Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

The AnyConnect image installed on the headend is automatically pushed down to the client machine
upon connection. Users who connect for the first time can download the client from the
web portal, and returning users are upgraded, provided the AnyConnect package on the
headend is newer than the one installed on their client machine.
AnyConnect packages can be obtained through the AnyConnect Secure Mobility Client section of
the 
which are to be installed on the headend will be labeled with the operating system and Head-end
deployment (PKG). AnyConnect packages are currently available for these operating system
platforms: Windows, Mac OS X, Linux (32-bit), and Linux (64-bit). Note that for Linux there are both
32-bit and 64-bit packages. Each operating system requires the proper package to be installed on the
headend in order for connections to be permitted.
Once the AnyConnect package has been downloaded, it can be uploaded to the Router's flash
with the copy command via TFTP, FTP, SCP, or a few other options. Here is an example:
After you copy the AnyConnect image to the flash of the Router, it must be installed via command
line. Multiple AnyConnect packages can be installed when you specify a sequence number at the
end of the installation command; this will allow for the Router to act as headend for multiple client
operating systems. When you install the AnyConnect package, it will also move it to the
flash:/webvpn/ directory if it was not copied there initially.
On versions of code which were released before 15.2(1)T, the command to install the PKG is
slightly different.
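As an added illustration (not taken from this manual), the session below shows the copy and install commands described above for a Windows and a Linux package. The TFTP server address 192.0.2.10, the file names and the sequence numbers are placeholders; the first install form applies to 15.2(1)T and later, the second to earlier releases:

```cisco
! Added example: copy two AnyConnect PKG files to flash over TFTP.
! 192.0.2.10 and the file names are placeholders; substitute the real
! TFTP server and the package names downloaded from Cisco.
Router# copy tftp://192.0.2.10/anyconnect-win-VERSION-k9.pkg flash:
Router# copy tftp://192.0.2.10/anyconnect-linux-64-VERSION-k9.pkg flash:

! Install on IOS 15.2(1)T and later. Each package gets its own sequence
! number so the router can act as headend for several client operating
! systems. The install step moves the file into flash:/webvpn/ if it
! is not already there.
Router# configure terminal
Router(config)# crypto vpn anyconnect flash:/anyconnect-win-VERSION-k9.pkg sequence 1
Router(config)# crypto vpn anyconnect flash:/anyconnect-linux-64-VERSION-k9.pkg sequence 2
Router(config)# end

! Equivalent install form on releases before 15.2(1)T.
Router(config)# webvpn install svc flash:/anyconnect-win-VERSION-k9.pkg sequence 1
Router(config)# webvpn install svc flash:/anyconnect-linux-64-VERSION-k9.pkg sequence 2

! Confirm the packages now sit in the webvpn directory.
Router# dir flash:/webvpn/
```

Use a different sequence number for every package; reusing one replaces the package previously installed under it rather than adding a second operating system.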
Step 3. Enable the http Server on the Router
Step 4. Generate RSA Keypair and Self-Signed Certificate
When you configure SSL or any feature that implements Public Key Infrastructure (PKI) and
digital certificates, a Rivest-Shamir-Adleman (RSA) keypair is required for the signing of the
certificate. The following command generates an RSA keypair, which is then used when the
self-signed PKI certificate is generated. While a modulus of 2048 bits is not a
requirement, it is recommended to use the largest modulus available for enhanced security and
compatibility with the AnyConnect client machines. A descriptive label is also
recommended, as it eases key management. The key generation can be confirmed
with the show crypto key mypubkey rsa command.
Note: As there are many security risks associated with making RSA keys exportable, the
recommended practice is to ensure keys are configured as not exportable, which is the
default. The risks involved when you make RSA keys exportable are discussed
in this document: 
.
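The commands below are an added example, not configuration from this manual: they cover Step 3 and the keypair and trustpoint of Step 4 in one session. The labels SSLVPN_KEYPAIR and SSLVPN_CERT are arbitrary names chosen here; the FQDN is the one this manual uses for its clients.

```cisco
! Added example (not from the manual). SSLVPN_KEYPAIR and SSLVPN_CERT
! are arbitrary labels; fdenofa-SSLVPN.cisco.com is the manual's FQDN.
Router# configure terminal

! Step 3: enable the HTTP and HTTPS servers on the router.
Router(config)# ip http server
Router(config)# ip http secure-server

! Step 4a: 2048-bit RSA keypair with a descriptive label. The
! "exportable" keyword is deliberately omitted, so the key keeps the
! default non-exportable state and the private key cannot be copied
! off the router.
Router(config)# crypto key generate rsa label SSLVPN_KEYPAIR modulus 2048

! Step 4b: trustpoint bound to that keypair, self-signed, with the CN
! set to the name users enter in the AnyConnect client.
Router(config)# crypto pki trustpoint SSLVPN_CERT
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# subject-name CN=fdenofa-SSLVPN.cisco.com
Router(ca-trustpoint)# rsakeypair SSLVPN_KEYPAIR
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll SSLVPN_CERT
Router(config)# end

! Confirm the key exists and is reported as not exportable, then
! inspect the resulting self-signed certificate.
Router# show crypto key mypubkey rsa
Router# show crypto pki certificates SSLVPN_CERT
```

In the show crypto key mypubkey rsa output, check both the label and the "Key is not exportable" line; if a key shows as exportable, regenerate it without the exportable keyword rather than reusing it for the VPN certificate.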
Once the RSA keypair has successfully been generated, a PKI trustpoint must be configured with
our router's information and RSA keypair. The Common Name (CN) in the Subject-Name should
be configured with the IP address or Fully Qualified Domain Name (FQDN) that users use to
connect to the AnyConnect gateway; in this example, the clients use the FQDN fdenofa-SSLVPN.cisco.com
when they attempt to connect. While it is not mandatory, when you correctly