Cisco AnyConnect 4.1 : 2014 05 04
: 2015 05 22
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
-
2015 Cisco Systems, Inc. All rights reserved.
1 AnyConnect
AnyConnect AnyConnect AnyConnect
Cisco AnyConnect
- (SMS)
- AnyConnectASA ISE ASA ISEAnyConnect
AnyConnect
AnyConnectAnyConnectASA
AnyConnect VPN
ASAIOSMicrosoft WindowsLinuxMac OS X Cisco AnyConnect 4.1
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/release/notes/b_Release_Notes_AnyConnect_4_1.html
AnyConnect
AnyConnect ISE 1.3 ASA
ASA - ASA AnyConnectAnyConnectASA AnyConnectAnyConnect VPN
ISE 1.3 - (NAD) ASANAD ISEAnyConnect VPN
AnyConnect
(SMS)Windows
-AnyConnectWindows ISOMac OS X DMG Linux gzip
AnyConnecthttp://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-feature-guides-list.html
AnyConnect
AnyConnect
AnyConnect AnyConnect
AnyConnect
AnyConnect
AnyConnect ISE (OPSWAT)
AnyConnect
AnyConnect 3G AnyConnectVZAccess Manager
(LAN adapter auto connect)NDISNDIS VZAccess VZAccess
http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-feature-guides-list.html
AnyConnectAnyConnect3G AnyConnect
WiFiAnyConnect
Windows ASA Internet Explorer Active Directory ASA Internet
Explorer Internet Explorer
1 Windows
2 Active DirectoryMMC
3 Properties 4 Group Policy New 5 Enter 6 Properties
Security
Allow Read Apply Group Policy OK 7 EditUserConfiguration>
Windows Settings> Internet ExplorerMaintenance> Security 8
Security Zones and Content Ratings Properties 9 Import the current
security zones and privacy settings Continue 10 Modify Settings
Trusted Sites Sites 11 URL Add
(https://vpn.mycompany.com) IP (https://192.168.1.100)
(https://vpn.mycompany.com) (https://*.mycompany.com)
12 Close OK 13
14 Internet OK
Internet Explorer AnyConnectInternet Explorer Tools >
Internet Options > Connections
ASA Connections
ASA
Windows Connections ASA
1 ASDMConfiguration > RemoteAccess VPN > Network (Client)
Access > Group Policies 2 Edit Add 3 Advanced > Browser Proxy
Proxy Server Policy 4 Proxy Lockdown 5 Inherit
YesAnyConnect Internet ExplorerConnections
NoAnyConnect Internet ExplorerConnections
6 OK 7 Apply
AnyConnect Windows RDP AnyConnectWindows RDP VPN RDP Cisco
AnyConnect VPN RDPVPN VPN
SBL
Single Local Logon- VPN
PC VPN VPN
VPN VPNPCVPN
VPN
Single Logon - VPN
VPN VPN VPN VPN VPN
Windows LogonEnforcement
Local Users Only-VPNAnyConnect
AllowRemoteUsers -VPN VPN VPN PC
VPNVPN 90
Windows VPNEstablishment
VPN AnyConnect VPN
Windows DES SSL Windows DES SSL ASA DESAnyConnect DES ASA DES
SSL
AnyConnectSMSAnyConnectAnyConnect
AnyConnect AnyConnect 8
VPNAnyConnect
AnyConnect ISE ISE
1 AnyConnect AnyConnect cisco.com
AnyConnect
anyconnect-win--pre-deploy-k9.iso  Windows
anyconnect-macosx-i386--k9.dmg  Mac OS X
anyconnect-predeploy-linux-64--k9.tar.gz  Linux64
Linux
2
AnyConnect VPN
Cisco AnyConnect
AnyConnect
AnyConnect ISE
AnyConnect AMP
AnyConnect
AnyConnect VPN
AnyConnect
AnyConnect
AnyConnect
ASDM PCWindows PCWindows
3 AnyConnect
4 AnyConnect
5 AnyConnectASA ISE AnyConnect
AnyConnect AMPISEWindows
1
AnyConnect NAMWINS x.x.x - k9msi
AnyConnect NAMWINS x.x.x - k9msi
anyconnect-websecurity-win-x.x.x-pre-deploy-k9.msi  anyconnect-websecurity-win-x.x.x-web-deploy-k9.exe
anyconnect-iseposture-win-x.x.x-pre-deploy-k9.msi  anyconnect-iseposture-win-x.x.x-web-deploy-k9.msi  ISE
anyconnect-amp-win-x.x.x-pre-deploy-k9.msi  anyconnect-amp-win-x.x.x-web-deploy-k9.exe  AMP
Windows 2008R2 AnyConnectWLANPC
AnyConnect
2AnyConnect
AnyConnectanyfilename.xml
XMLAnyConnectAnyConnectProfile.xsd
3
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile  VPN
Windows 78.x
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\WebSecurity
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback
%PROGRAMFILES%\Cisco\Cisco AnyConnect Secure Mobility Client\opswat  OPSWAT
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\ISEPosture  ISE
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\AMPEnabler  AMP
/opt/cisco/anyconnect/profile
Mac OS X
/opt/cisco/anyconnect/CustomerExperienceFeedback
/opt/cisco/anyconnect/bin
/opt/cisco/anyconnect/lib/opswaOPSWAT
/opt/cisco/anyconnect/lib
/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/Resources/
/opt/cisco/anyconnect/iseposture/  ISE
/opt/cisco/anyconnect/ampenabler/  AMP
/opt/cisco/anyconnect/profile  Linux
AnyConnect AnyConnectVPN AnyConnect UI
Windows SMS
1 (SMS)MSI PRE_DEPLOY_DISABLE_VPN=1 VPN
msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx*
MSI VPNDisable_ServiceProfile.xml VPN
2 CLI
msiexec /package anyconnect-websecurity-win--pre-deploy-k9.msi /norestart /passive /lvx* c:\test.log
3 DART
msiexec /package anyconnect-dart-win--k9.msi /norestart /passive /lvx* c:\test.log
4 Windows
5 Cisco AnyConnectWindows
AnyConnectDART
VPNDisable_ServiceProfile.xmlVPNAnyConnect
ISO
1 AnyConnect AnyConnect
2 Cisco AnyConnect VPN Module VPN VPN
3 LockDownComponentServicesWindows
4 VPN AnyConnect GUI Install Selecteda) /b) OK
PRE_DEPLOY_DISABLE_VPN=1AnyConnect
c) VPN VPNDisable_ServiceProfile.xmld) e) VPN
Windows
ISO AnyConnectISO AnyConnectMSI ISO (setup.exe)AnyConnect ISO
ISOHTA
ISO CD SlySoft PowerIS
ISO
ISO
HTA
AnyConnect ISO
AnyConnectGUI.ico
Setup.exe
DART MSI  anyconnect-dart-win-x.x.x-k9.msi
SBL SBL  anyconnect-gina-win-x.x.x-pre-deploy-k9.msi
ISE MSI  anyconnect-iseposture-win-x.x.x-pre-deploy-k9.msi
AMP Enabler MSI  anyconnect-amp-win-x.x.x-pre-deploy-k9.msi
MSI  anyconnect-nam-win-x.x.x.msi
MSI  anyconnect-posture-win-x.x.x-pre-deploy-k9.msi
MSI  anyconnect-websecurity-win-x.x.x-pre-deploy-k9.msi
AnyConnect MSI  anyconnect-win-x.x.x-pre-deploy-k9.msi
setup.exe  autorun.inf
eula.html
HTML (HTA)
setup.hta
SMS AnyConnect ISO (*.msi)
2-24 SMS AnyConnect
Windows AnyConnect
AlwaysInstallElevatedWindows(UAC)AnyConnect
Microsoft Internet Explorer (MSIE) Java ActiveX
MSIMSI ProfilesCCOMSI
SMSAltiris
Windows MSI
msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log
VPNAnyConnect
msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log
VPNAnyConnect
msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1 /lvx* anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-dart-win-x.x.x-k9.msi /norestart /passive /lvx* anyconnect-dart-x.x.x-pre-deploy-k9-install-datetimestamp.log
(DART)
msiexec /package anyconnect-gina-win-x.x.x-k9.msi /norestart /passive /lvx* anyconnect-gina-x.x.x-pre-deploy-k9-install-datetimestamp.log
SBL
msiexec /package anyconnect-nam-win-x.x.x-k9.msi /norestart /passive /lvx* anyconnect-nam-x.x.x-pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-websecurity-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-websecurity-x.x.x-pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-posture-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-posture-x.x.x-pre-deploy-k9-install-datetimestamp.log
ASA
msiexec /package anyconnect-iseposture-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-iseposture-x.x.x-pre-deploy-k9-install-datetimestamp.log
ISE
