

Use ACS to authorize AnyConnect 3.0 DTLS and IKEv2 users

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Experimental purpose:

1. Connect with AnyConnect 3.0 over SSL, with DTLS carrying the data channel
2. Connect with AnyConnect 3.0 over IPsec (IKEv2)
3. Use ACS to push the group-policy to users at login

Topology: ASA with inside on GigabitEthernet0 (192.168.10.254/24) and outside on GigabitEthernet1 (192.168.20.254/24); the AnyConnect client connects to the outside address.

ASA configuration:

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0

-- ASDM --

asdm image disk0:/asdm-645-206.bin
http server enable 444   // ASDM moved to TCP 444 so that 443 stays free for AnyConnect SSL and IKEv2 client services
http 0.0.0.0 0.0.0.0 outside   // lab setting: ASDM reachable from any source on the outside interface; restrict this to the management host outside a lab

-- self-signed certificate --

crypto ca trustpoint sslvpnca
 enrollment self
 fqdn asa.sslvpn.net
 subject-name CN=asa.sslvpn.net
crypto ca enroll sslvpnca noconfirm   // self-signed: clients warn on it until the certificate is installed in their trust store (see the installation section below)

-- SSL VPN --

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
 anyconnect profiles ikev2group1 disk0:/ikev2group1.xml   // generated automatically when the profile is created in ASDM; the ASDM side is described later
 anyconnect enable
 tunnel-group-list enable   // shows the group-alias drop-down on the login page
group-policy sslvpnpolicy internal
group-policy sslvpnpolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client   // allows both the SSL/DTLS client and the IKEv2 client
 webvpn
  anyconnect profiles value ikev2group1 type user   // same profile as above; the profile is what makes the client choose IKEv2
username root password N7HlIItY8AVJppkQ encrypted privilege 15   // local administrative account; VPN users are authenticated by ACS through the tunnel-group below
tunnel-group sslvpntunnel type remote-access
tunnel-group sslvpntunnel general-attributes
 authentication-server-group aaa   // the aaa-server group pointing at ACS is configured separately (see the ACS section)
tunnel-group sslvpntunnel webvpn-attributes
 group-alias hr enable

-- IPsec VPN (IKEv2) --

crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
crypto ikev2 enable outside client-services port 443   // client services on 443 let AnyConnect fetch the profile and updates over IKEv2 as well
crypto ikev2 remote-access trustpoint sslvpnca
crypto ipsec ikev2 ipsec-proposal ikev2ipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto dynamic-map dymap 100 set ikev2 ipsec-proposal ikev2ipsec
crypto map sslvpnmap 1000 ipsec-isakmp dynamic dymap
crypto map sslvpnmap interface outside

3DES, SHA-1 and DH group 2 are what this lab negotiated with AnyConnect 3.0; all three are deprecated today and should not be the only policy offered on a production ASA.
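A hardened version of the IKEv2 policy and IPsec proposal, added here as an example; it is not part of the original configuration. It assumes an ASA release and AnyConnect build that accept AES-256, SHA-256 and DH group 14 (newer than the 8.4/3.0 pair used in the lab), keeps the lab's weak policy at a lower priority as a fallback during migration, and uses the names ikev2ipsec-aes and policy number 5 as assumptions.

```cisco
! Added example (not from the original article): strong IKEv2 policy first,
! the original 3DES/SHA-1/group-2 policy kept only as a lower-priority fallback.
! Lower policy number = higher priority on the ASA.
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
!
! Matching IPsec (child SA) proposal; name is an assumption.
crypto ipsec ikev2 ipsec-proposal ikev2ipsec-aes
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Proposals are offered in the order listed: strong one first, legacy second.
crypto dynamic-map dymap 100 set ikev2 ipsec-proposal ikev2ipsec-aes ikev2ipsec
crypto map sslvpnmap 1000 ipsec-isakmp dynamic dymap
crypto map sslvpnmap interface outside
!
! After a client connects, confirm which policy was actually chosen:
!   show crypto ikev2 sa
!   show crypto ipsec sa
! If every client lands on policy 10 the fallback should be removed once the
! last legacy client is upgraded.
```

Removing policy 10 entirely is the end state; leaving it in place lets a downgrade-capable peer negotiate the weak suite indefinitely, so the check above belongs in the migration plan rather than being done once.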

-- ACS pushes the address pool and group-policy --

For the detailed ACS configuration, please refer to my other articles.
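The ASA side of "ACS pushes the group-policy", added here as an example; it is not from the original article or the author's other posts. The server-group name aaa matches the tunnel-group above; the ACS address 192.168.10.10, the RADIUS key, the pool hrpool, the policy name hrpolicy and the test user are assumptions.

```cisco
! Added example (not from the original article): RADIUS server group "aaa"
! that the tunnel-group's authentication-server-group refers to.
! ACS address and key are assumptions.
aaa-server aaa protocol radius
aaa-server aaa (inside) host 192.168.10.10
 key cisco123
!
! Group-policy that ACS hands out by name. ACS must return the IETF RADIUS
! attribute Class (25) with the value
!     OU=hrpolicy;
! (semicolon included). The ASA applies the local group-policy with that
! exact name on top of the tunnel-group's default policy, so the policy
! has to exist locally under that name.
ip local pool hrpool 192.168.30.1-192.168.30.100 mask 255.255.255.0
group-policy hrpolicy internal
group-policy hrpolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value hrpool
 webvpn
  anyconnect ssl dtls enable     ! DTLS data channel for the SSL client (on by default; shown explicitly)
!
tunnel-group sslvpntunnel general-attributes
 authentication-server-group aaa
 default-group-policy sslvpnpolicy   ! what a user gets if ACS returns no Class attribute
!
! Checks, run on the ASA:
!  test aaa-server authentication aaa host 192.168.10.10 username user1 password pass1
!       -> proves the RADIUS key and reachability before touching the VPN
!  show vpn-sessiondb detail anyconnect
!       -> "Group Policy : hrpolicy" for an authorized user;
!          SSL-Tunnel plus DTLS-Tunnel rows for the SSL client,
!          IKEv2 plus IPsec rows for the IKEv2 client
!  show crypto ikev2 sa
!       -> the IKEv2 policy and DH group actually negotiated
```

A user who authenticates but shows the tunnel-group's default policy in `show vpn-sessiondb` has no matching Class attribute on the ACS side, or the policy name on the ASA differs from what ACS returns; comparing the two strings is the first thing to check.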

-- user group-policy configuration --

-- users and groups configuration --

This part is straightforward and is not shown here.

-- AnyConnect and certificate installation --

This part is straightforward and is not shown here.

-- AnyConnect profile configuration --

The profile (ikev2group1.xml) is what selects the tunnel type: its host entry must set PrimaryProtocol to IPsec for the client to connect with IKEv2; with the default value the client uses SSL with DTLS.

Verify:
