Anyconnect Firepower

Posted on |



  1. Anyconnect Firepower Login
  2. Firepower Anyconnect Compatibility
  3. Anyconnect Firepower Windows 10
  4. Anyconnect Firepower Login
  1. AnyConnect Customization and Localization support. The Firepower Threat Defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities. Custom Attributes for the Anyconnect Client are not supported on the Firepower Threat Defense. Hence all features that make use of Custom Attributes are not.
  2. Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server).

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

Sep 11, 2019 Cisco Firepower Threat Defense (FTD) VPN with AnyConnect Duo integrates with your Cisco Firepower Threat Defense (FTD) SSL VPN to add two-factor authentication to AnyConnect VPN logins. AnyConnect provides reliable and easy-to-deploy encrypted network connectivity from devices by delivering persistent corporate access for users on the.

ASA Configuration

Create a Crypto Keypair

Create a CA Trustpoint

Authenticate the Trustpoint

In this example the ASA will enrol with a Windows Certificate Authority.

  • Open the CA’s Trusted Root certificate in notepad
  • Copy the contents on the certificate
  • On the ASA run the command crypto ca authenticate LAB_PKI
  • When prompted paste the contents of the CA Trusted Root certificate
  • Type quit at the end
  • Enter yes to import the certificate

EnrolL ASA for Identity Certificate

Anyconnect Firepower Login

The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.

  • On the ASA run the command crypto ca enroll LAB_PKI
  • When prompted copy the contents of the CSR
  • Complete the Certificate Signing Request
  • On the Window CA open the Web page to sign certificates, click Request a certificate
  • Click advanced certificate request
  • Paste the CSR generated on the ASA in the previous step above
  • Select the Certificate Template Web Server
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate, save the file to a file for use in the next step
  • On the ASA, run the command crypto ca import LAB_PKI certificate. LAB_PKI equals the name of the trustpoint previously defined.
  • When prompted paste the contents of the saved file (generated in the previous step)
  • Type quit at the end
  • Verify the Identity and Trusted Root Certificates imported successfully by running the command show crypto ca certificates
  • In the screenshot below the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).

Enable the Certificate Trustpoint on the OUTSIDE interface

Anyconnect Firepower

Firepower Anyconnect Compatibility

Enable the Certificate Trustpoint for Remote Access

Define IKEv2 Policy


Define IPSec Transform Sets

Define Crypto Map

Reference the previously created IPSec Transform Sets. Enable Crypto Map on OUTSIDE interface

Modify Group Policy to enable IKEv2

Enable AAA and Certificate authentication

For additional security double authentication will be configured to require certificate and username/password. The certificate will be authenticated against the ASA, the UN/PW will be authenticated against the RADIUS server (defined in the previous post).

Enable AAA accounting (if not already enabled)

AAA accounting should be enabled to keep track of the connections.

ISE Configuration

The ISE Authorization Policy as defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using this attribute is optional, but can be used to distinguish between different connections types if required.

  • Create a new Authorization rule called AnyConnect IPSec VPN
  • Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
  • Permissions: VPN_Permit_DACL

Testing & Verification

You will need to create a AnyConnect Profile, download the AnyConnect Profile Editor

  • Open the VPN Profile Editor
  • Navigate to the Server List and click Add
  • Define a display name for the connection e.g ASA IKEv2/IPSec VPN
  • Define the FQDN
  • Define the User Group, this represents the Tunnel-Group on the ASA, in this instance the name is TG-1 (as defined in the previous post)
  • Set the Primary Protocol to IPSec


  • Click Save and ensure the file is saved to the folder location:
    • C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile
  • Restart the Cisco AnyConnect services or reboot
  • Open the Cisco AnyConnect Secure Mobility Client, this should display the new connection


The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.

  • On the ASA run the command debug aaa authentication
  • On the PC connect to the VPN and enter and username/password when prompted. Certificate authentication, if successful should be transparent

Anyconnect Firepower Windows 10

From the ASA debugs you can see the certificate authentication was successful

Anyconnect Firepower Login

Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.

  • On the ASA run the command show vpn-session detail anyconnect

You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Cisco AnyConnect using Cisco FMC.

1010

A Mideye Server (any release). If there is a firewall between the Cisco FMC and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). The Cisco FMC acts as a RADIUS client towards the Mideye Server. Hence, the Cisco FMCmust be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Create a new VPN Policy

Navigate to Devices followed by Remote Access. Click “Add” in the top right corner. Give the Policy a name and a description. Select what VPN protocol that should be used and select the firewall that should be targeted. Click “Next”.

Enter a suitable Profile name and select AAA Only in the dropdown list. Click the + sign and select “RADIUS Server group”. Fill out the form to create a new RADIUS group and add the Mideye Servers with IP and shared secret. Make sure to set the RADIUS-timeout to at least 35 seconds.

If accounting and authorization should be in use, select the same RADIUS group or create a new one.

Last, select client address assignment and create a new policy or use the predefined.

On the next page, select the Cisco Anyconnect images and click “Next” to select interface and certificate for the Remote Access. Complete the wizard.

Change timeout for Cisco Anyconnect

There are two different timeouts for Cisco Anyconnect. One, that is already configured in the stop above is for the web-based Anyconnect, but to change it for the desktop client, a client profile must be modified and selected.

Navigate to Devices followed by Remote Access. Edit the Anyconnect policy and click “Edit Group Policy” right under the Group Policy name. Select the Anyconnect tab.

Before adding a Client Profile, this must be created and uploaded to the Cisco FMC. Login to cisco.com and download and install the Profile Editor.

Anyconnect Firepower

Open VPN profile Editor on your local machine and Navigate to Preferences (Part 2). Change the default timeout (12 sec) to 35 seconds. Save the file and upload it to the Cisco FMC.

See section RADIUS clients in the reference guide.

Check RADIUS-logs

Check if anything is written to the Mideye RADIUS logs. These can be found in

If nothing is logged, verify that udp/1812 is allowed between your Cisco ASA and Mideye Server.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.