27.14 Configuring Integration with Cisco AnyConnect

This section provides the configuration information on integrating Advanced Authentication with Cisco AnyConnect. This integration secures the Cisco AnyConnect VPN connection.

To configure the Advanced Authentication integration with Cisco AnyConnect, perform the tasks described in the following sections.

Before you begin, ensure that you meet the following requirements:

  • Install and configure Cisco ASA 5555-X with Firepower

  • Install Cisco ISE

  • Install Advanced Authentication appliance

  • Configure a repository with the user data in the Advanced Authentication server

27.14.1 Configuring the Advanced Authentication RADIUS Server

  1. Open the Advanced Authentication Administration portal.

  2. Click Events > RADIUS Server.

  3. Set Is enabled to ON.

  4. Move one or more chains from the Available list to the Used list. Ensure that the chains are assigned to the appropriate group of users in Roles & Groups of the Chains section.

  5. Click Save in Edit Event.

  6. Click Policies > Radius Options.

  7. Click Add in Clients.

  8. Specify the IP address of the Cisco ISE server.

  9. Specify a Name for the client.

  10. Specify the RADIUS shared secret and confirm it.

  11. Set Enabled to ON.

  12. Click the icon to save the client details.

  13. Click Save in Radius Options.

27.14.2 Enabling the Connection Profile in Cisco ASA

  1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

  2. Select the AnyConnect VPN profile in Connection Profiles and click Edit.

    The Edit AnyConnect Connection Profile window is displayed.

  3. In Authentication, set Method to AAA.

  4. From AAA Server Group, select the group created for the Advanced Authentication server.

  5. Click OK.

  6. Click Apply.

27.14.3 Creating a Group Policy in Cisco ASA

  1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add > Servers.

  2. Specify the name of the policy in Name.

  3. In Banner, specify the text to display as a message.

  4. Click More Options, then select Clientless SSL VPN and SSL VPN client as the Tunneling Protocols.

  5. Click OK and Apply.

27.14.4 Adding a RADIUS Token Server in Cisco ISE

  1. Navigate to Administration > Identity Management > External Identity Sources in Cisco ISE.

  2. In the External Identity Sources navigation pane on the left, click RADIUS Token.

  3. Click Add.

  4. Specify the following details in the Connection tab:

    • Host IP: IP address or host name of the Advanced Authentication server.

    • Shared Secret: Secret set in the RADIUS server to establish a connection.

    • Authentication Port: Port to communicate with the RADIUS server. The default port is 1812.

    • Server Timeout: Time in seconds that Cisco ISE waits for a response from the RADIUS token server before it determines that the primary server is down. The default timeout value is 5 seconds.

    • Connection Attempts: The number of times that Cisco ISE should reconnect to the primary server before moving on to the secondary server (if configured) or dropping the request if there is no secondary server. The default is 3.

  5. Click Save and Submit.

27.14.5 Configuring Policy Sets in Cisco ISE

  1. Navigate to Work Centers > Network Access > Policy Sets.

  2. From the Status column, click the current Status icon and from the dropdown list update the status for the policy set as necessary.

  3. Specify Policy Set Name and Description.

  4. Select the Network Access: Device IP Address attribute and Equals operator.

  5. Click Save.

After you complete all the above tasks, configure an authorization policy for the preferred VPN profile and user group in the repository.

27.14.6 Authenticating to Cisco AnyConnect Using Advanced Authentication

  1. Launch Cisco AnyConnect Client.

  2. Specify the credentials and click Login.

  3. Specify the input for the second-factor authenticator that the administrator has configured.

  4. Click Login.
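The RADIUS exchange behind this procedure, shown as an added example that is not code from the product or from this manual. It builds and checks RFC 2865 packets the way Cisco ISE (the RADIUS client registered in 27.14.1) and the Advanced Authentication RADIUS server exchange them: the User-Password attribute is hidden with the shared secret, the server's Response Authenticator proves the reply was computed with the same secret, and the second factor from 27.14.6 travels as an Access-Challenge carrying a State attribute that the client echoes back. The shared secret, addresses, user name, password and OTP are constructed; `toy_server` is a hypothetical stand-in for the Advanced Authentication RADIUS event, and `send_request` is the piece you would point at a real server, using the ISE defaults from 27.14.4 (port 1812, 5-second timeout, 3 attempts).

```python
# Minimal RFC 2865 RADIUS helpers to walk through the ISE <-> Advanced Authentication
# exchange offline. Hypothetical example code; secret, addresses and users are constructed.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def xor_password(data, secret, authenticator, hide):
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse (hide=False):
    16-byte blocks XORed with MD5(secret + previous cipher block), seeded by the authenticator."""
    if hide:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else data[i:i + 16]
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, user, password, secret, nas_ip="192.0.2.10", state=None):
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, xor_password(password.encode(), secret, auth, True)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]  # constructed NAS address
    if state is not None:
        attrs.append((STATE, state))  # echoed back so the server links step 2 to step 1
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: drop replies not computed with our secret against our own request."""
    if (len(response) < 20 or response[1] != request[1]
            or struct.unpack("!H", response[2:4])[0] != len(response)):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def toy_server(request, secret, users, pending):
    """Hypothetical two-step server: password first, then an OTP via Access-Challenge/State."""
    attrs = decode_attrs(request[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    proof = xor_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20], False).decode(errors="replace")
    state = attrs.get(STATE)
    if state is None:  # first factor
        if users.get(user, {}).get("password") != proof:
            return build_response(ACCESS_REJECT, request, secret)
        token = os.urandom(8)
        pending[token] = user
        return build_response(ACCESS_CHALLENGE, request, secret,
                              [(REPLY_MESSAGE, b"Enter OTP"), (STATE, token)])
    if pending.pop(state, None) == user and users[user]["otp"] == proof:  # second factor
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)

def simulate_login(user, password, otp, secret=b"constructed-shared-secret"):
    """Offline walk-through of the login in 27.14.6; returns the final RADIUS code."""
    users, pending = {"alice": {"password": "correct horse", "otp": "123456"}}, {}  # constructed
    req = build_access_request(1, user, password, secret)
    rsp = toy_server(req, secret, users, pending)
    if rsp[0] == ACCESS_CHALLENGE and verify_response(rsp, req, secret):
        req = build_access_request(2, user, otp, secret, state=decode_attrs(rsp[20:])[STATE])
        rsp = toy_server(req, secret, users, pending)
    return rsp[0] if verify_response(rsp, req, secret) else None

def send_request(packet, host, secret, port=1812, timeout=5.0, attempts=3):
    """Send to a live RADIUS server with the ISE defaults from 27.14.4 (1812, 5 s, 3 tries)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            sock.sendto(packet, (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if verify_response(data, packet, secret):
                return data[0]
    return None
```

Two things the code makes concrete. First, `verify_response` is why the secret entered in step 10 of 27.14.1 must match the Shared Secret in 27.14.4 exactly: with a mismatch every reply fails the authenticator check and is discarded, so a token server that seems never to answer is usually a secret, port 1812, or client-IP mismatch rather than a network fault. Second, the password hiding is MD5-based and everything else in the datagram is cleartext over UDP, so the ISE-to-Advanced Authentication path belongs on a trusted network segment and the secret should be long and random.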