msiexec /package anyconnect-amp-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-amp-x.x.x-pre-deploy-k9-install-datetimestamp.log
AMP
AnyConnect Windows
Windows (_)Windows VPNsampleTransforms-x.x.x.zip
Windows Cisco AnyConnect
Windows AnyConnect
Windows
MSI (LOCKDOWN)WindowsMSI ISO
/ AnyConnect
AnyConnectWindows/(Add/Remove
Program)ARPSYSTEMCOMPONENT=1Windows/(Add/Remove Program)
MSI
Windows AnyConnect
AnyConnect
1 AnyConnect GUI VPNSSL IPsec
2 AnyConnect (DART) AnyConnect
3 AMPSBL
4 AMP SBL
5 AnyConnect
6 DARTDART
AnyConnect XML
Mac OS X
Mac OS X AnyConnectMac OS X AnyConnect DMG AnyConnect DMG
AnyConnect.pkgInstallation Type
AnyConnectApple pkgutil ACTransforms.xml Cisco AnyConnect
4.1
Mac OS X VPN VPN AnyConnect UI
DMG AnyConnect AnyConnect
1 ScanCenter Cisco.com Cisco AnyConnect DMG
2
3 hdiutil convert -format UDRW -o
4 Windows
5
6 WebSecurity_ServiceProfile.xmlWebSecurity_ServiceProfile.wso
WebSecurity_ServiceProfile.xml
7 WebSecurity_ServiceProfile.wsoWindows
AnyConnectx.x.x/Profiles/websecurityMac OS Xcp \Volumes\"AnyConnect
"\Profiles\websecurity\
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html
8 Mac OS X AnyConnect x.x.x/Profiles TextEditACTransforms.xml
True VPN
True
9 Cisco.com Cisco AnyConnect x.x.xVPNDisable_ServiceProfile.xml
AnyConnect AnyConnect AnyConnect x.x.x/profiles/vpn
10 AnyConnect DMG
Mac OS X MacOSX 10.8Gatekeeper
Mac App Store
Mac App Store
Mac(Mac App Store and identified developers)
AnyConnect AppleMac App StoreGatekeeper(Anywhere)Ctrl
AnyConnecthttp://www.apple.com/macosx/mountain-lion/security.html
Linux
Linux Linux tar.gz
1 AnyConnect GUI VPNSSL IPsec
2 DART AnyConnect
3
Linux AnyConnect
DART
1
2 AnyConnect
3 DART
Firefox AnyConnect AnyConnectAnyConnect Firefox
Firefox
Linux AnyConnect AnyConnect FirefoxFirefox
Firefox
Firefox Firefox PEM
WindowsMSI 12
VPN
VPN AMP
Linux DART1 anyconnect-dart-linux-(ver)-k9.tar.gz 3.0.3050 DART
anyconnect-linux-(ver)-k9.pkg
2 tar -zxvf
URL Internet ExplorerWindows ASA Internet Explorer
ISE
ISE AnyConnect ISE AnyConnect ISE AnyConnect
InternetExplorerActiveX AnyConnect
ISE
ISE ASA AnyConnect
ISEAnyConnect ISE ISEISE(Agent Configuration) >(Policy)
>(Client Provisioning) NAC AnyConnect ISE
ASA
WebLaunch
4 Weblaunch AnyConnect
Internet Explorer 10
Firefox 9.0.1
Chrome 23.0.1271.95 m
Windows 8.x x8632 x6464
Internet Explorer 8 9
Firefox 3
Google Chrome 6
Windows 7 x8632 x6464
Safari 2
Google Chrome 6
Mac OS X 10.710.832 64
Firefox 3Linux64 VPN
AnyConnect Cisco AnyConnect Cisco AnyConnect
AnyConnect
anyconnect-win-x.x.x-k9.pkg  Windows
anyconnect-macosx-i386-x.x.x-k9.pkg  Mac OS X
anyconnect-linux-64-x.x.x-k9.pkg  Linux64
ASA
ASA AnyConnect
1 Configuration > Remote Access > VPN > Network
(Client) Access > AnyConnect ClientSoftwareAnyConnect ASA
AnyConnect ASA
2 AnyConnect Add
Browse Flash ASA AnyConnect
Upload AnyConnect
3 OK Upload 4 Apply
AnyConnect
AnyConnect VPN
Start Before Logon AnyConnect
http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect
1 ASDMConfiguration > RemoteAccess VPN > Network (Client)
Access > Group Policies 2 Edit Add 3 VPN Policy > AnyConnect
Client Client Modules to Download
Add ASA 4 Apply
ASDM AnyConnect ASA ASA
1 Configuration >Remote Access VPN >Network (Client)
Access >AnyConnect Client Profile 2 Change Group Policy 3 Change
Policy for Profile Available Group Policies
Policies
4 OK 5 AnyConnect Client Profile Apply 6 Save 7 OK
ISE ISE AnyConnectISE OPSWAT ISEISE ASA AnyConnect ISE
ISE ASA ASA AnyConnect VPNAnyConnect ISE ASA AnyConnect ISE
ISE ASA AnyConnect ISE AnyConnect AnyConnect ISE AnyConnect
ISE AnyConnect
Internet Explorer ISE Anyconnect AnyConnect
ISE (NSA) NSA ISE Anyconnect
NSAWindowsMac OS X
ISE
ISE AnyConnect
AnyConnect ISE
AnyConnect
AnyConnect
ISE AnyConnect
AnyConnect ISE
AMPVPN AnyConnect ISE
AnyConnect gettext
Windows Installer
AnyConnect ISE
AnyConnect PC AnyConnect
AnyConnect ISE
ZIP ISE
AnyConnect UI
VPN
AnyConnect
AnyConnect Gettext
AnyConnect ISE ISE
ISE AnyConnect AnyConnect ISE AnyConnect
ISE AnyConnectAnyConnect(AnyConnect ModuleSelection) VPN/
VPNVPNDisable_ServiceProfile.xml AnyConnect GUI
VPNVPNDisable_ServiceProfile.xml AnyConnect CCO
1 ISE (Policy) > (Policy Elements) > (results)(Client
Provisioning) (Resources) (Resources)
2 (Add) > (Agent resources from local disk) AnyConnect
AnyConnect
3 Add > AnyConnect Configuration AnyConnect/ Opswat
ISEASAWindows AnyConnect AnyConnect ISE ISE AnyConnect
5ISE AnyConnect
ISE
AnyConnectDesktopWindows
AnyConnectDesktopOSX
AnyConnectWebAgentWindows
AnyConnectWebAgentOSX
AnyConnect
AnyConnectComplianceModuleWindows
AnyConnectComplianceModuleOSX
ISE
AnyConnectProfile
ISE AnyConnect
AnyConnect
AnyConnectCustomizationBundle
AnyConnectLocalizationBundle
4 AnyConnect ISE NAC/MACAnyConnect NAC/MAC AnyConnect 2
AnyConnect
AnyConnect AnyConnect
AnyConnect - AnyConnect ASAAnyConnect ASAAnyConnect VPN
ASA - ASA
ISE - ISEISE AnyConnect
ISE (DACL) ASA ISE AnyConnect
ISE ASA
AnyConnect
1 AnyConnect(Connect)
2 ASA SSL ISEISE
3 AnyConnect AnyConnect VPN
ASA ISE
1 DACL ISE AnyConnect
2 Internet ExplorerActiveXAnyConnect (NSA) AnyConnect
3 AnyConnect ISE AnyConnect AnyConnect ISE
4 ISE
AnyConnect
1 ASA
2 ISE
3 AnyConnect Internet Explorer ActiveX Java
4 AnyConnect ASA VPN
ASA ISE
1 ISE AnyConnect
2 Internet ExplorerActiveX AnyConnect AnyConnect
3 AnyConnectVPN ISEAnyConnectISE
4 ISE
AnyConnect AnyConnect
VPN
Auto UpdateAnyConnect
VPN
Bypass Downloader ASA
Update Policy
WebLaunch AnyConnectASA AnyConnect
AnyConnect
1 ASDMConfiguration > RemoteAccess VPN > Network (Client)
Access > Group Policies 2 Edit Add 3 Advanced > AnyConnect
Client > Login Settings Inherit
Post Login Default Post Login Selection
4 OK Save
AutoUpdateAnyConnectAnyConnectAutoUpdate
(DeferredUpdate)(DeferredUpdate)AnyConnectWindowsLinux OS X
Deferred Upgrade
ASA
ASA
ASA ASA/ASDM ASA/ASDM Cisco ASA VPN ASDM Cisco ASA VPN CLI
ASDM
*
True(false)
Falsetruefalse
DeferredUpdateAllowed
*
AnyConnect
VPN
0.0.0x.x.xDeferredUpdateMinimumVersion
DeferredUpdateMinimumVersion
DeferredUpdateDismissResponse
1500 - 300
DeferredUpdateDismissTimeout
DeferredUpdateDismissTimeout
DeferredUpdateDismissResponse
*
ISE
1 Policy > Resultsa)b) Client Provisioningc) Resources Add
> Agent Resources from Local Disk
d) AnyConnect pkg Submit
2 AnyConnect
3 Resources AnyConnect AnyConnect
ConfigurationAnyConnectConfiguration
GUI
DeferredUpdateDismissTimeout
AnyConnectAnyConnectVPN
(Server Name)AnyConnect
FQDN IP*.example.com
(Allow Software Updates FromAny Server) VPN
VPN (Allow VPN Profile Updates From AnyServer) VPN
(Allow Service Profile Updates From AnyServer)
ISE (Allow ISE Posture ProfileUpdates From Any Server) ISE
(AllowComplianceModuleUpdatesFromAnyServer)
(Server Name)
AnyConnect
AnyConnect
AnyConnect
AnyConnect
VPNISE
(Allow ... Updates From Any Server) AnyConnect
(Allow Software Updates From Any Server)
ASA
VPN
VPN (Allow VPN Profile Updates From Any Server)
VPNVPN
VPNVPN VPN
