Cisco 5505 Administration Guide - Page 78

Configuring the ServerList Attribute, Configuring the Certificate Match Attribute



7-12
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Configuring Profile Attributes
You must also specify on the security appliance that you want to allow SBL (or any other modules for additional features). See the section Enabling Modules for Additional AnyConnect Features, page 5-5 (ASDM) or Enabling Modules for Additional AnyConnect Features, page 6-4 (CLI) for a description of how to do this.
Configuring the ServerList Attribute
One of the main uses of the profile is to supply a user of the client with a list of hosts to which they can connect. The user then selects the appropriate server. This server list consists of host name and host address pairs. The host name can be an alias used to refer to the host, an FQDN, or an IP address. If an FQDN or IP address is used, a HostAddress element is not required. In establishing a connection, the host address is used as the connection address unless it is not supplied. This allows the host name to be an alias or other name that need not be directly tied to a network addressable host. If no host address is supplied, the connection attempt tries to connect to the host name.

As part of the definition of the server list, a default server can be specified. This default server is identified as such the first time a user attempts a connection using the client. If a user connects with a server other than the default, the selected server becomes the new default for that user. The user selection does not alter the contents of the profile. Instead, the user selection is entered into the user preferences.
<?xml version="1.0" encoding="UTF-8" ?>
<Configuration>
  <ServerList>
    <HostEntry>
      <HostName>MarketingASA01</HostName>
      <HostAddress>209.165.200.224</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>EngineeringASA01</HostName>
      <HostAddress>209.165.200.225</HostAddress>
    </HostEntry>
  </ServerList>
</Configuration>
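The fallback rule described above (HostAddress is the connection target when present, otherwise HostName) can be checked before a profile is deployed. The following is an added example, not code from the Cisco guide: the last two HostEntry elements are constructed, and treating a dot-less, non-IP HostName as an alias is an assumption of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the guide's two entries plus two hypothetical
# entries (vpn.example.com, SalesASA01) that exercise the fallback rule.
PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <ServerList>
    <HostEntry>
      <HostName>MarketingASA01</HostName>
      <HostAddress>209.165.200.224</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>EngineeringASA01</HostName>
      <HostAddress>209.165.200.225</HostAddress>
    </HostEntry>
    <HostEntry><HostName>vpn.example.com</HostName></HostEntry>
    <HostEntry><HostName>SalesASA01</HostName></HostEntry>
  </ServerList>
</Configuration>"""

ALIAS_WARNING = "alias without HostAddress; connection depends on client name resolution"

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def resolve_server_list(profile_xml):
    """Return (display name, connection target, warning) for each HostEntry."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    results = []
    for entry in root.iterfind("./ServerList/HostEntry"):
        name = (entry.findtext("HostName") or "").strip()
        addr = (entry.findtext("HostAddress") or "").strip()
        target = addr or name  # HostAddress wins; otherwise fall back to HostName
        warning = None
        if not name:
            warning = "missing HostName"
        elif not addr and not is_ip(name) and "." not in name:
            # Assumption: a bare label is an alias rather than an FQDN.
            warning = ALIAS_WARNING
        results.append((name, target, warning))
    return results

if __name__ == "__main__":
    for row in resolve_server_list(PROFILE):
        print(row)
```

Entries flagged with a warning are the ones where the name shown to the user is also what the client will try to connect to.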
Configuring the Certificate Match Attribute
The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching criteria are global and can be set in an AnyConnect profile. The criteria are:
  • Key Usage
  • Extended Key Usage
  • Distinguished Name

Certificate Key Usage Matching
Certificate key usage offers a set of constraints on the broad types of operations that can be performed with a given certificate. The supported set includes:
  • DIGITAL_SIGNATURE
  • NON_REPUDIATION
  • KEY_ENCIPHERMENT