Hướng dẫn cài đặt cisco vpn client Informational năm 2024

Trong Windows 10, việc cài đặt Cisco VPN Client có thể gặp sự cố. Khi bạn tiến hành cài đặt, chương trình thông báo lỗi “Error 27850. Không thể quản lý thành phần mạng. Có thể do hệ điều hành bị hỏng đang ngăn cản quá trình cài đặt. “ Vậy làm thế nào để sửa lỗi Error 27850 này và tiếp tục cài đặt Cisco VPN Client? Theo dõi bài viết dưới đây của Mytour nhé.

Cisco VPN Client là công cụ giúp bạn kết nối đến cổng mạng được mã hóa mạnh mẽ với độ bảo mật cao cho thiết bị di động của bạn. Nó hỗ trợ trên nhiều hệ điều hành như Windows, Mac, Linux, Solaris,… Tuy nhiên, để sử dụng công cụ này trên Windows 10, bạn cần khắc phục lỗi Error 27850 trước.

HƯỚNG DẪN SỬA LỖI ERROR 27850 KHI CÀI CISCO VPN Client

Bước 1: Đảm bảo rằng bạn đang sử dụng phiên bản Cisco VPN Client từ 5.0.0.7 trở lên. Bạn có thể tải phiên bản mới nhất tại trang chính thức của Cisco VPN Client

Bước 2: Nếu bạn đã cài đặt Cisco VPN Client phiên bản 5.0.0.7 trở lên và vẫn gặp lỗi Error 27850, hãy thử tải và cài đặt phiên bản mới nhất của DNE. Đây là công cụ hỗ trợ hệ điều hành, giao thức mạng kiểm soát và đo lường cơ sở hạ tầng mạng.

Tải DNE cho Windows 32-bit tại đây: Download DNE 32-bit

Tải DNE cho Windows 64-bit tại đây: Download DNE 64-bit

Bước 3: Thực hiện cài đặt DNE từ tệp tin đã được tải về để khắc phục lỗi Error 27850.

Bước 4: Sau khi hoàn tất cài đặt DNE, thử lại việc cài đặt Cisco VPN Client và kiểm tra xem lỗi Error 27850 còn xuất hiện không.

Dưới đây là hướng dẫn giúp bạn khắc phục sự cố 27850 khi cài đặt Cisco VPN Client - một công cụ mạnh mẽ để thiết lập và quản lý máy chủ VPN. Tuy nhiên, nếu bạn đang tìm kiếm một giải pháp kết nối đến máy chủ VPN, thì SoftEther VPN Server là sự lựa chọn phù hợp, dễ cài đặt và sử dụng trên Windows 10. Chúc bạn thành công!

Nội dung được phát triển bởi đội ngũ Mytour với mục đích chăm sóc và tăng trải nghiệm khách hàng.

The AnyConnect client provides many options for automatically connecting, reconnecting, or disconnecting VPN sessions. These options provide a convenient way for your users to connect to your VPN, and they also support your network security requirements.

Starting and Restarting AnyConnect Connections

to provide the names and addresses of the secure gateways your users will manually connect to.

Choose from the following AnyConnect capabilities to provide convenient, automatic VPN connectivity:

Also, consider using the following Automatic VPN Policy options to enforce greater network security or restrict network access to the VPN only:

Renegotiating and Maintaining the AnyConnect Connection

You can limit how long the ASA keeps an AnyConnect VPN connection available to the user even with no activity. If a VPN session goes idle, you can terminate the connection or re-negotiate the connection.

• Keepalive—The ASA sends keepalive messages at regular intervals. These messages are ignored by the ASA, but are useful in maintaining connections with devices between the client and the ASA. For instructions to configure Keepalive with the ASDM or CLI, see the Enable Keepalive section in the Cisco ASA Series VPN Configuration Guide.
• Dead Peer Detection—The ASA and AnyConnect client send "R-U-There" messages. These messages are sent less frequently than IPsec's keepalive messages. You can enable both the ASA [gateway] and the AnyConnect client to send DPD messages, and configure a timeout interval.
  • If the client does not respond to the ASA’s DPD messages, the ASA tries once more before putting the session into "Waiting to Resume" mode. This mode allows the user to roam networks, or enter sleep mode and later recover the connection. If the user does not reconnect before the idle timeout occurs, the ASA will terminate the tunnel. The recommended gateway DPD interval is 300 seconds.
  • If the ASA does not respond to the client's DPD messages, the client tries again before terminating the tunnel. The recommended client DPD interval is 30 seconds. For instructions to configure DPD within the ASDM, refer to Configure Dead Peer Detection in the appropriate release of the Cisco ASA Series VPN Configuration Guide.
• Best Practices:
  • Set Client DPD to 30 seconds [Group Policy > Advanced > AnyConnect Client > Dead Peer Detection].
  • Set Server DPD to 300 seconds [Group Policy > Advanced > AnyConnect Client > Dead Peer Detection].
  • Set Rekey, for both SSL and IPsec to 1 hour [Group Policy > Advanced > AnyConnect Client > Key Regeneration].

Terminating an AnyConnect Connection

Terminating an AnyConnect connection requires the user to re-authenticate their endpoint to the secure gateway and create a new VPN connection.

The following connection parameters terminate the VPN session based on timeouts:

• Maximum Connect Time—Sets the maximum user connection time in minutes. At the end of this time, the system terminates the connection. You can also allow unlimited connection time[default].
• VPN Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. If the VPN idle timeout is not configured, then the default idle timeout is used.
• Default Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. The default value is 30 minutes. The default is 1800 second.

See the Specify a VPN Session Idle Timeout for a Group Policy section in the appropriate release of the Cisco ASA Series VPN Configuration Guide to set these parameters.

Configure VPN Connection Servers

The AnyConnect VPN server list consists of host name and host address pairs identifying the secure gateways that your VPN users will connect to. The host name can be an alias, an FQDN, or an IP address.

The hosts added to the server list display in the Connect to drop-down list in the AnyConnect GUI. The user can then select from the drop-down list to initiate a VPN connection. The host at the top of the list is the default server, and appears first in the GUI drop-down list. If the user selects an alternate server from the list, the selected server becomes the new default server.

Once you add a server to the server list, you can view its details and edit or delete the server entry. To add a server to the server list, follow this procedure.

Procedure

Step 1

Open the VPN Profile Editor and choose Server List from the navigation pane.

Step 2

Click Add.

Step 3

Configure the server’s host name and address:

1. Enter a Host Display Name, an alias used to refer to the host, an FQDN, or an IP address. Do not use "&" or " Internet Options > Connections tab. When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies applied to that tab. The conditions under which this lock down occurs are the following:
   • The ASA configuration specifies Connections tab lockdown.
   • The ASA configuration specifies a private-side proxy.
   • A Windows group policy previously locked down the Connections tab [overriding the no lockdown ASA group policy setting].

