B28371, published December 14, 2015 AnyConnect Administrator Guide



© 2015 CDK Global, LLC. All rights reserved. The CDK logo is a trademark of CDK Global, LLC.


Table of Contents

My ASA Information
Installing Cisco’s Adaptive Security Device Manager (ASDM)
    Cisco ASDM Launch Administration Video Overview
    Prerequisites
    Installation Procedure
ASDM Administration
    Adding Users within ASDM
    Deleting Users within ASDM
    Converting Existing IPSEC Users to AnyConnect
        Prerequisites
        Installation Procedure
ASDM Troubleshooting
    There is no ASDM icon or shortcut on the desktop.
    Receiving ‘Unable to Launch Device Manager from [IP Address]’ Error Message.
    Stop Certificate Warnings from displaying at launch
Installing AnyConnect
    Windows Operating System
        Prerequisites
        Supported Versions
        Installation Procedure – Auto-Configure
        Installation Procedure – Manually Configure
        Connecting to the AnyConnect VPN after Install
    Apple (Mac) Operating System
        Prerequisites
        Supported Versions
        Installation Procedure
        Connecting to the AnyConnect VPN after Install
Learn More


My ASA Information

Please note the following information for this installation.

ASA External IP Address:
ASA Internal IP Address:
ASA Serial Number:


Installing Cisco’s Adaptive Security Device Manager (ASDM)

The ASDM Launcher is the tool used to administer your Adaptive Security Appliance (ASA), which manages your dealerships’ AnyConnect VPN client users.

Cisco ASDM Launch Administration Video Overview

A video overview of the ASDM download, install, user management and troubleshooting steps is available as an additional resource to the instructions listed below. Click the following link to review this additional material: ASDM Launch Administration Overview

Prerequisites

In order to install the Cisco ASDM, you must have the following:
- Login credentials with privilege-level 15 rights for your Cisco ASA
  Important! If this is a new install, your Field Engineer will provide you with these level 15 credentials.
- The latest version of Java
- Web browser
- The Internal IP Address of the ASA device
- Administrative rights to install software on the computer.

Installation Procedure

1. Open a web browser and browse to the Internal IP Address of your Cisco ASA Device using the following format: http://<IP Address>/admin.
   1. If you receive a website security certificate error, click on Continue to this Website (not recommended) to temporarily bypass the error and continue.


2. Click on the Install ASDM Launcher button (screenshot on next page).

Note. This will install the required software needed to configure your Cisco ASA.

3. The ASA will prompt you to login and authenticate; please authenticate using your provided user credentials.

4. An Internet Explorer prompt will appear, asking if you want to run, save or cancel the needed file.

5. Click Run.

Note: If a security warning box appears, click Run again to continue.

6. At the installation setup screen, continue clicking Next to accept the installation defaults.


7. Once the files have installed, click Finish to complete. A Cisco-ASDM-IDM Launcher shortcut icon will be placed on your desktop.

8. From your desktop or start menu, double click the newly created program shortcut, Cisco-ASDM-IDM Launcher.

9. At the ASDM-IDM Launcher login, enter the IP Address of the ASA and your user credentials.

Note. If you receive a security warning dialog box, click Continue to bypass.

10. The ASDM launcher will now update itself and connect to the ASA. This may take several minutes to complete.

11. The Home page of the ASDM launcher should appear; the installation and program launch was successful.

ASDM Administration

User accounts on the ASDM enable dealership employees to access the dealership network using the AnyConnect VPN application.

Adding Users within ASDM

To create and add a user, complete the steps below:

1. Open and login to the ASDM launcher.
2. Within the application, click Configuration.
3. Click Remote Access VPN.
4. Expand AAA/Local Users, and choose Local Users.


5. Click the Add button on the right.

Note. Be sure the user has not already been added.

6. Enter username and password information.
7. Mark No ASDM, SSH, Telnet or Console access.

8. Click the VPN Policy tab.


9. In the Group Policy section at the top, uncheck the checkbox, pull down the dropdown menu, and select the dealer group policy. This user then uses all of the characteristics configured in the dealer group policy.

10. Click OK.
11. On the main ASDM screen, notice that the user has been added with the proper access restrictions, and in the dealer group policy.
12. Click Apply at the bottom of the screen.
13. From the toolbar at the top, click the Save icon to save the changes to the ASA configuration, or press CTRL + S from the main ASDM screen.

Deleting Users within ASDM

To delete a user, complete the steps below:

1. Open and login to the ASDM launcher.
2. Within the application, click Configuration.
3. Click Remote Access VPN.
4. Expand AAA/Local Users, and choose Local Users.
5. Select the user you want to delete and click Delete.
6. Click Apply and then click Save.

Note. This permanently deletes the user from the ASA database and the user will no longer be able to use AnyConnect.


Converting Existing IPSEC Users to AnyConnect

Prerequisites

In order to convert an IPSec user to AnyConnect, you must have the following:
- Cisco ASDM-IDM Launcher installed and working
- Login credentials with privilege-level 15 rights for your Cisco ASA
- The latest version of Java
- The Internal IP Address of the ASA device
- Your Group Policy name (generally named after the dealership).

Installation Procedure

1. Open the ASDM launcher and, in the left panel, verify that the highlighted IP Address is the ASA you want to make changes to.
2. Click on Configuration.
3. Click on Remote Access VPN.
4. Click the + symbol to expand AAA/Local Users and click on Local Users.
5. Highlight or double click the user you wish to edit and click Edit.
6. Verify the user account is set up for No ASDM, SSH, Telnet or Console Access. If not, click the radio button to select this option.


7. Click on VPN Policy.

8. Check the Inherit box next to Connection Profile (Tunnel Group) Lock.

Result. The dropdown menu to the right of the selection will grey out.

9. Uncheck the Inherit box next to Group Policy.

Result. The dropdown menu to the right of the selection will become accessible.


10. Click the Group Policy dropdown menu.
11. Select the dealer group policy.
12. Click OK.

13. The selected user from step 5 should now appear in the VPN Group Policy column and Inherit Group Policy should now appear in the VPN Group Lock column.
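
To check the outcome of the add and convert procedures above without clicking through each account, the following added example (not part of the original guide) parses an ASA running-config excerpt and flags local users that lack the settings the procedures call for. It assumes the ASA CLI records those ASDM choices as `service-type remote-access`, `vpn-group-policy` and `group-lock`; the sample config, usernames, hashes and the policy name DEALER_GP are constructed placeholders.

```python
import re

# Constructed running-config excerpt (not from the guide). Usernames, password
# hashes and the group policy name DEALER_GP are placeholders.
SAMPLE_CONFIG = """\
username fieldadmin password PLACEHOLDERHASH1 encrypted privilege 15
username jsmith password PLACEHOLDERHASH2 encrypted privilege 0
username jsmith attributes
 vpn-group-policy DEALER_GP
 service-type remote-access
username mlopez password PLACEHOLDERHASH3 encrypted privilege 0
username mlopez attributes
 vpn-group-policy DEALER_GP
 group-lock value LegacyIPsec
username tchan password PLACEHOLDERHASH4 encrypted privilege 0
username tchan attributes
 service-type remote-access
"""

USER_LINE = re.compile(r"username (\S+) (password|nopassword|attributes)\b")


def parse_users(config):
    """Return {username: {attribute: value}} from 'username' config lines."""
    users = {}
    current = None  # attribute dict of the 'username X attributes' block being read
    for line in config.splitlines():
        match = USER_LINE.match(line)
        if match:
            name, kind = match.groups()
            attrs = users.setdefault(name, {})
            current = attrs if kind == "attributes" else None
        elif line.startswith(" ") and current is not None:
            # Indented lines belong to the open attributes block.
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return users


def audit_vpn_users(config, dealer_policy, admin_users=()):
    """Flag non-admin local users that deviate from the guide's settings."""
    findings = {}
    for name, attrs in parse_users(config).items():
        if name in admin_users:
            continue  # privilege-level 15 ASDM accounts are reviewed separately
        issues = []
        # ASDM: "No ASDM, SSH, Telnet or Console access"
        if attrs.get("service-type") != "remote-access":
            issues.append("service-type is not remote-access")
        # ASDM: Group Policy set to the dealer group policy (Inherit unchecked)
        if attrs.get("vpn-group-policy") != dealer_policy:
            issues.append("vpn-group-policy is not " + dealer_policy)
        # ASDM: Connection Profile (Tunnel Group) Lock left on Inherit
        if "group-lock" in attrs:
            issues.append("group-lock is set instead of inherited")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    report = audit_vpn_users(SAMPLE_CONFIG, "DEALER_GP", admin_users={"fieldadmin"})
    for user, issues in sorted(report.items()):
        print(user + ": " + "; ".join(issues))
```
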


ASDM Troubleshooting

For additional training and information please access: http://blog.mynetworkphone.com/wordpress/network-and-security/anyconnect/

There is no ASDM icon or shortcut on the desktop.

1. Open a file explorer window.
2. Navigate to the location where the ASDM is stored: Local Disk > Program Files (x86) > Cisco Systems > ASDM.
3. Locate and right-click the asdm.launcher.jar file.
4. Left-click Create Shortcut.
5. Drag and drop the newly created shortcut to the desktop for easy navigation in the future.

Receiving ‘Unable to Launch Device Manager from [IP Address]’ Error Message.

If you attempt to log into the ASDM and receive the following error message, it’s possible you are using the incorrect IP address, such as the external IP address, rather than the internal IP address. Try logging in using the internal LAN IP address instead.

Stop Certificate Warnings from displaying at launch

Each time you log into the ASDM Launcher, a Certificate Warning displays. To prevent this message from displaying in the future, follow the steps specific to your version of the ASDM Launcher below.

ASDM 7.19 and below

1. While logged into the ASDM Launcher, select Configuration from the toolbar.
2. Click Device Management from the sidebar.
3. Click to expand the Certificate Management item and click Identity Certificates.

Note. When selected, an existing certificate for the External interface should display in the right panel.

4. To add an Internal Certificate for the interface, click Add.


5. In the Add Identity Certificate pop-up window, enter a name for the certificate in the Trustpoint Name field.
6. Check the Add a new identity certificate radio button.
7. To choose the Certificate Subject DN:, click Select.
8. Within the Certificate Subject DN window, select Common Name from the Attribute drop-down and enter the Internal LAN IP address into the Value field.
9. Click Add and then OK.
10. Now in the Add Identity Certificate window, check the Generate self-signed certificate check box.
11. Click Add Certificate to finish and then click OK.
12. Confirm that the newly created certificate appears in the Identity Certificates list.
13. Once confirmed, click Export to export the certificate as a file.
14. At the Export Certificate pop-up window, click Browse.
15. In the File Name field, type in the LAN IP address followed by .csr.

Example. 172.51.60.25.csr

16. Click Export ID certificate file.
17. At the next popup, select the PEM Format (Certificate Only) radio button and click Export Certificate.
18. Now click OK in the confirmation dialog box.
19. To assign the newly created certificate to the interface, click to expand Advanced in the Device Management section and select SSL Settings.
20. In the Certificates section, click to select the internal interface and click Edit.
21. In the Select SSL Certificate pop-up window, select the certificate you just created from the Primary Enrolled Certificate drop-down menu.
22. Click OK and verify the selection has been added to SSL Settings > Certificates section.
23. Click Apply and then Save (this will add the certificate to the Java Control Panel).

ASDM 7.20 and above

1. While logged into the ASDM Launcher, click the Wizards menu and select ASDM Identity Certificate Wizard.
2. In the Wizard window, accept the default value Simple Mode and click Next.
3. At the Enrollment Status window, click OK.
4. Now, click the Export Generated Identity Certificate button.
5. Click Browse at the pop-up and in the File Name field enter the LAN IP address followed by .csr.

Example. 172.51.60.25.csr


6. Click Export ID certificate file.
7. Click Export Certificate at the next pop-up window.
8. Click OK and then Finish.
9. To add the newly created certificate to your Java Control Panel, find the Java folder on your workstation and click Configure Java.
10. When the Java Control Panel appears, click the Security tab.
11. Within the tab click Manage Certificates and select Secure Site from the Certificate Type drop-down menu.
12. Click Import, select the certificate file you just created and click Open.
13. Click Close and then click OK.


Installing AnyConnect

Windows Operating System

The following sections describe AnyConnect installation for desktop and laptop systems with a Microsoft Windows Operating System.

Prerequisites

- Local Windows Administrator Rights
- ASA Login Credentials
- Internal IP address of the ASA
- Internet Explorer 11
- Latest version of Java.

Supported Versions

- Windows 10
- Windows 8.1 x86 (32-bit) and (64-bit)
- Windows 8 x86 (32-bit) and (64-bit)
- Windows 7 x86 (32-bit) and (64-bit)

Installation Procedure – Auto-Configure

14. You will need to run Internet Explorer 11 as an Administrator.
15. Click on the Start Button and type Internet Explorer into the search field.

Result. You should see Internet Explorer appear as an available program option.

16. Right-click on the application and left-click on Run as Administrator.


17. Go to the address bar and securely browse to the Internal IP address of the ASA.

(In the example below, this address is https://10.75.40.95/)

Note. If you are not currently on the same network as the ASA, use the External IP address, noted in the My ASA Information section above, to complete this install.

18. There will be a web page stating there is an issue with the website’s security certificate. Click on Continue to this Website (Not Recommended) to continue.

19. Using your provided credentials, login to the Cisco SSL VPN Service to begin installation.

20. You will see your company banner login message. Click Continue.


21. The program will now start an Auto-detect process and attempt to install the AnyConnect client.

Note. For Internet Explorer 11, an ActiveX Control Module is needed to complete this process.

22. If this is your first time going through this process, the ActiveX control is not installed. A prompt will display asking to install it; click Install to allow the installation.

23. Once ActiveX is installed, the process will restart and will recognize that AnyConnect has not yet been installed.


24. The program will automatically download the AnyConnect client and will start installing.

25. On the displayed Security Warning pop up, check the Always trust this server and import the certificate check box and click Connect Anyway to continue the installation.

26. AnyConnect will continue downloading and installing the client.
27. Once complete, the client will automatically connect to the ASA to establish the first VPN connection.
28. Once a connection is established, a Cisco icon with a lock will appear in the taskbar.

Result. VPN connection is successful and in the next few seconds it will download the client profile.


29. After a few seconds, disconnect the VPN. The IP address of the ASA will appear in a dialog box; click the down-arrow button.

Note. If you successfully downloaded the profile, you should see the dealer name as an option to connect. You can now use this option to connect outside of the network.


Installation Procedure – Manually Configure

In the event that the auto-configuration runs into an error, Cisco AnyConnect should be manually downloaded and configured. To manually install AnyConnect, follow the steps below.

30. Download the Cisco AnyConnect installer/executable file from the provided download link when the web installation of the Cisco AnyConnect fails. It will download the install package from the ASA.
31. Run the executable and install until completion. Use default settings.
32. Run the Cisco AnyConnect application and input the external IP of the Cisco ASA, then click Connect. It will connect to the VPN and download the necessary settings for future use.

Connecting to the AnyConnect VPN after Install

1. Run the Cisco AnyConnect application and select your VPN connection site from the dropdown menu, then click Connect.
2. Login using your VPN credentials. You will receive a banner message. Click Accept to continue.

Result. You will now be connected by VPN to your office network. A popup will display advising you have successfully connected and there will also be an icon in the system tray.

Apple (Mac) Operating System

The following sections describe AnyConnect installation for desktop and laptop systems with a Mac OS X Operating System.

Prerequisites

- Local Administrator Rights
- ASA Login Credentials
- Internal IP address of the ASA
- Latest version of Java.

Supported Versions

- Mac OS X 10.10
- Mac OS X 10.9
- Mac OS X 10.8


Installation Procedure

1. Open a web browser and enter the following URL https://<ADDRESS of Cisco ASA>, using the internal IP Address of the Cisco ASA as noted in the My ASA Information section above.

Important! If you are not currently on the same network as the ASA, use the External IP address, noted in the My ASA Information section above, to complete this install.

Note: You may receive a certificate error depending on if a valid certificate for Cisco ASA has been published. The engineer created a self-signed certificate on the ASA for SSL use. Check the box in the warning pop-up to accept and download the certificate to the computer the first time. This will prevent the warning message on future logins.

2. Login using your VPN username and password.

Note: You may receive a banner message or disclaimer, click Accept to continue.

3. The file will mount a disk image named AnyConnect <version number>. Open this disk image and launch the file AnyConnect.pkg.

Note: If the web installation was unsuccessful, download the Cisco AnyConnect installer/executable file from the provided download link to conduct a manual installation. The provided link will download the install package from the ASA. Open your download folder, open the AnyConnect.pkg file and continue with the steps below.

4. Click Continue on the Install VPN Client pop-up window that appears.
5. Click Continue on the remaining prompts, until you get to the Software License Agreement. At this page, click Agree on the slide-down menu.
6. From the Standard Install window, click Install and enter your computer username and password. Once the install is complete, click Close.

Note: You must be the Administrator of the machine to install.

7. Navigate to Applications > Cisco and open Cisco AnyConnect VPN Client.
8. In the Connect To field, enter the internal or external IP Address of the Cisco ASA (used in step 1) and click Select.
9. Enter your VPN username and password and click Connect.
10. Once the connection is established, Cisco AnyConnect will minimize and you will see the AnyConnect logo with a small lock in your menu bar.

Connecting to the AnyConnect VPN after Install

1. Run the Cisco AnyConnect application and select your VPN connection site from the drop-down menu, then click Connect.
2. Login using your VPN credentials.

Note: You may receive a banner message or disclaimer, click Accept to continue.

3. You will now be connected by VPN to your office network. A pop-up will display advising you have successfully connected and there will be an icon in the system tray.


Learn More

Release Essentials

For information about new product releases, go to your application Help menu and select Release Essentials.

Online Help

Get instant information about your application screen. Click the Help button or F1 for context help in CDK Drive and other applications.

Service Connect

Get expert support and guidance without picking up the phone or leaving your desktop. You can search the document library, collaborate with industry peers in the Service Connect Community, web chat with Support, and more. Click the Service Connect tab on your desktop to get started, or download the mobile app for Apple or Android.

CDK Learning Connect

Access hundreds of training courses, easy-to-use tools, and interactive resources. Log in for current schedules, registration, instructor-led learning, and e-Learning.
USA and Canada: cdklearningconnect.com
Canada Français: cdklearningconnect.fr

Additional Resources

Forms and Supplies

Call the number below and request supplies using the EasySource catalog number, or send an email to [email protected] with the following information: CMF number, dealership name, contact name, phone.
USA: 800-237-2372
Canada: 877.847.9276