(Allow Service Profile Updates From Any Server)
ISE (Allow ISEPosture ProfileUpdates FromAny Server)
ISE ISE ISE
ISEISE ISE
(AllowComplianceModuleUpdates FromAnyServer)
ISE
(Server Name) IP IP IP FQDN
VPN VPN VPN
VPN
DNS
DNS
VPNPPP
VPN
(UpdateHistory.log) ASA
%AllUsers%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Logs
AnyConnect ASA
VPN XML
falsefalsefalsefalsefalsefalse
truetruetruefalsetrue
seattle.example.comnewyork.example.com
ASA
AnyConnect ASA
VPN 3.1.05182seattle.example.com
VPN 3.1.06079newyork.example.com
VPN 3.1.07021raleigh.example.com
AnyConnect VPN
seattle.example.comAnyConnect VPN VPN
newyork.example.com AnyConnectASAVPN
raleigh.example.com ASAVPN VPN
VPN
AnyConnect
AnyConnectAnyConnect GUI Preferences
AnyConnect Start Before Logon AutoConnect OnStart
C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
Windows
C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\preferences_global.xml
/Users/username/.anyconnect  Mac OS X
/opt/cisco/anyconnect/.anyconnect_global
/home/username/.anyconnect  Linux
/opt/cisco/anyconnect/.anyconnect_global
AnyConnect VPN Cisco VPN Cisco AnyConnect
Cisco AnyConnect
TCP 443    TLS (SSL)
TCP 80    SSL
UDP 443    DTLS
UDP 500, UDP 4500    IPsec/IKEv2
Cisco VPN (IPsec)
UDP 500, UDP 4500    IPsec/NATT
UDP 500, UDP 4500    IPsec/NATT
TCP    IPsec/TCP
UDP 500, UDP X    IPsec/UDP
2 AnyConnect
AnyConnect
Web AnyConnect Web SSLSSL AnyConnect
AnyConnect(StartAnyConnect)
-(Enable CustomerExperience Feedback Service)
MST -
sampleTransforms-X.X.xxxxx.zip  anyconnect-win-disable-customer-experience-feedback.mst
(Windows)Windows AnyConnect
- msiexecWeb
-Microsoft OrcaOrcaMicrosoft Windows Installer (SDK)Microsoft
Windows SDKWindows SDKhttp://msdn.microsoft.comWindows SDK
Web(Configuration)>VPN(RemoteAccessVPN)>(Network (Client)
Access) >AnyConnect/(AnyConnectCustomization/Localization)
>(Customized Installer Transforms)Web
ISO setup.hta HTML
AnyConnect
Windows Windows AnyConnectMicrosoftWindows
MTU - VPN (RESET_ADAPTER_MTU) 1WindowsMTU
Windows - Cisco AnyConnect
AnyConnect
VPNMSI (LOCKDOWN)LOCKDOWNWindowsMSICiscoAnyConnect
AMP VPN
ActiveX - AnyConnect VPNVPNWebLaunch ActiveX AnyConnect 3.1 VPN
ActiveX
AnyConnectVPN ActiveXAnyConnect NOINSTALLACTIVEX=0 msiexec
AnyConnect/(Add/RemoveProgram) -AnyConnectWindows/(Add/Remove
Program) ARPSYSTEMCOMPONENT=1
MSI Cisco AnyConnect
AnyConnect Windows MSI
msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* anyconnect-win--pre-deploy-k9-install-datetimestamp.log
VPNAnyConnect
msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-win--pre-deploy-k9-install-datetimestamp.log
VPNAnyConnect
msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1 /lvx* anyconnect-win--pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-dart-win-ver-k9.msi /norestart /passive /lvx* anyconnect-dart--pre-deploy-k9-install-datetimestamp.log
(DART)
msiexec /package anyconnect-gina-win-ver-k9.msi /norestart /passive /lvx* anyconnect-gina--pre-deploy-k9-install-datetimestamp.log
SBL
msiexec /package anyconnect-nam-win-ver-k9.msi /norestart /passive /lvx* anyconnect-nam--pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-websecurity-win-ver-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-websecurity--pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-posture-win-ver-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-posture--pre-deploy-k9-install-datetimestamp.log
msiexec /package anyconnect-amp-win-ver-pre-deploy-k9.msi /norestart /passive /lvx* anyconnect-amp--pre-deploy-k9-install-datetimestamp.log
AMP
Windows
1 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization >
Customized Installer Transforms
2 Import Import AnyConnect Customization Objects
3 ASA
4 Import Now
AnyConnect
company_logo.bmpMyProfile.xml
DATA CHANGE - Component Component ComponentId+ MyProfile.xml
{39057042-16A2-4034-87C0-8330104D8180}
Directory_ Attributes Condition KeyPathProfile_DIR 0
MyProfile.xml
DATA CHANGE - FeatureComponents Feature_ Component_+ MainFeature
MyProfile.xml
DATA CHANGE - File File Component_ FileName FileSize Version
Language Attributes Sequence+ MyProfile.xml MyProfile.xml
MyProf~1.xml|MyProfile.xml 601 8192 35
company_logo.bmp 37302{39430} 8192{0}
DATA CHANGE - Media DiskId LastSequence DiskPrompt Cabinet
VolumeLabel Source+ 2 35
AnyConnect AnyConnectASAMSI GUI
AnyConnectAnyConnect AnyConnect cisco.com
OrcaASA
30 cisco.comAnyConnect .zip
anyconnect-win--web-deploy-k9-lang.zip
AnyConnect 3.1.xxxxx
.mst30 ASAMicrosoftOrcaOrcaMicrosoftWindows (SDK)Microsoft
Windows SDK
ASDM ASA
1 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization >
Localized Installer Transforms
2 Import Import MST Language Localization
3 Language
4 Import Now
5 Apply
(ES) LanguagesAnyConnect
(Mac OSX)
AnyConnectMacAnyConnect
ACTransforms.xml Mac OS X Mac OS X .pkg ACTransforms.xml XML
1 .pkgProfile2 Profile3 .dmgProfile
XML
ValueValue
OS X ACTransforms.xml DisableVPNACTransforms.xml DMG
Profiles
Mac OS X
1 hdiutil dmg/
hdiutil convert anyconnect-macosx-i386-ver-k9.dmg -format UDRW -o anyconnect-macosx-i386-ver-k9-rw.dmg
2 ACTransforms.xmlfalse
(Linux)
ACTransform.xml Linux Linux .pkg ACTransforms.xml XML
.pkgProfile
Profile
.dmgProfile
Profiles XML ACTransforms.xml
ValueValue
AnyConnect GUI (ASA) AnyConnect ASDMWindows
Windows www.cisco.com
Windows
Windows
WindowsAnyConnectAnyConnectASAAnyConnectASA AnyConnect
www.cisco.com 47
)
GUI
AnyConnect ID
47(Save to File) ASDM
ASA
ASAAltirisGettext AnyConnect (anyconnect.po) .mo .mo
AnyConnect
/
UI
AnyConnect IDAnyConnectGUI
Save to File ASDM
1 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization > GUI
Text and Messages
2 Add Add Language Localization Entry
3 Language (en)
4 Edit Edit Language Localization Entrymsgidmsgstr msgid
msgstr
Call your network administrator at 800-553-2447
5 OK Apply
1 www.cisco.com
2 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization > GUI
Text and Messages
3 Import Import Language Localization Entry 4
5
6 Import Now AnyConnectAnyConnect
AnyConnect
ASA Altiris AgentGettextAnyConnect .po.mo
GettextGNUGNUgnu.orgGUIGettext Poeditpoedit.net Gettext
AnyConnectAnyConnect
\l10n l ("el")10 n
Windows - :\Program Data\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\\LC_MESSAGES
Mac OS X Linux -/opt/cisco/anyconnect/l10n//LC_MESSAGES
1 http://www.gnu.org/software/gettext/ Gettext Gettext
2 AnyConnect AnyConnect AnyConnect.po
3 AnyConnect.po notepad.exe
4 Gettext .po .mo
msgfmt -o AnyConnect.mo AnyConnect.po
5 .mo
ASA AnyConnect
GNU GettextWindows GNU gnu.org GUI Gettext Poeditpoedit.net
AnyConnectASA
1 Remote Access VPN > Language Localization > Templates
AnyConnect AnyConnect.pot msgmerge.exe
2 AnyConnectWindows Gettext AnyConnect (.po) (.pot)
AnyConnect_merged.po
msgmerge -o AnyConnect_merged.po AnyConnect.po AnyConnect.pot
C:\Program Files\GnuWin32\bin> msgmerge -o AnyConnect_merged.po AnyConnect.po AnyConnect.pot
....................................... done.
Poedit AnyConnect.po File > Open > POTCatalog >Update
PoeditUpdate Summary
3 Remote Access VPN > Language Localization Import AnyConnect
AnyConnect_merged.po
Windows ASAAnyConnect
Windows
1 Control Panel > Region and Languages Clock,Language, and
Region > Change display language
2 /
3
AnyConnectfr-caAnyConnectfr
AnyConnect GUI AnyConnect AnyConnect VPN
AnyConnect GUIMac LinuxWindows company_logo.png
AnyConnectGUI
company_logo.bmp AnyConnect company_logo.bmp
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac06websecurity.html
AnyConnect GUI AnyConnect
1 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization >
Resources
2 ImportImport AnyConnect Customization Objects
3
4 Import Now
Windows AnyConnect Windows
%PROGRAMFILES%\Cisco\Cisco AnyConnect Secure Mobility Client\res\
%PROGRAMFILES% Windows C:\Program Files
x
Windows
24 x 24
PNG
about.png
(Advanced)(About)
24 x 24
PNG
about_hover.png
(Advanced)(About)
128 x 128
PNG
app_logo.png
128 x 128 128 x128
x
Windows
16 x 16
ICO
attention.ico
97 x 58
PNG
company_logo.png
(Advanced)
97 x 58 97 x 58
97 x 58
PNG
company_logo_alt.png
About
97 x 58 97 x 58
1260 x 1024
JPEG
cues_bg.jpg
(Advanced)(About)
x
Windows
16 x 16
ICO
error.ico
16 x 16
ICO
neutral.ico
16 x 16
ICO
transition_1.ico
transition_2.ico transition_3.ico VPN3
16 x 16
ICO
transition_2.ico
transition_1.ico transition_3.ico VPN3
x
Windows
16 x 16
ICO
transition_3.ico
transition_1.ico transition_2.ico VPN3
16 x 16
ICO
vpn_connected.ico
VPN
Linux AnyConnect Linux
/opt/cisco/anyconnect/pixmaps/
GUI
x
Linux
142 x 92
PNG
company-logo.png
AnyConnect 3.0 62x33 PNG
x
Linux
16 x 16
PNG
CVCabout.png
About
16 x 16
PNG
cvc-connect.png
(Connect)(Connection)
16 x 16
PNG
CVCdisconnect.png
(Connection)
16 x 16
PNG
CVCinfo.png
(Statistics)
16 x 16
PNG
systray_connected.png
16 x 16
PNG
systray_notconnected.png
x
Linux
16 x 16
PNG
systray_disconnecting.png
16x16
PNG
systray_quarantined.png
16 x 16
PNG
systray_reconnecting.png
48 x 48
PNG
vpnui48.png
Mac OS X AnyConnect OS X
/Cisco AnyConnect Secure Mobility Client/Contents/Resources
GUI
x Mac OS X
142 x 92
PNG
bubble.png
50 x 33
PNG
logo.png
128 x 128
ICNS
vpngui.icns
Mac OS X
16 x 16
PNGMac OS X
AnyConnect AnyConnectAnyConnectAnyConnectAnyConnect PDF HTML
1 help_AnyConnect.html HTML
2 ASDM Configuration > Remote Access VPN > Network
(Client) Access > AnyConnectCustomization/Localization >
Binary
3 help_AnyConnect.xxxPDFHTMLHTMMHT 4 PC AnyConnect PC
UI
5 AnyConnect
help_AnyConnect.html
Windows - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Help
Mac OS X - /opt/cisco/anyconnect/help
AnyConnect
VPN OnConnect
VPN OnDisconnect
VPNOnConnect VPN OnConnect
VPN
VPN
VPN
AnyConnectWebLaunch
AnyConnect
- AnyConnectOnConnectOnDisconnect
- AnyConnect OnConnect
onDisconnectOnConnectOnDisconnectAnyConnectAnyConnect VBSPerl
Bash
-
Windows -MicrosoftWindowsAnyConnectWindows VPNAnyConnectWindows
cmd .bat
-AnyConnect EnableScripting
GUI - GUI VPNOnDisconnect
64Windows - AnyConnect 32 64WindowsAnyConnect cmd.exe 32
32 cmd.exe 64 cmd.exe32Windows 7 64cmd.exe msg
%WINDIR%\SysWOW64
32 cmd.exe
AnyConnect
1
2
ASDM ASA
Network (Client) Access > AnyConnect
Customization/Localization > Script
ASDM6.3ASA scripts_OnConnect OnDisconnect scripts_ OnConnect
OnDisconnect myscript.bat scripts_OnConnect_myscript.bat
OnConnect_myscript.bat
ASDM 6.3
scripts_OnConnect
scripts_OnDisconnect
ASAASA
VPN
OnConnect
OnDisconnect
6
Microsoft Windows - %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script
Linux - /opt/cisco/anyconnect
Linux
Mac OS X - /opt/cisco/anyconnect/script
AnyConnect
1 VPN Preferences (Part 2)
2 Enable Scripting VPN
3 User Controllable On Connect OnDisconnect
4 Terminate Script On Next Event
AnyConnectVPNVPNOnDisconnectOnConnectMicrosoftWindowsOnConnect
OnDisconnectMac OS LinuxOn Connect OnDisconnect
5 Enable Post SBL On Connect Script SBLVPN On Connect
ASA VPN
1 OnConnect OnDisconnect
2
3 VPN OnConnect OnDisconnectASA OnConnect ASA OnConnect
OnConnect OnDisconnect ASA VPN
OnConnect OnDisconnect VPN
4 Linux
5
AnyConnect API WindowsLinuxMacAnyConnectAPI (UI) AnyConnect
UI
CLI GUI
vpncli.exevpnui.exeWindows
vpnvpnuiLinux
vpnASAAltirisGUIMac
Mac
ASA
AnyConnectAnyConnectAnyConnectUI AnyConnect ASDMAnyConnect
Cisco AnyConnectGUI
AnyConnect ISE
AnyConnect AnyConnect AnyConnect ISEAnyConnect ISEAnyConnect
AnyConnect
ISE AnyConnect Gettext .po .mo Gettextmsgfmt
http://www.gnu.org/software/gettext/ Gettext Gettext
1 AnyConnecta) www.cisco.com Cisco AnyConnect Software
Download
AnyConnect-Localization-(release).zip *.po
b) *.poc) Gettext *.po *.mo
msgfmt -o AnyConnect.mo AnyConnect.po
2 AnyConnecta) l10nb) l10nfr-ch
c)
l10n\fr-ch\AnyConnect.mo
    \he\AnyConnect.mo
    \ja\AnyConnect.mo
3 Windows AnyConnecta) www.cisco.comCiscoAnyConnect
anyconnect-win-(release)-web-deploy-k9-lang.zip
anyconnect-gina-win-(release)-web-deploy-k9-lang.zip
AnyConnectAnyConnect
b)
4 Windows AnyConnecta) mstb) mstfr-ch
c)
l10n\fr-ch\AnyConnect.mo
    \he\AnyConnect.mo
    \ja\AnyConnect.mo
mst\fr-ch\AnyConnect_fr-ca.mst
   \he\AnyConnect_he.mst
   \ja\AnyConnect_ja.mst
5 AnyConnect-Localization-Bundle-.zip AnyConnect
AnyConnect ISE AnyConnect AnyConnect ISE
AnyConnect AnyConnect AnyConnect GUIVPN ISE AnyConnect
ISEAnyConnectwin\resource\
\binary\transform
mac-intel\resource\binary\transform
AnyConnectWindowsMac OSX resourcebinary transform
resource AnyConnect GUI
AnyConnect GUI 49
binary VPN
AnyConnect AnyConnect 57
VPN 58
transform
Windows (Windows) 36
Mac OS X ACTransforms.xml Mac OS X 42
AnyConnect
1
2 resourcesAnyConnect GUI
3 binary help_AnyConnect.html
4 binary VPN OnConnect OnDisconnect
5 transform
6 AnyConnect-Customization-Bundle.zip AnyConnect
AnyConnect ISE AnyConnect AnyConnect ISE
3 AnyConnect
67
68
AnyConnect VPN 70
AnyConnect 84
Cisco AnyConnect ASAAnyConnectASDM
AnyConnectASDM AnyConnect AnyConnect
Windows
AnyConnect AnyConnect VPN 70
AnyConnect 84
144
ISE 177
182
AMP 202
209
ASDM
AnyConnect
AnyConnect ASDMWindows
ASDM ASA
1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
2 Add
3
4 Profile Usage
5 Profile Location Browse Flash ASA XML
6 Upload
7 AnyConnect
8 OK
ASDMWindowsVPN
CiscoAnyConnect(AddorRemovePrograms) VPN
Java - JRE 1.6
JRE 1.6
-Windows 7MSIWindows
- Firefox Internet Explorer
- Cisco AnyConnect 5 MBJRE 1.6 100 MB
ASAVPNGUI ASA FQDN ASA
AnyConnect AnyConnect AnyConnect ISO
.pkgWindows(.exe)anyconnect-profileeditor-win--k9.exe
1 Cisco.com anyconnect-profileeditor-win--k9.exe
2 anyconnect-profileeditor-win--k9.exe
3 Welcome Next
4 Choose Setup Type Next
Typical -
(Custom) -
(Complete) -
5 Typical Complete Custom Will be installed on local hard drive Entire Feature will be unavailable Next
6 Ready to Install Install
7 Finish
AnyConnectC:\Program Files\Cisco\Cisco AnyConnectProfile
Editor
(Start) > (All Programs) > (Cisco) >Cisco AnyConnect
(Cisco AnyConnect Profile Editor)
XMLASA XML
1 Start > All Programs > Cisco > Cisco AnyConnect
ProfileEditor
2 File > Open XML
VPN Schema Validation failed
3 File > Save
AnyConnect VPN AnyConnect Cisco AnyConnect
VPNISEAnyConnectASA
ASA ISE AnyConnectAnyConnect VPN VPN