   You can configure the ASA to allow or not allow proxy lockdown, in the group policy. To do this using ASDM, follow this procedure:

   Procedure

   Step 1

   In ASDM go to .

   Step 2

   Select a group policy and click Edit or Add a new group policy.

   Step 3

   In the navigation pane, go to . The Proxy Server Policy pane displays.

   Step 4

   Click Proxy Lockdown to display more proxy settings.

   Step 5

   Uncheck Inherit and select Yes to enable proxy lockdown and hide the Internet Explorer Connections tab for the duration of the AnyConnect session or; select No to disable proxy lockdown and expose the Internet Explorer Connections tab for the duration of the AnyConnect session.

   Step 6

   Click OK to save the Proxy Server Policy changes.

   Step 7

   Click Apply to save the Group Policy changes.

   Verify the Proxy Settings

   • For Windows: Find the proxy settings in the registry under:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

   • For macOS: Open a terminal window, and type:

     scutil --proxy

   Select and Exclude VPN Traffic

   Configure IPv4 or IPv6 Traffic to Bypass the VPN

   You can configure how the AnyConnect client manages IPv4 traffic when the ASA is expecting only IPv6 traffic or how AnyConnect manages IPv6 traffic when the ASA is only expecting IPv4 traffic using the Client Bypass Protocol setting.

   When the AnyConnect client makes a VPN connection to the ASA, the ASA can assign the client an IPv4, IPv6, or both an IPv4 and IPv6 address.

   If Client Bypass Protocol is enabled for an IP protocol and an address pool is not configured for that protocol [in other words, no IP address for that protocol was assigned to client by the ASA], any IP traffic using that protocol will not be sent through the VPN tunnel. It will be sent outside the tunnel.

   If Client Bypass Protocol is disabled, and an address pool is not configured for that protocol, the client drops all traffic for that IP protocol once the VPN tunnel is established.

   For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped. If Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.

   If establishing an IPsec tunnel [as opposed to an SSL connection], the ASA is not notified whether or not IPv6 is enabled on the client, so ASA always pushes down the client bypass protocol setting.

   You configure the Client Bypass Protocol on the ASA in the group policies.

   Procedure

   Step 1

   In ASDM go to .

   Step 2

   Select a group policy and click Edit or Add a new group policy.

   Step 3

   Select .

   Step 4

   Next to Client Bypass Protocol, uncheck Inherit if this is a group policy other than the default group policy.

   Step 5

   Choose one of these options:

   • Click Disable to drop IP traffic for which the ASA did not assign an address.
   • Click Enable to send that IP traffic in the clear.

   Step 6

   Click OK.

   Step 7

   Click Apply.

   Configure a Client Firewall with Local Printer and Tethered Device Support

   See the section in the Cisco ASA Series Configuration Guide.

   Split DNS

   When split DNS is configured in the Network [Client] Access group policy, AnyConnect tunnels specific DNS queries to the private DNS server [also configured in the group policy]. All other DNS queries go to the DNS resolver on the client operating system, in the clear, for DNS resolution. If split DNS is not configured, AnyConnect tunnels all DNS queries.

   If split DNS is not configured, AnyConnect tunnels all DNS queries.

   Requirements for Split DNS

   Split DNS supports standard and update queries [including A, AAAA, NS, TXT, MX, SOA, ANY, SRV, PTR, and CNAME]. PTR queries matching any of the tunneled networks are allowed through the tunnel.

   Split DNS is supported on Windows and macOS platforms.

   • Limited support is available on Linux, namely only tunneled DNS requests are subject to the split DNS policy. Consequently, some DNS requests sent outside the tunnel may not comply with the split DNS policy.

   For macOS, AnyConnect can use true split-DNS for a certain IP protocol only if one of the following conditions is met:

   • Split-DNS is configured for one IP protocol [such as IPv4], and Client Bypass Protocol is configured for the other IP protocol [such as IPv6] in the group policy [with no address pool configured for the latter IP protocol].
   • Split-DNS is configured for both IP protocols.

   Configure Split DNS for Split Include Tunneling

   To configure split DNS for split include tunneling in the group policy, do the following:

   Procedure

   Step 1

   Configure at least one DNS server.

   See the Configure Server Attributes for an Internal Group Policy section in the Cisco ASA Series VPN Configuration Guide.

   Ensure the private DNS servers specified do not overlap with the DNS servers configured for the client platform. If they do, name resolution may not function properly.

   Step 2

   Configure split-include tunneling:

   On the Configuration > Remote Access VPN > Network [Client] Access > Group Policies > Advanced > Split Tunneling pane, choose theTunnel Network List Belowpolicy, and specify a Network List of addresses to be tunneled.

   Split-DNS does not support the Exclude Network List Below split-tunneling policy. You must use the Tunnel Network List Below split-tunneling policy to configure split-DNS.

   Step 3

   On the Configuration > Remote Access VPN > Network [Client] Access > Group Policies > Advanced > Split Tunneling pane, uncheck Send All DNS lookups through tunnel, and specify the names of the domains whose queries will be tunneled in DNS Names.

   What to do next

   After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network [Client] Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.

   Verify Split DNS Using AnyConnect Logs

   Check Which Domains Use Split DNS

   You can use any tool or application that relies on the operating system’s DNS resolver for domain name resolution. For example, you can use a ping or web browser to test the split DNS solution. Other tools such as nslookup or dig circumvent the OS DNS resolver.

   To use the client to check which domains are used for split DNS, follow these steps:

   Procedure

   Step 1

   Run ipconfig/all and record the domains listed next to DNS Suffix Search List.

   Step 2

   Establish a VPN connection and again check the domains listed next to DNS Suffix Search List.

   Those extra domains added after establishing the tunnel are the domains used for split DNS.

   Note

   This process assumes that the domains pushed from the ASA do not overlap with the ones already configured on the client host.

   Manage VPN Authentication

   Important Security Considerations

   We do not recommend using a self-signed certificate on your secure gateway

   • because of the possibility that a user could inadvertently configure a browser to trust a certificate on a rogue server, and
   • because of the inconvenience to users of having to respond to a security warning when connecting to your secure gateway.

   We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client. To configure Strict Certificate Trust, see the Local Policy Parameters and Values section: .

