The Configuration > Remote Access > Network (Client) Access > Group Policies > Advanced > IPsec (IKEv1) Client Add or Edit Group Policy > IPsec dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified:

• Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is checked. The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates.

• Allow entry of authentication credentials until SA expires—Allows users the time to reenter authentication credentials until the maximum lifetime of the configured SA.

• IP Compression—Enables or disables IP Compression, unless the Inherit check box is checked.

• Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to break each IPsec SA individually.

• Store Password on Client System—Enables or disables storing the password on the client system.

  Note	Storing the password on a client system can constitute a potential security risk.

• IPsec over UDP—Enables or disables using IPsec over UDP.

• IPsec over UDP Port—Specifies the UDP port to use for IPsec over UDP.

• Tunnel Group Lock—Locks the chosen tunnel group, unless the Inherit check box or the value None is selected.

• IPsec Backup Servers—Activates the Server Configuration and Server IP Addresses fields, so you can specify the UDP backup servers to use if these values are not inherited.

  • Server Configuration—Lists the server configuration options to use as an IPsec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration.

  • Server Addresses (space delimited)—Specifies the IP addresses of the IPsec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.

The Add or Edit Group Policy Client Firewall dialog box lets you configure firewall settings for VPN clients for the group policy being added or modified. Only VPN clients running on Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.

Remote users connecting to the ASA with the VPN client can choose the appropriate firewall option.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the ASA. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic “are you there?” messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the ASA.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the ASA, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The ASA pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

Configuration > Remote Access > Network (Client) Access > Group Policies > Advanced > IPsec (IKEv1) Client > Client Firewall

Fields

• Inherit—Determines whether the group policy obtains its client firewall setting from the default group policy. This option is the default setting. When set, it overrides the remaining attributes in this dialog boxing dims their names.

• Client Firewall Attributes—Specifies the client firewall attributes, including what type of firewall (if any) is implemented and the firewall policy for that firewall.

• Firewall Setting—Lists whether a firewall exists, and if so, whether it is required or optional. If you choose No Firewall (the default), none of the remaining fields in this dialog box are active. If you want users in this group to be firewall-protected, choose either the Firewall Required or Firewall Optional setting.

  If you choose Firewall Required, all users in this group must use the designated firewall. The ASA drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the ASA notifies the VPN client that its firewall configuration does not match.

  Note	If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode) are unable to connect.

  If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

• Firewall Type—Lists firewalls from several vendors, including Cisco. If you choose Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

• Custom Firewall—Specifies the vendor ID, Product ID and description for the custom firewall.

  • Vendor ID—Specifies the vendor of the custom firewall for this group policy.

  • Product ID—Specifies the product or model name of the custom firewall being configured for this group policy.

  • Description—(Optional) Describes the custom firewall.

• Firewall Policy—Specifies the type and source for the custom firewall policy.

  • Policy defined by remote firewall (AYT)—Specifies that the firewall policy is defined by the remote firewall (Are You There). Policy defined by remote firewall (AYT) means that remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN client. The ASA allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.

  • Policy pushed (CPP)—Specifies that the policy is pushed from the peer. If you choose this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The ASA enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down list. The choices available on the menu are filters defined in thisASA, including the default filters. Keep in mind that the ASA pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the ASA. For example, “in” and “out” refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the ASA works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.

  • Inbound Traffic Policy—Lists the available push policies for inbound traffic.

  • Outbound Traffic Policy—Lists the available push policies for outbound traffic.

  • Manage—Displays the ACL Manager dialog box, in which you can configure Access Control Lists (ACLs).

The Group Policy for Site-to-Site VPN connections specifies tunneling protocols, filters, and connection settings. For each of the fields in this dialog box, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes in this dialog box.

Fields

The following attributes appear in the Add Internal Group Policy > General dialog box. They apply to SSL VPN and IPsec sessions, or clientless SSL VPN sessions. Thus, several are present for one type of session, but not the other.

• Name—Specifies the name of this group policy. For the Edit function, this field is read-only.

