AnyConnect 4 – Plus and Apex Licensing Explained

KB ID 0001013 

Problem

(Updated 11/05/21)

Before version 4 we simply had AnyConnect Essentials and Premium licensing, now we have Plus and Apex licensing.

AnyConnect Plus and Apex

There are in fact three licensing options;

  • Cisco AnyConnect Plus Subscription Licenses
  • Cisco AnyConnect Plus Perpetual Licenses
  • Cisco AnyConnect Apex Subscription Licenses
  • NEW VPN Only perpetual Licences

Plus and Apex Contain;

AnyConnect PLUS (Cisco pitch “Equivalent to the old Essentials License”).

  • VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms.
  • Basic endpoint context collection (Note: NOT full ISE context support).
  • IEEE 802.1X Windows supplicant.
  • Cisco Cloud Web Security agent for Windows & Mac OS X platforms.
  • Cisco Web Security Appliance support.
  • FIPS compliance.

AnyConnect APEX (Cisco pitch “Equivalent to the old Premium License”).

  • Everything that’s included in AnyConnect Plus.
  • Clientless (browser-based) VPN termination on the Cisco ASA.
  • VPN Compliance/Posture agent in conjunction with the Cisco ASA.
  • Unified Compliance/Posture agent in conjunction with the Cisco ISE 1.3 or later.
  • Next Generation Encryption/Suite B.

Both licenses are available as 1, 2 and 5 (not 3 as listed on the Cisco website) year subscription, or you can buy Plus licenses with a perpetual license option.

Note: For PLUS Licences looks at SKUs starting  L-AC-PLS, for APEX Licences look SKUs starting at L-AC-APX

(Note: if you have a Plus Perpetual license you still need to purchase a software applications support plus upgrades (SASU) contract.

Regardless of which you buy, the SASU for AnyConnect is NOT included in the support contract for the parent device e.g. the SmartNet on your Cisco ASA Firewall.

To purchase support you order the parent license (SKU: L-AC-PLS-P-G) which has no cost, then you add in the relevant license for the amount of clients you have e.g. AC-PLS-P-500-S for 500 users, AC-PLS-P-2000-S for 2000 users etc.

BE AWARE: AnyConnect 4 Licenses will display as AnyConnect Premium licenses when you issue a ‘show version’ command. When adding an AnyConnect 4 License (regardless of the quantity of licenses added), will license to the maximum permitted AnyConnect Premium license count for the ASA hardware platform, those being;

New AnyConnect VPN Only Licences (Perpetual)

You can now purchase VPN Only perpetual licences, they are sold by ‘Concurrent VPN Connection‘. You order them like so;

L-AC-VPNO-25 (for 25 concurrent VPN connections) you can also buy in 50, 100, 250, 500, 1K, 2500, 5K ,and 10K versions. Depending on what you device will physically support (see below)

Cisco ASA Maximum VPN Peers / Sessions

Cisco Firepower Firewalls

FPR-1010 = 75
FPR-1120 = 150
FPR-1130 = 400
FPR-1140 = 800
FPR-2110 = 1500
FPR-2120 = 3500
FPR-2130 = 7500
FPR-2140 = 10,000
FPR-4110 = 10,000
FPR-4112 = 10,000
FPR-4115 = 15,000
FPR-4120 = 20,000
FPR-4125 = 20,000
FPR-4140 = 20,000
FPR-4145 = 20,000
FPR-4150 = 20,000
FPR-9300-SM24 = 20,000 
FPR-9300-SM36 = 20,000
FPR-9300-SM40 = 20,000
FPR-9300-SM44 = 20,000
FPR-9300-3xSM44 = 60,000
FPR-9300-SM48 = 20,000
FPR-9300-SM56 = 20,000
FPR-9300-SM3x56 = 60,000

Cisco ASA 5500-X Firewalls
5506-X = 50
5508-X = 100
5512-X = 250
5515-X = 250
5516-X = 300
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000
Cisco ASA 5500 Firewalls

5505 = 25 
5510 = 250 
5520 = 750 
5540 = 5,000 
5550 = 5,000 
5580 = 10,000

Cisco ASAv Firewalls

ASAv5  = 50
ASAv10 = 100
ASAv30 = 750
ASAv50 = 10,000
 

Related Articles, References, Credits, or External Links

Cisco AnyConnect – Essentials / Premium Licenses Explained

Cisco ASA 5500 – Adding Licenses

Cisco AnyConnect Ordering Guide

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)

KB ID 0001156 

Problem

Carrying on from PART 1

Solution

Add  > Create Before.

Edit the Policy

Giv the policy set a name and description > Create a new condition.

Set Description to Device Type.

Equals > All Device Types (The Device Group You Created Above).

Add attribute value.

Set Description to RADIUS.

NAS-Port-Type-[61].

Equals  > Virtual.

Edit the Authentication Policy.

Change the identity source to the the identity source sequence you created above.

Authorisation Policy > Insert New Rule Above.

Give it a Name i.e. VPN-ADMIN-RULE > Create New Condition.