   Configure Server Certificate Handling

   Server Certificate Verification

   • The AnyConnect client does not support certificate verification using certificate revocation lists [CRL]. Many sites position the Certificate Authority they use to validate server certificates inside the corporate network. That means that a client cannot verify CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client operating system can be configured to verify CRL in Windows and Mac OS X, but we ignore that setting.
   • [Windows only] For both SSL and IPsec VPN connections, you have the option to perform Certificate Revocation List [CRL] checking. When enabled in the profile editor, AnyConnect retrieves the updated CRL for all certificates in the chain. It then verifies whether the certificate in question is among those revoked certificates which should no longer be trusted; and if found to be a certificate revoked by the Certificate Authority, it does not connect. Refer to for further information.
   • When a user connects to an ASA that is configured with a server certificate, the checkbox to trust and import that certificate will still display, even if there is a problem with the trust chain [Root, Intermediate, etc.] If there are any other certificate problems, that checkbox will not display.
   • SSL connections being performed via FQDN do not make a secondary server certificate verification with the FQDN's resolved IP address for name verification if the initial verification using the FQDN fails.
   • IPsec and SSL connections require that if a server certificate contains Key Usage, the attributes must contain DigitalSignature AND [KeyAgreement OR KeyEncipherment]. If the server certificate contains an EKU, the attributes must contain serverAuth [for SSL and IPsec] or ikeIntermediate [for IPsec only]. Note that server certificates are not required to have a KU or an EKU to be accepted.
   • IPsec and SSL connections perform name verification on server certificates. The following rules are applied for the purposes of IPsec and SSL name verification:
     • If a Subject Alternative Name extension is present with relevant attributes, name verification is performed solely against the Subject Alternative Name. Relevant attributes include DNS Name attributes for all certificates, and additionally include IP address attributes if the connection is being performed to an IP address.
     • If a Subject Alternative Name extension is not present, or is present but contains no relevant attributes, name verification is performed against any Common Name attributes found in the Subject of the certificate.
     • If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first [left-most] subdomain only, and additionally must be the last [right-most] character in the subdomain. Any wildcard entry not in compliance is ignored for the purposes of name verification.
   • For OSX, expired certificates are displayed only when Keychain Access is configured to “Show Expired Certificates.” Expired certificates are hidden by default, which may confuse users.

   Invalid Server Certificate Handling

   In response to the increase of targeted attacks against mobile users on untrusted networks, we have improved the security protections in the client to help prevent serious security breaches. The default client behavior has been changed to provide an extra layer of defense against Man-in-the-middle attacks.

   User Interaction

   When the user tries to connect to a secure gateway, and there is a certificate error [due to expired, invalid date, wrong key usage, or CN mismatch], the user sees a red-colored dialog with Change Settings and Keep Me Safe buttons.

   Note

   The dialogs for Linux may look different from the ones shown in this document.

   • Clicking Keep Me Safe cancels the connection.
   • Clicking Change Settings opens AnyConnect’s Advanced > VPN >Preferences dialog, where the user can enable connections to untrusted servers. The current connection attempt is canceled.

   If the user un-checks Block connections to untrusted servers, and the only issue with the certificate is that the CA is untrusted, then the next time the user attempts to connect to this secure gateway, the user will not see the Certificate Blocked Error Dialog dialog; they only see the following dialog:

   If the user checks Always trust this VPN server and import the certificate, then future connections to this secure gateway will not prompt the user to continue.

   Note

   If the user checks Block connections to untrusted servers in AnyConnect Advanced > VPN > Preferences, or if the user’s configuration meets one of the conditions in the list of the modes described under the guidelines and limitations section, then AnyConnect rejects invalid server certificates and connections to untrusted servers, regardless of whether the Strict Certificate Trust option in the Profile Editor is enabled.

   Improved Security Behavior

   When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates.

   There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user’s local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt.

   For information about enabling Strict Certificate Trust in the local policy file, see the AnyConnect Local Policy Parameters and Values section: .

   Guidelines and Limitations

   Invalid server certificates are rejected when:

   • Always On is enabled in the AnyConnect VPN client profile and is not turned off by an applied group policy or DAP.
   • The client has a Local Policy with Strict Certificate Trust enabled.
   • AnyConnect is configured to start before logon.
   • A client certificate from the machine certificate store is used for authentication.

   Configure Certificate-Only Authentication

   You can specify whether you want users to authenticate using AAA with a username and password or using a digital certificate [or both]. When you configure certificate-only authentication, users can connect with a digital certificate and are not required to provide a user ID and password.

   To support certificate-only authentication in an environment where multiple groups are used, you may provision more than one group-url. Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the ASA to place the user in this group when the certificate from this process is presented to the ASA.

   Note

   The certificate used to authenticate the client to the secure gateway must be valid and trusted [signed by a CA]. A self-signed client certificate will not be accepted.

   Procedure

   Step 1

   Go to . Select a connection profile and click Edit. The Edit AnyConnect Connection Profile window opens.

   Step 2

   If it is not already, click the Basic node of the navigation tree on the left pane of the window. In the right pane of the window, in the Authentication area, enable the methodCertificate.

   Step 3

   Click OK and apply your changes.

   Configure Certificate Enrollment

   The Cisco AnyConnect Secure Mobility Client uses the Simple Certificate Enrollment Protocol [SCEP] to provision and renew a certificate as part of client authentication. Certificate enrollment using SCEP is supported by AnyConnect IPsec and SSL VPN connections to the ASA in the following ways:

   • SCEP Proxy: The ASA acts as a proxy for SCEP requests and responses between the client and the Certificate Authority [CA].
     • The CA must be accessible to the ASA, not the AnyConnect client, since the client does not access the CA directly.
     • Enrollment is always initiated automatically by the client. No user involvement is necessary.
   • Legacy SCEP: The AnyConnect client communicates with the CA directly to enroll and obtain a certificate.
     • The CA must be accessible to the AnyConnect client, not the ASA, through an established VPN tunnel or directly on the same network the client is on.
     • Enrollment is initiated automatically by the client and may be initiated manually by the user if configured.

   SCEP Proxy Enrollment and Operation

   The following steps describe how a certificate is obtained and a certificate-based connection is made when AnyConnect and the ASA are configured for SCEP Proxy.

   1. The user connects to the ASA headend using a connection profile configured for both certificate and AAA authentication. The ASA requests a certificate and AAA credentials for authentication from the client.
   2. The user enters his/her AAA credentials, but a valid certificate is not available. This situation triggers the client to send an automatic SCEP enrollment request after the tunnel has been established using the entered AAA credentials.
   3. The ASA forwards the enrollment request to the CA and returns the CA’s response to the client.
   4. If SCEP enrollment is successful, the client presents a [configurable] message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group. If SCEP enrollment fails, the client displays a [configurable] message to the user and disconnects the current session. The user should contact his/her administrator.

   Other SCEP Proxy operational considerations:

   • If configured to do so, the client automatically renews the certificate before it expires, without user intervention.
   • SCEP Proxy enollment uses SSL for both SSL and IPsec tunnel certificate authentication.

   Legacy SCEP Enrollment and Operation

   The following steps describe how a certificate is obtained and a certificate-based connection is made when AnyConnect is configured for Legacy SCEP.

   1. When the user initiates a connection to the ASA headend using a tunnel group configured for certificate authentication, the ASA requests a certificate for authentication from the client.
   2. A valid certificate is not available on the client. The connection cannot be established. This certificate failure indicates that SCEP enrollment needs to occur.
   3. The user must then initiate a connection to the ASA headend using a tunnel group configured for AAA authentication only whose address matches the Automatic SCEP Host configured in the client profile. The ASA requests the AAA credentials from the client.
   4. The client presents a dialog box for the user to enter AAA credentials.

      If the client is configured for manual enrollment and the client knows it needs to initiate SCEP enrollment [see Step 2], a Get Certificate button displays on the credentials dialog box. If the client has direct access to the CA on his/her network, the user will be able to manually obtain a certificate by clicking this button at this time.

      Note

      If access to the CA relies on the VPN tunnel being established, manual enrollment cannot be done at this time because there is currently no VPN tunnel established [AAA credentials have not been entered].

   5. The user enters AAA credentials and establishes a VPN connection.
   6. The client knows it needs to initiate SCEP enrollment [see Step 2]. It initiates an enrollment request to the CA through the established VPN tunnel, and a response is received from the CA.
   7. If SCEP enrollment is successful, the client presents a [configurable] message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group. If SCEP enrollment fails, the client displays a [configurable] message to the user and disconnects the current session. The user should contact his/her administrator.

   Other Legacy SCEP operational considerations:

   • If the client is configured for manual enrollment and the Certificate Expiration Threshold value is met, a Get Certificate button displays on a presented tunnel group selection dialog box. Users can manually renew their certificate by clicking this button.
   • If the certificate expires and the client no longer has a valid certificate, the client repeats the Legacy SCEP enrollment process.

   Certificate Authority Requirements

   • All SCEP-compliant CAs, including IOS CS, Windows Server 2003 CA, and Windows Server 2008 CA, are supported.
   • The CA must be in auto-grant mode; polling for certificates is not supported.
   • You can configure some CAs to email users an enrollment password for an additional layer of security. The CA password is the challenge password or token that is sent to the certificate authority to identify the user. The password can then be configured in the AnyConnect client profile, which becomes part of SCEP request that the CA verifies before granting the certificate.

   Guidelines for Certificate Enrollment

   • Clientless [browser-based] VPN access to the ASA does not support SCEP proxy, but WebLaunch [clientless-initiated AnyConnect] does.
   • ASA Load balancing is supported with SCEP enrollment.
   • The ASA does not indicate why an enrollment failed, although it does log the requests received from the client. Connection problems must be debugged on the CA or the client.
   • Certificate-Only Authentication and Certificate Mapping on the ASA: To support certificate-only authentication in an environment where multiple groups are used, you may provision more than one group-url. Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the ASA to place the user in this tunnel group when the certificate from this process is presented to the ASA.
   • Identifying Enrollment Connections to Apply Policies: On the ASA, the aaa.cisco.sceprequired attribute can be used to catch the enrollment connections and apply the appropriate policies in the selected DAP record.
   • Windows Certificate Warning: When Windows clients first attempt to retrieve a certificate from a certificate authority they may see a warning. When prompted, users must click Yes. This allows them to import the root certificate. It does not affect their ability to connect with the client certificate.

   Configure SCEP Proxy Certificate Enrollment

   Configure a VPN Client Profile for SCEP Proxy Enrollment

   Procedure

   Step 1

   Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.

   Step 2

   Select Certificate Enrollment.

   Step 3

   Configure the Certificate Contents to be requested in the enrollment certificate. For definitions of the certificate fields, see .

   Note

   • If you use %machineid%, then Hostscan/Posture must be loaded for the desktop client.
   • For mobile clients, at least one certificate field must be specified.

   Configure the ASA to Support SCEP Proxy Enrollment

   For SCEP Proxy, a single ASA connection profile supports certificate enrollment and the certificate authorized VPN connection.

   Procedure

   Step 1

   Create a group policy, for example, cert_group. Set the following fields:

   • On General, enter the URL to the CA inSCEP Forwarding URL.
   • On the Advanced > AnyConnect Client pane, uncheck Inherit for Client Profiles to Download and specify the client profile configured for SCEP Proxy. For example, specify the ac_vpn_scep_proxy client profile.

   Step 2

   Create a connection profile for certificate enrollment and certificate authorized connection, for example, cert_tunnel.

   • Authentication: Both [AAA and Certificate].
   • Default Group Policy: cert_group.
   • On Advanced > General, check Enable SCEP Enrollment for this Connction Profile.
   • On Advanced > GroupAlias/Group URL, create a Group URL containing the group [cert_group] for this connection profile.

   Configure Legacy SCEP Certificate Enrollment

   Configure a VPN Client Profile for Legacy SCEP Enrollment

   Procedure

   Step 1

   Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.

   Step 2

   Select Certificate Enrollment.

   Step 3

   Specify an Automatic SCEP Host to direct the client to retrieve the certificate.

   Enter the FQDN or IP address, and the alias of the connection profile [tunnel group] that is configured for SCEP certificate retrieval. For example, if asa.cisco.com is the host name of the ASA and scep_eng is the alias of the connection profile, enter asa.cisco.com/scep-eng.

   When the user initiates the connection, the address chosen or specified must match this value exactly for Legacy SCEP enrollment to succeed. For example, if this field is set to an FQDN, but the user specifies an IP address, SCEP enrollment will fail.

   Step 4

   Configure the Certificate Authority attributes:

   Note

   Your CA server administrator can provide the CA URL and thumbprint. Retrieve the thumbprint directly from the server, not from a “fingerprint” or “thumbprint” attribute field in an issued certificate.

   1. Specify a CA URL to identify the SCEP CA server. Enter an FQDN or IP address. For example: //ca01.cisco.com/certsrv/mscep/mscep.dll.
   2. [Optional] Check Prompt For Challenge PW to prompt users for their username and one-time password.
   3. [Optional] Enter a thumbprint for the CA certificate. Use SHA1 or MD5 hashes. For example: 8475B661202E3414D4BB223A464E6AAB8CA123AB. Step 5

   Configure which Certificate Contents to request in the enrollment certificate. For definitions of the certificate fields, see .

   Note

   If you use %machineid%, load HostScan/Posture on the client.

