Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 9 of 16
Trusted Network Detection [16] for Windows, Mac OS X, and Android
The Trusted Network Detection (TND) feature enhances the user experience by automating the VPN connection
based on user location. When the user is inside the corporate network, Jabber can reach the Cisco Unified
Communications infrastructure and hence does not require VPN. However, as soon as the user leaves the
corporate network, the VPN will be initiated to ensure Jabber’s connectivity to the Unified Communications
infrastructure. The TND feature is configured in the AnyConnect client profile using ASDM.
The administrator defines the list of trusted DNS servers and trusted DNS domain suffixes that an interface
may receive when the client is on a corporate network. The AnyConnect client will compare the current interface
DNS servers and domain suffix with the settings in the profile.
Note: You must specify all the DNS servers for TND to work. If you configure both the trusted DNS domains and
trusted DNS servers, sessions must match both settings to be considered in the trusted network.
Note: TND works for both certificate- and password-based authentication. However, certificate-based
authentication provides the most seamless experience.
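The TND decision described above (compare the interface's current DNS servers and domain suffix with the trusted lists in the profile, require both to match when both are configured, and treat any unlisted DNS server as a mismatch) can be modelled in a few lines. The following is an added example written for this page, not AnyConnect code and not from this document; the profile fragment is constructed, the element names `AutomaticVPNPolicy`, `TrustedDNSDomains`, `TrustedDNSServers`, `TrustedNetworkPolicy` and `UntrustedNetworkPolicy` are assumed to follow the AnyConnect profile schema, and the "all interface DNS servers must be listed" reading of the note is an interpretation.

```python
"""Model of the AnyConnect Trusted Network Detection (TND) match logic.

Added example for this page; assumptions are marked in comments.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the TND-related part of an AnyConnect client profile.
# Element names are assumed to follow the AnyConnect profile schema.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com,lab.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.1.53,10.10.2.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _csv(text):
    """Split a comma-separated profile value into normalised entries."""
    return [t.strip().lower() for t in (text or "").split(",") if t.strip()]


def load_tnd_settings(profile_xml):
    """Return the TND settings from a profile, or None if TND is disabled."""
    root = ET.fromstring(profile_xml)
    policy = next((e for e in root.iter() if _local(e.tag) == "AutomaticVPNPolicy"), None)
    if policy is None or (policy.text or "").strip().lower() != "true":
        return None  # AutomaticVPNPolicy absent or false: TND not in use
    fields = {_local(c.tag): (c.text or "").strip() for c in policy}
    return {
        "domains": set(_csv(fields.get("TrustedDNSDomains"))),
        "servers": {ipaddress.ip_address(s) for s in _csv(fields.get("TrustedDNSServers"))},
        "trusted_action": fields.get("TrustedNetworkPolicy", "Disconnect"),
        "untrusted_action": fields.get("UntrustedNetworkPolicy", "Connect"),
    }


def is_trusted_network(settings, iface_dns_servers, iface_dns_suffix):
    """Apply the profile's trusted-network test to one interface's DNS settings."""
    if settings is None:
        return False
    checks = []
    if settings["servers"]:
        iface = {ipaddress.ip_address(s) for s in iface_dns_servers}
        # Every DNS server configured on the interface must be in the trusted list
        # (interpretation of "you must specify all the DNS servers for TND to work").
        checks.append(bool(iface) and iface <= settings["servers"])
    if settings["domains"]:
        # The interface's DNS suffix must equal one of the trusted domain suffixes.
        checks.append((iface_dns_suffix or "").strip().lower() in settings["domains"])
    # When both lists are configured, both must match; with nothing configured
    # there is no basis for trust, so the network is treated as untrusted.
    return bool(checks) and all(checks)


def tnd_action(settings, iface_dns_servers, iface_dns_suffix):
    """Return the policy action TND would take for this interface."""
    if settings is None:
        return "DoNothing"  # assumed name for the no-TND case
    trusted = is_trusted_network(settings, iface_dns_servers, iface_dns_suffix)
    return settings["trusted_action"] if trusted else settings["untrusted_action"]


if __name__ == "__main__":
    tnd = load_tnd_settings(SAMPLE_PROFILE)
    scenarios = [
        ("office LAN", ["10.10.1.53", "10.10.2.53"], "corp.example.com"),
        ("home router", ["192.168.1.1"], "home"),
        ("office LAN with an unlisted resolver", ["10.10.1.53", "8.8.8.8"], "corp.example.com"),
        ("trusted resolver but guest suffix", ["10.10.1.53"], "guest.example.com"),
    ]
    for label, servers, suffix in scenarios:
        print(f"{label:40s} -> {tnd_action(tnd, servers, suffix)}")
```

The third and fourth scenarios are the cases the two notes warn about: one DNS server missing from the trusted list, or a suffix that does not match, is enough to drop the interface into the untrusted policy, so an incomplete trusted-server list shows up as the VPN connecting while the user is still on the corporate LAN.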
Certificate-Based Authentication
The AnyConnect client supports many authentication methods, including Active Directory (AD)/Lightweight
Directory Access Protocol (LDAP) password, RADIUS-based one-time tokens, certificates, and more. Of all the
methods, client certificate authentication enables the most seamless experience. Please see the Cisco ASA
configuration guide [17] for a detailed explanation of certificates for VPN authentication.
Configuring ASA for Certificate Authentication
The Cisco ASA supports certificates issued by various standard certificate authority (CA) servers, such as Cisco
IOS® CA, Microsoft Windows 2003, Windows 2008 R2, Entrust, VeriSign, RSA Keon, etc. There are five steps to
enable certificate authentication on the ASA.
Step 1. Import a root certificate from the CA to the ASA.
Step 2. Generate an identity certificate for the ASA.
Step 3. Use the ASA identity certificate for SSL authentication.
Step 4. Configure the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).
Step 5. Configure the ASA to request client certificates for authentication.
[16] TND:
[17] Certificates on ASA: