Cisco Anyconnect 4.4



Give any user highly secure access to the enterprise network, from any device, at any time, in any location.

Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance.

4.4 / 5

'AnyConnect is super easy to install, log in to the portal and download the client. From there it is really quick and easy to establish your VPN connection.'

'It provides great protection options like multi-factor authentication and Cisco Identity Services Engine. It has a simplified usage user interface.'

Cisco AnyConnect - Empower your employees to work from anywhere, on company laptops or personal mobile devices, at any time. AnyConnect simplifies secure endpoint access and provides the security necessary to help keep your organization safe and protected.

Gain more insight into user and endpoint behavior with full visibility across the extended enterprise. With AnyConnect's Network Visibility Module (NVM), you can defend more effectively and improve network operations.

Defend against threats, no matter where they are. For example, with Cisco Identity Services Engine (ISE), you can prevent noncompliant devices from accessing the network. And with Cisco Umbrella Roaming, you can extend protection when users are off the VPN.

Provide a consistent user experience across devices, both on and off premises, without creating a headache for your IT teams. Simplify management with a single agent.

Fixed some bugs.
4.6.03049
09.20.18
Free
English
N/A
Windows XP/Vista/7/8/10
11th February 2020

As the 'cloud only' model continues to grow, we are starting to see an influx of environments where a legacy on-premises Active Directory domain does not exist. Whether this is your case, or you are just looking to use modern web-based authentication, this article is for you. Although I strongly believe that Azure AD is NOT a replacement for an on-premises domain, Microsoft's continued development has proven it a viable solution for organizations of many sizes. I had some difficulty completing this setup process on ASDM, so this article will cover the steps to complete it via SSH/CLI.

What You Need

1. Cisco ASA device with SSH/ASDM access
2. Azure AD (Free version will work, but paid versions are required in order to enforce conditional access policies like MFA)
3. Existing VPN tunnel group
(Make sure the tunnel group does not have spaces in its name, otherwise you may run into issues accessing the metadata in Section 3.)

Section 1 : Azure AD Configuration

  1. Login to the Azure AD portal (https://aad.portal.azure.com)
  2. Browse to Enterprise Applications > All Applications > + New Application
  3. Under the 'Add an Application' menu, select 'Non-gallery application' and enter a name for your application. In this example I chose 'AnyConnect-SAMLSSO'. Once named, press the blue 'Add' button at the bottom of the blade.
  4. Once the application has been created, browse to 'Single sign-on' and then select 'SAML'.
  5. Once the SAML configuration page loads, download the Base64 certificate from box 3.
  6. From box 4, record 1. Login URL, 2. Azure AD Identifier, and 3. Logout URL. See below for how these values translate in ASA terms.

Definitions
Azure AD Identifier (Azure AD) = IDP Entity ID (ASA)
Login URL (Azure AD) = Sign In URL (ASA)
Logout URL (Azure AD) = Sign Out URL (ASA)

Section 2: ASA Configuration

  1. SSH into your ASA device using your preferred SSH client.
  2. Below you will find the template commands to configure the CA trustpoint for the Azure AD IDP and enroll the Base64 certificate you downloaded in Section 1, Step 5. In this example I named the trustpoint 'AzureAD-IDP-Trustpoint', but it can be named to your liking.
  3. Copy the commands above to your favorite text editor so that you can paste in the contents of your Azure AD Base64 cert. Once you paste in your cert, it should look something like this:
  4. After filling in your certificate information, copy the whole block of commands and paste it into your SSH client. Accept the certificate and make sure that it installs successfully.
  5. Next we will configure the SAML IDP provider. You will need to have ready the information from Section 1, Step 6. In the block below, '///xxx///' denotes information you must fill in.
  6. Copy the commands above to your favorite text editor so that you can paste in the information from your Azure AD application. Once you paste in your information, the command block should look something like this:
  7. After filling in your Azure AD application information, copy the whole block of commands and paste it into your SSH client. This will create the SAML identity provider on the ASA.
  8. Next you will need to apply the SAML IDP to your existing VPN tunnel group. Creating a tunnel group is not covered in this guide. Copy the code block below and fill in your information.
  9. Once you fill in your information, it should look something like this:
  10. After filling in your SAML IDP information, copy the whole block of commands and paste it into your SSH client. This will configure the specified tunnel group to use SAML authentication, with the SAML IDP created in steps 5-7 as the source.
  11. Run the following command to save your configuration changes on the ASA:
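The complete Section 2 command set as an added, constructed example (not the article's own command blocks, which are not reproduced on this page). Assumed values: <TENANT-ID> is your Azure AD tenant GUID, vpn.example.com is the ASA's public FQDN, VPN-SAML is the existing tunnel group, and ASA-SSL-Trustpoint is the trustpoint holding the ASA's own SSL identity certificate; AzureAD-IDP-Trustpoint is the name the article uses.

```cisco
! Steps 2-4: trustpoint for the Azure AD signing certificate (Section 1, Step 5).
! revocation-check none / no ca-check: the Azure AD certificate is a self-signed
! signing cert, not a CA cert, and publishes no CRL to check.
crypto ca trustpoint AzureAD-IDP-Trustpoint
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-IDP-Trustpoint
-----BEGIN CERTIFICATE-----
<paste the Base64 certificate downloaded from box 3 here>
-----END CERTIFICATE-----
quit
! Answer "yes" when the ASA asks whether to accept the certificate.

! Steps 5-7: SAML IdP. The "saml idp" name must be the Azure AD Identifier
! (IDP Entity ID); sign-in/sign-out are the Login URL and Logout URL from box 4.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp ASA-SSL-Trustpoint
  base-url https://vpn.example.com
  no signature
  no force re-authentication

! Steps 8-10: bind the IdP to the existing tunnel group (no spaces in its name).
tunnel-group VPN-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/

! Step 11: save the running configuration.
write memory

! Section 3: with these values the SP metadata is then served at
! https://vpn.example.com/saml/sp/metadata/VPN-SAML
```

The base-url must match the FQDN in the ASA's SSL certificate, since it is embedded in the entityID and AssertionConsumerService Location that Azure AD will later validate against.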

Section 3: SAML Metadata

Now that we have completed the required configurations on the ASA, we must retrieve the SAML metadata and enter this information back into the Azure AD application.

  1. To access your metadata, fill in your fields and then copy the URL below:

For example, using our sample data the link would be:

  2. Browse to your respective link and your SAML metadata XML should load.
  3. On this page locate the 'AssertionConsumerService' element and in it look for the 'Location' field. This will be added to the Azure AD application as the Reply URL. On the metadata page, also locate the entityID at the top. This will also need to be entered in the Azure AD application settings.
  4. On the Azure AD portal, open your enterprise application and go to the 'Single sign-on' settings page. In box 1 'Basic SAML Configuration' press the pencil icon in the top right to edit.
  5. With the data copied from your ASA metadata page, fill in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields. Press save when done.

Section 4: Users and Groups

Now that you have the ASA configured and the Azure AD SAML application set up, you have to specify which users/groups can access that application and, in turn, access your VPN. Alternatively, you can disable user/group assignment, which would allow all users in your Azure Active Directory to access the application.

Enable Sign In for the Application:

In Azure AD, browse to your SAML application and go to the 'Properties' tab. Ensure that 'Enabled for users to sign-in?' is set to 'Yes'. This setting ensures that sign-in is globally enabled, whether you are looking to restrict access to certain users/groups or permit all users.

To Permit Certain Users/Groups:

If you would like to assign specific users/groups to access the SAML application, make sure that 'User assignment required?' is set to 'Yes'.

Once enabled, be sure that you assign your users (free Azure AD) and/or groups (premium Azure AD) on the 'Users and groups' settings tab.

To Allow All Users/Groups:

If you would like to allow all users/groups in your Azure Active Directory forest to access the SAML application, make sure that 'User assignment required?' is set to 'No'.

Section 5: Azure AD Conditional Access

OPTIONAL SECTION

If you have Azure AD Premium, you can utilize conditional access policies to enforce certain controls to permit/deny user access.

  1. On your SAML application in Azure AD, select the 'Conditional Access' settings pane and select 'New Policy'.
  2. On the 'new' menu, select 'Cloud apps or actions', select 'Cloud apps', then 'Include', then select 'Select apps' and finally, under the select menu, search for your SAML application.
  3. Next select 'Grant', select 'Grant Access' and then select the required controls for users trying to authenticate. In this case I am only requiring users to pass an MFA challenge. If using multiple controls, make sure to choose whether you want to require one or all of them.
  4. Lastly, make sure your policy is enabled in the bottom left and provide a name for it in the top left. Once satisfied, press the blue save button in the bottom left of your screen.

Wrapping Things Up

Forced Re-Authentication

  • OPTIONAL: To force users to reauthenticate every single time they connect to VPN, enter in the following commands (replace /// with your information):
  • With forced reauthentication, credential caching will be ignored and users will be forced to re-authenticate with their credentials + conditional access (if enabled) every time they connect to VPN.

Important to know:

  • If you make any changes to the SAML IDP (like we did above) you must remove it from any tunnel groups where it is currently applied and re-apply in order for your changes to take effect.

Congratulations!

And that's it! You should now be able to connect to your AnyConnect VPN using clean, modern, web-based authentication via Azure AD! Please feel free to share any comments below and, if you are experiencing issues, see the troubleshooting guide below.

Thanks for reading!
Jason @ Byte of Security


Common Issues + Fixes

1. When connecting to VPN, the SAML authentication window opens up in an external web browser or does not appear at all


If you are using SAML authentication with AnyConnect 4.4 or 4.5 and you deploy ASA version 9.7.1.24, 9.8.2.28, or 9.9.2.1 (Release Date: 18-APR-2018), the defaulted SAML behavior is the embedded browser, which is not supported on AnyConnect 4.4 and 4.5.

Options to Address the issue:

  • Enable the saml external-browser command in tunnel group configuration in order for AnyConnect 4.4 and 4.5 clients to authenticate with SAML using the external (native) browser.
  • Update your AnyConnect software version to 4.6 or above.

2. When looking at your tunnel group on ASDM, the SAML section is blank

  1. On the ASDM toolbar, select 'Tools' and then 'Show Commands Ignored by ASDM on Device'.
  2. In this section you should see your SAML IDP configuration. If so, this means that ASDM is ignoring these commands and not displaying them in the GUI. Not to worry, nothing is wrong and these commands are still applied to your device configuration.

3. Authentication failed due to problem retrieving the single sign-on cookie.

This error typically occurs when changes have been made to the SAML IDP, but the IDP has not been removed and reapplied to the tunnel group. To remediate this issue, remove and reapply the SAML IDP to your tunnel group using the command set below:
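The remove/reapply sequence, together with the optional forced re-authentication change from the 'Wrapping Things Up' section above, as an added example rather than the article's own command set. It assumes the same constructed values as the Section 2 example: tunnel group VPN-SAML and IdP entity ID https://sts.windows.net/<TENANT-ID>/; substitute your own.

```cisco
! Optional (Wrapping Things Up): make the ASA ignore cached SSO sessions so that
! every VPN connection re-runs Azure AD authentication and conditional access.
webvpn
 saml idp https://sts.windows.net/<TENANT-ID>/
  force re-authentication

! Required after ANY change to the IdP (and the fix for issue 3): detach and
! re-attach the IdP so the tunnel group picks up the modified settings.
tunnel-group VPN-SAML webvpn-attributes
 no saml identity-provider https://sts.windows.net/<TENANT-ID>/
 saml identity-provider https://sts.windows.net/<TENANT-ID>/

! Save before any reload, or the change is lost on reboot.
write memory
```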

On some extra stubborn ASAs, I have seen cases where removing and reapplying does not fix the issue. At this point, I would recommend a reboot of your ASA device. Make sure to save your configuration before reloading!

Once the ASA reboots, test again and you should be able to connect.