   Step 6

   [Optional] Check Display Get Certificate Button to permit users to manually request provisioning or renewal of authentication certificates. The button is visible to users if the certificate authentication fails.

   Step 7

   [Optional] Enable SCEP for a specific host in the server list. Doing this overrides the SCEP settings in the Certificate Enrollment pane described above.

   1. Choose Server List from the navigation pane.
   2. Add or Edit a server list entry.
   3. Specify the Automatic SCEP Host and Certificate Authority attributes as described in Steps 5 and 6 above.

   Configure the ASA to Support Legacy SCEP Enrollment

   For Legacy SCEP on the ASA, you must create a connection profile and group policy for certificate enrollment and a second connection profile and group policy for the certificate authorized VPN connection.

   Procedure

   Step 1

   Create a group policy for enrollment, for example, cert_enroll_group. Set the following fields:

   On the Advanced > AnyConnect Client pane, uncheckInherit for Client Profiles to Download and specify the client profile configured for Legacy SCEP. For example, specify the ac_vpn_legacy_scep client profile.

   Step 2

   Create a second group policy for authorization, for example, cert_auth_group.

   Step 3

   Create a connection profile for enrollment, for example, cert_enroll_tunnel. Set the following fields:

   • On the Basic pane, set the Authentication Method to AAA.
   • On the Basic pane, set the Default Group Policy to cert_enroll_group.
   • On Advanced > GroupAlias/Group URL, create a Group URL containing the enrollment group [cert_enroll_group] for this connection profile.
   • Do not enable the connection profile on the ASA. It is not necessary to expose the group to users in order for them to have access to it.

   Step 4

   Create a connection profile for authorization, for example, cert_auth_tunnel. Set the following fields.

   • On the Basic pane, set the Authentication Method to Certificate.
   • On the Basic pane, set the Default Group Policy to cert_auth_group.
   • Do not enable this connection profile on the ASA. It is not necessary to expose the group to users in order for them to access it.

   Step 5

   [Optional] On the General pane of each group policy, setConnection Profile [Tunnel Group] Lock to the corresponding SCEP connection profile, which restricts traffic to the SCEP-configured connection profile.

   Set Up a Windows 2008 Server Certificate Authority for SCEP

   If your Certificate Authority software is running on a Windows 2008 server, you may need to make one of the following configuration changes to the server to support SCEP with AnyConnect.

   Disable the SCEP Password on the Certificate Authority

   The following steps describe how to disable the SCEP challenge password, so that clients will not need to provide an out-of-band password before SCEP enrollment.

   Procedure

   Step 1

   On the Certificate Authority server, launch the Registry Editor. You can do this by selecting , typing regedit , and clicking OK.

   Step 2

   Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword.

   If the EnforcePassword key does not exist, create it as a new Key.

   Step 3

   Edit EnforcePassword, and set it to '0'. If it does not exist, create it as a REG-DWORD.

   Step 4

   Exit regedit, and reboot the certificate authority server.

   Setting the SCEP Template on the Certificate Authority

   The following steps describe how to create a certificate template, and assign it as the default SCEP template.

   Procedure

   Step 1

   Launch the Server Manager. You can do this by selecting Start > Admin Tools > Server Manager.

   Step 2

   Expand Roles > Certificate Services [or AD Certificate Services].

   Step 3

   Navigate to CA Name > Certificate Templates.

   Step 4

   Right-click Certificate Templates > Manage.

   Step 5

   From the Cert Templates Console, right-click User template and choose Duplicate

   Step 6

   Choose Windows Server 2008 version for new template, and click OK.

   Step 7

   Change the template display name to something descriptive, such as NDES-IPSec-SSL.

   Step 8

   Adjust the Validity Period for your site. Most sites choose three or more years to avoid expired certificates.

   Step 9

   On the Cryptography tab, set the minimum key size for your deployment.

   Step 10

   On the Subject Name tab, select Supply in Request.

   Step 11

   On the Extensions tab, set the Application Policies to include at least:

   • Client Authentication
   • IP security end system
   • IP security IKE intermediate
   • IP security tunnel termination
   • IP security user

   These values are valid for SSL or IPsec.

   Step 12

   Click Apply, then OK to save new template.

   Step 13

   From Server manager > Certificate Services-CA Name, right-click Certificate Templates. Select New > Certificate Template to Issue, select the new template you created [in this example, NDES-IPSec-SSL], and click OK.

   Step 14

   Edit the registry. You can do this by selecting Start > Run, regedit, and clicking OK.

   Step 15

   Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

   Step 16

   Set the value of the following three keys to NDES-IPSec-SSL.

   • EncryptionTemplate
   • GeneralPurposeTemplate
   • SignatureTemplate

   Step 17

   Click Save, and reboot the certificate authority server.

   Configure a Certificate Expiration Notice

   Configure AnyConnect to warn users that their authentication certificate is about to expire. The Certificate Expiration Threshold setting specifies the number of days before the certificate’s expiration date that AnyConnect warns users that their certificate is expiring. AnyConnect warns the user upon each connect until the certificate has actually expired or a new certificate has been acquired.

   Note

   The Certificate Expiration Threshold feature cannot be used with RADIUS.

   Procedure

   Step 1

   Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.

   Step 2

   Select Certificate Enrollment.

   Step 3

   Specify a Certificate Expiration Threshold.

   This is the number of days before the certificate expiration date, that AnyConnect warns users that their certificate is going to expire.

   The default is 0 [no warning displayed]. The range is 0 to 180 days.

   Step 4

   Click OK.

   Configure Certificate Selection

   The following steps show all the places in the AnyConnect profiles where you configure how certificates are searched for and how they are selected on the client system. None of the steps are required, and if you do not specify any criteria, AnyConnect uses default key matching.

   AnyConnect reads the browser certificate stores on Windows. For macOS and Unix, you must create a Privacy Enhanced Mail [PEM] formatted file store.

   Procedure

   Configure Which Certificate Stores to Use

   Windows provides separate certificate stores for the local machine and for the current user. Specify which certificate stores are used by AnyConnect in the VPN client profile. By default, it searches both, but you can configure AnyConnect to use only one.

   Users with administrative privileges on the computer have access to both certificate stores. Users without administrative privileges only have access to the user certificate store. Usually, Windows users do not have administrative privileges. SelectingCertificate Store Override allows AnyConnect to access the machine store, even when the user does not have administrative privileges.

   Note

   Access-control for the machine store can vary depending on the Windows version and security settings. Because of this, the user may be unable to use certificates in the machine store even though they have administrative privileges. In this case, select Certificate Store Override to allow machine store access.

   The following table describes how AnyConnect searches for certificates on a client based on whatCertificate Store is searched, and whetherCertificate Store Override is checked.

