Cisco Vpn Access Manager Download



Introduction

This document provides a sample configuration that shows how to configure the Adaptive Security Appliance (ASA) and CallManager devices to provide certificate authentication for AnyConnect clients that run on Cisco IP Phones. After this configuration is complete, Cisco IP Phones can establish VPN connections to the ASA that make use of certificates in order to secure the communication.

Prerequisites


Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • AnyConnect Premium SSL License

  • AnyConnect for Cisco VPN Phone License

Depending on the ASA version, you will see either 'AnyConnect for Linksys phone' for ASA Release 8.0.x or 'AnyConnect for Cisco VPN Phone' for ASA Release 8.2.x or later.

Components Used

The information in this document is based on these software and hardware versions:

  • ASA - Release 8.0(4) or later

  • IP Phone Models - 7942 / 7962 / 7945 / 7965 / 7975

  • Phones - 8961 / 9951 / 9971 with Release 9.1(1) firmware

  • Phone - Release 9.0(2)SR1S - Skinny Call Control Protocol (SCCP) or later

  • Cisco Unified Communications Manager (CUCM) - Release 8.0.1.100000-4 or later

The releases used in this configuration example include:

  • ASA - Release 9.1(1)

  • CallManager - Release 8.5.1.10000-26


For a complete list of supported phones in your CUCM version, complete these steps:

  1. Open this URL: https://<CUCM Server IP Address>:8443/cucreports/systemReports.do

  2. Choose Unified CM Phone Feature List > Generate a new report > Feature: Virtual Private Network.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Phone Certificate Types

Cisco uses these certificate types in phones:

  • Manufacturer Installed Certificate (MIC) - MICs are included on all 7941, 7961, and newer model Cisco IP phones. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority (CA). When a MIC is present, it is not necessary to install a Locally Significant Certificate (LSC). In order for the CUCM to trust the MIC certificate, it utilizes the pre-installed CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA in its certificate trust store.

  • LSC - The LSC secures the connection between CUCM and the phone after you configure the device security mode for authentication or encryption.

    The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM Certificate Authority Proxy Function (CAPF) private key. This is the preferred method (as opposed to the use of MICs) because only Cisco IP phones that are manually provisioned by an administrator are allowed to download and verify the CTL file.

    Note: Due to the increased security risk, Cisco recommends the use of MICs solely for LSC installation and not for continued use. Customers who configure Cisco IP phones to use MICs for Transport Layer Security (TLS) authentication or for any other purpose do so at their own risk.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations

This document describes these configurations:

  • ASA Configuration

  • CallManager Configuration

  • VPN Configuration on CallManager

  • Certificate Installation on IP Phones

ASA Configuration

The configuration of the ASA is almost the same as when you connect an AnyConnect client computer to the ASA. However, these restrictions apply:

  • The tunnel-group must have a group-url. This URL will be configured in CM under the VPN Gateway URL.

  • The group policy must not contain a split tunnel.

This configuration uses a previously configured and installed ASA (self-signed or third party) certificate in the Secure Socket Layer (SSL) trustpoint of the ASA device. For more information, refer to these documents:

The relevant configuration of the ASA is:

CallManager Configuration

In order to export the certificate from the ASA and import the certificate into CallManager as a Phone-VPN-Trust certificate, complete these steps:

  1. Register the generated certificate with CUCM.

  2. Check the certificate used for SSL.

  3. Export the certificate.

    The Privacy Enhanced Mail (PEM) encoded identity certificate follows:

  4. Copy the text from the terminal and save it as a .pem file.

  5. Log in to CallManager and choose Unified OS Administration > Security > Certificate Management > Upload Certificate > Select Phone-VPN-trust in order to upload the certificate file saved in the previous step.

VPN Configuration on CallManager

  1. Navigate to Cisco Unified CM Administration.

  2. From the menu bar, choose Advanced Features > VPN > VPN Gateway.

  3. In the VPN Gateway Configuration window, complete these steps:

    1. In the VPN Gateway Name field, enter a name. This can be any name.

    2. In the VPN Gateway Description field, enter a description (optional).

    3. In the VPN Gateway URL field, enter the group-url defined on the ASA.

    4. In the VPN Certificates in this Location field, select the certificate that was uploaded to CallManager previously to move it from the truststore to this location.

  4. From the menu bar, choose Advanced Features > VPN > VPN Group.
  5. In the All Available VPN Gateways field, select the VPN Gateway previously defined. Click the down arrow in order to move the selected gateway to the Selected VPN Gateways in this VPN Group field.

  6. From the menu bar, choose Advanced Features > VPN > VPN Profile.

  7. In order to configure the VPN Profile, complete all fields that are marked with an asterisk (*).

    Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and if no response is received, it auto-initiates a VPN connection.

    Enable Host ID Check: If enabled, the VPN phone compares the FQDN of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match or if a wildcard certificate with an asterisk (*) is used.

    Enable Password Persistence: This allows the VPN phone to cache the username and password for the next VPN attempt.

  8. In the Common Phone Profile Configuration window, click Apply Config in order to apply the new VPN configuration. You can use the 'Standard Common Phone Profile' or create a new profile.

  9. If you created a new profile for specific phones/users, go to the Phone Configuration window. In the Common Phone Profile field, choose Standard Common Phone Profile.

  10. Register the phone to CallManager again in order to download the new configuration.

Certificate Authentication Configuration

In order to configure certificate authentication, complete these steps in CallManager and the ASA:

  1. From the menu bar, choose Advanced Features > VPN > VPN Profile.

  2. Confirm the Client Authentication Method field is set to Certificate.

  3. Log in to CallManager. From the menu bar, choose Unified OS Administration > Security > Certificate Management > Find.

  4. Export the correct certificate(s) for the selected certificate authentication method:

    • MICs: Cisco_Manufacturing_CA - Authenticate IP Phones with a MIC

    • LSCs: Cisco Certificate Authority Proxy Function (CAPF) - Authenticate IP Phones with an LSC

  5. Find the certificate, either Cisco_Manufacturing_CA or CAPF. Download the .pem file and save it as a .txt file.
  6. Create a new trustpoint on the ASA and authenticate the trustpoint with the previous saved certificate. When you are prompted for base-64 encoded CA certificate, select and paste the text in the downloaded .pem file along with the BEGIN and END lines. An example is shown:
  7. Confirm the authentication on the tunnel-group is set to certificate authentication.
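
The ASA restrictions listed earlier (a group-url on the tunnel-group, no split tunnel in the group policy), the certificate authentication setting from the last step, and the Host ID Check rule from the VPN Profile can be checked together before phones are re-registered. The following is an added example, not part of the original document or Cisco's own tooling: a small Python audit over a running-config excerpt. The sample configuration, the names GP_PHONES and PHONES, the URL, and the function names are all constructed for illustration, and the certificate CN/SAN names are assumed to have been read from the ASA certificate beforehand.

```python
import re
from urllib.parse import urlparse

# Constructed ASA running-config excerpt; every name and URL is made up.
SAMPLE_CONFIG = """\
group-policy GP_PHONES internal
group-policy GP_PHONES attributes
 split-tunnel-policy tunnelspecified
tunnel-group PHONES type remote-access
tunnel-group PHONES general-attributes
 default-group-policy GP_PHONES
tunnel-group PHONES webvpn-attributes
 authentication aaa
 group-url https://vpn.example.com/phones enable
"""

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip():
            head = line.strip()
            out.setdefault(head, [])
    return out

def audit(config, group, cert_names):
    """Findings for one tunnel-group; cert_names holds the ASA cert's CN and SAN names."""
    sec, findings = sections(config), []
    web = sec.get(f"tunnel-group {group} webvpn-attributes", [])
    gen = sec.get(f"tunnel-group {group} general-attributes", [])
    urls = [l.split()[1] for l in web if l.startswith("group-url ")]
    if not urls:
        findings.append("no group-url")
    if "authentication certificate" not in web:
        findings.append("authentication is not certificate")
    # Simplification: only an explicitly assigned group policy is inspected.
    policy = next((l.split()[1] for l in gen if l.startswith("default-group-policy ")), None)
    for l in sec.get(f"group-policy {policy} attributes", []):
        if re.fullmatch(r"split-tunnel-policy (tunnelspecified|excludespecified)", l):
            findings.append("split tunnel enabled")
    names = [n.lower() for n in cert_names]
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any("*" in n for n in names):
            findings.append("wildcard certificate fails Host ID Check")
        elif host not in names:
            findings.append(f"{host} not in certificate CN/SAN")
    return findings
```

The host name findings only matter when Enable Host ID Check is selected in the VPN Profile; the other findings apply regardless.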

Certificate Installation on IP Phones


The IP Phones can work with either MICs or LSCs, but the configuration process is different for each certificate.

MIC Installation

By default, all the phones that support VPN are pre-loaded with MICs. The 7960 and 7940 phones do not come with a MIC, and require a special installation procedure for the LSC to register securely.

Note: Cisco recommends that you use MICs for LSC installation only. Cisco supports LSCs to authenticate the TLS connection with CUCM. Because MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if MICs are compromised.

LSC Installation

  1. Enable CAPF service on CUCM.

  2. After the CAPF service is activated, assign the phone instructions to generate an LSC in CUCM. Log in to Cisco Unified CM Administration and choose Device > Phone. Select the phone you configured.

  3. In the Certificate Authority Proxy Function (CAPF) Information section, ensure all settings are correct and the operation is set to a future date.

  4. If Authentication Mode is set to Null String or Existing Certificate, no further action is required.

  5. If Authentication Mode is set to a string, manually select Settings > Security Configuration > **# > LSC > Update in the phone console.

Verify

Use this section in order to confirm that your configuration works properly.

ASA Verification

CUCM Verification

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.


Related Bugs

  • Cisco bug ID CSCtf09529, Add support for VPN feature in CUCM for 8961, 9951, 9971 phones
  • Cisco bug ID CSCuc71462, IP phone VPN failover takes 8 minutes
  • Cisco bug ID CSCtz42052, IP Phone SSL VPN Support For Non Default Port Numbers
  • Cisco bug ID CSCth96551, Not all ASCII characters are supported during phone VPN user + password login.
  • Cisco bug ID CSCuj71475, Manual TFTP entry needed for IP Phone VPN
  • Cisco bug ID CSCum10683, IP phones not logging missed, placed, or received calls