• Tunneling Protocols—Specifies the tunneling protocols that this group allows. Users can use only the selected protocols. The choices are as follows:

  • Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a ASA; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

  • SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client. If you are using the AnyConnect client, you must choose this protocol for MUS to be supported.

  • IPsec IKEv1—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and Cisco VPN client-to-LAN connections can use IPsec IKEv1.

  • IPsec IKEv2—Supported by the AnyConnect Secure Mobility Client. AnyConnect connections using IPsec with IKEv2 provide advanced features such as software updates, client profiles, GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy.

  • L2TP over IPsec—Allows remote users with VPN clients provided with several common PC 
and mobile PC operating systems to establish secure connections over the public IP network
to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)
to tunnel the data. The security appliance must be configured for IPsec transport mode.

• Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the ASA, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy dialog box. Click Manage to open the ACL Manager, where you can view and configure ACLs.

• Idle Timeout—If the Inherit check box is not checked, this parameter sets the idle timeout in minutes.

  If there is no communication activity on the connection in this period, the system terminates the connection. The minimum time is 1 minute, the maximum time is 10080 minutes, and the default is 30 minutes. To allow unlimited connection time, check Unlimited.

• Maximum Connect Time—If the Inherit check box is not checked, this parameter sets the maximum user connection time in minutes.

  At the end of this time, the system terminates the connection. The minimum is 1minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, check Unlimited (default).

• Periodic Certificate Authentication Interval—The interval of time in hours, before certificate authentication is redone periodically.

  If the Inherit check box is not checked, you can set the interval for performing periodic certificate verification. The range is between 1 and 168 hours, and the default is disabled. To allow unlimited verification, check Unlimited.

On the main pane of the AnyConnect Connection Profile you can enable client access on the interfaces, and add, edit, and delete connection profiles. You can also specify whether you want to allow a user to choose a particular connection at login.

• Access Interfaces—Lets you choose from a table the interfaces on which to enable access. The fields in this table include the interface name and check boxes specifying whether to allow access.

  • In the Interface table, in the row for the interface you are configuring for AnyConnect connections, check the protocols you want to enable on the interface. You can allow SSL Access, IPsec access, or both.

    When checking SSL, DTLS (Datagram Transport Layer Security) is enabled by default. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

    When checking IPsec (IKEv2) access, client services are enabled by default. Client services include enhanced Anyconnect features including software updates, client profiles, GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy. If you disable client services, the AnyConnect client still establishes basic IPsec connections with IKEv2.

  • Device Certificate—Lets you specify a certificate for authentication for either an RSA key or an ECDSA key. See Specify a Device Certificate.

  • Port Setting—Configure port numbers for HTTPS and DTLS (RA client only) connections. See Connection Profiles, Port Settings.

  • Bypass interface access lists for inbound VPN sessions—Enable inbound VPN sessions to bypass interface ACLs is checked by default. The security appliance allows all VPN traffic to pass through the interface ACLs. For example, even if the outside interface ACL does not permit the decrypted traffic to pass through, the security appliance trusts the remote private network and permits the decrypted packets to pass through. You can change this default behavior. If you want the interface ACL to inspect the VPN protected traffic, uncheck this box.

• Login Page Setting

  • Allow the user to choose a connection profile, identified by its alias, on the login page. If you do not check this check box, the default connection profile is DefaultWebVPNGroup.

  • Shutdown portal login page.—Shows the web page when the login is disabled.

• Connection Profiles—Configure protocol-specific attributes for connections (tunnel groups).

  • Add/Edit—Click to Add or Edit a Connection Profile (tunnel group).

  • Name—The name of the Connection Profile.

  • Aliases—Other names by which the Connection Profile is known.

  • SSL VPN Client Protocol—Specifies whether SSL VPN client have access.

  • Group Policy—Shows the default group policy for this Connection Profile.

  • Allow user to choose connection, identified by alias in the table above, at login page—Check to enable the display of Connection Profile (tunnel group) aliases on the Login page.

