KB ID 0001503
Problem
The newest version of AnyConnect (4.7) adds a feature called ‘Management VPN’. It exists for remote users who rarely connect to the VPN and are therefore hard to manage, e.g. to push software updates, AV updates, SCCM packages etc. down to their machines.
Before version 4.7 you could configure ‘Automatically Connect’ or ‘Start Before Logon’ to handle these problems; now you can use Management VPN instead. It connects automatically (authenticating with the computer certificate, so no user needs to be logged on), and it disconnects automatically when a remote user brings up a normal AnyConnect user VPN connection. When the user disconnects, the Management VPN re-establishes after a few seconds.
As usual the Cisco documentation is not brilliant! So I built it out in EVE-NG to test. Here’s the Lab I used;
I’ve got a Windows 2012 R2 Server that’s doing Certificate services and DHCP, I’ve also got an external (Windows 7) client with AnyConnect 4.7 installed.
Solution
My first task was to set up normal user AnyConnect, which I secured with user certificates deployed via auto-enrollment. While I had my certificate hat on, I also generated a certificate for the outside interface of the ASA. (I didn’t bother setting up NDES; I just imported the CA certificate on the ASA.)
Note: If you already have working AnyConnect, then you can skip this section.
Deploying Certificates via ‘Auto Enrollment’
Cisco AnyConnect – Securing with Microsoft Certificate Services
I’m also leasing my remote client’s IP addresses from my Windows DHCP server, so I’ve setup a DHCP scope on there as well (192.168.125.0/24)
As a pointer here is the config I’m using;
[box]
object network OBJ-AnyConnect-SN
 subnet 192.168.125.0 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.123.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-AnyConnect-SN OBJ-AnyConnect-SN no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
!
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 wins-server none
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-AnyConnect type remote-access
tunnel-group TG-AnyConnect general-attributes
 default-group-policy GP-AnyConnect
 dhcp-server 192.168.123.10
tunnel-group TG-AnyConnect webvpn-attributes
 authentication certificate
 group-alias TG-AnyConnect enable
 group-url https://vpn.testrig.com/AnyConnect enable
[/box]
In addition (much as I prefer to work at the CLI, you need to go into the ASDM to do the following), create a new AnyConnect client profile and associate it with the group policy we just created (above).
Add to the ‘Server list‘ the URL you specified (above).
To avoid the user being prompted for which certificate to use, untick ‘Disable Automatic Certificate Selection’ (yes, the name makes no sense to me either!) and save the profile.
Then make sure the VPN works as expected.
Setup AnyConnect Management VPN
Prerequisites
Your ASA needs to be running version 9.0(1) or newer, and your ASDM image needs to be 7.10(1) or newer.
You need the AnyConnect client software (4.7 or newer!) on the ASA and on the clients.
I’ve already mentioned certificates, but the CA certificate of the CA that issues your COMPUTER certificates must be installed and trusted on the ASA, because the management tunnel authenticates with the machine certificate alone. Mine is already there, as the same CA issues the USER certificates I’m already authenticating.
Add another Tunnel-Group and Group-Policy for your Management-VPN; I’ll drop back to the CLI to do that (to keep things neat and tidy). Because this tunnel comes up unattended and is authenticated by nothing more than the machine certificate, it is worth limiting its split-tunnel list to the management servers that actually need to reach the clients; in this lab the same SPLIT-TUNNEL ACL is reused for simplicity.
[box]
!
group-policy GP-Management-VPN internal
group-policy GP-Management-VPN attributes
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-Management-VPN type remote-access
tunnel-group TG-Management-VPN general-attributes
 default-group-policy GP-Management-VPN
 dhcp-server 192.168.123.10
tunnel-group TG-Management-VPN webvpn-attributes
 authentication certificate
 group-alias TG-Management-VPN enable
 group-url https://vpn.testrig.com/Management-VPN enable
!
[/box]
Add a new AnyConnect client profile, set the Profile Usage to ‘AnyConnect Management VPN Profile’, and link it to the Group-Policy for your AnyConnect USER connections. (It is deployed through the user policy because the client only downloads profiles when a user connects; the management tunnel itself still uses the Management VPN group policy.)
As before, add an entry to the server list with the same URL you specified in the group-url of the Management VPN tunnel group.
Add an Automatic VPN Policy (Trusted Network Detection) so the client connects whenever it is on a network that is NOT your corporate network. With the settings here, if the client is handed my DNS server, or receives my domain name as its DNS suffix via DHCP, it treats the network as trusted and won’t connect.
Additional Settings Required for Management VPN
Edit the Group-Policy you are using for Management VPN > AnyConnect Client > Custom Attributes > Add > create an attribute type called: ManagementTunnelAllAllowed. (This is the attribute that lets the management tunnel come up even when the group policy tunnels all traffic.)
Create a named value for it with the name ‘true’ and the value ‘true’ (it displays as true/true) and assign it to the group policy.
In the same group policy’s ‘AnyConnect Client‘ section, ENABLE ‘Client Bypass Protocol’.
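The same three ASDM steps expressed as ASA CLI, added here as a reference rather than taken from the original article. The attribute type, value name and group-policy name match the lab configuration above; the two show commands at the end are how I would confirm the settings took effect and that the management session is being established against the management tunnel group.

```text
! Define the custom attribute type (under webvpn) and one named value for it
webvpn
 anyconnect-custom-attr ManagementTunnelAllAllowed description Allow the management tunnel to come up
!
! anyconnect-custom-data <type> <name> <value>  -> this is the "true/true" pair shown in ASDM
anyconnect-custom-data ManagementTunnelAllAllowed true true
!
! Attach the attribute to the Management VPN group policy and enable Client Bypass Protocol
group-policy GP-Management-VPN attributes
 anyconnect-custom ManagementTunnelAllAllowed value true
 client-bypass-protocol enable
!
! Verification: the attribute and bypass setting appear in the policy, and once a client
! has disconnected its user tunnel a session authenticated by the machine certificate
! appears under the management tunnel group
show running-config group-policy GP-Management-VPN
show vpn-sessiondb anyconnect
```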
Your client will need to connect (as a user) at least once to download the new profile and settings; once it has, the Management VPN will establish when the user disconnects.
As soon as the user tunnel comes up, the Management VPN tunnel will drop.
Related Articles, References, Credits, or External Links
NA