   Certificate Store Setting

   Certificate Store Override Setting

   AnyConnect Search Strategy

   All [for Windows]

   cleared

   AnyConnect searches all certificate stores. AnyConnect is not allowed to access the machine store when the user does not have administrative privileges.

   This setting is the default. This setting is appropriate for most cases. Do not change this setting unless you have a specific reason or scenario requirement to do so.

   All [for Windows]

   checked

   AnyConnect searches all certificate stores. AnyConnect is allowed to access the machine store when the user does not have administrative privileges.

   Machine

   [not a multi-cert option]

   checked

   AnyConnect searches the machine certificate store. AnyConnect is allowed to search the machine store when the user does not have administrative privileges.

   Machine

   [not a multi-cert option]

   cleared

   AnyConnect searches the machine certificate store. AnyConnect is not allowed to search the machine store when the user does not have administrative privileges.

   Note

   This configuration can be used when only a limited group of users is allowed to authenticate using a certificate.

   User [for Windows]

   does not apply

   AnyConnect searches in the user certificate store only. The certificate store override is not applicable because users without administrative rights can have access to this certificate store.

   All [for Linux]

   does not apply

   AnyConnect uses client certificates from both system and user PEM file stores, as well as the user Firefox NSS store.

   Machine [for Linux]

   does not apply

   AnyConnect uses client certificate stores only from the system PEM file store.

   User [for Linux]

   does not apply

   AnyConnect uses client certificates only from the user PEM file store, as well as the user Firefox NSS store.

   With Basic Certificate Authentication

   Procedure

   Step 1

   Set Certificate Store.

   • All—[Default] Directs the AnyConnect client to use all certificate stores for locating certificates.
   • Machine—Directs the AnyConnect client to restrict certificate lookup to the Windows local machine certificate store.
   • User—Directs the AnyConnect client to restrict certificate lookup to the local user certificate stores.

   Step 2

   Choose Certificate Store Override if you want to allow AnyConnect to search the machine certificate store when users do not have administrative privileges.

   Prompt Windows Users to Select Authentication Certificate

   You can configure the AnyConnect to present a list of valid certificates to users and let them choose the certificate to authenticate the session. An expired certificate is not necessarily considered invalid. For example, if you are using SCEP, the server might issue a new certificate to the client. Eliminating expired certificates might keep a client from connecting at all; thus requiring manual intervention and out-of-band certificate distribution. AnyConnect only restricts the client certificate based on security-related properties, such as key usage, key type and strength, and so on, based on configured certificate matching rules. This configuration is available only for Windows. By default, user certificate selection is disabled.

   Procedure

   Step 1

   Open the VPN Profile Editor and choose Preferences [Part 2] from the navigation pane.

   Step 2

   To enable certificate selection, uncheck Disable Certificate Selection.

   Step 3

   Uncheck User Controllable, unless you want users to be able to turn automatic certificate selection on and off in the pane.

   Create a PEM Certificate Store for macOS and Linux

   AnyConnect supports certificate retrieval from a Privacy Enhanced Mail [PEM] formatted file store. AnyConnect reads PEM-formatted certificate files from the file system on the remote computer, verifies, and signs them.

   Before you begin

   In order for the client to acquire the appropriate certificates under all circumstances, ensure that your files meet the following requirements:

   • All certificate files must end with the extension .pem.
   • All private key files must end with the extension .key.
   • A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key.
     Tip

     Instead of keeping copies of the PEM files, you can use soft links to PEM files.

   To create the PEM file certificate store, create the paths and folders listed below. Place the appropriate certificates in these folders:

   PEM File Certificate Store Folders

   Type of Certificates Stored

   ~/.cisco/certificates/ca

   Note

   .cisco/ is located in the home directory.

   Trusted CA and root certificates

   ~/.cisco/certificates/client

   Client certificates

   ~/.cisco/certificates/client/private

   Private keys

   Machine certificates are the same as PEM file certificates, except for the root directory. For machine certificates, substitute /opt/.cisco for ~/.cisco. Otherwise, the paths, folders, and types of certificates listed apply.

   Configure Certificate Matching

   AnyConnect can limit its search of certificates to those certificates that match a specific set of keys. Certificate matchings are global criteria that are set in an AnyConnect VPN client profile, in the Certificate Matching pane. The criteria are:

   • Key Usage
   • Extended Key Usage
   • Distinguished Name
   Configure Key Usage

   Selecting the Key Usage keys limits the certificates that AnyConnect can use to those certificates that have at least one of the selected keys. The supported set is listed in the Key Usage list on the VPN client profile, and it includes:

   • DECIPHER_ONLY
   • ENCIPHER_ONLY
   • CRL_SIGN
   • KEY_CERT_SIGN
   • KEY_AGREEMENT
   • DATA_ENCIPHERMENT
   • KEY_ENCIPHERMENT
   • NON_REPUDIATION
   • DIGITAL_SIGNATURE

   If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate.

   Configure Extended Key Usage

   Selecting the Extended Key Usage keys limits the certificates that AnyConnect can use to the certificates that have these keys. The following table lists the well-known set of constraints with their corresponding object identifiers [OIDs].

   Constraint

   OID

   ServerAuth

   1.3.6.1.5.5.7.3.1

   ClientAuth

   1.3.6.1.5.5.7.3.2

   CodeSign

   1.3.6.1.5.5.7.3.3

   EmailProtect

   1.3.6.1.5.5.7.3.4

   IPSecEndSystem

   1.3.6.1.5.5.7.3.5

   IPSecTunnel

   1.3.6.1.5.5.7.3.6

   IPSecUser

   1.3.6.1.5.5.7.3.7

   TimeStamp

   1.3.6.1.5.5.7.3.8

   OCSPSign

   1.3.6.1.5.5.7.3.9

   DVCS

   1.3.6.1.5.5.7.3.10

   IKE Intermediate

   1.3.6.1.5.5.8.2.2

   Configure Custom Extended Match Key

   All other OIDs [such as 1.3.6.1.5.5.7.3.11, used in some examples in this document] are considered “custom.” As an administrator, you can add your own OIDs if the OID that you want is not in the well-known set.

   Configure Certificate Distinguished Name

   The Distinguished Name table contains certificate identifiers that limit the certificates that the client can use to the certificates that match the specified criteria and criteria match conditions. Click the Add button to add criteria to the list and to set a value or wildcard to match the contents of the added criteria.