AnyConnectGUI(Preferences)
/
AnyConnect 1 Use Start Before Logon
-WindowsWindowsAnyConnectWindows VPN
ShowPre-connectMessage -AnyConnect
Certificate Store - AnyConnect (All)
All- AnyConnect
Machine - AnyConnectWindows
User - AnyConnect
Certificate Store Override - AnyConnectWindows
WindowsWindows
Auto Connect on Start -AnyConnectAnyConnectVPN
Minimize On Connect - VPNAnyConnect GUI
Local LAN Access - ASA VPN LAN
LAN8.4(1)SSL AnyConnect VPN VPN 2
Auto Reconnect -AnyConnect VPN Auto Reconnect
DisconnectOnSuspend- AnyConnect VPN
ReconnectAfterResume -AnyConnect VPN
Auto Update - User Controllable
RSA Secure ID IntegrationWindows- RSAAnyConnect RSA
Windows Logon Enforcement - (RDP)VPNVPNAnyConnectVPN VPN
Single Local Logon-VPN PC VPNVPN
VPNVPN PC VPN VPN
Single Logon - VPNVPNVPNVPNVPN VPN
WindowsVPNEstablishment -PCVPNAnyConnect
Local Users Only- VPN AnyConnect
Allow Remote Users -VPNVPNVPNPCVPNVPN 90
Clear SmartCard PIN
IP Protocol Supported - IPv4 IPv6 AnyConnectASAAnyConnect
IPAnyConnect IPv4AnyConnect IPv6
IP
IPv4 - ASA IPv4
IPv6 - ASA IPv6
IPv4, IPv6 - ASA IPv4 IPv4 IPv6
IPv6, IPv4 - ASA IPv6 IPv6 IPv4
IPv4 IPv6 VPN IP IP VPN
AnyConnect 2 (Disable Automatic Certificate
Selection)Windows-
(Proxy Settings) - AnyConnect
(Native) - AnyConnect
(IgnoreProxy) - ASA
(Override) - LinuxWindows
(Allow Local Proxy Connections) -AnyConnectWindows PC VPN
(EnableOptimalGatewaySelection) (OGS) IPv4-AnyConnect (RTT) OGS
OGS(Automatic Selection) GUI(Connection)(Connect To)
OGS
(Always On)
(PAC)
AAA
(SuspensionTimeThreshold)-VPN
(Performance Improvement Threshold)
(Performance ImprovementThreshold) (%)-
20%
VPN (Automatic VPN Policy)WindowsMac- AnyConnect(Trusted Network
Detection allowing AnyConnect)(Trusted Network Policy)(Untrusted
Network Policy) VPN VPN Automatic VPNPolicy VPN
Trusted Network Policy -AnyConnect VPN
Disconnect- VPN
Connect - VPN
Do Nothing - Trusted Network PolicyUntrustedNetwork Policy Do
Nothing Trusted Network Detection
Pause - VPNAnyConnect VPNAnyConnect VPN
Untrusted Network Policy -AnyConnectVPNVPN
Connect- VPN
DoNothing -VPNTrustedNetwork PolicyUntrustedNetwork
PolicyDoNothingTrustedNetworkDetection
Trusted DNS Domains - DNS*.cisco.com (*) DNS
Trusted DNS Servers - DNS 192.168.1.2, 2001:DB8::1DNS (*)
Always On -WindowsMac OS XAnyConnect VPN
VPN AnyConnectVPN
VPN
Allow VPN Disconnect - AnyConnect VPN Disconnect VPN VPNVPN
Disconnect
DisconnectVPN Disconnect VPN
Connect Failure Policy - AnyConnect VPN ASA Allow VPN Disconnect
fail-openfail-close
Closed - VPN
Open - VPN
AnyConnect VPN
ACL VPNAnyConnect
VPN AnyConnect
VPN
Connect Failure Policy Closed
Allow Captive Portal Remediation -AnyConnect
VPN
Remediation Timeout - AnyConnect AllowCaptive Portal
Remediation5
Apply Last VPNLocal Resource Rules -VPNASA ASA LAN ACL
(Allow Manual Host Input) - AnyConnect UI VPN VPN VPN
PPP Exclusion - PPP VPNAnyConnectGUI Route Details PPP
Automatic - PPPAnyConnect PPP IP IP
Disabled - PPP
Override - PPP PPP IP PPP
PPP Exclusion
PPP Exclusion Server IP - PPP IP
PPP
Enable Scripting - OnConnect OnDisconnect
Terminate Script On Next Event -VPNAnyConnectOnConnect VPN
OnDisconnectMicrosoftWindows OnConnect OnDisconnectMac OS Linux
OnConnect OnDisconnect
Enable Post SBL On Connect Script - OnConnect SBLVPN
VPNMicrosoft Windows
VPN -Windows VPN
User Enforcement - VPN Retain VPNOn Logoff VPNWindows
Authentication Timeout Values -AnyConnect 12AnyConnect 0 -
20
AnyConnect
Host Address - IP (FQDN)
Add -
Move Up -
Move Down -
Delete -
AnyConnect
AnyConnect
Key UsageDigital_Signature
Extended Key UsageClient Auth
Key Usage -
Decipher_Only -Key_Agreement
Encipher_Only -Key_Agreement
CRL_Sign - CRL CA
Key_Cert_Sign - CA
Key_Agreement -
Data_Encipherment - Key_Encipherment
Key_Encipherment -
Non_Repudiation -Key_Cert_signCRL_Sign
Digital_Signature -Non_RepudiationKey_Cert_SignCRL_Sign
Extended Key Usage - Extended Key UsageOID
ServerAuth (1.3.6.1.5.5.7.3.1)
ClientAuth (1.3.6.1.5.5.7.3.2)
CodeSign (1.3.6.1.5.5.7.3.3)
EmailProtect (1.3.6.1.5.5.7.3.4)
IPSecEndSystem (1.3.6.1.5.5.7.3.5)
IPSecTunnel (1.3.6.1.5.5.7.3.6)
IPSecUser (1.3.6.1.5.5.7.3.7)
TimeStamp (1.3.6.1.5.5.7.3.8)
OCSPSign (1.3.6.1.5.5.7.3.9)
DVCS (1.3.6.1.5.5.7.3.10)
IKE Intermediate
Custom ExtendedMatch Key 10- 10 OID 1.3.6.1.5.5.7.3.11
Distinguished Name 10- (DN)
Name - (DN)
CN -
C -/
DC -
DNQ - DN
EA -
GENQ -
GN -
I -
L -
N -
O -
OU -
SN -
SP -/
ST -
T -
ISSUER-CN -
ISSUER-DC -
ISSUER-SN -
ISSUER-GN -
ISSUER-N -
ISSUER-I -
ISSUER-GENQ -
ISSUER-DNQ - DN
ISSUER-C -/
ISSUER-L -
ISSUER-SP -/
ISSUER-ST -
ISSUER-O -
ISSUER-OU -
ISSUER-T -
ISSUER-EA -
Pattern -
abc.cisco.com cisco.comcisco.com
Operator - DN
Equal - ==
Not Equal - !=
Wildcard -
Match Case -
133
AnyConnect AnyConnect (SCEP)
Certificate Expiration Threshold -AnyConnectRADIUS 0 180
Certificate Import Store -Windows
Automatic SCEPHost - SCEP SCEPASA ASA (FQDN)asa.cisco.com
scep_eng
CA URL - SCEP SCEP CA CA FQDN IP http://ca01.cisco.com
Prompt For Challenge PW - GetCertificate
Thumbprint - CA SHA1MD5
CACAURLfingerprintthumbprint
Certificate Contents - SCEP
(CN) -
(OU) -
(O) -
(ST) -
(SP) -
/ (C) -/
(EA) - (EA) %USER%@cisco.com%USER% ASA
(DC) - (DC) cisco.com
(SN) -
(GN) -
UnstructName (N) -
(I) -
(GEN) -Jr.III.
(DN) - DN
(L) -
(T) -
CA - SCEP CA
- RSA
DisplayGetCertificate Button -AnyConnect GUIGet Certificate
RADIUS
122
AnyConnect AnyConnect 3.0Windows Mobile Cisco AnyConnect
2.5Windows Mobile
AnyConnect GUIVPN
-IP (FQDN)
- IP FQDN
- URL
SCEP -
CA URL - (CA) URL
Add/Edit - Server List Entry
Delete -
Details - CA URL
VPN 93
AnyConnect /
Host Display Name -IP (FQDN)
FQDN or IP Address - IP FQDN
Host Address IP FQDN Host NameAnyConnect
Hostname FQDN Host Address IPHostname FQDN DNS
IP IPv4 IPv6
User Group -
URL Primary Protocol IPsecUser Group SSL URL
Additional mobile-only settings - Apple iOS Android
Backup Server List
Host Address - IP FQDN
Add -
Move Up -
Move Down -
Delete -
Load Balancing Server List
Host Address - IP FQDN
Add -
Delete -
Primary Protocol - SSL IPsec IKEv2 SSL
Standard Authentication Only (IOS Gateways)- IPsec IOS
ASAAnyConnectEAP ASA DNSMSIE
Auth Method During IKE Negotiation -
IKE Identity - EAP ID_GROUP IDi *$AnyConnectClient$*
Automatic SCEP Host - SCEP
CA URL - SCEP CA URL FQDN IP http://ca01.cisco.com
Prompt For Challenge PW - Get Certificate
CA Thumbprint - CA SHA1MD5
CA CA URLfingerprintthumbprint
VPN 93
AnyConnect AnyConnectLocalPolicy.xml XMLASA
VPN AnyConnectLocalPolicy.xmlXML
AnyConnect AnyConnect
acversion=""
FIPS Mode
FIPS FIPS
Bypass Downloader
VPNDownloader.exe ASA
Bypass Downloader ASA
ASA VPN VPN
ASA VPN VPN VPN
ASA VPNASABypassDownloader true ASA BypassDownloader true
Enable CRL Check
Windows SSL IPsec VPN(CRL)AnyConnectCRLAnyConnect
(CA)
CRLEnable CRL CheckAnyConnect CRL
CRLAnyConnect Strict Certificate Trust
CRLCRLAnyConnect Strict Certificate Trust Strict Certificate
Trust
Always OnAnyConnect CRL CRL AnyConnect
Restrict Web Launch
FIPSWebLaunch AnyConnect Cookie
Strict Certificate Trust
AnyConnect Local
policy prohibits the acceptance of untrusted server
certificates. A connection will
not be established.