• Let group URL take precedence if group URL and certificate map match different connection profiles. Otherwise, the connection profile matches the certificate map will be used.—This option specifies the relative preference of the group URL and certificate values during the connection profile selection process. If the ASA fails to match the preferred value, it chooses the connection profile that matches the other value. Check this option only if you want to rely on the preference used by many older ASA software releases to match the group URL specified by the VPN endpoint to the connection profile that specifies the same group URL. This option is unchecked by default. If it is unchecked, the ASA prefers to match the certificate field value specified in the connection profile to the field value of the certificate used by the endpoint to assign the connection profile.

Configure port numbers for SSL and DTLS connection (remote access only) connections in the connection profile panes in ASDM:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles

Fields

• HTTPS Port—The port to enable for HTTPS (browser-based) SSL connections. The range is 1-65535. The default is port 443.

• DTLS Port—The UDP port to enable for DTLS connections. The range is 1-65535. The default is port 443.

To set the basic attributes for an AnyConnect VPN connection, choose Add or Edit in the AnyConnect Connection Profiles section. The Add (or Edit) AnyConnect Connection Profile > Basic dialog box opens.

• Name—For Add, specify the name of the connection profile you are adding. For Edit, this field is not editable.

• Aliases—(Optional) Enter one or more alternative names for the connection. You can add spaces or punctuation to separate the names.

• Authentication—Choose one of the following methods to use to authenticate the connection and specify a AAA server group to use in authentication.

  • Method— The authentication protocol has been extended to define a protocol exchange for multiple-certificate authentication and utilize this for both session types. You can validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. Choose the type of authentication to use: AAA, AAA and certificate, Certificate only, SAML, Multiple certificates and AAA, or Multiple certificates. Depending on your selection, you may need to provide a certificate in order to connect.

  • AAA Server Group—Choose a AAA server group from the drop-down list. The default setting is LOCAL, which specifies that the ASA handles the authentication. Before making a selection, you can click Manage to open a dialog box over this dialog box to view or make changes to the ASA configuration of AAA server groups.

  • Choosing something other than LOCAL makes available the Use LOCAL if Server Group Fails check box.

  • Use LOCAL if Server Group fails—Check to enable the use of the LOCAL database if the group specified by the Authentication Server Group attribute fails.

• Client Address Assignment—Choose the DHCP servers, client address pools, and client IPv6 address pools to use.

  • DHCP Servers—Enter the name or IP address of a DHCP server to use.

  • Client Address Pools—Enter pool name of an available, configured pool of IPv4 addresses to use for client address assignment. Before making a selection, you can click Select to open a dialog box over this dialog box to view or make changes to the address pools. See for more information on adding or editing an IPv4 address pool.

  • Client IPv6 Address Pools—Enter the pool name of an available, configured pool of IPv6 addresses to use for client address assignment. Before making a selection, you can click Select to open a dialog box over this dialog box to view or make changes to the address pools. See for more information on adding or editing an IPv6 address pool.

• Default Group Policy—Select the group policy to use.

  • Group Policy—Select the VPN group policy that you want to assign as the default group policy for this connection. A VPN group policy is a collection of user-oriented attribute-value pairs that can be stored internally on the device or externally on a RADIUS server. The default value is DfltGrpPolicy. You can click Manage to open a dialog box over this one to make changes to the group policy configuration.

  • Enable SSL VPN client protocol—Check to enable SSL for this VPN connection.

  • Enable IPsec (IKEv2) client protocol—Check to enable IPsec using IKEv2 for this connection.

  • DNS Servers—Enter the IP address(s) of DNS servers for this policy.

  • WINS Servers—Enter the IP address(s) of WINS servers for this policy.

  • Domain Name—Enter a default domain name.

• Find—Enter a GUI label or a CLI command to use as a search string, then click Next or Previous to begin the search.

The Advanced menu items and their dialog boxes configure the following characteristics for this connection:

• General attributes

• Client Addressing attributes

• Authentication attributes

• Authorization attributes

• Accounting attributes

• Name server attributes

• Clientless SSL VPN attributes

Note	SSL VPN and secondary authentication attributes apply only to SSL VPN connection profiles.