   Identifier

   Description

   CN

   SubjectCommonName

   SN

   SubjectSurName

   GN

   SubjectGivenName

   N

   SubjectUnstructName

   I

   SubjectInitials

   GENQ

   SubjectGenQualifier

   DNQ

   SubjectDnQualifier

   C

   SubjectCountry

   L

   SubjectCity

   SP

   SubjectState

   ST

   SubjectState

   O

   SubjectCompany

   OU

   SubjectDept

   T

   SubjectTitle

   EA

   SubjectEmailAddr

   DC

   DomainComponent

   ISSUER-CN

   IssuerCommonName

   ISSUER-SN

   IssuerSurName

   ISSUER-GN

   IssuerGivenName

   ISSUER-N

   IssuerUnstructName

   ISSUER-I

   IssuerInitials

   ISSUER-GENQ

   IssuerGenQualifier

   ISSUER-DNQ

   IssuerDnQualifier

   ISSUER-C

   IssuerCountry

   ISSUER-L

   IssuerCity

   ISSUER-SP

   IssuerState

   ISSUER-ST

   IssuerState

   ISSUER-O

   IssuerCompany

   ISSUER-OU

   IssuerDept

   ISSUER-T

   IssuerTitle

   ISSUER-EA

   IssuerEmailAddr

   ISSUER-DC

   IssuerDomainComponent

   Distinguished Name can contain zero or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. Distinguished Name matching specifies that a certificate must or must not have the specified string, and whether wild carding for the string is allowed.

   VPN Authentication Using SDI Token [SoftID] Integration

   AnyConnect integrates support for RSA SecurID client software versions 1.1 and later running on Windows 7 x86 [32-bit] and x64 [64-bit].

   RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.

   Typically, users make an AnyConnect connection by clicking the AnyConnect icon in the tools tray, selecting the connection profile with which they wish to connect, and then entering the appropriate credentials in the authentication dialog box. The login [challenge] dialog box matches the type of authentication configured for the tunnel group to which the user belongs. The input fields of the login dialog box clearly indicate what kind of input is required for authentication.

   For SDI authentication, the remote user enters a PIN [Personal Identification Number] into the AnyConnect software interface and receives an RSA SecurID passcode. After the user enters the passcode into the secured application, the RSA Authentication Manager validates the passcode and allows the user to gain access.

   Users who use RSA SecurID hardware or software tokens see input fields indicating whether the user should enter a passcode or a PIN, a PIN, or a passcode and the status line at the bottom of the dialog box provides further information about the requirements. The user enters a software token PIN or passcode directly into the AnyConnect user interface.

   The appearance of the initial login dialog box depends on the secure gateway settings: the user can access the secure gateway either through the main login page, the main index URL, a tunnel-group login page, or a tunnel group URL [URL/tunnel-group]. To access the secure gateway via the main login page, the “Allow user to select connection” check box must be set in the Network [Client] Access AnyConnect Connection Profiles page. In either case, the secure gateway sends the client a login page. The main login page contains a drop-down list in which the user selects a tunnel group; the tunnel-group login page does not, since the tunnel-group is specified in the URL.

   In the case of a main login page [with a drop-down list of connection profiles or tunnel groups], the authentication type of the default tunnel group determines the initial setting for the password input field label. For example, if the default tunnel group uses SDI authentication, the field label is “Passcode;” but if the default tunnel group uses NTLM authentication, the field label is “Password.” In Release 2.1 and later, the field label is not dynamically updated with the user selection of a different tunnel group. For a tunnel-group login page, the field label matches the tunnel-group requirements.

   The client supports input of RSA SecurID Software Token PINs in the password input field. If the RSA SecurID Software Token software is installed and the tunnel-group authentication type is SDI, the field label is “Passcode” and the status bar states “Enter a username and passcode or software token PIN.” If a PIN is used, subsequent consecutive logins for the same tunnel group and username have the field label “PIN.” The client retrieves the passcode from the RSA SecurID Software Token DLL using the entered PIN. With each successful authentication, the client saves the tunnel group, the username, and authentication type, and the saved tunnel group becomes the new default tunnel group.

   AnyConnect accepts passcodes for any SDI authentication. Even when the password input label is “PIN,” the user may still enter a passcode as instructed by the status bar. The client sends the passcode to the secure gateway as is. If a passcode is used, subsequent consecutive logins for the same tunnel group and username have the field label “Passcode.”

   The RSASecureIDIntegration profile setting has three possible values:

   • Automatic—The client first attempts one method, and if it fails, the other method is tried. The default is to treat the user input as a token passcode [HardwareToken], and if that fails, treat it as a software token pin [SoftwareToken]. When authentication is successful, the successful method is set as the new SDI Token Type and cached in the user preferences file. For the next authentication attempt, the SDI Token Type defines which method is attempted first. Generally, the token used for the current authentication attempt is the same token used in the last successful authentication attempt. However, when the username or group selection is changed, it reverts to attempting the default method first, as shown in the input field label.
     Note

     The SDI Token Type only has meaning for the automatic setting. You can ignore logs of the SKI Token Type when the authentication mode is not automatic. HardwareToken as the default avoids triggering next token mode.

   • SoftwareToken—The client always interprets the user input as a software token PIN, and the input field label is “PIN:”.
   • HardwareToken—The client always interprets the user input as a token passcode, and the input field label is “Passcode:”.
     Note

   AnyConnect does not support token selection from multiple tokens imported into the RSA Software Token client software. Instead, the client uses the default selected via the RSA SecurID Software Token GUI.

   Categories of SDI Authentication Exchanges

   All SDI authentication exchanges fall into one of the following categories:

   • Normal SDI Authentication Login
   • New User mode
   • New PIN mode
   • Clear PIN mode
   • Next Token Code mode
   Normal SDI Authentication Login

   A normal login challenge is always the first challenge. The SDI authentication user must provide a user name and token passcode [or PIN, in the case of a software token] in the username and passcode or PIN fields, respectively. The client returns the information to the secure gateway [central-site device], and the secure gateway verifies the authentication with the authentication server [SDI or SDI via RADIUS proxy].

   If the authentication server accepts the authentication request, the secure gateway sends a success page back to the client, and the authentication exchange is complete.

   If the passcode is not accepted, the authentication fails, and the secure gateway sends a new login challenge page, along with an error message. If the passcode failure threshold on the SDI server has been reached, then the SDI server places the token into next token code mode.

   New User, Clear PIN, and New PIN Modes

   The PIN can be cleared only on the SDI server and only by the network administrator.

   In the New User, Clear PIN, and New PIN modes, AnyConnect caches the user-created PIN or system-assigned PIN for later use in the “next passcode” login challenge.

   Clear PIN mode and New User mode are identical from the point of view of the remote user and are both treated the same by the secure gateway. In both cases, the remote user either must enter a new PIN or be assigned a new PIN by the SDI server. The only difference is in the user response to the initial challenge.