AnyConnect Strict Certificate Trust
Strict Certificate Trust
AnyConnect
Strict Certificate Trust
AnyConnectAnyConnect
Credentials -
Thumbprints -
CredentialsAndThumbprints -
All -
false -
PEM (Exclude Pem File Cert Store)LinuxMac
PEM
FIPS OpenSSL PEM FIPS
Mac (Exclude Mac Native Cert Store)Mac
Mac
Firefox NSS (Exclude Firefox NSS Cert Store)LinuxMac
Firefox NSS
Update Policy
Allow Software Updates From AnyServer
VPN
Allow VPN Profile Updates From AnyServer
VPN
Allow Service Profile Updates FromAnyServer
Allow ISEPosture Profile Updates FromAny Server
ISE
Allow Compliance Module Updates From AnyServer
Server Name
VPNAnyConnect FQDNIP
1 AnyConnect (AnyConnectLocalPolicy.xml)
7 AnyConnect
Windows - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
Linux - /opt/cisco/anyconnect
Mac OS X - /opt/cisco/anyconnect
2 AnyConnectLocalPolicy AnyConnect VPN
3 AnyConnectLocalPolicy.xml
4
MST
MSTMST AnyConnect(AnyConnectLocalPolicy.xml)
LOCAL_POLICY_BYPASS_DOWNLOADER
LOCAL_POLICY_FIPS_MODE
LOCAL_POLICY_RESTRICT_PREFERENCE_CACHING
LOCAL_POLICY_RESTRICT_TUNNEL_PROTOCOLS
LOCAL_POLICY_RESTRICT_WEB_LAUNCH
LOCAL_POLICY_STRICT_CERTIFICATE_TRUST
AnyConnect
FIPS FIPS FIPS AnyConnect FIPSWindows LinuxMac root
FIPS FIPS
EnableFIPSFIPS FIPS
FIPS vpnagent (Windows) vpnagentMac Linux
Windows FIPS
EnableFIPS rwl=false sct=true bd=true fm=false
LinuxMac
./EnableFIPS rwl=false sct=true bd=true fm=false
FIPS AnyConnect
fm=[true | false]FIPS
bd=[true | false]
rwl=[true | false]WebLaunch
sct=[true | false]
rpc=[Credentials | Thumbprints | CredentialsAndThumbprints | All
| false]
efn=[true | false] Firefox NSSLinuxMac
epf=[true | false] PEMLinuxMac
emn=[true | false]MacMac
4 VPN
VPN 91
VPN 115
VPN 118
VPN
AnyConnect VPN AnyConnect VPN VPN
AnyConnect
VPN
AnyConnect VPN
Windows VPN
AnyConnect VPN
VPN
VPN VPN
VPN
AnyConnect
ASA AnyConnect VPN VPN
(Keepalive) - ASAASA ASA
ASDM(Keepalive) ASDM Cisco ASA 5500
CLI Keepalive CLI Cisco ASA 5500
(Dead PeerDetection) - ASAAnyConnectR-U-There IPsec
ASA DPDASA
ASA DPD 300
ASA DPDDPD 30
ASA DPDASDMDPDCisco ASA VPN ASDMCLIDPDCisco ASA VPNCLI
DPD30(GroupPolicy)>(Advanced)>AnyConnect(AnyConnect
Client) >(Dead Peer Detection)
DPD 300(Group Policy)
>(Advanced)>AnyConnect(AnyConnectClient)
>(DeadPeerDetection)
SSL IPsec 1(Group Policy) >(Advanced)
>AnyConnect(AnyConnect Client) >(KeyRegeneration)
AnyConnect
AnyConnect VPN
VPN
(Default Idle Timeout) - 30
CLI webvpn default-idle-timeout 1800
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_anyconnect.html#wp1090828
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_anyconnect.html#wp1090788
VPN(VPN Idle Timeout) - SSL VPN vpn-idle-timeout
default-idle-timeout
ASDM VPN ASDM Cisco ASA 5500
CLI VPN CLI Cisco ASA 5500
VPN AnyConnect VPN VPNFQDN IP
AnyConnect GUI Connect to VPN GUI
1 VPN Server List
2 Add
3
a) Host Display NameFQDN IP&
-
IPsec SSL URL
b) IPsec Standard Authentication OnlyAnyConnect EAP
AnyConnect EAP ASA DNSMSIE
7 SCEP
a) SCEP CA URL FQDN IP http://ca01.cisco.com
b) Prompt For Challenge PW Get Certificate
c) CA SHA1MD5 CA CAURLfingerprintthumbprint
8 OK
AnyConnect 82AnyConnect/ 82
Windows VPN
(SBL)Windows VPN
SBLAnyConnectWindows VPNWindows
SBLSBL 802-1X
SBLWindowsWindows
Windows (PLAP) AnyConnect SBL
PLAP Ctrl+Alt+Del Network ConnectPLAP
PLAPWindows 32 64
SBL
Active Directory
Microsoft Active Directory
SBL
Active Directory
MS NAP/CS NAC
AnyConnect
AnyConnect
1 AnyConnect
2 AnyConnect SBL
AnyConnect
AnyConnectAnyConnect SBLAnyConnect DLLWindows 7Windows 2008 32
64 PLAP vpnplap.dll vpnplap64.dll
VPNGINA PLAP AnyConnectVPNGINA PLAP
SBL ASA SBL AnyConnectMSIAnyConnect
1 ASDM Configuration > Remote Access VPN > Network (Client) Access > Group Policies
2 Edit Add
3 Advanced > AnyConnect Client
4 Optional Client Module for Download Inherit
5 AnyConnect SBL
AnyConnect SBL
SBLSBL
SBL
1 VPN Preferences (Part 1)
2 Use Start Before Logon
3 SBL User Controllable
SBL
1 AnyConnect ASA
2 *.xml
3 Windows Add/Remove Programs SBL
4 AnyConnect
5 AnyConnect
6 Start Before Logon
7 DART AnyConnect
8 AnyConnect
Description: Unable to parse the profile C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\VABaseProfile.xml. Host data not available.
9 .tmpl .xml XML
AnyConnect VPN Auto Connect On StartAnyConnectVPN VPN
Auto Connect On Start
1 VPN Preferences (Part 1)
2 Auto Connect On Start
3 Auto Connect On Start User Controllable
Windows (PLAP) (SBL)Windows VPN
SBL AnyConnect (PLAP)PLAPWindows SBLPLAP vpnplap.dll
vpnplap64.dll 32 64PLAP x86 x64
PLAPvpnplap.dll vpnplap64.dll SBLPLAP DLLWindows 7Windows 2008
32 64 PLAP
PLAPAnyConnectPLAP
SBLPLAPAnyConnect SBL 96 Switch User Network Connect
Alt+Tab
PLAP Windows PC
1 Windows Ctrl+Alt+Del Switch User
2 Switch UserNetwork ConnectAnyConnect Switch User VPN Network
Connect VPN CancelVPN
3 NetworkConnectAnyConnectAnyConnect
4 GUIAnyConnect
5 Network ConnectMicrosoft Disconnect
6
AnyConnect PLAP VPN
PLAP AnyConnect VPNPLAP Disconnect
DisconnectVPN
Disconnect
PLAP PC Cancel
PC
WindowsPress CTRL + ALT + DEL to log on
Windows PLAP AnyConnect
VPN Auto ReconnectAnyConnectVPN 3GAutoReconnectWindowsMac OS
Linux
Auto Reconnect VPN
1 VPN Preferences (Part 1)
2 Auto Reconnect
3 Auto Reconnect Behavior
Disconnect On Suspend -AnyConnect VPN
Reconnect After Resume -VPN
(TND) AnyConnect VPN VPN
TNDVPNVPNTND VPNVPN TNDVPN
AnyConnect VPN TND ASAAnyConnect
TNDAnyConnect GUIGUIGUI TND VPN
AnyConnect SBL
IPv4 IPv6 ASA IPv6 IPv4 VPN
TND
TNDAnyConnect
ASA TND
ASA ASA
ASA ASA
1 VPN Preferences (Part 1)
2 Automatic VPN Policy
3 Trusted Network Policy
Disconnect - VPN
Connect - VPN
Do Nothing - Trusted Network Policy UntrustedNetwork Policy Do
Nothing Trusted Network Detection (TND)
Pause -VPNAnyConnect VPNAnyConnect
VPN
4 Untrusted Network Policy
Connect - VPN
Do Nothing - VPNTrusted Network Policy Untrusted Network Policy
Do Nothing Trusted NetworkDetection
5 Trusted DNS Domains DNSDNS split-dns ASA DNS
AnyConnect DNS
DNS
DNS DNS Advanced TCP/IP Settings
TrustedDNSDomains DNS
*example.comexample.com
TrustedDNSDomains DNS
*.example.com OR example.com,anyconnect.example.com
example.com AND anyconnect.cisco.com
*.example.com OR asa.example.com,anyconnect.example.com
asa.example.com AND example.cisco.com
(*) DNS
6 Trusted DNS Servers DNSDNS203.0.113.1,2001:DB8::1 (*) DNS
DNS DNS IPmus.cisco.com DNS DNSmus.cisco.com
TrustedDNSDomains/TrustedDNSServersTrustedDNSServers DNS
VPN
7 URLWeb (Add)URL (Set)
DNSDNS DNS DNS
VPN
VPN VPN VPN
VPNVPNASAAnyConnect VPN
VPNAnyConnect AnyConnect ASA
AnyConnect
VPNAnyConnect VPN VPN (Allow VPN Disconnect) AnyConnect
VPN(Disconnect)VPN Disconnect
DisconnectVPNVPNDisconnectVPN VPN
VPN AnyConnect VPN
VPN
AnyConnect VPNAnyConnect VPN
VPN
VPN VPN
(CA)ASDMConfiguration> Remote Access VPN > Certificate
Management > Identity Certificates EnrollASA SSL VPN with
Entrust
ASA
PC
Windows C:\ProgramData
AnyConnect
Windows (GPO)GUIMacOS
VPN
1 AnyConnect VPN
2
3 VPN
AnyConnect VPN
VPN ASA VPN VPN
1 VPN Preferences (Part 2)
2 Automatic VPN Policy
3
4 Always On
5 Allow VPN Disconnect
6
7
VPN AnyConnect VPN VPN
ASDM
1 VPN Server List
2 Edit
3 FQDN IP
VPN
VPN
ASA AnyConnectVPN
AAA
1 Configuration >Remote Access VPN >Network (Client)
Access >Dynamic Access Policies >Add Edit
2 VPN Selection Criteria ID AAA
3 Add or Edit Dynamic Access Policy AnyConnect
4 VPN for AnyConnect client Disable
VPN AnyConnect VPNAnyConnect
VPNAnyConnect
AnyConnect VPN
VPNWeb
Disconnect Disconnect
VPN
VPN
Web
Apply Last VPN Local Resources VPN
AnyConnect
AnyConnect
VPN
AnyConnect VPN
VPN
1 VPN Preferences (Part 2)
2 Connect Failure Policy
Closed-
Open -
3 a) b) VPNApplyLastVPNLocal
Resources
Wi-Fi/
VPN AnyConnectAnyConnect
AnyConnect
The service provider in your current location is restricting
access to the Internet. You need to log on with the service provider
before you can establish a VPN session. You can try this by visiting
any website with your browser.
VPN
The service provider in your current location is restricting
access to the Internet. The AnyConnect protection settings must be
lowered for you to log on with the service provider. Your current
enterprise security policy does not allow this.
