Cisco Anyconnect Clientless IOS Implementation¶
TBC
Configuration Steps¶
- Generate RSA Keys for use with SSL/TLS
- Enable AAA
- Enable the HTTP/HTTPS Server
- Configure the WebVPN Gateway
- Configure the WebVPN Context
- Configure Local Accounts
Generate RSA Keys¶
In order for the HTTP Server to also provide SSL/TLS services we need to generate the public and private keys that it will use:
crypto key generate rsa modulus <bit-size>
Enable AAA¶
So that users can be authenticated and authorised, its necessary to enable the AAA sub-system and optionally different a method list specifying how users should be authenticated.
! Enable the AAA sub-system
aaa new-model
! Optional - Define a specific method list for WebVPN authentication
aaa authentication login <webvpn-method-list-name> local
Enable the HTTP/HTTPS Server¶
In order for users to be able to access the SSL Portal, an HTTP/HTTPS server must be enabled on the IOS router as follows:
ip http server
ip http secure-server
Configure the WebVPN Gateway¶
To accomplish this the following information is needed:
- IP Address
- Port Number
webvpn gateway <web-gw-name>
ip address <web-gw-ip> port <web-gw-port>
! Optional - Configure gateway hostname, should match certificate used
hostname <web-gw-hostname>
! Optional - Redirect HTTP to HTTPS
http-redirect <http-port>
! Optional - Specify supported cipher suites
ssl encryption [aes-sha1] [3des-sha1] [rc4-md5]
! Enable the gateway
inservice
Configure the WebVPN Context¶
A WebVPN context is a means by which a certain portal type can be displayed to users. The context can either be specified by the user or provided as part of the users authorization properties (e.g. from RADIUS).
webvpn context <web-cxt-name>
! Optional Specify how users should be authenticated, global config will
! be used if not specified
aaa authentication list <webvpn-method-list-name>
! Create a policy for this context (multiples can exist)
policy group <webvpn-policy-group-name>
! All the below settings are optional
banner <login banner string>
hide-url-bar
port-forward <port-list-name>
timeout [idle <seconds] [session <seconds>]
url-list <url-list-name>
! Specifies the default policy to use if nothing is specified from AAA
default-group-policy <web-vpn-policy-group-name
! Associates this context with a specifiic SSL VPN gateway
gateway <web-gw-name> [domain <domain-name>]
! Optional - Display a message on the login screen
login-message
! Optional - Maximum allowed users under this context
max-users <no-of-users>
! Enable the context
inservice
Configure Local Accounts¶
If user accounts will not be configured on a central authentication server, it is necessary to configure the users locally on the IOS router.
username <webvpn-username> <webvpn-password>
Troubleshooting¶
The following commands can be useful in troubleshooting WebVPN
debug webvpn aaa
debug aaa accounting