Cisco FMC – Anyconnect

Introduction

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Cisco AnyConnect using Cisco FMC.

Prerequisites & general issues

A Mideye Server (any release) is required. If there is a firewall between the Cisco FMC and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). The Cisco FMC acts as a RADIUS client towards the Mideye Server, so the Cisco FMC must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Integration steps

Create a new VPN Policy

Navigate to Devices followed by Remote Access. Click “Add” in the top right corner. Give the policy a name and a description. Select the VPN protocol to be used and the firewall to be targeted. Click “Next”.

Create a new VPN policy

Enter a suitable Profile name and select AAA Only in the dropdown list. Click the + sign and select “RADIUS Server Group”. Fill out the form to create a new RADIUS group and add the Mideye Servers with their IP addresses and shared secret. Make sure to set the RADIUS timeout to at least 35 seconds.

If accounting and authorization are to be used, select the same RADIUS group or create a new one.

Finally, under client address assignment, create a new policy or use the predefined one.

Create a new RADIUS-group
Connection Profile

On the next page, select the Cisco Anyconnect images and click “Next” to select interface and certificate for the Remote Access. Complete the wizard.

Change timeout for Cisco Anyconnect

There are two different timeouts for Cisco AnyConnect. The one configured in the step above applies to the web-based AnyConnect; to change it for the desktop client, a client profile must be modified and selected.

Navigate to Devices followed by Remote Access. Edit the Anyconnect policy and click “Edit Group Policy” right under the Group Policy name. Select the Anyconnect tab.

Before a Client Profile can be added, it must be created and uploaded to the Cisco FMC. Log in to cisco.com, then download and install the Profile Editor.

Open the VPN Profile Editor on your local machine and navigate to Preferences (Part 2). Change the default timeout (12 sec) to 35 seconds. Save the file and upload it to the Cisco FMC.

Change the timeout to 35 seconds.
Add the created xml-file to Cisco FMC.
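A small check for the profile step above, added here as an example and not part of the original guide or any Mideye or Cisco tooling: it reads the timeout from the saved profile XML, reports whether it meets the 35-second minimum, and rewrites it if not. The namespace and the AuthenticationTimeout element under ClientInitialization are assumptions about the AnyConnect profile format, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

MIN_TIMEOUT_SECONDS = 35      # the guide requires at least 35 s for the second factor
DEFAULT_TIMEOUT_SECONDS = 12  # AnyConnect default when the element is absent (guide: 12 s)
TAG = "AuthenticationTimeout"  # assumed element name from the AnyConnect profile format

# Constructed sample of a VPN profile as the Profile Editor saves it; the namespace
# and element names are assumptions, not taken from this guide.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
</AnyConnectProfile>
"""

def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def read_authentication_timeout(profile_xml: str) -> int:
    """Seconds the desktop client waits for the RADIUS answer; the default if unset."""
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if _local(elem.tag) == TAG:
            return int((elem.text or "").strip())
    return DEFAULT_TIMEOUT_SECONDS

def profile_timeout_ok(profile_xml: str, minimum: int = MIN_TIMEOUT_SECONDS) -> bool:
    """True when the client will wait long enough for the Mideye second factor."""
    return read_authentication_timeout(profile_xml) >= minimum

def set_authentication_timeout(profile_xml: str, seconds: int) -> str:
    """Return the profile with AuthenticationTimeout set (element added if missing)."""
    root = ET.fromstring(profile_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:  # keep the default namespace on output instead of an ns0: prefix
        ET.register_namespace("", ns)
    target = next((e for e in root.iter() if _local(e.tag) == TAG), None)
    if target is None:
        init = next((e for e in root.iter() if _local(e.tag) == "ClientInitialization"), None)
        if init is None:
            init = ET.SubElement(root, f"{{{ns}}}ClientInitialization" if ns else "ClientInitialization")
        target = ET.SubElement(init, f"{{{ns}}}{TAG}" if ns else TAG)
    target.text = str(seconds)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", read_authentication_timeout(SAMPLE_PROFILE), "s, ok:", profile_timeout_ok(SAMPLE_PROFILE))
    fixed = set_authentication_timeout(SAMPLE_PROFILE, MIN_TIMEOUT_SECONDS)
    print("after: ", read_authentication_timeout(fixed), "s, ok:", profile_timeout_ok(fixed))
```

Run it against the XML exported from the Profile Editor before uploading; a profile left at the 12-second default will fail the check.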

Add the firewall as a RADIUS client in the Mideye Server

See section RADIUS clients in the reference guide.

Troubleshoot

Check RADIUS-logs

Check if anything is written to the Mideye RADIUS logs. These can be found in

Mideye Server\log\radius-messages.log

If nothing is logged, verify that UDP port 1812 is allowed between your Cisco ASA and the Mideye Server.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.