Set Description to your Active Directory.

External Groups.

Select your AD group (VPN-Admins).

Set Permissions to Standard.

Select your VPN-Admins authorisation profile.

Add another rule (directly below) of your VPN-Users and set this one to use the user profile.

Add a further rule (below that) for your LOCAL admin in the ISE database.

Set User Identity Groups to VPN-Admins.

Note: this is the LOCAL group in ISE, NOT the domain security group.

Again use the admin authorisation profile.

Finally you need to change the ‘Default’ rule to ‘Deny Access’, (or they will just hit the default allow and get in anyway!)

Now you can test.

Related Articles, References, Credits, or External Links

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity >Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enables and you can copy paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Though a Firewall

Sometimes, e.g. you have a switch in a DMZ or a router outside your firewall that you want to secure with TACACS. To enable this you simply need to open TCP port 49, from the device you are securing with TACACS to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS

Cisco ISE NFR Appliance Setup

KB ID 0001066

Problem

The Cisco ISE NFR appliance is for demos and test bench use, I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyper-link to the instructions, that didn’t work! bah.

Solution

The appliance comes as an OVA file for importation into vSphere/ESX, I’m assuming you have already imported the appliance.

VMware vSphere – How to Import and Export OVF and OVA Files

1. Default username and Password: Username admin Password ISEc0ld

Cisco ISE NFR Setup Basic IP Addressing.

2. By default the appliance has an IP address of 10.1.100.21, you can see that at CLI.

[box]ise/admin# show interface[/box]

3. Or here you can see the IP address in the vSphere console.

4. To change the IP (Note: The ISE appliance has two virtual NIC’s I’m just changing the default ones IP address).

[box]
ise/admin# configure
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 192.168.200.12 255.255.255.0

Enter ‘Y’ to restart the services.

[/box]

[box] ise/admin(config-GigabitEthernet)# exit
ise/admin(config)#
ip default-gateway 192.168.200.1[/box]

Cisco ISE NFR Set Hostname and DNS Information

6. To change the appliances default domain;

[box]
ise/admin(config)# ip domain-name pnltest1.com

Enter ‘Y’ to restart the services.

[/box]

7. To set the DNS server to use for local lookups;

[box]ise/admin(config)# ip name-server 192.168.200.10

Enter ‘yes’ to restart the services.

[/box]

8. To set the Hostname, simply use the following syntax;

[box]ise/admin(config)# hostname ISE-01 [/box]

Cisco ISE NFR Set NTP Information

9. To set the timezone;

[box]ise/admin(config)# clock timezone GB [/box]

10. To set the NTP servers it’s a little more convoluted, you can have up to three, two are already configured. If you try and delete the pre-configured ones it will error. So you need to add one, then delete the two factory ones, then you can add up to another two.

[box]

To Add an NTP Server

ise/admin(config)# ntp server 123.123.123.123
To Remove an NTP Server

ise/admin(config)# no ntp server 123.123.123.123

[/box]

11. As usual NTP can take a while to synchronise, I’d go and have a coffee at this point, to test;

[box]ise/admin(config)# show ntp [/box]

12. Save your changes.

13. At this point you should be able to get to the web console.

14. Logged in successfully.

 

Related Articles, References, Credits, or External Links

NA

Cisco ISE – Upgrading

KB ID 0001071 

Problem

Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it so I thought I would ‘have a go’.

Solution

If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER upgrade, as it has a habit of resetting things back to default, best to make sure you know how everything is setup that might break before you start.

This upgrade took me a long time! The best part of an afternoon!

1. Before we do anything let’s take a snapshot, just in case it all goes to hell in a hand cart.

2. Gotcha! The upgrade fails if you have any expired certificates, even disabling them wont help, you need to delete all expired root certs before you start.

3. Copy the upgrade file from an FTP server to the ISE device, it wont show you any progress bar, go and get a coffee, if it does not error it’s probably copying over OK :).

4. When you get the prompt back you can check it’s there with a ‘dir’ command.

5. Before you can upgrade you need to create a repository for the upgrade;

[box]

ISE-01/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ISE-01(config)# repository upgrade
ISE-01(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ISE-01(config-Repository)# exit
ISE-01(config)# exit

[/box]

6. Then you need to ‘prepare’ for the upgrade.

[box]

ISE-01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.4.0.253.x86_64.tar.gz upgrade
Getting bundle to local machine...
md5: 35a159416afd0900c9da7b3dc6c72043
sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y

[/box]

7. Start the upgrade, this takes ages, go and have at least three coffees.

[box]ISE-01/admin# application upgrade proceed[/box]

8. The appliance will reboot and complete the upgrade, more waiting.

9. When it’s done log in and issue a show version command to check the new version.</p?

10. Follow the advice, check the article and complete any further steps as required.</p?

11. I wont list all the post install tasks, but you need to change the hardware version to ‘Red Hat Enterprise Linux 6 (64 bit).</p?

 

Related Articles, References, Credits, or External Links

NA