Manage Custom Attributes
Custom attributes are used by the Cisco Secure Client to configure features such as Per App VPN and split tunneling. You can create the Secure Client custom attributes objects from the VPN Profiles dashboard, add the objects to a VPN profile, and associate the VPN profile with a remote access VPN to enable the features for the VPN clients.
Secure Access supports the following features using the custom attribute objects:
- Per App VPN—The Per App VPN feature helps identify an app and tunnel only applications allowed by the Secure Access administrator over the VPN.
- Bypass Virtual Subnets—The Bypass Virtual Subnets feature helps resolve connectivity issues with virtual machine-based subsystems.
About Per App VPN
When you use Cisco Secure Client AnyConnect to establish a VPN connection from a mobile device, all the traffic including the traffic from personal applications is routed through the VPN.
If you instead want to route corporate applications only through the VPN, so that non-corporate traffic is excluded from the VPN, you can use Per App VPN to select which applications should be tunneled through the VPN.
You configure Per App VPN using the perapp AnyConnect custom attribute. Adding this attribute to a remote access VPN group profile automatically limits the tunnel to the explicitly identified applications. Traffic from all other applications is automatically excluded from the tunnel.
Configuring Per App VPN has the following main benefits:
- Performance—It limits traffic in the VPN to the traffic that needs to go to the corporate network. Thus, you free up resources at the head end of the RA VPN.
- Protection—Because only traffic from approved applications is allowed, it protects the corporate tunnel from unapproved malicious applications that a user might unwittingly install on the mobile device. Because these applications are not included in the tunnel, traffic from them is never sent to the head end.
The Mobile Device Manager (MDM) running on the mobile endpoint enforces the Per App VPN policy on the applications.
About Bypass Virtual Subnets
If you experience connectivity issues with virtual machine-based subsystems, such as Windows Subsystem for Linux (WSL2) or a VMware Fusion VM, when the AnyConnect VPN is active on the host (Windows 10, or macOS 11 and later), you can configure local LAN split/exclude tunneling restricted to only the virtual adapter subnets.
About Cisco Secure Client on Mobile Devices
Cisco Secure Client on mobile devices is similar to Cisco Secure Client on Windows, macOS, and Linux platforms. The Cisco Secure Client (including AnyConnect) Administrator Guide provides device information, configuration information, support information, as well as other administrative tasks specific to Cisco Secure Client for mobile devices.
Because Secure Access supports custom attributes on Android and iOS devices, you should review the following sections of the Administrator Guide:
In particular, pay close attention to the following guidelines and limitations for each supported platform. As always, you should consult the latest Cisco Secure Client (including AnyConnect) Administrator Guide for the most up-to-date information.
Guidelines and Limitations for Secure Client AnyConnect on Android
- The Secure Firewall ASA does not provide distributions and updates for AnyConnect for Android. They are available on Google Play. The APK (package) file for the latest version is also posted on Cisco.com.
- AnyConnect for Android supports only the Network Visibility Module and Umbrella; it does not support any other Secure Client modules.
- The Android device supports no more than one AnyConnect profile, which is the last one received from a headend. However, a profile can consist of multiple connection entries.
- If users attempt to install AnyConnect on devices that are not supported, they receive the pop-up message Installation Error: Unknown reason -8. This message is generated by the Android OS.
- With users who have AnyConnect in a widget on their home screen, the AnyConnect services are automatically started (but not connected) regardless of the "Launch at startup" preference.
- AnyConnect for Android requires UTF-8 character encoding for extended ASCII characters when using prefill from client certificates. The client certificate must be in UTF-8 if you want to use prefill, per the instructions in KB-890772 and KB-888180.
- AnyConnect blocks voice calls if it is sending or receiving VPN traffic over an EDGE connection per the inherent nature of EDGE and other early radio technology.
- Some known file compression utilities do not successfully decompress log bundles packaged with the use of the AnyConnect Send Log button. As a workaround, use the native utilities on Windows and macOS to decompress Secure Client log files.
- DHE Incompatibility—With the introduction of DHE cipher support in AnyConnect, incompatibility issues arise with Cisco Secure Firewall ASA versions earlier than ASA 9.2. If you are using DHE ciphers with Secure Firewall ASA releases earlier than 9.2, you must disable DHE ciphers on those Secure Firewall ASA versions.
- Because AnyConnect is a networking VPN application, it requires background operation to function; therefore, you should never add AnyConnect to the deep sleep list.
Guidelines and Limitations for Secure Client AnyConnect on Apple iOS
AnyConnect for Apple iOS supports only features that are related to remote VPN access such as:
- AnyConnect can be configured by the user (manually), by the AnyConnect VPN Client Profile, generated by the Apple Configurator Utility (http://www.apple.com/support/iphone/enterprise/), or using an Enterprise Mobile Device Manager.
- The Apple iOS device supports no more than one AnyConnect VPN client profile. The contents of the generated configuration always match the most recent profile. For example, you connect to vpn.example1.com and then to vpn.example2.com. The AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.
- This release supports the tunnel keepalive feature; however, it reduces battery life of the device. Increasing the update interval value mitigates this issue.
Apple iOS Connect On-Demand Considerations:
- VPN sessions, which are automatically connected as a result of iOS On-Demand logic and have Disconnect on Suspend configured, are disconnected when the device sleeps. After the device wakes up, On-Demand logic will reconnect the VPN session when it is necessary again.
- AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect can misreport mobile posture information if the user relies on the iOS Connect On-Demand feature to make a connection initially, or after device information, such as the OS version, has changed.
- This only applies in your environment if you are running a Legacy AnyConnect release earlier than 4.0.05032, or an Apple iOS release earlier than 9.3 while using Apple Connect-on-Demand capabilities. To ensure proper establishment of Connect On-Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message “The VPN Connection requires an application to start up” displays.
Cisco AnyConnect and Legacy AnyConnect are different apps with different app IDs. Hence:
- Using the new extension framework in AnyConnect 4.0.07x (and later) causes the following change in behavior from legacy AnyConnect 4.0.05x: AnyConnect considers traffic for the tunnel DNS server to be tunneled, even if it is not in the split-include network.
- You cannot upgrade the AnyConnect app from a legacy 4.0.05x or earlier version to AnyConnect 4.0.07x or 4.6.x (or later). Cisco AnyConnect 4.0.07x (or 4.6.x and later) is a separate app, installed with a different name and icon.
- The different versions of AnyConnect can co-exist on the mobile device, but this is not supported by Cisco. The behavior may not be as expected if you attempt to connect while having both versions of AnyConnect installed. Make sure you have only one AnyConnect app on your device, and it is the appropriate version for your device and environment.
- Certificates imported using Legacy AnyConnect version 4.0.05069 and any earlier release cannot be accessed or used by the new AnyConnect app release 4.0.07072 or later. MDM deployed certificates can be accessed and used by both app versions.
- App data imported to the Legacy AnyConnect app, such as certificates and profiles, should be deleted if you are updating to the new version. Otherwise they will continue to show in the system VPN settings. Remove app data before uninstalling the Legacy AnyConnect app.
- Current MDM profiles will not trigger the new app. EMM vendors must support VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect since AnyConnect no longer has access to this in the new framework. Consult your EMM vendor for how to set this up; some may require a custom VPN type, and others may not have support available at release time.
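A defender-side check for the EMM requirement above, written as an added example (not Cisco's or Apple's code): it parses a configuration profile with Python's plistlib and reports, for every VPN payload, whether VPNType, VPNSubType and ProviderType carry the values the new app needs. It assumes Apple's profile layout (a PayloadContent array with payloads of type com.apple.vpn.managed); the sample profile is constructed and its legacy sub-type is a placeholder.

```python
import plistlib

# Values the new-framework AnyConnect app expects (from the EMM requirement above).
REQUIRED = {
    "VPNType": "VPN",
    "VPNSubType": "com.cisco.anyconnect",
    "ProviderType": "packet-tunnel",
}
VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"  # Apple's VPN payload type (assumed)

# Constructed sample profile: one payload written for the new app, one legacy
# payload that lacks ProviderType and names a placeholder sub-type.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadDisplayName</key><string>Corp VPN (new app)</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.cisco.anyconnect</string>
      <key>ProviderType</key><string>packet-tunnel</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadDisplayName</key><string>Corp VPN (legacy)</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.example.placeholder-vpn</string>
    </dict>
  </array>
</dict></plist>"""


def check_vpn_payloads(profile_bytes):
    """Map each VPN payload's display name to its problem list (empty = OK)."""
    root = plistlib.loads(profile_bytes)
    results = {}
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != VPN_PAYLOAD_TYPE:
            continue  # not a VPN payload (Wi-Fi, certificate, ...)
        problems = []
        for key, want in REQUIRED.items():
            got = payload.get(key)
            if got is None:
                problems.append(f"missing {key}")
            elif got != want:
                problems.append(f"{key}={got!r}, expected {want!r}")
        results[payload.get("PayloadDisplayName", "<unnamed>")] = problems
    return results
```

A payload with an empty problem list is one the new app will respond to; the others are the "current MDM profiles" the guideline says will not trigger it and need updating in the EMM.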
Using the New Extension Framework in AnyConnect 4.0.07x and later causes the following changes in behavior from Legacy AnyConnect 4.0.05x:
- The Device ID sent to the head end is no longer the UDID in the new version, and it is different after a factory reset unless your device is restored from a backup made by the same device.
- You may use MDM deployed certificates, as well as certificates imported using one of the methods available in AnyConnect: SCEP, manually through the UI, or via the URI handler. The new version of AnyConnect can no longer use certificates imported via email or any other mechanism beyond these identified ones.
- When creating a connection entry using the UI, the user must accept the iOS security message displayed.
- A user-created entry with the same name as a downloaded host entry from the AnyConnect VPN profile will not be renamed until it disconnects, if it is active. Also, the downloaded host connection entry will appear in the UI after this disconnect, not while it remains connected.
- AnyConnect considers traffic for the tunnel DNS server to be tunneled even if it is not in the split-include network.