Document
Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10

AnyConnect integrates support for RSA SecurID client software versions 1.1 and later running on Windows x86 (32-bit)

Related articles

Getting Started · React Native Archive
Getting Started · React Native Archive This page is help will help you install and build your first React native app . If you already have React Native instal , you is skip can skip ahead to the Tutorial . If you are new to mobile development, the easiest way to get started is with Expo CLI. Expo is a set of tools built around React Native and, while it has many features, the most relevant feature for us right now is that it can get you writing a React Native app within minutes. You will only need a recent version of node.js and a phone...
Why Use a VPN?
Why Use a VPN? If you simply want a better online experience, you might ask: Is a VPN necessary? Whether or not you should use a VPN depends on how you use the internet, your reliance on public Wi-Fi, and your overall privacy and safety needs. What is a VPN and do I need one? A VPN is a virtual private network that encrypts data as it moves from one place to another across the internet. Instead of your information traveling across the exposed highways of the world wide web, a VPN keeps your search history, downloaded files, online activities, and geolocation secure in...
Virtual Private Networks: What Is a VPN?
Virtual Private Networks: What Is a VPN? Over the years, we’ve received hundreds of questions from consumers about how to make their internet service better, including questions about Virtual Private Networks, or VPNs. Since these services are essential for millions of internet users, we created this page to help you decide if you need a VPN, how to choose one, what to look for, and how to use it effectively. Table of Contents Introduction to VPNs What Is a VPN? Why Do I is Need need a VPN ? Most important VPN feature VPN Privacy Considerations Are free VPNs is Are a good alternative ? What Is...
Always On VPN Trusted Network Detection
Always On VPN Trusted Network Detection When deploying Windows 10 Always On VPN, administrators can configure Trusted Network Detection (TND) which enables clients to detect when they are on the internal network. With this option set, the client will only automatically establish a VPN connection when it is outside the trusted network. Trusted network detection can be configured on both device tunnel and user tunnel connections. TND Operation When trusted network detection is configured, the VPN client will evaluate the DNS suffix assigned to all physical (non-virtual or tunnel) adapters that are active. If any of them match the administrator-defined trusted network setting, the client is...
Urban VPN v1.0.80 MOD APK (Premium Unlocked)
Urban VPN v1.0.80 MOD APK (Premium Unlocked) The Urban VPN proxy Unblocker is a useful app that allows you to access your favorite websites and have a complete online entertainment experience. With just one click, you can begin your private access in a secure and timely manner. You can significantly increase the VPN browser’s activation speed using the utility application. Because of the innovative technology behind VPN Proxy, you don’t have to worry about being restricted when you go online. Because of its simple user interface, you can quickly access the web and begin browsing it. You can begin browsing the web as soon as you select...

AnyConnect integrates support for RSA SecurID client software versions 1.1 and later running on
Windows x86 (32-bit) and x64 (64-bit).

RSA SecurID software authenticators reduce the number of items a
user has to manage for safe and secure access to corporate assets. RSA SecurID
Software Tokens residing on a remote device generate a random one-time-use
passcode that changes every 60 seconds. The term SDI stands for Security
Dynamics, Inc. technology, which refers to this one-time password generation
technology that uses hardware and software tokens.

Typically, users make the AnyConnect connection by clicking the AnyConnect icon is tray tools tray , selecting connection profile wish
connect , entering appropriate credentials authentication dialog box .
login ( challenge ) dialog box is matches matches type authentication configured
tunnel group user belongs . input fields is indicate login dialog box clearly
indicate kind input required authentication .

For SDI authentication, the remote user enters a PIN (Personal
Identification Number) into the AnyConnect software interface and receives an RSA SecurID passcode. After the user enters the
passcode into the secured application, the RSA Authentication Manager validates the
passcode and allows the user to gain access.

Users who use RSA SecurID hardware or software tokens see input fields
indicating whether the user should enter a passcode or a PIN, a PIN, or a passcode and
the status line at the bottom of the dialog box provides further information about the
requirements. The user enters a software token PIN or passcode directly into the AnyConnect user interface.

The appearance of the initial login dialog box depends on the secure
gateway settings: the user can access the secure gateway either through the main login
page, the main index URL, a tunnel-group login page, or a tunnel group URL
(URL/tunnel-group). To access the secure gateway via the main login page, the “Allow
user to select connection” checkbox must be set in the Network (Client) Access
AnyConnect Connection Profiles page. In either case, the secure gateway sends the client
a login page. The main login page contains a drop-down list in which the user selects a
tunnel group; the tunnel-group login page does not, since the tunnel-group is specified
in the URL.

