Add VPN Profiles

A virtual private network (VPN) connection establishes a secure tunnel between endpoint devices over a public network such as the Internet. This section describes how to create VPN profiles to allow for configuration of remote user connections through a VPN.

The following topics explain how to configure remote access VPN profiles.

Table of Contents

• Prerequisites
• Step 1 – General Settings
• Step 2 – Authentication, Authorization, and Accounting
• Step 3 – Traffic Steering (Split Tunnel)
• Step 4 – Cisco Secure Client Configuration

Prerequisites

• Full Admin role in Secure Access. See Manage User Roles.

Step 1 – General Settings

Enter a name and configure the general settings that this VPN profile will use.

1. Navigate to Connect > End User Connectivity > Virtual Private Network.

2. For VPN Profiles, click + VPN Profile.

3. Enter a meaningful VPN profile name for this profile.

4. Enter an optional Display name for this profile. This is a customizable and flexible label that is displayed to end-users of the Cisco Secure Client for ease-of-selection when choosing the appropriate profile.

5. Enter the Default Domain.

6. Review the DNS Servers options.

   1. By default, the DNS Servers is set to Region specified, meaning that the VPN profile uses the DNS specified for the region.
   2. (Optional) Click View DNS servers to see the list of DNS servers mapped to regions.
   3. (Optional) To choose a DNS pair other than the default regional DNS, click Custom specified, then click Map DNS servers to open an configurable view of all available DNS servers for a VPN profile. For more information, see Map DNS Servers to Regions.
   4. (Optional) Check DDNS Servers updates to include dynamic updates to the mappings of domain names to IP addresses when a remote user's network IP address changes. By default, the DDNS Servers is set to Region specified, meaning that the VPN profile uses the DDNS specified for the region. For more information, see Map DDNS Servers to Regions.

7. Click Assign IP pools and select one IP pool per region from the IP Pools drop-down. VPN profiles must have at least one IP pool assigned in each region for a valid configuration. For more information, see Add an IP Pool.

8. Under Profile Settings, review the following settings and choose the options appropriate for this profile:

   • Check Include machine tunnel for this profile to allow a client device to connect to Secure Access before a user initiates a login. Click + Add Machine Tunnel to configure a machine tunnel if one does not exist for this profile; see Manage Machine Tunnels for more information.
   • Check Include regional FQDN to add a region-specific FQDN to the hostname, which provides flexibility to clients when connecting to their VPN headend.

9. Under IP version mode, select the mode(s) that this VPN profile will use:

   • IPv4
   • IPv6

10. Under Protocol, select the protocol(s) that this VPN profile will use:

    • TLS/DTLS
    • IKEv2
      At least one protocol must be selected. If both TLS/DTLS and IKEv2 are selected, choose the primary protocol from the Primary drop-down.

11. Optionally, choose a Connect time posture from the drop-down.

    

12. Click Next.

Step 2 – Authentication, Authorization, and Accounting

Choose a configuration method from the Protocols drop-down to complete the authentication process for this VPN profile. Authentication is the way a user is identified before being allowed access to the network and network resources. Authentication requires valid user credentials, a certificate, or both. You can use authentication alone, or with authorization and accounting.

Choose from:

• SAML
• RADIUS
• Certificate

SAML

Use this option to authenticate users with SAML.

SAML Configuration

When you choose SAML, each user is authenticated using the SAML single sign-on server.

• External browser authentication—Select this option to have Secure Client use a local browser for authentication. When selected, Secure Client can support other SAML-based web authentication options, such as Single Sign On, biometric authentication, or other enhanced methods that are unavailable with an embedded browser.
• Forced re-authentication—Select this option to force a re-authentication whenever a VPN connection is initiated. Forced re-authentication is related to the Session Timeout setting; see Cisco Secure Client Configuration.

For more information about Secure Access and SAML for VPNs with a configured VPN profile, see Manage SAML Certificates for Identity Providers. SAML authentication for remote access VPNs supports SAML, SAML + Single CA certificate, and SAML + Multiple CA Certificates.

SAML Metadata XML Configuration

1. Click the SAML Metadata XML Configuration option, provide your Service Provider XML file and follow the guidelines to complete your Identity Provider (IdP) setup.
2. Upload your IdP Security Metadata XML file to Secure Access. You can drag-and-drop the file or click the upload icon to browse and select the file.

