To install and configure the Cisco AnyConnect Secure Mobility client on an Internet-connected Android device: download and install the AnyConnect ICS+ client from the Google Play Store. Once the app has finished installing, select Open to launch the application. On the next screen, click OK to accept the license agreement. For Windows, download the VPN installer from MIT's download page, Cisco AnyConnect VPN Client for Windows.
Introduction
This document provides a sample configuration that shows how to configure the Adaptive Security Appliance (ASA) and CallManager devices to provide certificate authentication for AnyConnect clients that run on Cisco IP Phones. After this configuration is complete, Cisco IP Phones can establish VPN connections to the ASA that make use of certificates in order to secure the communication.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- AnyConnect Premium SSL License
- AnyConnect for Cisco VPN Phone License
Dependent upon the ASA version, you will see either 'AnyConnect for Linksys phone' for ASA Release 8.0.x or 'AnyConnect for Cisco VPN Phone' for ASA Release 8.2.x or later.
Components Used
The information in this document is based on these software and hardware versions:
- ASA - Release 8.0(4) or later
- IP Phone Models - 7942 / 7962 / 7945 / 7965 / 7975
- Phones - 8961 / 9951 / 9971 with Release 9.1(1) firmware
- Phone - Release 9.0(2)SR1S - Skinny Call Control Protocol (SCCP) or later
- Cisco Unified Communications Manager (CUCM) - Release 8.0.1.100000-4 or later
The releases used in this configuration example include:
- ASA - Release 9.1(1)
- CallManager - Release 8.5.1.10000-26
For a complete list of supported phones in your CUCM version, complete these steps:
- Open this URL: https://<CUCM Server IP Address>:8443/cucreports/systemReports.do
- Choose Unified CM Phone Feature List > Generate a new report > Feature: Virtual Private Network.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Phone Certificate Types
Cisco uses these certificate types in phones:
- Manufacturer Installed Certificate (MIC) - MICs are included on all 7941, 7961, and newer model Cisco IP phones. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority (CA). When a MIC is present, it is not necessary to install a Locally Significant Certificate (LSC). In order for the CUCM to trust the MIC certificate, it utilizes the pre-installed CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA in its certificate trust store.
- LSC - The LSC secures the connection between CUCM and the phone after you configure the device security mode for authentication or encryption.
The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM Certificate Authority Proxy Function (CAPF) private key. This is the preferred method (as opposed to the use of MICs) because only Cisco IP phones that are manually provisioned by an administrator are allowed to download and verify the CTL file.
Note: Due to the increased security risk, Cisco recommends the use of MICs solely for LSC installation and not for continued use. Customers who configure Cisco IP phones to use MICs for Transport Layer Security (TLS) authentication or for any other purpose do so at their own risk.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Configurations
This document describes these configurations:
- ASA Configuration
- CallManager Configuration
- VPN Configuration on CallManager
- Certificate Installation on IP Phones
ASA Configuration
The configuration of the ASA is almost the same as when you connect an AnyConnect client computer to the ASA. However, these restrictions apply:
- The tunnel-group must have a group-url. This URL will be configured in CM under the VPN Gateway URL.
- The group policy must not contain a split tunnel.
This configuration uses a previously configured and installed ASA (self-signed or third party) certificate in the Secure Socket Layer (SSL) trustpoint of the ASA device. For more information, refer to these documents:
The relevant configuration of the ASA is:
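As an added illustration (not the configuration from the original document), the following ASA fragment shows the two restrictions above: a tunnel-group with a group-url and certificate authentication, and a group policy that tunnels all traffic. The trustpoint name ASA_SSL_TP, the hostname asa.example.com, the pool, policy and tunnel-group names and the AnyConnect package path are assumptions; lines beginning with ! are annotations.

```text
! Assumed names: ASA_SSL_TP, asa.example.com, PHONE_POOL, PHONE_GP, PHONE_TG
! The identity certificate is already enrolled in trustpoint ASA_SSL_TP
! (self-signed or CA-issued); it is the one CUCM later imports as Phone-VPN-trust
ssl trust-point ASA_SSL_TP outside

! Address pool handed out to the phones (constructed documentation range)
ip local pool PHONE_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-PLACEHOLDER.pkg 1
 anyconnect enable

! Group policy: SSL client only, and no split tunnel (everything is tunneled)
group-policy PHONE_GP internal
group-policy PHONE_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 address-pools value PHONE_POOL

! Tunnel group: certificate authentication plus the group-url that becomes
! the VPN Gateway URL in CallManager
tunnel-group PHONE_TG type remote-access
tunnel-group PHONE_TG general-attributes
 default-group-policy PHONE_GP
tunnel-group PHONE_TG webvpn-attributes
 authentication certificate
 group-url https://asa.example.com/phone enable
```

The host part of the group-url must match the CN or SAN of the certificate in ASA_SSL_TP when Host ID Check is enabled on the CUCM VPN profile.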
CallManager Configuration
In order to export the certificate from the ASA and import the certificate into CallManager as a Phone-VPN-Trust certificate, complete these steps:
- Register the generated certificate with CUCM.
- Check the certificate used for SSL.
- Export the certificate.
The Privacy Enhanced Mail (PEM) encoded identity certificate follows:
Copy the text from the terminal and save it as a .pem file.
Log in to CallManager and choose Unified OS Administration > Security > Certificate Management > Upload Certificate > Select Phone-VPN-trust in order to upload the certificate file saved in the previous step.
VPN Configuration on CallManager
- Navigate to Cisco Unified CM Administration.
- From the menu bar, choose Advanced Features > VPN > VPN Gateway.
- In the VPN Gateway Configuration window, complete these steps:
  - In the VPN Gateway Name field, enter a name. This can be any name.
  - In the VPN Gateway Description field, enter a description (optional).
  - In the VPN Gateway URL field, enter the group-url defined on the ASA.
  - In the VPN Certificates in this Location field, select the certificate that was uploaded to CallManager previously to move it from the truststore to this location.
- From the menu bar, choose Advanced Features > VPN > VPN Group.
- In the All Available VPN Gateways field, select the VPN Gateway previously defined. Click the down arrow in order to move the selected gateway to the Selected VPN Gateways in this VPN Group field.
- From the menu bar, choose Advanced Features > VPN > VPN Profile.
- In order to configure the VPN Profile, complete all fields that are marked with an asterisk (*).
  - Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and, if no response is received, auto-initiates a VPN connection.
  - Enable Host ID Check: If enabled, the VPN phone compares the FQDN of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match or if a wildcard certificate with an asterisk (*) is used.
  - Enable Password Persistence: This allows the VPN phone to cache the username and password for the next VPN attempt.
- In the Common Phone Profile Configuration window, click Apply Config in order to apply the new VPN configuration. You can use the 'Standard Common Phone Profile' or create a new profile.
- If you created a new profile for specific phones/users, go to the Phone Configuration window. In the Common Phone Profile field, choose Standard Common Phone Profile.
- Register the phone to CallManager again in order to download the new configuration.
Certificate Authentication Configuration
In order to configure certificate authentication, complete these steps in CallManager and the ASA:
- From the menu bar, choose Advanced Features > VPN > VPN Profile.
- Confirm the Client Authentication Method field is set to Certificate.
- Log in to CallManager. From the menu bar, choose Unified OS Administration > Security > Certificate Management > Find.
- Export the correct certificate(s) for the selected certificate authentication method:
  - MICs: Cisco_Manufacturing_CA - Authenticate IP Phones with a MIC
  - LSCs: Cisco Certificate Authority Proxy Function (CAPF) - Authenticate IP Phones with an LSC
- Find the certificate, either Cisco_Manufacturing_CA or CAPF. Download the .pem file and save it as a .txt file.
- Create a new trustpoint on the ASA and authenticate the trustpoint with the previously saved certificate. When you are prompted for the base-64 encoded CA certificate, select and paste the text in the downloaded .pem file along with the BEGIN and END lines. An example is shown:
- Confirm the authentication on the tunnel-group is set to certificate authentication.
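The trustpoint example referenced in the steps above, written here as an added terminal session rather than taken from the original document; it also covers the ASA side of the Verify section below. The trustpoint name CUCM_CAPF and the tunnel-group name PHONE_TG are assumptions, the certificate body is a placeholder for the downloaded CAPF.pem, and lines beginning with ! are annotations or the ASA's own prompts.

```text
! Assumed trustpoint name CUCM_CAPF; use the Cisco_Manufacturing_CA
! certificate in a separate trustpoint when phones authenticate with MICs
crypto ca trustpoint CUCM_CAPF
 enrollment terminal
exit

crypto ca authenticate CUCM_CAPF
! ASA prompt: Enter the base 64 encoded CA certificate.
! ASA prompt: End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<PLACEHOLDER: paste the body of the CAPF.pem downloaded from CUCM>
-----END CERTIFICATE-----
quit
! ASA prints the fingerprint and asks: Do you accept this certificate? [yes/no]
! Compare the fingerprint with the one shown in CUCM Certificate Management
! before answering yes

! Confirm the CA certificate landed in the trustpoint
show crypto ca certificates CUCM_CAPF

! Phones authenticate with their LSC (or MIC), so the tunnel-group must use
! certificate authentication (tunnel-group name PHONE_TG assumed)
tunnel-group PHONE_TG webvpn-attributes
 authentication certificate

! Once a phone has connected, verify the session and the certificate it presented
show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect
```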
Certificate Installation on IP Phones
The IP Phones can work with either MICs or LSCs, but the configuration process is different for each certificate.
MIC Installation
By default, all the phones that support VPN are pre-loaded with MICs. The 7960 and 7940 phones do not come with a MIC, and require a special installation procedure for the LSC to register securely.
Note: Cisco recommends that you use MICs for LSC installation only. Cisco supports LSCs to authenticate the TLS connection with CUCM. Because MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if MICs are compromised.
LSC Installation
- Enable CAPF service on CUCM.
- After the CAPF service is activated, assign the phone instructions to generate an LSC in CUCM. Log in to Cisco Unified CM Administration and choose Device > Phone. Select the phone you configured.
- In the Certificate Authority Proxy Function (CAPF) Information section, ensure all settings are correct and the operation is set to a future date.
- If Authentication Mode is set to Null String or Existing Certificate, no further action is required.
- If Authentication Mode is set to a string, manually select Settings > Security Configuration > **# > LSC > Update in the phone console.
Verify
Use this section in order to confirm that your configuration works properly.
ASA Verification
CUCM Verification
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Bugs
- Cisco bug ID CSCtf09529, Add support for VPN feature in CUCM for 8961, 9951, 9971 phones
- Cisco bug ID CSCuc71462, IP phone VPN failover takes 8 minutes
- Cisco bug ID CSCtz42052, IP Phone SSL VPN Support For Non Default Port Numbers
- Cisco bug ID CSCth96551, Not all ASCII characters are supported during phone VPN user + password login.
- Cisco bug ID CSCuj71475, Manual TFTP entry needed for IP Phone VPN
- Cisco bug ID CSCum10683, IP phones not logging missed, placed, or received calls
Related Information
The Cisco AnyConnect® Secure Mobility Client for Mobile Platforms provides reliable and easy-to-deploy encrypted network connectivity from smartphones and tablets along with persistent corporate access for employees on the go.
Product Overview
You can now safeguard employee smartphones and tablets with the Cisco AnyConnect Secure Mobility Client for Mobile Platforms, available for Apple iOS, Android, Windows Phone 8.1 and later, BlackBerry 10.3.2 and later, select Amazon Kindle and Fire Phone devices, and Google Chrome OS (early preview version).
Whether an employee is accessing business email, a virtual desktop session, or other enterprise applications, the AnyConnect client is an easy-to-use interface for business-critical information. The client uses Datagram Transport Layer Security (DTLS), IP Security Internet Key Exchange version 2 (IPsec IKEv2), and TLS (HTTP over TLS/SSL) to provide business-critical applications, including latency-sensitive applications such as voice over IP (VoIP), with encrypted access to corporate resources. AnyConnect 4.x supports per-app VPN functions for iOS 8.3 and later.
Figure 1 shows a sample AnyConnect user interface on Apple iOS and Android devices.
Features and Benefits
Table 1 lists the features and benefits of the AnyConnect Secure Mobility Client for Mobile Platforms. Feature availability varies by platform. Please see the platform release notes and documentation for specific supported feature details for a particular operating system.
Table 1. Features and Benefits

| Feature | Benefit |
| --- | --- |
| Software access and compatibility | Available on application marketplaces: ● Google Play: for Android 4.0 and later (there are multiple AnyConnect images available, so it is important that you select the correct image for your device; see the Android release notes for specific requirements) ● Windows Store: for Windows Phone 8.1 Update 1 and later ● BlackBerry App World: for BlackBerry 10.3.2 and later ● Google Chrome OS: for Chrome OS 43 and later (early preview) ● Amazon Appstore: for select Kindle and Fire Phone devices |
| Optimized network access | ● Automatically adapts its tunneling to the most efficient method possible based on network constraints ● Uses DTLS to provide an optimized connection for TCP-based application access and latency-sensitive traffic, such as VoIP traffic ● Uses TLS (HTTP over TLS/SSL) to help ensure availability of network connectivity through locked-down environments ● IPsec IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require the use of IPsec (requires Cisco Adaptive Security Appliance 8.4 or later) |
| Network visibility | ● Mobile visibility from the Network Visibility module ● Capture endpoint flows with rich user, endpoint, application, location and destination context |
| Mobility friendly | ● Resumes transparently after IP address change, loss of connectivity, or device standby |
| Battery friendly | |
| Encryption | ● Supports strong encryption, including AES-256 and 3DES-168 (the security gateway device must have a strong-crypto license enabled) ● Next-generation encryption, including NSA Suite B algorithms, ESPv3 with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced SHA2 (SHA-256 and SHA-384); available only for IPsec IKEv2 connections, and an AnyConnect Apex license is required |
| Authentication options | ● RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM) ● RADIUS one-time password (OTP) support (state and reply message attributes) ● Active Directory or Kerberos ● Digital certificate (compatible with AnyConnect integrated Simple Certificate Enrollment Protocol, or SCEP, for credential deployment) ● Generic Lightweight Directory Access Protocol (LDAP) support ● Combined certificate and username-password multifactor authentication (double authentication) |
| Consistent user experience | ● Full-tunnel client mode supports remote-access users requiring a consistent LAN-like user experience |
| Centralized policy control and management | ● Policies can be preconfigured or configured locally and can be automatically updated from the VPN security gateway ● Universal Resource Indicator (URI) handler for AnyConnect eases deployments through URLs embedded in webpages or applications |
| Advanced IP network connectivity | ● Administrator-controlled split- or all-tunneling network access policy ● Per-app VPN policy for iOS 8.3 and later (requires Cisco ASA 5500-X with OS 9.3.2 or later and AnyConnect Plus or Apex license) ● IP address assignment mechanisms: static or Dynamic Host Configuration Protocol (DHCP) |
| Localization | In addition to English, the following language translations are included: ● Canadian French (fr-ca) ● German (de-de) ● Korean (ko-kr) ● Polish (pl-pl) |
| Diagnostics | ● On-device statistics and logging information are available ● Logs can be easily emailed to Cisco or an administrator for analysis |
Platform Compatibility
The AnyConnect Secure Mobility Client is compatible with all Cisco ASA 5500-X Series Next-Generation Firewalls and Cisco 5500 Series Enterprise Firewall Edition models running ASA Software Release 8.0(4) or later. Use of current ASA software releases is advised.
Certain features require later ASA Software releases or ASA 5500-X models.
Cisco supports AnyConnect VPN access to Cisco IOS® Release 15.1(2)T or later functioning as the highly secure gateway with certain feature limitations. Refer to http://www.cisco.com/go/fn for additional Cisco IOS Software feature support information.
Additional compatibility information may be found at
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html.
Licensing Options and Ordering Information
The AnyConnect Ordering Guide covers licensing and ordering information for AnyConnect, clientless SSL VPN, and third-party IKEv2 remote-access VPN usage. AnyConnect Plus or Apex licenses are required for full platform and feature support. Customers with existing Essentials or Premium and Mobile licenses are permitted to use the iOS and Android versions (excluding per-app VPN functions) until April 30, 2016. All other mobile platforms require Plus or Apex licenses. AnyConnect VPN connectivity to non-Cisco headend equipment is never permitted. For more information, see the ordering guide at
http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf.
Cisco Capital
Financing to Help You Achieve Your Objectives
Cisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.
For More Information
●Cisco AnyConnect Secure Mobility Client homepage:
http://www.cisco.com/go/anyconnect.
●Cisco AnyConnect documentation:
http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/tsd-products-support-series-home.html.
●Cisco ASA 5500-X Series Next-Generation Firewalls: http://www.cisco.com/go/asa.
●Cisco AnyConnect License Agreement and Privacy Policy: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/license/end_user/AnyConnect-SEULA-v4-x.html.
Acknowledgments
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
This product includes cryptographic software written by Eric Young.
This product includes software written by Tim Hudson.
This product incorporates the libcurl HTTP library: Copyright 1996-2006, Daniel Stenberg.