AnyConnectVPNVPN
AnyConnect VPN
1 VPN Preferences (Part 1)
2 (Allow Captive Portal Remediation)
3
AnyConnect
AnyConnect
AnyConnect (CN) ASA AnyConnect
ASA CN VPN ASA
ASA ASA HTTPS ASA AnyConnect ASA
ASAASAHTTPHTTPS HTTP ASA HTTP/HTTPS ASA HTTP/HTTPS
HTTPIP
DoS HTTP
L2TP PPTP AnyConnect/ ISP 2 (L2TP) (PPTP)
(PPP)AnyConnect PPP VPN ASAASAAnyConnectPPP AnyConnect GUI Route
Details
1 VPN Preferences (Part 2)
2 PPPExclusionUserControllable
Automatic - PPPAnyConnect PPP IP IP
Override -PPPPPP IPPPPExclusionUserControllable true
Disabled - PPP
3 PPP Exclusion Server IP PPP IP UserControllable
preferences.xml PPP IP
preferences.xml PPP
PPP PPP Exclusion AnyConnect
1 XML
Windows - %LOCAL_APPDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml
Mac OS X - /Users/username/.anyconnect
Linux - /home/username/.anyconnect
2 PPPExclusion Override PPP IP IPv4
Override192.168.22.44
3
4 AnyConnect
AnyConnect
AnyConnect AnyConnect VPN
AnyConnectKaspersky
AnyConnectVPN
WindowsAnyConnectMac Linux
Windows
VPN
AnyConnect SBLWindowsMicrosoft
VPN
VPNWindows Linux
VPN AnyConnect 2
ASAAnyConnectAnyConnectAnyConnect (PAC) ASAAnyConnect
AnyConnect
LinuxMac OS XWindows
Safari InternetExplorer
IE
IPv6
VPN
1 VPN Preferences (Part 2)
2 Allow Local Proxy Connections
Windows LinuxAnyConnect4.1Mac LinuxMac
Linux AnyConnect
AnyConnectNTLMAnyConnectAnyConnect ASA
Windows
Windows
1 Internet Explorer Internet Options
2 Connections LAN Settings
3 IP
Mac
1
2 Advanced
3 Proxies
4 HTTPS
5 Secure Proxy Server
Linux
Linux
1 ASA Cisco ASA VPN ASDM
Mac scutil --proxy ASA VPN
2
3 Internet Explorer Connections
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1336831
AnyConnect PCMicrosoft Internet Explorer SafariAnyConnect
1 VPN Preferences (Part 2)
2 Proxy Settings IgnoreProxy Ignore Proxy
ASA
Internet Explorer Connections
AnyConnect Internet Explorer Tools > Internet Options >
Connections
ASA Connections
ASA
Windows Connections ASA
ASA ASDM
1 ASDM Configuration > Remote Access VPN > Network (Client) Access > Group Policies
2 Edit Add
3 Advanced > Browser Proxy Proxy Server Policy
4 Proxy Lockdown
5 Inherit Yes AnyConnect Internet Explorer Connections No AnyConnect Internet Explorer Connections
6 OK
7 Apply
Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
Mac OS X
scutil --proxy
VPN
IPv4 IPv6 VPN Client Bypass Protocol AnyConnect ASA IPv6 IPv4
ASA IPv4 IPv6
AnyConnect ASA VPNASA IPv4/ IPv6
IP Client Bypass Protocol ASA IP IP VPN
Client Bypass Protocol VPNIP
ASA IPv4AnyConnectIPv6 Client Bypass ProtocolIPv6 Client Bypass
ProtocolIPv6
ASA Client Bypass Protocol
1 ASDM Configuration > Remote Access VPN > Network (Client) Access > Group Policies
2 Edit Add
3 Advanced > AnyConnect
4 Client Bypass Protocol Inherit
5
Disable ASA IP
Enable IP
6 OK
7 Apply
Cisco ASA VPN ASDM
Cisco ASA VPN ASDMAnyConnect
ASDM Configuration > Remote Access VPN > Network (Client)
Access >AnyConnect Connection Profiles > Add/Edit > Group
Policy
DNS DNSAnyConnect DNS DNS DNS DNS DNS DNSAnyConnect DNS
DNS DNS AAAAANSTXTMXSOAANYSRVPTRCNAME PTR
WindowsMac OS X AnyConnect DNS
Mac OS XAnyConnect IPDNS
IP IPv4 DNS IP IPv6 IP
IP DNS
DNS DNS
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1409337
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1543109
1 DNS Cisco ASA VPN ASDM
DNS DNS
2 - Configuration > Remote Access VPN > Network (Client)
Access > Group Policies > Advanced >Split
TunnelingTunnelNetworkListBelowNetworkList
DNS Exclude Network List Below Tunnel Network List Below DNS
3 DNS Configuration > Remote Access VPN > Network (Client)
Access > Group Policies > Advanced >Split Tunneling Send
All DNS lookups through tunnel DNS Names
ASDM Configuration > Remote Access VPN > Network (Client)
Access >AnyConnect Connection Profiles > Add/Edit > Group
Policy
AnyConnect DNS DNS AnyConnectReceived VPN Session
ConfigurationSettings DNSIPv4 DNS IPv6 DNS
DNS DNS ping DNS nslookup dig DNS
DNS
1 ipconfig/all DNS 2 VPN DNS
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1351696
DNS
ASA
VPN
AnyConnect Strict Certificate Trust
Strict Certificate Trust
AnyConnect
Strict Certificate Trust
Strict Certificate Trust Cisco AnyConnect4.1
AnyConnect (CRL)
CRLCRLWindowsMac OS X CRL
ASA
FQDN FQDN SSL FQDN IP
IPsec SSLDigitalSignature KeyAgreement KeyEncipherment EKU
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html
serverAuth SSL IPsec ikeIntermediate IPsecKU EKU
IPsec IPsec
DNS IPIP
OSXShow Expired Certificates()
CN(Change Settings)(Keep Me Safe)
Linux
(Keep Me Safe)
(Change Settings) AnyConnect(Advance) > VPN
>(Preferences)
(Block connections to untrusted servers) CA(Certificate Blocked
Error Dialog)
VPN (Always trust this VPN server and import thecertificate)
AnyConnect (Advanced) > VPN > (Preferences) (Block
connections to untrusted servers) AnyConnect
(Strict Certificate Trust)(Strict Certificate Trust)
(StrictCertificateTrust)CiscoAnyConnect 4.1 AnyConnect
AnyConnect VPN Always On DAP
(Strict Certificate Trust)
AnyConnect
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html
AAA ID
URL URL
ASADepartment_OUASA
CA
1 Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles Edit Edit AnyConnect Connection Profile
2 Basic Authentication Certificate
3 OK
Cisco AnyConnect (SCEP) AnyConnect IPsec SSL VPN ASA SCEP
SCEPASA (CA) SCEP
CA ASA AnyConnect CA
SCEPAnyConnect CA
CA AnyConnect ASA VPN
AnyConnect 80
SCEP SCEP AnyConnect ASA
1 AAA ASAASA AAA
2 AAA AAA SCEP
3 ASA CA CA
4 SCEP ASA
SCEP
SCEP
SCEP SSL SSL IPsec
SCEP AnyConnect SCEP
1 ASAASA
2 SCEP
3 AAASCEP ASAASA AAA
4 AAA
SCEP 2 Get Certificate CA
CA VPN VPNAAA
5 AAA VPN
6 SCEP 2VPN CA CA
7 SCEP ASA
SCEP
SCEP
(Certificate Expiration Threshold) (Get Certificate)
SCEP
SCEP CA IOS CSWindows Server 2003 CAWindows Server 2008CA
CA
CACA AnyConnect CA SCEPSCEP CA
ASAVPN SCEPWebLaunch AnyConnect SCEP
ASA SCEP
ASACA
ASA
URL URL
ASA Engineering Department_OUASA
ASAaaa.cisco.sceprequiredDAP
Windows
Windows Yes
SCEP
SCEP VPN
1 VPN Certificate Enrollment
2 Certificate Enrollment
3 Certificate Contents AnyConnect
%machineid%HostScan/Posture
ASA SCEP
SCEP ASA VPN
1 cert_group
General SCEP Forwarding URL CA URL
Advanced > AnyConnect Client Inherit for Client Profiles to
Download SCEP ac_vpn_scep_proxy
2 cert_tunnel
AAA
cert_group
Advanced > General Enable SCEP Enrollment for this Connection Profile
Advanced >GroupAlias/GroupURL (cert_group)URL
SCEP
SCEP VPN
1 VPN Certificate Enrollment
2 Certificate Enrollment
3 Automatic SCEP Host
FQDN IP SCEPasa.cisco.com ASAscep_eng asa.cisco.com/scep-eng
SCEP FQDN IPSCEP
4 CA CA URLfingerprintthumbprint
a) CA URL SCEP CA FQDN IP http://ca01.cisco.com/certsrv/mscep/mscep.dll
b) Prompt For Challenge PW
c) CA SHA1MD5 8475B661202E3414D4BB223A464E6AAB8CA123AB
5 Certificate ContentsAnyConnect
%machineid%HostScan/Posture
6 DisplayGet Certificate Button
7 SCEP Certificate Enrollment SCEP
a) Server List
b) Add Edit
c) 5 6 Automatic SCEP Host Certificate Authority
ASA SCEP
ASA SCEP VPN
1 cert_enroll_group Advanced > AnyConnect Client Inherit for
Client Profiles to Download SCEP ac_vpn_legacy_scep
2 cert_auth_group
3 cert_enroll_tunnel
Basic Authentication Method AAA
Basic Default Group Policy cert_enroll_group