Manual Configuration

1. Click the Manual Configuration option complete the form with information obtained from your Service Provider (SP) and Identity Provider (IdP).
2. Download the SP Certificate.
3. Obtain the following from the SAML IdP:
   1. Identity Provider Entity ID URL.
   2. Sign-in URL.
   3. Sign-out URL.
   4. IdP Certificate.
   5. Request Signature.

RADIUS

Use this option to authenticate users on a RADIUS server.

Note: Cisco strongly discourages the use of RADIUS (RADIUS username/password only) as a single form of authentication. If the RADIUS server does not provide multi-factor authentication (MFA), then you must enable a second factor of authentication in Secure Access for VPN authentication. You can configure certificates in Secure Access as the second form of authentication.

When you choose RADIUS, each user is authenticated using RADIUS group servers. RADIUS authentication for remote access VPNs supports RADIUS, RADIUS+ Single CA certificate, and RADIUS+ Multiple CA Certificates.

Certificate

Use this option to authenticate users with trusted certificate authorities (CAs).

When you choose Certificate, each user is authenticated with a client certificate. The client certificate must be configured on VPN client endpoints. By default, the user name is derived from the client certificate fields CN and OU. If the user name is specified in other fields in the client certificate, use the Primary field to authenticate and Secondary field to authenticate field to map appropriate fields.

Select Multiple Certificates authentication to authenticate the VPN client using the machine and user certificates.

If have enabled Multiple Certificates authentication, you can select one of the following certificates to map the username and authenticate the VPN user:

• First Cert—Select this option to map the username from the machine certificate sent from the VPN client.
• Second Cert—Select this option to map the username from the user certificate sent from the client.

Note: If you do not enable multiple certificate authentication, the user certificate (second certificate) is used for authentication by default.

Step 3 – Traffic Steering (Split Tunnel)

For Traffic Steering (Split Tunnel), you can configure a VPN profile to maintain a full tunnel connection to Secure Access, or configure the profile to use a split tunnel connection to direct traffic through the VPN only if necessary.

1. For Tunnel Mode, choose either:

   • Connect to Secure Access to direct all traffic through the tunnel; or,

     

   • Bypass Secure Access to direct all traffic outside the tunnel.

     

2. Depending on your selection, you can Add Exceptions to steer traffic inside or outside the tunnel. You can enter comma-separated IPs, domains, and network spaces.

3. For DNS Mode, you can accept the default mode or, depending on your selection, choose to Tunnel all DNS traffic or Split DNS traffic.
   When Split DNS is chosen, DNS names matching the configured DNS Names will be routed over the encrypted Secure Client connection for resolution. Any that do not match the configured DNS Names are routed via the local physical interface for the resolution.

4. Click Next to configure the Cisco Secure Client.

Step 4 – Cisco Secure Client Configuration

You can modify a subset of Cisco Secure Client settings based on the needs of a particular VPN profile.

1. Click the Session Settings tab to modify session-specific settings:

   

• Banner Message—Configure a banner message for the user to accept after Secure Client authentication.
• Session Timeout—Configure a time window after which the Secure Client session will end. The default is 4 hours.
• Session Timeout Alert—Configure the number of minutes before the session timeout to alert the user. The default is 30 minutes.
• Idle Timeout—Configure a time window for an idle Secure Client session, after which the session will end.
• Idle Timeout Alert—Configure the number of minutes before the idle session timeout to alert the user. The default is 1 minute.
• Maximum Transmission Unit (MTU)—Configure the largest packet size that can be transmitted through the VPN tunnel before fragmentation. Accepts a value between 576 and 1390.
• Smart card removal—Check Maintain VPN session to continue the VPN connection in the event of a smart card removal. Otherwise the VPN connection is terminated when a smart card is removed.

2. Click the Client Settings tab then click Edit to modify client-specific sessions. See The Cisco Secure Client Profile Editor for complete information about Cisco Secure Client settings.

   1. Modify Session Settings as needed.

      

   2. Modify Client Settings (General) as needed.

      

   3. Modify Client Settings (Administrator) as needed.

      

   4. Click Save.

3. Modify any Client Certificate Settings as needed.

   

4. Click Save to complete the VPN Profile.

   

---

Manage VPN Profiles< Add a VPN Profile > Add a RADIUS Group