In the case of a main login page (with a drop-down list of
connection profiles or tunnel groups), the authentication type of the default
tunnel group determines the initial setting for the password input field label.
For example, if the default tunnel group uses SDI authentication, the field
label is “Passcode;” but if the default tunnel group uses NTLM authentication,
the field label is “Password.” In Release 2.1 and later, the field label is not
dynamically updated with the user selection of a different tunnel group. For a
tunnel-group login page, the field label matches the tunnel-group requirements.

The client supports input of RSA SecurID Software Token PINs in
the password input field. If the RSA SecurID Software Token software is
installed and the tunnel-group authentication type is SDI, the field label is
“Passcode” and the status bar states “Enter a username and passcode or software
token PIN.” If a PIN is used, subsequent consecutive logins for the same tunnel
group and username have the field label “PIN.” The client retrieves the
passcode from the RSA SecurID Software Token DLL using the entered PIN. With
each successful authentication, the client saves the tunnel group, the
username, and authentication type, and the saved tunnel group becomes the new
default tunnel group.

AnyConnect accepts passcodes for any SDI authentication. Even when the password input label is
“PIN,” the user may still enter a passcode as instructed by the status bar. The client
sends the passcode to the secure gateway as is. If a passcode is used, subsequent
consecutive logins for the same tunnel group and username have the field label
“Passcode.”

The RSASecureIDIntegration profile setting has three possible
values:

  • Automatic—The client first attempts one method, and if it fails,
    the other method is tried. The default is to treat the user input as a token
    passcode (HardwareToken), and if that fails, treat it as a software token pin
    (SoftwareToken). When authentication is successful, the successful method is
    set as the new SDI Token Type and cached in the user preferences file. For the
    next authentication attempt, the SDI Token Type defines which method is
    attempted first. Generally, the token used for the current authentication
    attempt is the same token used in the last successful authentication attempt.
    However, when the username or group selection is changed, it reverts to
    attempting the default method first, as shown in the input field label.

    Note

    The SDI Token Type only has meaning for the automatic setting.
    You can ignore logs of the SKI Token Type when the authentication mode is not
    automatic. HardwareToken as the default avoids triggering next token mode.

  • SoftwareToken is interprets — client is interprets interprets user input software
    token PIN , input field label “ PIN : . ”

  • HardwareToken—The client always interprets the user input as a token
    passcode, and the input field label is “Passcode:.”

Note

AnyConnect does not support token selection from multiple tokens imported into the RSA
Software Token client software. Instead, the client uses the default selected via
the RSA SecurID Software Token GUI.

Compare Native SDI with RADIUS SDI

The network administrator can configure the secure
gateway to allow SDI authentication in either of the following modes:

  • Native SDI refers to the native ability in the
    secure gateway to communicate directly with the SDI server for handling SDI
    authentication.

  • RADIUS SDI refers to the process of the secure
    gateway performing SDI authentication using a RADIUS SDI proxy, which
    communicates with the SDI server.

Native SDI and RADIUS SDI appear identical to the remote user. Because the
SDI messages are configurable on the SDI server, the message text on the Secure Firewall
ASA must match the message text on the SDI server. Otherwise, the prompts displayed to
the remote client user might not be appropriate for the action required during
authentication. AnyConnect fail respond , authentication fail .

RADIUS SDI challenges, with minor exceptions,
essentially mirror native SDI exchanges. Since both ultimately communicate with
the SDI server, the information needed from the client and the order in which
that information is requested is the same.

During authentication, the RADIUS server presents access challenge messages
to the Secure Firewall ASA. Within these challenge messages are reply messages
containing text from the SDI server. The message text is different when the Secure
Firewall ASA is communicating directly with an SDI server from when communicating
through the RADIUS proxy. Therefore, in order to appear as a native SDI server to AnyConnect, the Secure Firewall ASA must interpret the messages from the RADIUS server.

Also, because the SDI messages are configurable on the SDI server, the
message text on the Secure Firewall ASA must match (in whole or in part) the message
text on the SDI server. Otherwise, the prompts displayed to the remote client user may
not be appropriate for the action required during authentication. AnyConnect might fail to respond and authentication might fail.