• Enable Simple Certificate Enrollment (SCEP) for this Connection Profile

• Strip the realm from username before passing it on to the AAA server

• Strip the group from username before passing it on to the AAA server

• Group Delimiter

• Enable Password Management—Lets you configure parameters relevant to notifying users about password expiration.

  • Notify user __ days prior to password expiration—Specifies that ASDM must notify the user at login a specific number of days before the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.

  • Notify user on the day password expires—Notifies the user only on the day that the password expires.

    In either case, and, if the password expires without being changed, the ASA offers the user the opportunity to change the password. If the current password has not expired, the user can still log in using that password.

    This does not change the number of days before the password expires, but rather, it enables the notification. If you choose this option, you must also specify the number of days.

• Translate Assigned IP Address to Public IP Address—In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security is based on the peer’s real IP address. You can enable this feature on one interface per tunnel group.

  • Enable the address translation on interface—Enables the address translation and allows you to choose which interface the address appears on. Outside is the interface to which the AnyConnect client connects, and inside is the interface specific to the new tunnel group.

    Note	Because of routing issues and other limitations, we do not recommend using this feature unless you know you need it.

• Find—Enter a GUI label or a CLI command to use as a search string, then click Next or Previous to begin the search.

On the Connection Profile > Advanced >Authentication tab, you can configure the following fields:

• Interface-specific Authentication Server Groups—Manages the assignment of authentication server groups to specific interfaces.

  • Add or Edit—Opens the Assign Authentication Server Group to Interface dialog box, in which you can specify the interface and server group, and specify whether to allow fallback to the LOCAL database if the selected server group fails. The Manage button in this dialog box opens the Configure AAA Server Groups dialog box. Your selections appear in the Interface/Server Group table.

  • Delete—Removes the selected server group from the table. There is no confirmation or undo.

• Username Mapping from Certificate—Lets you specify the methods and fields in a digital certificate from which to extract the username.

  Note	This feature is not supported in multiple context mode.

  • Pre-fill Username from Certificate—Extracts the username from the specified certificate field and uses it for username/password authentication and authorization, according to the options that follow in this panel.

  • Hide username from end user—Specifies to not display the extracted username to the end user.

  • Use script to choose username—Specify the name of a script to use to choose a username from a digital certificate. The default is --None--.

  • Add or Edit—Opens the Add or Edit Script Content dialog box, in which you can define a script to use in mapping the username from the certificate.

  • Delete—Deletes the selected script. There is no confirmation or undo.

  • Use the entire DN as the username—Specifies that you want to use the entire Distinguished Name field of the certificate as the username.

  • Specify the certificate fields to be used as the username—Specifies one or more fields to combine into the username.

    Possible values for primary and secondary attributes include the following:

    Attribute	Definition
    C	Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
    CN	Common Name: the name of a person, system, or other entity. Not available a s a secondary attribute.
    DNQ	Domain Name Qualifier.
    EA	E-mail address.
    GENQ	Generational Qualifier.
    GN	Given Name.
    I	Initials.
    L	Locality: the city or town where the organization is located.
    N	Name.
    O	Organization: the name of the company, institution, agency, association or other entity.
    OU	Organizational Unit: the subgroup within the organization (O).
    SER	Serial Number.
    SN	Surname.
    SP	State/Province: the state or province where the organization is located
    T	Title.
    UID	User Identifier.
    UPN	User Principal Name.

  • Primary Field—Selects the first field to use from the certificate for the username. If this value is found, the secondary field is ignored.

  • Secondary Field—Selects the field to use if the primary field is not found.

• Find—Enter a GUI label or a CLI command to use as a search string, then click Next or Previous to begin the search.

Secondary Authentication under Connection Profile > Advanced lets you configure secondary authentication, which is also know as double authentication. When secondary authentication is enabled, the end user must present two sets of valid authentication credentials in order to log on. You can use secondary authentication in conjunction with pre-filling the username from a certificate. The fields in this dialog box are similar to those you configure for primary authentication, but these fields relate only to secondary authentication.

When double authentication is enabled, these attributes choose one or more fields in a certificate to use as the username. Configuring the secondary username from certificate attribute forces the security appliance to use the specified certificate field as the second username for the second username/password authentication.