   For New PIN mode, the existing PIN is used to generate the passcode, as it would be in any normal challenge. For Clear PIN mode, no PIN is used at all for hardware tokens, with the user entering just a token code. A PIN of eight consecutive zeros [00000000] is used to generate a passcode for RSA software tokens. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.

   Adding a new user to an SDI server has the same result as clearing the PIN of an existing user. In both cases, the user must either provide a new PIN or be assigned a new PIN by the SDI server. In these modes, for hardware tokens, the user enters just a token code from the RSA device. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.

   Creating a New PIN

   If there is no current PIN, the SDI server requires that one of the following conditions be met, depending on how the system is configured:

   • The system must assign a new PIN to the user [Default]
   • The user must create a new PIN
   • The user can choose whether to create a PIN or have the system assign it

   If the SDI server is configured to allow the remote user to choose whether to create a PIN or have the system assign a PIN, the login screen presents a drop-down list showing the options. The status line provides a prompt message.

   For a system-assigned PIN, if the SDI server accepts the passcode that the user enters on the login page, then the secure gateway sends the client the system-assigned PIN. The client sends a response back to the secure gateway, indicating that the user has seen the new PIN, and the system continues with a “next passcode’ challenge.

   If the user chooses to create a new PIN, AnyConnect presents a dialog box on which to enter that PIN. The PIN must be a number from 4 to 8 digits long. Because the PIN is a type of password, anything the user enters into these input fields is displayed as asterisks.

   With RADIUS proxy, the PIN confirmation is a separate challenge, subsequent to the original dialog box. The client sends the new PIN to the secure gateway, and the secure gateway continues with a “next passcode” challenge.

   “Next Passcode” and “Next Token Code” Challenges

   For a “next passcode” challenge, the client uses the PIN value cached during the creation or assignment of a new PIN to retrieve the next passcode from the RSA SecurID Software Token DLL and return it to the secure gateway without prompting the user. Similarly, in the case of a “next Token Code” challenge for a software token, the client retrieves the next Token Code from the RSA SecurID Software Token DLL.

   Compare Native SDI with RADIUS SDI

   The network administrator can configure the secure gateway to allow SDI authentication in either of the following modes:

   • Native SDI refers to the native ability in the secure gateway to communicate directly with the SDI server for handling SDI authentication.
   • RADIUS SDI refers to the process of the secure gateway performing SDI authentication using a RADIUS SDI proxy, which communicates with the SDI server.

   Native SDI and RADIUS SDI appear identical to the remote user. Because the SDI messages are configurable on the SDI server, the message text on the ASA must match the message text on the SDI server. Otherwise, the prompts displayed to the remote client user might not be appropriate for the action required during authentication. AnyConnect might fail to respond and authentication might fail.

   RADIUS SDI challenges, with minor exceptions, essentially mirror native SDI exchanges. Since both ultimately communicate with the SDI server, the information needed from the client and the order in which that information is requested is the same.

   During authentication, the RADIUS server presents access challenge messages to the ASA. Within these challenge messages are reply messages containing text from the SDI server. The message text is different when the ASA is communicating directly with an SDI server from when communicating through the RADIUS proxy. Therefore, in order to appear as a native SDI server to AnyConnect, the ASA must interpret the messages from the RADIUS server.

   Also, because the SDI messages are configurable on the SDI server, the message text on the ASA must match [in whole or in part] the message text on the SDI server. Otherwise, the prompts displayed to the remote client user may not be appropriate for the action required during authentication. AnyConnect might fail to respond and authentication might fail.

   Configure the ASA to Support RADIUS/SDI Messages

   To configure the ASA to interpret SDI-specific RADIUS reply messages and prompt the AnyConnect user for the appropriate action, you must configure a connection profile [tunnel group] to forward RADIUS reply messages in a manner that simulates direct communication with an SDI server. Users authenticating to the SDI server must connect over this connection profile.

   Procedure

   Step 1

   Go to .

   Step 2

   Select the connection profile you want to configure to interpret SDI-specific RADIUS reply messages and click Edit.

   Step 3

   In the Edit AnyConnect Connection Profile window, expand the Advanced node in the navigation pane on the left and select Group Alias / Group URL.

   Step 4

   Check Enable the display of SecurID messages on the login screen.

   Step 5

   Click OK.

   Step 6

   Choose.

   Step 7

   Click Add to Add a AAA Server group.

   Step 8

   Configure the AAA server group in the Edit AAA Server Group dialog and click OK.

   Step 9

   In the AAA Server Groups area, select the AAA server group you just created and then click Add in the Servers in the Selected Group area.

   Step 10

   In the SDI Messages area, expand the Message Table area. Double-click a message text field to edit the message. Configure the RADIUS reply message text on the ASA to match [in whole or in part] the message text sent by the RADIUS server.

   The following table shows the message code, the default RADIUS reply message text, and the function of each message:

   Note

   The default message text used by the ASA is the default message text used by Cisco Secure Access Control Server [ACS]. If you are using Cisco Secure ACS, and it is using the default message text, you do not need to configure the message text on the ASA.

   Because the security appliance searches for strings in the order in which they appear in the table, you must ensure that the string you use for the message text is not a subset of another string. For example, “new PIN” is a subset of the default message text for both new-pin-sup and next-ccode-and-reauth. If you configure new-pin-sup as “new PIN,” when the security appliance receives “new PIN with the next card code” from the RADIUS server, it will match the text to the new-pin-sup code instead of the next-ccode-and-reauth code.

   Message Code

   Default RADIUS Reply Message Text

   Function

   next-code

   Enter Next PASSCODE

   Indicates the user must enter the NEXT tokencode without the PIN.

   new-pin-sup

   Please remember your new PIN

   Indicates the new system PIN has been supplied and displays that PIN for the user.

   new-pin-meth

   Do you want to enter your own pin

   Requests from the user which new PIN method to use to create a new PIN.

   new-pin-req

   Enter your new Alpha-Numerical PIN

   Indicates a user-generated PIN and requests that the user enter the PIN.

   new-pin-reenter

   Reenter PIN:

   Used internally by the ASA for user-supplied PIN confirmation. The client confirms the PIN without prompting the user.

   new-pin-sys-ok

   New PIN Accepted

   Indicates the user-supplied PIN was accepted.

   next-ccode-and-reauth

   new PIN with the next card code

   Follows a PIN operation and indicates the user must wait for the next tokencode and to enter both the new PIN and next tokencode to authenticate.

   ready-for-sys- pin

   ACCEPT A SYSTEM GENERATED PIN

   Used internally by the ASA to indicate the user is ready for the system-generated PIN.