asa

The video takes you through the Cisco ASA AnyConnect VPN abilities to gather VPN client information using Hostscan and basic Endpoint Assessment features. We will be deploying a Hostscan agent as part of an AnyConnect Posture module, and creating a pre-login policy from device registry and OS checks to categorize the endpoint and allow or deny VPN access accordingly. The video finishes with enabling Host Scan extension as a preparation to the next lab video.

The video walks you through an installation of Cisco Prime Security Manager (PRSM) server for managing multiple CX devices. You will get to see the start, where a virtual machine is created, to the finish, where the web interface can be accessed. Since the installation is performed in VMware, a knowledge of VMware ESXi is recommended.

The video introduces you to Cisco ASA CX monitor-only mode and help you understand what you can do when your CX operates under this mode. We will demonstrates primarily how network traffic can be monitored without interfering with the actual traffic. In addition, we will attempt to integrate CX to CDA and obtain user identity via passive authentication in order to see username instead of source IP of the traffic.

The video shows you how to install Cisco ASA CX software service version 9.3 from scratch. Here we assume to have a blank SSD although the same procedure also applies if you want to perform a module recovery. We will be able to access the CX web interface by the end of this video.

The video demonstrates different ways that you can leverage client-based certificate authentication with Cisco ASA AnyConnect VPN. Some of things that we will be configuring includes certificate attribute mapping to tunnel-group, authorization against Cisco ISE, dual-factor authentication with certificate and AD credential, and finally, secondary authentication. These are inherent features to the AnyConnect VPN. Additional certificate features related to AnyConnect Secure Mobility will be explored in the future videos.

The video demonstrates different ways that you can leverage client-based certificate authentication with Cisco ASA AnyConnect VPN. Some of things that we will be configuring includes certificate attribute mapping to tunnel-group, authorization against Cisco ISE, dual-factor authentication with certificate and AD credential, and finally, secondary authentication. These are inherent features to the AnyConnect VPN. Additional certificate features related to AnyConnect Secure Mobility will be explored in the future videos.

The video shows you an ability to integrate Cisco ASA with LDAP server (here we use Active Directory) and perform user attribute to RADIUS attribute mapping for Cisco AnyConnect VPN configuration. We will step through the entire process of assigning VPN parameters to an AD user, identifying the corresponding LDAP attributes, and map them to desired RADUS attributes. This is another alternative to those that do not own a RADIUS server.

The video helps you centralize your Cisco ASA AnyConnect VPN client group-policy configuration to your RADIUS server in case you would like to maintain configuration consistency on multiple ASA VPN devices. We will convert the group-policy configured in the previous lab into RADIUS attributes and, in addition, push out a Downloadable ACL (DACL). We will also demonstrate how per-user authorization still overwrites the configuration received from the group-policy. 

The video walks you through a basic setup of Cisco ASA AnyConnect client VPN that will serve as a foundation configuration of our subsequent labs. This includes supporting configuration such as routing, NAT, address pool, and default group-policy. We will have a working VPN setup that matches the traditional IPSec remote user VPN at the end of this lab.