Note	If you also specify the secondary authentication server group, along with the secondary username from certificate, only the primary username is used for authentication.

• Secondary Authorization Server Group—Specifies an authorization server group from which to extract secondary credentials.

  • Server Group—Select an authorization server group to use as the secondary server AAA group. The default is none. The secondary server group cannot be an SDI server group.

  • Manage—Opens the Configure AAA Server Groups dialog box.

  • Use LOCAL if Server Group fails—Specifies to fall back to the LOCAL database if the specified server group fails.

  • Use primary username—Specifies that the login dialog must request only one username.

  • Attributes Server—Select whether this is the primary or secondary attributes server.

    Note	If you also specify an authorization server for this connection profile, the authorization server settings take precedence—the ASA ignores this secondary authentication server.

  • Session Username Server—Select whether this is the primary or secondary session username server.

• Interface-Specific Authorization Server Groups—Manages the assignment of authorization server groups to specific interfaces.

  • Add or Edit—Opens the Assign Authentication Server Group to Interface dialog box, in which you can specify the interface and server group, and specify whether to allow fallback to the LOCAL database if the selected server group fails. The Manage button in this dialog box opens the Configure AAA Server Groups dialog box. Your selections appear in the Interface/Server Group table.

  • Delete—Removes the selected server group from the table. There is no confirmation or undo.

• Username Mapping from Certificate—Specify the fields in a digital certificate from which to extract the username.

• Pre-fill Username from Certificate—Check to extract the names to be used for secondary authentication from the primary and secondary fields specified in this panel. You must configure the authentication method for both AAA and certificates before checking this attribute. To do so, return to the Basic panel in the same window and check Both next to Method.

• Hide username from end user—Check to hide the username to be used for secondary authentication from the VPN user.

• Fallback when a certificate is unavailable —This attribute is configurable only if “Hide username from end user” is checked. Uses Cisco Secure Desktop Host Scan data to pre-fill the username for secondary authentication if a certificate is unavailable.

• Password—Choose one of the following methods to retrieve the password to be used for secondary authentication:

  • Prompt—Prompt the user for the password.

  • Use Primary—Reuse the primary authentication password for all secondary authentications.

  • Use—Enter a common secondary password for all secondary authentications.

• Specify the certificate fields to be used as the username—Specifies one or more fields to match as the username. To use this username in the pre-fill username from certificate feature for the secondary username/password authentication or authorization, you must also configure the pre-fill-username and secondary-pre-fill-username.

  • Primary Field—Selects the first field to use from the certificate for the username. If this value is found, the secondary field is ignored.

  • Secondary Field—Selects the field to use if the primary field is not found.

The options for primary and secondary field attributes include the following:

• Use the entire DN as the username—Uses the entire subject DN (RFC1779) to derive a name for an authorization query from a digital certificate.

• Use script to select username—Names the script from which to extract a username from a digital certificate. The default is --None--.

  • Add or Edit—Opens the Add or Edit Script Content dialog box, in which you can define a script to use in mapping the username from the certificate.

  • Delete—Deletes the selected script. There is no confirmation or undo.

The Authorization dialog box in an AnyConnect Connection profile lets you view, add, edit, or delete interface-specific authorization server groups. Each row of the table in this dialog box shows the status of one interface-specific server group: the interface name, its associated server group, and whether fallback to the local database is enabled if the selected server group fails.

The fields in this pane are identical for AnyConnect, IKEv1, IKEv2 and Clientless SSL connection profiles.

• Authorization Server Group—Specifies an authorization server group from which to draw authorization parameters.

  • Server Group—Selects an authorization server group to use. The default is none.

  • Manage—Opens the Configure AAA Server Groups dialog box. For information about configuring a AAA server, see Clientless SSL VPN Connection Profile, Authentication, Add a Server Group

  • Users must exist in the authorization database to connect—Select this check box to require that users meet this criterion.

• Interface-specific Authorization Server Groups—Manages the assignment of authorization server groups to specific interfaces.

