User Credentials Entered Anyconnect



  • Introducing Windows Servicing Suite 3.0
  • Implementation
  • Working with the Windows Servicing Suite
    • Creating OS Deployment task sequences
      • Creating an In-place Upgrade task sequence
      • Creating Task Sequences for New Computer and Computer Refresh scenarios
      • Creating Task Sequences for the Replace Computer scenario
      • Windows Servicing Assistant Scripts package
        • Scripts for Microsoft VPN client with username and password authentication
        • Scripts for Cisco AnyConnect with username and password authentication
        • Scripts for Cisco AnyConnect with PIN and secure ID authentication
        • Scripts for Cisco AnyConnect with computer certificate authentication
    • Self-service OS deployment
    • Admin initiated OS Deployments
  • Troubleshooting
  • Reference

Apr 06, 2018 Enter a name, browse to the AnyConnect client package file which can be downloaded using the link below (valid Cisco contract required) and select “AnyConnect Client Image” as the file type. When complete, select the “Save” button. Repeat this process for each client type that will be connecting (Windows, Mac, Linux). You and users with whom you share a session can login to the active session with Cisco AnyConnect VPN credentials (user IDs and password) unique to the session and the URL of the dCloud data center running the session.

This page provides links to Zips containing sample scripts that can be used in the following scenario:

  • You are using Cisco AnyConnect 4.5, 4.6 or 4.7
  • User Authentication requires the user to enter a PIN followed by a secure ID generated by a hardware token, where the secure ID changes frequently.

When a Task Sequence executes the Connect to VPN step, it will prompt the user to enter their combination of PIN and secure ID, which is then passed in a single string as a 'password'.

For this scenario, please ensure the WSA Scripts package contain the following files from CiscoAnyConnect_PinSecureID.zip

The Zip contains scripts that have the same names as scripts provided for other VPN connection scenarios. Ensure you use the correct versions, or modify the sample scripts to suit your scenarios.

Entered

Serviceui.exe required from MDT

As the task sequence executes in the system context, the scripts use Serviceui.exe from the Microsoft Deployment Toolkit (MDT) to pop up the password prompt so the user can see and interact with it. In addition to the files listed below, you must manually add Serviceui.exe from an existing MDT Tools package to the WSA Scripts Package source files. Alternatively, if you already have an MDT tools package, the WSA scripts can be added to that package, then you can specify the MDT tools package in the steps that use the WSA scripts.
FileDescription
CLI.exe

Custom client executable created by 1E, compiled using the Cisco AnyConnect SDK, that allows the VPN connection to be established by passing the username and password on the command line.

ConnectVPN.ps1Establishes a VPN connection using the connection credentials supplied by the user when they run the Windows Servicing Assistant, before the Task Sequence executes.
PromptForPassword.ps1This script is called from ConnectVPN.ps1 and ValidateWiFiVPNCreds.ps1 to display a prompt during Task Sequence execution for the user to enter a value that will be stored in the 1EWSA_VPNPassword Task Sequence variable. This script can be used when the user is required to enter a PIN followed by a secure ID that changes frequently rather than a password that would normally be entered once by the user when they run the Windows Servicing Assistant before the Task Sequence executes. The text displayed in the form can be modified in the script.
ValidateWiFiVPNCreds.ps1Used to validate connection credentials. The user will be prompted to enter their PIN and secure ID.

Removes the temporary file created by SetupWinPEBoot.ps1 to fill an attached USB disk.

This file is not specific to Cisco AnyConnect and is not included in the ZIP referenced above, but is required in the WSA Scripts package. Download it by clicking the link in the File column to the left.


User


Tachyon client required

Tachyon Agent 3.3 or later, or 1E Client 4.1 or later, is required to support Cisco AnyConnect in the Windows Servicing Suite.

AnyConnect supports authentication with either RADIUS, Active Directory, or Meraki Cloud. Cisco vpn anyconnect download. For more details on AnyConnect configuration, refer to the AnyConnect configuration guide.

Note: Systems Manager with Sentry is not supported with AnyConnect.
Note: SAML authentication is not supported at this time.

Meraki Cloud Authentication


Note: IPsec must be enabled and users must be authorized on the IPsec settings tab.
Use this option if an Active Directory or RADIUS server is not available, or if VPN users should be managed via the Meraki Cloud. To add or remove users, use the User Management section at the bottom of the page. Add a user by clicking 'Add new user' and entering the following information:

  • Name: Enter the user's name.

  • Email: Enter the user's email address.

  • Password: Enter a password for the user or click 'Generate' to automatically generate a password.

  • Authorized: Select whether this user is authorized to use the client VPN.

To edit an existing user, click on the user under the User Management section. To delete a user, click the X next to the user on the right side of the user list.

When using Meraki-hosted authentication, the user's email address is the username that is used for authentication.


RADIUS


Use this option to authenticate users on a RADIUS server. Click Add a RADIUS server to configure the server(s) to use. Enter in the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.

Note: Only one RADIUS server is supported for authentication with AnyConnect today.


Add MX security appliance as RADIUS clients on the NPS server.