Advanced > GroupAlias/Group URL URL (cert_enroll_group)
ASA
4 cert_auth_tunnel
Basic Authentication Method Certificate
Basic Default Group Policy cert_auth_group
ASA
5 GeneralConnection Profile (Tunnel Group) LockSCEP SCEP
SCEP Windows 2008 Windows 2008 SCEP AnyConnect
SCEP
SCEP SCEP
1 (Start) > (Run) regedit (OK)
2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword
EnforcePassword
3 EnforcePassword0 REG-DWORD
4 regedit
SCEP
SCEP
1 Server Manager Start > Admin Tools > Server Manager
2 Roles > Certificate Services AD Certificate Services
3 CA Name > Certificate Templates
4 Certificate Templates > Manage
5 Cert Templates Console Duplicate
6 Windows Server 2008 version OK
7 NDES-IPSec-SSL
8
9 Cryptography
10 Subject Name Supply in Request
11 Extensions Application Policies
IP
IP IKE intermediate
IP
IP
SSL IPsec
12 Apply OK
13 Server Manager > Certificate Services-CAName Certificate Templates New > Certificate Template to Issue NDES-IPSec-SSL OK
14 Start > Run regedit OK
15 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
16 NDES-IPSec-SSL
EncryptionTemplate
GeneralPurposeTemplate
SignatureTemplate
17 Save
AnyConnectCertificate Expiration
ThresholdAnyConnectAnyConnect
RADIUS
1 VPN Certificate Enrollment 2 Certificate Enrollment 3
Certificate Expiration Threshold
AnyConnect
0 0 180
4 OK
AnyConnectAnyConnect
AnyConnectWindowsMac Unix Privacy EnhancedMail (PEM)
1 WindowsWindows 130 VPN AnyConnect
2 WindowsWindows 131 AnyConnect
3 Mac LinuxMac Linux PEM 132
4 Mac Linux VPN
5 133AnyConnect AnyConnect
Windows WindowsVPNAnyConnectAnyConnect
Windows Certificate Store Override AnyConnect
Windows Certificate Store Override
AnyConnect Certificate Store Certificate Store
OverrideWindows
AnyConnect Certificate StoreOverride
Certificate Store
AnyConnect AnyConnect
AnyConnect Certificate StoreOverride
Certificate Store
AnyConnect AnyConnect
AnyConnect AnyConnect
Machine
AnyConnect AnyConnect
Machine
AnyConnect
1 Certificate Store AnyConnect (All)
All- AnyConnect
Machine - AnyConnectWindows
User - AnyConnect
2 AnyConnect Certificate StoreOverride
Windows AnyConnectSCEPAnyConnect
Windows
1 VPN Preferences (Part 2) 2 Disable Certificate Selection 3
User Controllable Advanced > VPN > Preferences
Mac Linux PEM AnyConnect (PEM)AnyConnect PEM
.pem
.key
client.pem client.key
PEM PEM
PEM
PEM
CA ~/.cisco/certificates/ca (1) ~
~/.cisco/certificates/client
~/.cisco/certificates/client/private
PEM /opt/.cisco ~/.cisco
AnyConnect AnyConnect VPN Certificate Matching
AnyConnect 77
KeyUsageAnyConnectVPN Key Usage
DECIPHER_ONLY
ENCIPHER_ONLY
CRL_SIGN
KEY_CERT_SIGN
KEY_AGREEMENT
DATA_ENCIPHERMENT
KEY_ENCIPHERMENT
NON_REPUDIATION
DIGITAL_SIGNATURE
Extended Key Usage AnyConnect (OID)
OID
1.3.6.1.5.5.7.3.1   serverAuth
1.3.6.1.5.5.7.3.2   ClientAuth
1.3.6.1.5.5.7.3.3   CodeSign
1.3.6.1.5.5.7.3.4   EmailProtect
1.3.6.1.5.5.7.3.5   IPSecEndSystem
1.3.6.1.5.5.7.3.6   IPSecTunnel
1.3.6.1.5.5.7.3.7   IPSecUser
1.3.6.1.5.5.7.3.8   TimeStamp
1.3.6.1.5.5.7.3.9   OCSPSign
1.3.6.1.5.5.7.3.10  DVCS
1.3.6.1.5.5.8.2.2   IKE Intermediate
OID 1.3.6.1.5.5.7.3.11 OID OID
Distinguished Name Add
SubjectCommonName      CN
SubjectSurName         SN
SubjectGivenName       GN
SubjectUnstructName    N
SubjectInitials        I
SubjectGenQualifier    GENQ
SubjectDnQualifier     DNQ
SubjectCountry         C
SubjectCity            L
SubjectState           SP
SubjectState           ST
SubjectCompany         O
SubjectDept            OU
SubjectTitle           T
SubjectEmailAddr       EA
DomainComponent        DC
IssuerCommonName       ISSUER-CN
IssuerSurName          ISSUER-SN
IssuerGivenName        ISSUER-GN
IssuerUnstructName     ISSUER-N
IssuerInitials         ISSUER-I
IssuerGenQualifier     ISSUER-GENQ
IssuerDnQualifier      ISSUER-DNQ
IssuerCountry          ISSUER-C
IssuerCity             ISSUER-L
IssuerState            ISSUER-SP
IssuerState            ISSUER-ST
IssuerCompany          ISSUER-O
IssuerDept             ISSUER-OU
IssuerTitle            ISSUER-T
IssuerEmailAddr        ISSUER-EA
IssuerDomainComponent  ISSUER-DC
Distinguished NameDistinguished Name
SDI (SoftID) VPN AnyConnectWindows 7 x8632 x6464 RSA SecurID
1.1
RSA SecurIDRSA SecurID 60 SDI Security Dynamics, Inc.
AnyConnectAnyConnect
SDI AnyConnect PIN RSASecurIDRSA
RSASecurIDPINPINAnyConnect PIN
URLURLURL/()AnyConnect (Network (Client) Access AnyConnect
Connection Profiles) (Allow user to select connection)URL
SDIPasscode NTLMPassword 2.1
RSA SecurID PIN RSA SecurID SDIPasscodeEnter ausername and
passcode or software token PIN PINPIN PIN RSA SecurID DLL
AnyConnect SDIPIN
Passcode
RSASecureIDIntegration
Automatic - (HardwareToken) PIN (SoftwareToken) SDI
SDI
SDISKIHardwareToken
SoftwareToken - PINPIN:
HardwareToken -Passcode:
AnyConnect RSA RSA SecurID GUI
SDI SDI
SDI
PIN
PIN
SDI
SDI PIN PINSDI RADIUS SDI
SDI SDI
PIN PIN
PIN SDI
PINPINAnyConnectPINPIN
PIN PIN SDI PIN
PIN PIN PIN PIN (00000000) PINRSASDIPIN
SDI PIN PIN SDI PIN RSASDI PIN
PIN
PIN SDI
PIN
PIN
PIN PIN
SDI PIN PIN
PIN SDI PIN PIN
PIN AnyConnect PINPIN 48 PIN
RADIUSPIN PIN
PIN PIN RSA SecurIDDLL RSA SecurID DLL
SDI RADIUS SDI SDI
SDI SDI SDI
RADIUS SDI RADIUS SDI SDI SDI
SDI RADIUS SDI SDI SDIASA SDIAnyConnect
RADIUS SDI SDI SDI
RADIUSASA SDIASA SDIRADIUS AnyConnect SDIASA RADIUS
SDI SDIASA SDI
AnyConnect
ASA RADIUS/SDI ASA SDI RADIUS AnyConnect SDI RADIUS SDI
1 Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
2 SDI RADIUS Edit
3 Edit AnyConnect Connection Profile Advanced Group Alias / Group URL
4 Enable the display of SecurID messages on the login screen
5 OK
6 Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups
7 Add AAA
8 Edit AAA Server Group AAA OK
9 AAA Server Groups AAA Servers in the Selected Group Add
10 SDI Message Table ASA
RADIUSRADIUS RADIUS
ASA (ACS) ACS ASA
new PIN new-pin-sup next-ccode-and-reauth new-pin-supnew PIN
RADIUSnew PIN with the next card code
new-pin-supnext-ccode-and-reauth
RADIUS
PINEnter Next PASSCODEnext-code
PIN PIN PINnew-pin-sup
PIN PINPINnew-pin-meth
PIN PINAlpha-Numerical PIN
new-pin-req
ASA PINPIN
PINnew-pin-reenter
PIN PINnew-pin-sys-ok
PIN PIN
PIN
next-ccode-and-reauth
ASA PIN
PINready - for - sys -PIN
11 OK Apply Save
5
2 2
Mac OS X Linux AnyConnect ISE AnyConnect ISE
Cisco AnyConnect
(IEEE 802.3) (IEEE 802.11)
Windows 7 (3G)MicrosoftAPIWAN
Windows
Windows
IEEE 802.1X
IEEE MACsec
EAP
EAP-FAST PEAP EAP-TTLS EAP-TLS LEAP EAP-MD5 EAP-GTC IEEE 802.3
EAP-MSCHAPv2
EAP
PEAP - EAP-GTC EAP-MSCHAPv2 EAP-TLS
EAP-TTLS - EAP-MD5 EAP-MSCHAPv2 PAP CHAP MSCHAP MSCHAPv2
EAP-FAST - GTC EAP-MSCHAPv2 EAP-TLS
- WEP WEP TKIP AES
- WPA WPA2/802.11i
AnyConnect
WindowsMicrosoft CAPI 1.0 CAPI 2.0 (CNG)
WindowsECDSA (SSO)ECDSA
B FIPS FIPS
ACS ISE Suite B OpenSSL 1.x FreeRADIUS 2.x Suite BMicrosoftNPS
2008 Suite BNPS RSA
802.1X/EAP Suite B RFC 5430 TLS 1.2
MACsecWindows 7 FIPS
Windows 7 Elliptic Curve Diffie-Hellman (ECDH)
Windows 7 ECDSA
Windows 7 ECDSA CA
Windows 7 ECDSA CAPEM
Windows 7 ECDSA
Microsoft Windows Cisco AnyConnectAnyConnect
Windows
Windows
RDP
user/example [email protected]
PIN
Windows EnforceSingleLogon
Windows EnforceSingleLogon OverlayIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders\{B12744B8-5BB7-463a-B85E-BB7627E7