  • Add or Edit—Opens the Assign Authentication Server Group to Interface dialog box, in which you can specify the interface and server group, and specify whether to allow fallback to the LOCAL database if the selected server group fails. The Manage button in this dialog box opens the Configure AAA Server Groups dialog box. Your selections appear in the Interface/Server Group table.

  • Delete—Removes the selected server group from the table. There is no confirmation or undo.

• Username Mapping from Certificate—Specify the fields in a digital certificate from which to extract the username.

  • Use script to select username—Specifies the name of a script to use to choose a username from a digital certificate. The default is --None--. For more information about creating scripts to select create a username from certificate fields, see

  • Add or Edit—Opens the Add or Edit Script Content dialog box, in which you can define a script to use in mapping the username from the certificate.

  • Delete—Deletes the selected script. There is no confirmation or undo.

  • Use the entire DN as the username—Specifies that you want to use the entire Distinguished Name field of the certificate as the username.

  • Specify the certificate fields to be used as the username—Specifies one or more fields to combine into the username.

  • Primary Field—Selects the first field to use in the certificate for the username. If this value is found, the secondary field is ignored.

  • Secondary Field—Selects the field to use if the primary field is not found.

• Find—Enter a GUI label or a CLI command to use as a search string, then click Next or Previous to begin the search.

The Accounting pane in Connection Profile > Advanced sets accounting options globally across the ASA.

• Accounting Server Group—Choose the previously-defined server group to use for accounting.

• Manage—Opens the Configure AAA Server Groups dialog box, where you can create an AAA server group.

The GroupAlias/Group URL dialog box in Connection Profile > Advanced configures attributes that affect what the remote user sees upon login.

The fields on this dialog are the same for the AnyConnect client and Clientless SSL VPN, except that Clientless SSL VPN has one additional field. The name of the tab in the connection profile is Group URL/Group Alias for AnyConnect, and Clientless SSL VPN for the Clientless SSL VPN.

• Login and Logout (Portal) Page Customization (Clientless SSL VPN only)—Configures the look and feel of the user login page by specifying which preconfigured customization attributes to apply. The default is DfltCustomization. Click Manage to create a new customization object.

• Enable the display of Radius Reject-Message on the login screen—Select this check box to display the RADIUS-reject message on the login dialog box when authentication is rejected.

• Enable the display of SecurId message on the login screen—Select this check box to display SecurID messages on the login dialog box.

• Connection Aliases—The connection aliases and their status. A connection alias appears on the user login page if the connection is configured to allow users to choose a particular connection (tunnel group) at login. Click the buttons to Add or Delete aliases. To edit an alias, double-click the alias in the table and edit the entry. To change the enabled status, select or deselect the checkbox in the table.

• Group URLs—The group URLs and their status. A group URL appears on the user login page if the connection is configured to allow users to choose a particular group at login. Click the buttons to Add or Delete URLs. To Edit a URL, double-click the URL in the table and edit the entry. To change the enabled status, select or deselect the checkbox in the table.

• Do not run Cisco Secure Desktop (CSD) on client machine when using group URLs defined above to access the ASA. (If a client connects using a connection alias, this setting is ignored.)—Select whether you want to run the Hostscan application of Cisco Secure Desktop on clients that connect to a group URL. These options are visible only if you add a group URL. If you exempt clients, the security appliance does not receive endpoint criteria from these users, so you might have to change the DAP configuration to provide them with VPN access. You have the following options.

  • Always run CSD—Run Hostscan on all clients that connect to the group URLs.

  • Disable CSD for both AnyConnect and clientless SSL VPN—Exempt all clients that connect to the group URLs from Hostscan processing.

  • Disable CSD for AnyConnect only—Exempt AnyConnect clients that connect to the group URLs from Hostscan processing, but use Hostscan for clientless connections.

The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components:

• ASA 8.4

• ASDM 6.4

These AnyConnect features require that you install the posture module.

• SCEP authentication

• AnyConnect Telemetry Module

Refer to Supported VPN Platforms, Cisco ASA Series for what operating systems are supported for posture module installation.