In order for the MX to act as an authenticator for RADIUS, it must be added as a client on NPS.

  1. Open the NPS server console by going to Start > Programs > Administrative Tools > Network Policy Server.

  2. In the left-side pane, expand the RADIUS Clients and Servers option.

  3. Right-click the RADIUS Clients option and select New.

  4. Enter a Friendly Name for the MX security appliance or Z teleworker gateway RADIUS client.

  5. Enter the IP address of your MX security appliance or Z teleworker gateway. This IP will differ depending on where the RADIUS server is located:

    • On a local subnet: use the IP address of the MX/Z on the subnet shared with the RADIUS server

    • Over a static route: use the IP address of the MX/Z on the subnet shared with the next hop

    • Over VPN: use the IP address of the MX/Z on the highest-numbered VLAN in VPN

  6. Create and enter a RADIUS Shared Secret (make note of this secret, you will need to add this to the dashboard).

Note: Currently only ASCII characters are supported for RADIUS shared secrets, unicode characters will not work correctly.

  1. Press OK when finished.

For additional information or troubleshooting assistance, please refer to Microsoft documentation on RADIUS clients.

Configure a RADIUS Connection Request

User credentials entered anyconnect password
  1. In the NPS server console, navigate to Policies > Connection Request Policies. Right-click the Connection Request Policies folder and select New.

  2. In the Connection Request Policy Wizard, enter a policy name and select the network access server type unspecified, then press Next.

  3. Click Add to add conditions to your policy. Access-request messages will need to meet these conditions to be allowed access.

  4. From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next

  5. Press Next on the next three pages of the wizard to leave the default settings intact.

  6. Review the settings, then press Finish.


Configure a RADIUS Network Policy.

  1. In the left-side pane of the NPS server console, right-click theNetwork Policies option and select New.

  2. In the Network Policy Wizard enter a policy name and select the network access server type unspecified, then press Next.

  3. Click Add to add conditions to your policy.

  4. From the list of conditions, select the option for Windows Groups. Click Add Groups and enter the name you would like to give client VPN permission to.

  5. From the list of conditions, select the option for NAS-Port-Type. Select VPN Virtual and press Next.

  6. Leave the default settings on the Specify Access Permission page and press Next.

  1. Deselect all checkboxes and select Unencrypted authentication (PAP, SPAP). An informational box will be displayed, press No to continue, and press Next. Refer to this doc for security information about using PAP.

  2. Press Next on the next two pages of the wizard to leave the default settings intact.

  3. Review the settings, then press Finish.


Active Directory

Use this option if user authentication should be done with Active Directory domain credentials. You will need to provide the following information:

User Credentials Entered Anyconnect Account

  • Short domain: The short name of the Active Directory domain.

  • Server IP: The IP address of an Active Directory server on the MX LAN.

  • Domain admin: The domain administrator account the MX should use to query the server.

  • Password: Password for the domain administrator account.

For example, considering the following scenario: Users in the domain test.company.com should be authenticated using an Active Directory server with IP 172.16.1.10. Users normally log in to the domain using the format 'test/username' and you have created a domain administrator account with username 'vpnadmin' and password 'vpnpassword'.

  • The Short domain would be 'test'

  • The Server IP would be 172.16.1.10.

  • The Domain admin would be 'vpnadmin'

  • The Password would be 'vpnpassword'

Anyconnect

Note: Only one AD server can be specified for authentication with AnyConnect at the moment. The MX does not support mapping group policies via Active Directory for users connecting through the client VPN. Refer to this document for more information on integrating with client VPN.


Certificate-based authentication

The AnyConnect server on the MX supports client certificate authentication as a factor of authentication. If certificate authentication is enabled, the AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting for the users' credentials. AnyConnect on the MX does not support certificate-only authentication at this time. Authenticating users must input credentials once certificate authentication succeeds. If certificate authentication fails, the AnyConnect client will report certificate validation failure.

Multi-Factor Authentication with RADIUS or Active Directory as a Proxy

MFA is not natively supported on the MX, however, you can configure MFA with your RADIUS or Active Directory server. The MFA challenge takes place between the RADIUS/Active Directory/Idp and the user. Microsoft excel download free. full version mac. The MX will not pass any OTP or PINs between the user and RADIUS. The user connects to the MX and gets prompted for username and password, the MX passes credentials to the RADIUS or AD server, then the RADIUS or AD server challenges the user directly (not through the MX). The user responds to RADIUS or AD server, possibly via push notification, etc, then the RADIUS or AD server tells the MX that the user has successfully authenticated. Only then is the user allowed access to the network. Refer to this document for more information on authentication.

User Credentials Entered Anyconnect Password

Credentials

RADIUS Time-Out

User Credentials Entered Anyconnect Download

The default RADIUS time-out is three seconds. This is how long the AnyConnect server will wait for a response from the RADIUS sever before failing over to a different RADIUS server or ignoring the response entirely. To support two-factor authentication, you can increase the RADIUS time-out by modifying the RADIUS time-out field on the AnyConnect Settings page. The configurable time-out range is 1 - 300 seconds.