Anyconnect Remote



Introduction

Anyconnect Remote

This document describes how to configure AnyConnect Modules for Remote Access VPN (RA VPN) configuration that pre-exists on a Firepower Threat Defense (FTD) managed by a Firepower Management Center (FMC) through Firepower Device Manager (FDM).

Prerequisites

Requirements

Installing The New Cisco Anyconnect or Upgrading. Then when downloaded click open folder. Then double click on the Install-emis-Secure-Remote-Access file. All the installer to complete that step. At this point you may be asked to allow the system to stop a component that needs. Anyconnect VPN offers full network access. The remote user will use the anyconnect client to connect to the ASA and will receive an IP address from a VPN pool, allowing full access to the network. In this lesson we will use clientless WebVPN only for the installation of the anyconnect VPN client.

Cisco recommends that you have knowledge of these topics:

  • Basic understanding of RA VPN working.
  • Understanding of navigation through the FMC/FDM.
  • Basic knowledge of REST API and FDM Rest API Explorer.

Cisco AnyConnect - Empower your employees to work from anywhere, on company laptops or personal mobile devices, at any time. AnyConnect simplifies secure endpoint access and provides the security necessary to help keep your organization safe and protected. Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. On-call, remote operator to help solve autonomous vehicles’ edge cases The AnyConnect Smarter AI™ Camera Platform enables connected, autonomous vehicles to request a human operator to intervene if the vehicle believes that there is a need to do so. Some reasons are that the autonomous vehicle.

Anyconnect Remote

Components Used

The information in this document is based on these software versions:

  • Cisco Firepower Management Center (FMC) version 6.7.0
  • Cisco Firepower Threat Defense (FTD) version 6.7.0
  • Cisco Firepower Device Manager (FDM) version 6.7.0
  • Cisco AnyConnect Secure Mobility Client running 4.9.0086
  • Postman or any other API development tool

Note: FMC/FDM do not have an inbuilt Profile Editor and the AnyConnect Profile Editor for Windows has to be used to create a profile.

Note: The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration change.

Background Information

The Cisco AnyConnect Secure Mobility Client is not limited to its support as a VPN client, it has a number of other options that can be integrated as modules. Following modules are supported for Anyconnect :

  • Start Before Login (SBL):This module allows the user to establish a VPN connection into the enterprise before logging into Windows.
  • Diagnostic and Reporting Tool (DART): This module is used to perform both diagnostics and reporting about the AnyConnect installation and connection. DART works by assembling the logs, status, and diagnostic information for analysis.
  • Advanced Malware Protection (AMP): This module provides a cloud-delivered next-generation solution to detect, prevent, and respond to various threats.
  • ISE Posture: Cisco Identity Services Engine (ISE) provides a next-generation identity and access control policy. This module provides the ability to identify the Operating System (OS), the AntiVirus, the AntiSpyware, etc that are currently installed on a host. This information is then used along with a policy to determine whether the host will be able to connect to the network.
  • Network Visibility Module: The network visibility module monitors an endpoint application usage to uncover potential behavior anomalies and to make more informed network design decisions.
  • Umbrella: Cisco Umbrella Roaming is a cloud-delivered security service that protects devices when they are off the corporate network.
  • Web Security: Cisco Web Security Appliance (WSA), powered by Cisco Talos, protects the endpoint by automatically blocking risky sites and testing unknown sites.
  • Network Access Manager: Network Access Manager provides a secure Layer 2 network in accordance with its policies. It detects and selects the optimal Layer 2 access network and performs device authentication for access to both wired and wireless networks.
  • Feedback: This module collects the information and periodically sends it to the server. It helps the product team to improve the quality, reliability, performance, and user experience of AnyConnect.

In Firepower 6.7, FMC UI, and FTD Device REST API support is added to enable seamless deployment of all the mentioned AnyConnect Modules.

This table lists the Profiles Extensions and associated Module types needed to successfully deploy the endpoint functionality.

Cisco anyconnect remote access
Profile ExtensionsModule Type
.fspFEEDBACK
.asp or .xmlAMP_ENABLER
ISE_POSTURE
.nvmsp or .xml
NETWORK_VISIBILITY
NETWORK_ACCESS_MANAGER
.json or .xml
UMBRELLA
WEB_SECURITY
Remote

Note: DART and SBL modules do not require any Profile.

Note: No additional licensing is required for the use of this feature.

Configuration

Configuration on Firepower Management Center (FMC)

Step 1. Navigate to Device> VPN >Remote Access and click on Edit for the RA VPN configuration.

Step 2. Navigate to Advanced> Group Policies and click on Edit for the concerned Group-policy, as shown in this image.

Step 3. Navigate to AnyConnect>Client Modules and click on + to add the Modules, as shown in this image.

