Cisco Anyconnect For Ubuntu 20.04
Introduction
This document provides a configuration example of Security Assertion Markup Language (SAML) Authentication on FTD managed over FMC. The configuration allow Anyconnect users to establish a VPN session authenticating with a SAML Identity Service Provider.
Prerequisites
Requirements
Linux Red Hat 6, 7, 8.1 & Ubuntu 16.04 (LTS), 18.04 (LTS), and 20.04 (LTS) Additional Information To retrieve important information, such as download links, configuration details, codes/serial numbers, and installation instructions, login to our website, and click on Order History. Ubuntu 20.04 LTS (Focal Fossa) Ubuntu Universe amd64. OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been.
Cisco recommends that you have knowledge of these topics:
- Knowledge of Anyconnect configuration on FMC
- Knowledge of SAML and metatada.xml values
Components Used
The information in this document is based on these software and hardware versions:
- Firepower Threat Defense (FTD) version 6.7.0
- Firepower Management Center (FMC) version 6.7.0
- ADFS from AD Server with SAML 2.0
Note: If possible, use a NTP server to synchronize time between the FTD and IdP. Otherwise, make sure the time is manually synchronized between them.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Some of the current limitations for SAML are:
- SAML on either ASA or FTD is supported for Authentication only, for authorization you can use an external AAA server with protocols such Radius or LDAP
- Having SAML authentication attributes available in DAP evaluation (similar to RADIUS attributes sent in RADIUS auth response from AAA server) is not supported
- ASA supports SAML enabled tunnel-group on DAP policy. However, you cannot check the username attribute while using SAML authentication, because the username attribute is masked by the SAML Identity provider
- More limitations or SAML are described in the below link. These limitations apply to ASA and FTD: 'Guidelines and Limitations for SAML 2.0 '
Note: All the SAML configuration that needs to be implemented on the FTD, can be found on the metadata.xml file provided by your IdP.
Configuration
This section describes how to configure Anyconnect with SAML authentication on FTD
Get the SAML IdP parameters
The below image shows a SAML IdP metadata.xml file. From the output, you can get all values needed in order to configure the Anyconnect profile using SAML:
Configuration on the FTD via FMC
Step 1. Install and enroll the IdP certificate on the FMC. Navigate to Devices > Certificates
Step 2. Click Add. Select the FTD where you want to enroll this certificate. Under Cert Enrollment, click on the + sign
In the Add Cert Enrollment section, use any name as label for the IdP cert. Make sure you click on Manual. Check the CA Only and Skip Check for CA flag fields, Then, paste the base64 format IdP CA cert. Finally, click on Save and then on Add
Step 3. Configure the SAML server settings. Navigate to Objects > Object Management > AAA Servers > Single Sign-on Server. Then, select Add Single Sing-on Server
Step 4. Based on the metadata.xml file already provided by your IdP, configure the SAML values on the New Single Sign-on Server
Step 5. Configure the Connection Profile that uses this authentication method. Navigate to Devices > Remote Access and then edit your existing VPN Remote Access configuration
Step 6. Click on the + sign and add another Connection Profile
Step 7. Create the new Connection Profile and add the proper VPN local pool or DHCP Server
Step 8. Now, select the AAA tab. Under the Authentication Method option, select SAML. Under the the Authentication Server option, select the SAML object created on Step 4
Step 9. Finally, create a group-alias to map the connections to this Connection Profile. This is the tag that users can see on the Anyconnect Software drop-down menu. Once this is configured, select OK and save the complete SAML Authentication VPN configuration
Step 10. Navigate to Deploy > Deployment and select the proper FTD in order to apply the SAML Authentication VPN changes
Step 11. Now, provide the FTD's metadata.xml file to the IdP so they add the FTD as a trusted devic. On the FTD CLI, run the command: 'show saml metadata SAML_TG ' where SAML_TG is the name of our Connection Profile created on Step 7.
As seen in the below bracket, this is the expected output from the command mentioned above:
Once the metadata.xml from the FTD is provided to the IdP and they add it as a trusted device, test under the VPN connection can be done.
Verify
Verify if the VPN Anyconnect connection was established using SAML as authentication method with the commands seen below:
Troubleshoot
Some verification commands on the FTD CLI can be used to troubleshoot SAML and Remote Access VPN connection as seen in the bracket:
Note: You can troubleshoot DART from the Anyconnect's user PC as well
Objective
The objective of this article is to guide you through installing, using, and the option of uninstalling AnyConnect VPN Client v4.9.x on Ubuntu Desktop.