These are the AnyConnect licensing requirements for the posture module:

• AnyConnect Apex for basic HostScan.

• Advanced Endpoint Assessment license is required for remediation.

You can load the HostScan package on to the ASA as a standalone package: hostscan-version.pkg. This file contains the HostScan software as well as the HostScan library and support charts.

The filenames of the custom components that you import must match the filenames used by the AnyConnect GUI, which are different for each operating system and are case sensitive for Mac and Linux. For example, if you want to replace the corporate logo for Windows clients, you must import your corporate logo as company_logo.png. If you import it as a different filename, the AnyConnect installer does not change the component. However, if you deploy your own executable to customize the GUI, the executable can call resource files using any filename.

If you import an image as a resource file (such as company_logo.bmp), the image you import customizes AnyConnect until you reimport another image using the same filename. For example, if you replace company_logo.bmp with a custom image, and then delete the image, the client continues to display your image until you import a new image (or the original Cisco logo image) using the same filename.

AnyConnect Customization/Localization, Binary

For Windows, Linux, or Mac (PowerPC or Intel-based) computers, you can deploy your own client that uses the AnyConnect client API. You replace the AnyConnect GUI and the AnyConnect CLI by replacing the client binary files.

Fields for the Import dialog:

• Name Enter the name of the AnyConnect file that you are replacing.

• Platform Select the OS platform that your file runs on.

• Select a file The filename does not need to be the same as the name of the imported file.

AnyConnect Customization/Localization, Script

For complete information about deploying scripts, and their limitations and restrictions, see the AnyConnect VPN Client Administrators Guide.

Fields for the Import dialog:

• Name —Enter a name for the script. Be sure to specify the correct extension with the name. For example, myscript.bat.

• Script Type —Choose when to run the script.

  AnyConnect adds the prefix scripts_ and the prefix OnConnect or OnDisconnect to your filename to identify the file as a script on the ASA. When the client connects, the ASA downloads the script to the proper target directory on the remote computer, removing the scripts_ prefix and leaving the remaining OnConnect or OnDisconnect prefix. For example, if you import the script myscript.bat, the script appears on the ASA as scripts_OnConnect_myscript.bat. On the remote computer, the script appears as OnConnect_myscript.bat.

  To ensure the scripts run reliably, configure all ASAs to deploy the same scripts. If you want to modify or replace a script, use the same name as the previous version and assign the replacement script to all of the ASAs that the users might connect to. When the user connects, the new script overwrites the one with the same name.

• Platform —Select the OS platform that your file runs on.

• Select a file —The filename does not need to be the same as the name you provided for the script.

ASDM imports the file from any source file, creating the new name you specify for Name.

You can edit the default translation table, or create new ones, to change the text and messages displayed on the AnyConnect client GUI. This pane also shares functionality with the Language Localization pane. For more extensive language translation, go to Configuration > Remote Access VPN > Language Localization.

In addition to the usual buttons on the top toolbar, this pane also has an Add button, and a Template area with extra buttons.

Add —The Add button opens a copy of the default translation table, which you can edit directly, or save. You can choose the language of the saved file, and edit the language of the text inside the file later.

When you customize messages in the translation table, do not change msgid. Change the text in msgstr.

Specify a language for the template. The template becomes a translation table in cache memory with the name you specify. Use an abbreviation that is compatible with the language options for your browser. For example, if you are creating a table for the Chinese language, and you are using IE, use the abbreviation zh, that is recognized by IE.

Template Section

• Click Template to expand the template area, which provides access to the default English translation table.

• Click View to view, and optionally save, the default English translation table

• Click Export to save a copy of the default English translation table without looking at it.

You can perform more extensive customizing of the AnyConnect client GUI (Windows only) by creating your own transform that deploys with the client installer program. You import the transform to the ASA, which deploys it with the installer program.

Windows is the only valid choice for applying a transform. For more information about transforms, see the Cisco AnyConnect Secure Mobility Client Administration Guide.

You can translate messages displayed by the client installer program with a transform. The transform alters the installation, but leaves the original security-signed MSI intact. These transforms only translate the installer screens and do not translate the client GUI screens.