For the purpose of demonstration, Deployment of AMP, DART, and SBL modules are shown.

Step 4. Select the DART module and click on Add, as shown in this image.

Step 5. Click on + to add another module and select Start Before Login module, as shown in this image.

Note: This step allows you to download the SBL Module. SBL also has to enable in anyconnect client profile, which is uploaded as you navigate to AnyConnect>Profile under the Group Policy.

Step 6. Click on + to add another module and select AMP Enabler. Click on + to Add a Client Profile, as shown in this image.


Provide the Name of the Profile and upload the AMP Profile. Click on Save, as shown in this image.

Anyconnect Remote Session

Choose the profile created in the previous step and click on Enable Module download checkbox, as shown in this image.

Step 7. Click on Save once all the desired modules are added.

Step 8. Navigate to Deploy>Deployment and deploy the configuration to the FTD.

Configuration on Firepower Device Manager (FDM)

Step 1. Launch the API Explorer of the FTD on a Browser Window.

Anyconnect Remote Access

Navigate tohttps://<FTD Management IP>/api-explorer

This contains the entire list of API available on the FTD. It is divided based on the main feature with multiple GET/POST/PUT/DELETE requests which is supported by the FDM.

RaVpnGroupPolicy is the API used.

Step 2. Add a Postman collection for AnyConnect Modules. Provide a Name for the collection. Click on Create.

Step 3. Add a new request Auth to create a login POST request to the FTD in order to get the token to authorize any POST/GET/PUT requests. Click on Save.

The Body of the POST request must contain these:

Typeraw - JSON (application/json)
grant_typepassword
usernameAdmin Username in order to log in to the FTD
passwordThe password associated with the admin user account

POST Request:https://<FTD Management IP>/api/fdm/latest/fdm/token

The Body of the Response contains the access token which is used in order to send any PUT/GET/POST requests to/from the FTD.

Step 4. Create aGet Group Policyrequest to add get details of the existing Group Policies. Click on Save, as shown in this image.

The Authorization tab must contain this for all subsequent GET/POST requests:

TypeBearer Token
TokenThe access token received by running the Auth POST Request

GET REQUEST:https://<FTD Management IP>/api/fdm/latest/object/ravpngrouppolicies

The Body of the response shows all the Group Policies configured on the device. ID of the Group Policy is used to update the specific Group Policy.

For the purpose of demonstration, Deployment of AMP, DART, and SBL modules are shown.

Step 5. Create a request to Upload a Profile. This step is needed only for the modules which require a profile. Upload the Profile in filetoUpload section. Click on Save.

POST REQUEST:https://<FTD Management IP>/api/fdm/latest/action/uploaddiskfile

The Body of the Request must contain the Profile file added in Body in form-data format. The profile needs to be created using AnyConnect Profile Editor for Windows

The key type should beFileforfiletoUpload.

The body of the response gives an id/filename which is used to refer to the profile with the concerned module.

Step 6. Create a request to Update AnyConnect Profile. This step is needed only for the modules which require a profile. Click on Save., as shown in this image.

POST REQUEST: https://<FDM IP>/api/fdm/latest/object/anyconnectclientprofiles

The body of the request contains this information:

nameLogical name that you would call the file
diskFileNameNeeds to match the fileName that is received in the Upload Profile POST response
anyConnectModuleTypeMeeds to match the appropriate module shown in Module Type Table
typeanyconnectclientprofile

The Body of the response shows the Profile ready to be pushed to the device. Name, version, id, and type received in response are used in the next step to bind the profile to Group Policy.

Step 6. Create a PUT request to add Client Profile and Module to existing Group Policy. Click on Save, as shown in this image.

PUT REQUEST:https://<FDM IP>/api/fdm/latest/object/ravpngrouppolicies/{objId}

ObjId is the id obtained in Step 4. Copy the contents of the concerned Group-policy obtained in Step 4 to the body of the request and add this:

Client Profile

Name, version, id, and type of Profile received in the previous Step.

Anyconnect Remote

Client Modules

The name of the Module which needs to be enabled should match exactly as given in Module Table.

The Body of the response shows the Profile and Module successfully bound to Group-Policy.

Note: This step allows the download SBL Module. SBL also has to enable in anyconnect client profile which can be uploaded as you navigate to Devices > Remote Access VPN>Group Policies> Edit Group Policy > General >AnyConnect Client Profile.

Step 7. Deploy the configuration to the device through FDM. Pending changes show client profile and modules to be pushed.

Configuration pushed to the FTD CLI after successful deployment:

Verify

Establish a successful connection to the FTD.

Navigate to Settings>VPN>Message History to see the details about modules that were downloaded.

Troubleshoot

Collect DARTfor troubleshooting issues with the installation of client modules.