Add VPN Profiles

A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This section describes how to create VPN profiles to allow for configuration of remote user connections through a VPN.

The following topics explain how to configure remote access VPN profiles.


Step 1 – General Settings

Enter a name and configure the general settings that this VPN profile will use.

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.

  2. For VPN Profiles, click Add.

  3. Enter a meaningful VPN Profile name for this profile.

  4. Configure the General settings for this VPN profile:

    1. Optionally, enter a Display name for this profile. This is a customizable and flexible label that is displayed to end users of the Cisco Secure Client for ease of selection when choosing the appropriate profile.

    2. Enter the Default Domain.

    3. Choose a DNS Server from the drop-down, or click New to add a new DNS server pair.
      The DNS server mapped through the Manage IP Pool page is set as the default server. Selecting another DNS server overwrites this default server.

  5. Under Profile Settings, review the following settings and choose the options appropriate for this profile:

    • Check Include machine tunnel for this profile to allow a client device to connect to Secure Access before a user initiates a login. Click + Add Machine Tunnel to configure a machine tunnel if one does not exist for this profile; see Manage Machine Tunnels for information.
    • Check Include regional FQDN to add a region-specific FQDN to the hostname, which provides flexibility to clients when connecting to their VPN headend.

  6. Under Protocol, select the protocol(s) that this VPN profile will use:

    • TLS/DTLS
    • IKEv2
    At least one protocol must be selected. If both TLS/DTLS and IKEv2 are selected, choose the primary protocol from the Primary drop-down.

  7. Optionally, choose a Connect time posture from the drop-down.

  8. Click Next.

Step 2 – Authentication, Authorization, and Accounting

Choose a configuration method from the Protocols drop-down to complete the authentication process for this VPN profile. Authentication is the way a user is identified before being allowed access to the network and network resources. Authentication requires valid user credentials, a certificate, or both. You can use authentication alone, or with authorization and accounting.

Choose from:

SAML

Use this option to authenticate users with SAML.

SAML Configuration

When you choose SAML, each user is authenticated using the SAML single sign-on server.

  • External browser authentication—Select this option to have Secure Client use a local browser for authentication. When selected, Secure Client can support other SAML-based web authentication options, such as Single Sign On, biometric authentication, or other enhanced methods that are unavailable with an embedded browser.
  • Forced re-authentication—Select this option to force a re-authentication whenever a VPN connection is initiated. Forced re-authentication is related to the Session Timeout setting; see Cisco Secure Client Configuration.

For more information about Secure Access and SAML, see Configure Integrations with SAML Identity Providers. SAML authentication for remote access VPNs supports SAML, SAML + Single CA certificate, and SAML + Multiple CA Certificates.

SAML Metadata XML Configuration

  1. Click the SAML Metadata XML Configuration option, provide your Service Provider XML file and follow the guidelines to complete your Identity Provider (IdP) setup.
  2. Upload your IdP Security Metadata XML file to Secure Access. You can drag-and-drop the file or click the upload icon to browse and select the file.

Manual Configuration

  1. Click the Manual Configuration option and complete the form with information obtained from your Service Provider (SP) and Identity Provider (IdP).
  2. Download the SP Certificate.
  3. Obtain the following from the SAML IdP:
    1. Identity Provider Entity ID URL.
    2. Sign-in URL.
    3. Sign-out URL.
    4. IdP Certificate.
    5. Request Signature.
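
The manual configuration step asks for four values that all live in the IdP's metadata document: the entity ID, the sign-in (SingleSignOnService) URL, the sign-out (SingleLogoutService) URL and the IdP signing certificate. The following Go program is an added example, not code from Cisco or from the Secure Access product, that pulls those values out of a metadata file so they can be checked before being typed into the form. The sample metadata, the hostnames under `idp.example.test` and the certificate body are constructed placeholders, and the binding preference order (HTTP-Redirect before HTTP-POST) is an assumption of this example rather than a Secure Access requirement.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// sampleIdPMetadata is constructed for this example; the certificate body is
// a placeholder, not a real X.509 certificate.
const sampleIdPMetadata = `<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-NOT-A-REAL-CERTIFICATE
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`

// preferredBindings is the order this example picks endpoints in (an
// assumption of the example, not a Secure Access requirement).
var preferredBindings = []string{
	"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
	"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

type endpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

// Only the root element is pinned to the SAML metadata namespace; nested
// elements are matched by local name to keep the struct short.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	IDP      struct {
		Keys []struct {
			Use   string   `xml:"use,attr"`
			Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"KeyDescriptor"`
		SSO []endpoint `xml:"SingleSignOnService"`
		SLO []endpoint `xml:"SingleLogoutService"`
	} `xml:"IDPSSODescriptor"`
}

// IdPSettings holds the values the manual SAML form asks for.
type IdPSettings struct {
	EntityID, SignInURL, SignOutURL, SigningCert string
}

// pickEndpoint returns the Location of the first endpoint whose binding is
// highest in preferredBindings, or "" if none matches.
func pickEndpoint(eps []endpoint) string {
	for _, b := range preferredBindings {
		for _, e := range eps {
			if e.Binding == b {
				return e.Location
			}
		}
	}
	return ""
}

// ExtractIdPSettings parses IdP metadata and returns the entity ID, sign-in
// and sign-out URLs and the signing certificate (whitespace stripped). It
// fails if the entity ID, a usable sign-in URL or the certificate is missing;
// a missing sign-out URL is tolerated because SingleLogoutService is optional.
func ExtractIdPSettings(metadata []byte) (IdPSettings, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return IdPSettings{}, err
	}
	s := IdPSettings{EntityID: ed.EntityID, SignInURL: pickEndpoint(ed.IDP.SSO), SignOutURL: pickEndpoint(ed.IDP.SLO)}
	for _, k := range ed.IDP.Keys {
		// A KeyDescriptor without a "use" attribute serves both signing and encryption.
		if (k.Use == "signing" || k.Use == "") && len(k.Certs) > 0 {
			s.SigningCert = strings.Join(strings.Fields(k.Certs[0]), "")
			break
		}
	}
	switch {
	case s.EntityID == "":
		return s, errors.New("metadata has no entityID")
	case s.SignInURL == "":
		return s, errors.New("no SingleSignOnService with a supported binding")
	case s.SigningCert == "":
		return s, errors.New("no signing certificate in metadata")
	}
	return s, nil
}

func main() {
	s, err := ExtractIdPSettings([]byte(sampleIdPMetadata))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

Failing closed on a missing signing certificate matters more than it looks: an SP that accepts metadata with no signing key cannot verify assertions, so the check belongs at import time, before the profile goes live.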

RADIUS

Use this option to authenticate users on a RADIUS server.

When you choose RADIUS, each user is authenticated using RADIUS group servers. RADIUS authentication for remote access VPNs supports RADIUS, RADIUS + Single CA certificate, and RADIUS + Multiple CA Certificates.

Certificate

Use this option to authenticate users with trusted certificate authorities (CAs).

When you choose Certificate, each user is authenticated with a client certificate. The client certificate must be configured on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU. If the user name is specified in other fields of the client certificate, use the Primary field to authenticate and Secondary field to authenticate settings to map the appropriate fields.

Select Multiple Certificates authentication to authenticate the VPN client using the machine and user certificates.

If you have enabled Multiple Certificates authentication, you can select one of the following certificates to map the username and authenticate the VPN user:

  • First Cert—Select this option to map the username from the machine certificate sent from the VPN client.
  • Second Cert—Select this option to map the username from the user certificate sent from the client.

Note: If you do not enable multiple certificate authentication, the user certificate (second certificate) is used for authentication by default.
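
To make the certificate-to-username mapping concrete, here is an added Go example that is not part of Cisco's documentation or the Secure Access product. It generates constructed, self-signed client certificates (names under `example.test`, a machine certificate and a user certificate), derives the username from a primary and a secondary certificate field, and picks which presented certificate is used under the Multiple Certificates options above. Two behaviours are assumptions of the example rather than documented product behaviour: the secondary field is used only when the primary is empty, and a certificate with neither field populated is rejected rather than mapped to an empty username.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertField names a client-certificate field a username can be mapped from.
type CertField string

const (
	FieldCN    CertField = "CN" // subject Common Name
	FieldOU    CertField = "OU" // subject Organizational Unit
	FieldEmail CertField = "EA" // rfc822Name e-mail address in the subjectAltName
)

// fieldValue returns the first value of the requested field, or "" if absent.
func fieldValue(cert *x509.Certificate, f CertField) string {
	switch f {
	case FieldCN:
		return cert.Subject.CommonName
	case FieldOU:
		if len(cert.Subject.OrganizationalUnit) > 0 {
			return cert.Subject.OrganizationalUnit[0]
		}
	case FieldEmail:
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0]
		}
	}
	return ""
}

// DeriveUsername takes the primary field and, if it is empty, the secondary
// field. Fallback-on-empty and fail-closed are assumptions of this example.
func DeriveUsername(cert *x509.Certificate, primary, secondary CertField) (string, error) {
	if v := fieldValue(cert, primary); v != "" {
		return v, nil
	}
	if v := fieldValue(cert, secondary); v != "" {
		return v, nil
	}
	return "", errors.New("certificate carries no value in the mapped fields")
}

// CertForUsername picks the presented certificate the username is mapped from:
// with Multiple Certificates off, the user (second) certificate; with it on,
// First Cert (machine) or Second Cert (user) as configured.
func CertForUsername(presented []*x509.Certificate, multipleCerts, useFirstCert bool) *x509.Certificate {
	if len(presented) == 0 {
		return nil
	}
	if multipleCerts && useFirstCert {
		return presented[0]
	}
	return presented[len(presented)-1]
}

// newTestCert builds a constructed, self-signed client certificate so the
// example runs offline; empty fields are left out of the certificate.
func newTestCert(cn, ou, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}}
	if ou != "" {
		subject.OrganizationalUnit = []string{ou}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if email != "" {
		tmpl.EmailAddresses = []string{email}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	machine, _ := newTestCert("LAPTOP-01.example.test", "Endpoints", "")
	user, _ := newTestCert("jdoe", "Engineering", "jdoe@example.test")
	chain := []*x509.Certificate{machine, user}
	for _, multi := range []bool{false, true} {
		name, err := DeriveUsername(CertForUsername(chain, multi, true), FieldCN, FieldOU)
		fmt.Printf("multiple certs=%v, First Cert -> username %q (err=%v)\n", multi, name, err)
	}
}
```

The output of `main` shows why the First Cert / Second Cert choice matters: with Multiple Certificates off, the username is the user certificate's CN, but with it on and First Cert selected, the same presented chain yields the machine certificate's CN instead, so authorization rules written against usernames must agree with this setting.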

Step 3 – Traffic Steering (Split Tunnel)

For Traffic Steering (Split Tunnel), you can configure a VPN profile to maintain a full tunnel connection to Secure Access, or configure the profile to use a split tunnel connection to direct traffic through the VPN only if necessary.

  1. For Tunnel Mode, choose either:

    • Connect to Secure Access to direct all traffic through the tunnel; or,

    • Bypass Secure Access to direct all traffic outside the tunnel.

  2. Depending on your selection, you can Add Exceptions to steer traffic inside or outside the tunnel. You can enter comma-separated IPs, domains, and network spaces.

  3. For DNS Mode, you can accept the default mode or, depending on your selection, choose to Tunnel all DNS traffic or Split DNS traffic.
    When Split DNS is chosen, DNS names matching the configured DNS Names will be routed over the encrypted Secure Client connection for resolution. Any that do not match the configured DNS Names are routed via the local physical interface for the resolution.

  4. Click Next to configure the Cisco Secure Client.
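
The tunnel mode, exception list and DNS mode above combine into a per-destination decision that is easy to get backwards. The Go program below is an added example, not Cisco code and not a description of the Secure Client's internal implementation: it parses a comma-separated exception list of IPs, domains and network spaces (CIDR prefixes), applies the Tunnel Mode semantics (exceptions bypass the tunnel in Connect to Secure Access mode and enter it in Bypass Secure Access mode), and applies the Split DNS rule that names matching a configured DNS Name resolve over the tunnel while all others use the local interface. The addresses, domains and DNS names in `main` are constructed sample values; domain matching by suffix (a name matches `corp.example.com` if it equals it or ends in `.corp.example.com`) is this example's assumption.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// TunnelMode is the Step 3 "Tunnel Mode" choice.
type TunnelMode int

const (
	ConnectToSecureAccess TunnelMode = iota // all traffic in the tunnel; exceptions bypass it
	BypassSecureAccess                      // all traffic outside; exceptions go through the tunnel
)

// DNSMode is the Step 3 "DNS Mode" choice.
type DNSMode int

const (
	TunnelAllDNS DNSMode = iota
	SplitDNS
)

// SteeringPolicy models one VPN profile's traffic steering settings.
type SteeringPolicy struct {
	Mode       TunnelMode
	DNS        DNSMode
	exceptAddr []netip.Addr
	exceptNet  []netip.Prefix
	exceptDom  []string
	dnsNames   []string
}

func normalizeDomain(s string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(s)), ".")
}

// domainMatches reports whether name equals suffix or is a subdomain of it.
func domainMatches(name, suffix string) bool {
	name, suffix = normalizeDomain(name), normalizeDomain(suffix)
	return name == suffix || strings.HasSuffix(name, "."+suffix)
}

// NewSteeringPolicy parses the comma-separated exception list (IPs, CIDR
// network spaces, domains) and the Split DNS names, rejecting malformed entries.
func NewSteeringPolicy(mode TunnelMode, exceptions string, dns DNSMode, dnsNames string) (*SteeringPolicy, error) {
	p := &SteeringPolicy{Mode: mode, DNS: dns}
	for _, raw := range strings.Split(exceptions, ",") {
		e := strings.TrimSpace(raw)
		switch {
		case e == "":
			continue
		case strings.Contains(e, "/"):
			pfx, err := netip.ParsePrefix(e)
			if err != nil {
				return nil, fmt.Errorf("bad network space %q: %w", e, err)
			}
			p.exceptNet = append(p.exceptNet, pfx.Masked())
		default:
			if addr, err := netip.ParseAddr(e); err == nil {
				p.exceptAddr = append(p.exceptAddr, addr)
			} else if d := normalizeDomain(e); !strings.ContainsAny(d, " /:@") {
				p.exceptDom = append(p.exceptDom, d)
			} else {
				return nil, fmt.Errorf("unrecognised exception %q", e)
			}
		}
	}
	for _, raw := range strings.Split(dnsNames, ",") {
		if d := normalizeDomain(raw); d != "" {
			p.dnsNames = append(p.dnsNames, d)
		}
	}
	return p, nil
}

// matchesException reports whether dest (an IP literal or a hostname) is
// covered by the exception list.
func (p *SteeringPolicy) matchesException(dest string) bool {
	if addr, err := netip.ParseAddr(dest); err == nil {
		for _, a := range p.exceptAddr {
			if a == addr {
				return true
			}
		}
		for _, n := range p.exceptNet {
			if n.Contains(addr) {
				return true
			}
		}
		return false
	}
	for _, d := range p.exceptDom {
		if domainMatches(dest, d) {
			return true
		}
	}
	return false
}

// InTunnel decides whether traffic to dest goes through the Secure Access tunnel.
func (p *SteeringPolicy) InTunnel(dest string) bool {
	excepted := p.matchesException(dest)
	if p.Mode == ConnectToSecureAccess {
		return !excepted
	}
	return excepted
}

// DNSInTunnel decides whether a query for name is resolved over the encrypted
// Secure Client connection (true) or the local physical interface (false).
func (p *SteeringPolicy) DNSInTunnel(name string) bool {
	if p.DNS == TunnelAllDNS {
		return true
	}
	for _, d := range p.dnsNames {
		if domainMatches(name, d) {
			return true
		}
	}
	return false
}

func main() {
	p, err := NewSteeringPolicy(ConnectToSecureAccess, "10.0.0.0/8, 203.0.113.7, example.com", SplitDNS, "corp.example.com, internal.test")
	if err != nil {
		panic(err)
	}
	for _, d := range []string{"10.1.2.3", "198.51.100.9", "www.example.com", "api.other.net"} {
		fmt.Printf("%-18s in tunnel: %v\n", d, p.InTunnel(d))
	}
	for _, n := range []string{"host.corp.example.com", "notcorp.example.com"} {
		fmt.Printf("%-24s DNS via tunnel: %v\n", n, p.DNSInTunnel(n))
	}
}
```

Note that `notcorp.example.com` is not matched by the DNS name `corp.example.com`: the match is on a dot-delimited suffix, not a raw string suffix. Checking exactly this kind of boundary is how you confirm an exception list does not steer more traffic outside the tunnel than intended.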

Step 4 – Cisco Secure Client Configuration

You can modify a subset of Cisco Secure Client settings based on the needs of a particular VPN profile.

  1. Click the Session Settings tab to modify session-specific settings:

    • Banner Message—Configure a banner message for the user to accept after Secure Client authentication.
    • Session Timeout—Configure a time window after which the Secure Client session will end. The default is 4 hours.
    • Session Timeout Alert—Configure the number of minutes before the session timeout to alert the user. The default is 30 minutes.
    • Idle Timeout—Configure a time window for an idle Secure Client session, after which the session will end.
    • Idle Timeout Alert—Configure the number of minutes before the idle session timeout to alert the user. The default is 1 minute.
    • Maximum Transmission Unit (MTU)—Configure the largest packet size that can be transmitted through the VPN tunnel before fragmentation. Accepts a value between 576 and 1390.

  2. Click the Client Settings tab, then click Edit to modify client-specific settings. See The Cisco Secure Client Profile Editor for complete information about Cisco Secure Client settings.

    1. Modify General client settings as needed.

    2. Modify Administrative Settings as needed.

    3. Click Save.

  3. Modify any Client Certificate Settings as needed.

  4. Click Save to complete the VPN Profile.

