleshooting Telemetry Problems
      Important Files During Troubleshooting (For Your Reference)
      actsettings.xml
        Installed on the endpoint at: %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Telemetry
        File contains the base configuration for Telemetry.
      telemetry_profile.tsp
        The name of this file is specified by the ASA administrator.
        Stored on the ASA. Its location is specified on the client profile screen (ASDM): Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
        All elements defined in this file overwrite those in the actsettings.xml file.
    • Host Scan and DAP
    • Host Scan & Posture Module Introduction
      The Posture Module provides the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The Host Scan application is the application that gathers this information (it performs several pre-login checks). It integrates very well with dynamic access policies (DAP).
    • Dynamic Access Policies (DAP)
      What is DAP?
      ‒ Authorizing users is much more complicated in a VPN environment than it is in a "static" network configuration
      ‒ DAP makes authorization easier for the administrator
    • Example of a Pre-Login Assessment
      Configured in a graphical sequence to determine whether the pre-login assessment results in the assignment of a particular policy or a denied remote access connection.
    • DAP AAA Configuration Attributes (For Your Reference)
      Attribute Type  Attribute Name         Source  Value   Max String Length  Description
      Cisco           aaa.cisco.grouppolicy  AAA     String  128                Group Policy Name
      Cisco           aaa.cisco.username     AAA     String  64                 Username value
      Cisco           aaa.cisco.ipaddress    AAA     Number  -                  Framed-ip address value
      Cisco           aaa.cisco.tunnelgroup  AAA     String  64                 Tunnel-group name
      LDAP            aaa.ldap.<label>       LDAP    String  128                LDAP attribute value pair
      RADIUS          aaa.radius.<number>    RADIUS  String  128                Radius attribute value pair
    • Debugging CSD and DAP
      debug dap trace
      ASA(config)# debug dap trace
      The DAP policy contains the following attributes:
      -------------------------------------------------
      1: action = continue
      DAP_open: C9EEE930
      DAP_add_CSD: csd_token = [4287F77A4F7347A553F4619C]
      [ 0]: aaa.cisco.username = user2
      [ 1]: aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
      dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";
      dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
      dap_clienttype_to_string(3) returns CLIENTLESS
      dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";
      dap_add_csd_data_to_lua:
      endpoint.os.version = "Windows XP";
      endpoint.os.servicepack = "2";
      endpoint.location = "Default";
      endpoint.protection = "secure desktop";
      endpoint.fw["MSWindowsFW"] = {};
      endpoint.fw["MSWindowsFW"].exists = "true";
    • Debugging CSD and DAP
      Continuation of the "debug dap trace" output…
      endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall";
      endpoint.fw["MSWindowsFW"].enabled = "true";
      endpoint.av["McAfeeAV"] = {};
      endpoint.av["McAfeeAV"].exists = "true";
      endpoint.av["McAfeeAV"].description = "McAfee VirusScan Enterprise";
      endpoint.av["McAfeeAV"].version = "7.0.0";
      endpoint.av["McAfeeAV"].activescan = "true";
      endpoint.av["McAfeeAV"].lastupdate = "132895";
      endpoint.as["SpyBot"] = {};
      endpoint.as["SpyBot"].exists = "true";
      endpoint.as["SpyBot"].description = "Spybot - Search & Destroy 1.4";
      endpoint.as["SpyBot"].version = "1.4";
      endpoint.as["SpyBot"].activescan = "false";
      endpoint.as["SpyBot"].lastupdate = "996895";
      endpoint.enforce = "success";
      Selected DAPs: McAfee-7,SpyBot
      dap_request: memory usage = 19%
      dap_process_selected_daps: selected 3 records
      dap_aggregate_attr: rec_count = 3
      DAP_close: C9EEE930
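      As an added example (not Cisco code), the following Python rebuilds the endpoint attribute tree from a `debug dap trace` capture like the two slides above and runs DAP-style selection rules over it, so a trace can be replayed offline to see why a record did or did not match. The sample trace is constructed from the lines on the slides; the rules are hypothetical stand-ins for the DAP endpoint criteria that actually live on the ASA.

```python
"""Rebuild the endpoint attribute tree from 'debug dap trace' output and
run DAP-style selection rules over it.

Added example, not Cisco code. SAMPLE_TRACE is constructed from the lines
shown on the slides; RULES are hypothetical stand-ins for DAP
endpoint-attribute criteria (the real DAP records are configured on the ASA).
"""
import re

AAA_RE = re.compile(r'aaa\["(\w+)"\]\["(\w+)"\]\s*=\s*"([^"]*)";')
ENDPOINT_RE = re.compile(r'(endpoint(?:\.\w+|\["[^"]+"\])+)\s*=\s*(.*?);$')
PATH_RE = re.compile(r'\.(\w+)|\["([^"]+)"\]')   # .os.version  or  ["McAfeeAV"]

SAMPLE_TRACE = """\
dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";
dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.fw["MSWindowsFW"] = {};
endpoint.fw["MSWindowsFW"].exists = "true";
endpoint.fw["MSWindowsFW"].enabled = "true";
endpoint.av["McAfeeAV"] = {};
endpoint.av["McAfeeAV"].exists = "true";
endpoint.av["McAfeeAV"].version = "7.0.0";
endpoint.av["McAfeeAV"].activescan = "true";
endpoint.as["SpyBot"] = {};
endpoint.as["SpyBot"].exists = "true";
endpoint.as["SpyBot"].activescan = "false";
endpoint.enforce = "success";
Selected DAPs: McAfee-7,SpyBot
"""

def parse_trace(text):
    """Return {'aaa': {...}, 'endpoint': {...}} nested dicts built from the trace."""
    aaa, endpoint = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = AAA_RE.search(line)
        if m:
            aaa.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = ENDPOINT_RE.search(line)
        if not m:
            continue                      # DAP_open, Selected DAPs, memory lines are skipped
        keys = [a or b for a, b in PATH_RE.findall(m.group(1))]
        value = m.group(2).strip()
        node = endpoint
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = {} if value == "{}" else value.strip('"')
    return {"aaa": aaa, "endpoint": endpoint}

def _rec(ep, kind, product):
    """Record for e.g. endpoint.av["McAfeeAV"]; empty dict when absent."""
    return ep.get(kind, {}).get(product, {})

# Hypothetical rules that reproduce the slide's "Selected DAPs: McAfee-7,SpyBot".
RULES = {
    "McAfee-7": lambda ep: (_rec(ep, "av", "McAfeeAV").get("activescan") == "true"
                            and _rec(ep, "av", "McAfeeAV").get("version", "").startswith("7.")),
    "SpyBot":   lambda ep: _rec(ep, "as", "SpyBot").get("exists") == "true",
    "NoHostFW": lambda ep: _rec(ep, "fw", "MSWindowsFW").get("enabled") != "true",
}

def select_daps(data, rules=RULES):
    """Names of the DAP records whose endpoint criteria match, in rule order."""
    return [name for name, test in rules.items() if test(data["endpoint"])]
```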
    • Complete Your Online Session Evaluation
      Give us your feedback and you could win fabulous prizes. Winners announced daily.
      Receive 20 Passport points for each session evaluation you complete.
      Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      Come see demos of many key solutions and products in the main Cisco booth 2924
      Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      Follow Cisco Live! using social media:
      ‒ Facebook: https://www.facebook.com/ciscoliveus
      ‒ Twitter: https://twitter.com/#!/CiscoLive
      ‒ LinkedIn Group: http://linkd.in/CiscoLI