Introduction
The Cisco AnyConnect Virtual Private Network (VPN) Mobility Client provides remote users with a secure VPN connection. It provides the benefits of a Cisco Secure Sockets Layer (SSL) VPN client and supports applications and functions unavailable to a browser-based SSL VPN connection. Commonly used by remote workers, AnyConnect VPN lets employees connect to the corporate network infrastructure as if they were physically at the office, even when they are not. This adds to the flexibility, mobility, and productivity of your workers. Cisco AnyConnect is compatible with Windows 7, 8, 8.1, and 10, Mac OS X 10.8 and later, and Linux Intel (x64).
Follow the steps in this article to install the Cisco AnyConnect VPN Mobility Client on a Ubuntu Desktop. In this article, Ubuntu version 20.04 is used.
If you are using a Windows computer, click here to view an article on how to install AnyConnect on Windows.
If you are using a Mac computer, click here to view an article on how to install AnyConnect on Mac.
AnyConnect Software Version
- AnyConnect - v4.9.x (Download latest)
Table of Contents
Installing AnyConnect Secure Mobility Client v4.9.x
Step 1
Cisco Anyconnect For Ubuntu 20.04 Full
Download the AnyConnect Pre-Deployment Package for Linux from Cisco Software Downloads.
The latest release at the time of publication was 4.9.01095.
Step 2
Open the Terminal by pressing Ctrl+Alt+T on your keyboard. To navigate to the folder where you have downloaded the AnyConnect Client Package, use the command, ‘cddirectory name’. For more information on the ‘cd’ command, click here.
In this example, the file is placed on the Desktop.
The directory may be different based on the location of the AnyConnect file download. For long filenames or paths, start typing some characters and press the tab key on your keyboard. The filename will auto-populate. If it doesn't even after you press tab twice, it indicates that you need to type more number of unique characters. Alternately, you can use the 'ls' command to list the files in your current directory.
Step 3
The initial download is a tarball archive (several files packed into one), which must be extracted. The command ‘tar xvffilename’ will extract the contents to the same directory in which the initial file is located.
For more information on the ‘tar’ command, click here.
Step 4
Once the folder is extracted, use the ‘cddirectory name’ command again to navigate into the folder.
cd [Directory Name]
Step 5
After navigating into the main folder, ‘cd’ into the vpn sub-folder.
Step 6
To run the AnyConnect install script, type ‘sudo ./vpn_install.sh’. This will begin the installation process using superuser permissions.
sudo ./vpn_install.sh
For more details on the 'sudo' command, click here.
Step 7
Accept the terms in the license agreement to complete the installation by typing ‘y’.
The AnyConnect installation should complete, and the Terminal window can be closed.
Using AnyConnect Secure Mobility Client v4.9.x
Step 1
To access the Anyconnect app, open the Terminal by pressing Ctrl+Alt+T on your keyboard. Use the command, ‘/opt/cisco/anyconnect/bin/vpnui’.
/opt/cisco/anyconnect/bin/vpnui
If you encounter any errors through the Terminal, you can access the app from the applications menu as shown below.
To access the applications menu using the User Interface (UI), click on the start icon (appears as nine dots on the lower left corner). Choose the Anyconnect app.
Alternatively, press Super+A (Super key is the windows icon key) on your keyboard to bring up the search bar. Start typing 'Anyconnect' and the app will appear.
Step 2
Click on the Anyconnect app.
Step 3
Enter the IP Address or Hostname of your desired server followed by the port number.
For RV340 family, the default port number is 8443.
Step 4
Cisco Anyconnect For Ubuntu 20.04 Windows 7
Some connections may not be secure using a trusted SSL certificate. By default, AnyConnect Client will block connection attempts to these servers.
Uncheck Block connections to untrusted servers to connect to these servers.
Ubuntu Cisco Anyconnect Vpn
Uninstalling AnyConnect Secure Mobility Client v4.9.x
Step 1
Using Terminal, navigate to the folder that contains the uninstall shell script using the ‘cd’ command.
In a default installation, these files will be located in /opt/cisco/anyconnect/bin/.
Step 2
To run the Anyconnect uninstall script, enter ‘sudo ./vpn_uninstall.sh’
This will begin the uninstall process using superuser permissions. For more information on the 'sudo' command, click here.
Step 3
At the prompt, enter the sudo password and the client software will complete uninstallation.
Conclusion
There you have it! You have now successfully learned the steps to install, use, and uninstall the Cisco AnyConnect Secure Mobility Client v4.9.x on Ubuntu Desktop.
For community discussions on Site-to-Site VPN, go to the Cisco Small Business Support Community page and do a search for Site-to-Site VPN.
AnyConnect App
The Anyconnect App can be downloaded from the Google Play store or the Apple store.