Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head
Thomas Glanzmann
thomas at glanzmann.de
Sun Jan 12 07:18:13 EST 2014
Hello Nikos,
> I think you nailed it. This error message is simply because you're
> connected using RDP. And if I remember it correctly, there is even a
> policy setting that allows connecting from remote Desktops.
Just for the future, find attached my normal policies. The setting
AllowRemoteUsers allows connecting to Cisco AnyConnect using a remote
desktop. See my full normal profile attached.
Cheers,
Thomas
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
This is a sample of a Cisco AnyConnect VPN Client Profile XML file.
Please refer to the Cisco AnyConnect VPN Client Administrator Guide
for information regarding profile management and examples of all
available options. In short:
- A Profile should be uniquely named for your Company. An example is:
CiscoProfile.xml
- The profile name should be the same even if it differs for individual
groups within the company.
This file is intended to be maintained by a Secure Gateway administrator
and then distributed with the client software. The profile based on
this XML can be distributed to clients at any time. The distribution
mechanisms supported are as a bundled file with the software distribution
or as part of the automatic download mechanism. The automatic download
mechanism is only available with certain Cisco Secure Gateway products.
NOTE: Administrators are strongly encouraged to validate the XML profiles they
create using an online validation tool or via the profile import
functionality in ASDM. Validation can be accomplished with the
AnyConnectProfile.xsd found in this directory.
AnyConnectProfile is the root element representing the AnyConnect Client
Profile.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<!--
The ClientInitialization section represents global settings for the
client. In some cases (e.g. BackupServerList) host specific overrides
are possible.
-->
<ClientInitialization>
<!--
The Start Before Logon feature can be used to activate the VPN as
part of the logon sequence.
UserControllable:
Does the administrator of this profile allow the user to control
this attribute for their own use. Any user setting associated
with this attribute will be stored elsewhere.
-->
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<!--
This control allows automatic certificate selection to be
disabled. When this is disabled a user certificate selection
dialog is displayed if the GUI is available.
This setting only applies to the Microsoft Windows version of
AnyConnect and has no effect on other platforms.
-->
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<!--
This control enables an administrator to have a one-time message
displayed prior to a user's first connection attempt. As an example,
the message could be used to remind a user to insert their smart
card into its reader.
The message to be used with this control is localizable and can be
found in the AnyConnect message catalog.
(default: "This is a pre-connect reminder message.")
-->
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<!--
This setting allows an administrator to specify which certificate
store AnyConnect will use for locating certificates.
This setting only applies to the Microsoft Windows version of
AnyConnect and has no effect on other platforms.
-->
<CertificateStore>All</CertificateStore>
<!--
This setting allows an administrator to direct AnyConnect to search
for certificates in the Windows machine certificate store. This is
useful in cases where certificates are located in this store and
users do not have administrator privileges on their machine.
-->
<CertificateStoreOverride>false</CertificateStoreOverride>
<!--
Controls AnyConnect client behavior when started. By default, the
client will attempt to contact the last Gateway a user connected
to or the first one in the list from the AnyConnect profile. In
the case of certificate-only authentication, this will result in
the establishment of a VPN tunnel when the client is started.
-->
<AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
<!--
Controls AnyConnect GUI behavior when a VPN tunnel is established.
By default, the GUI will minimize when the VPN tunnel is
established.
-->
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<!--
If Local LAN access is enabled for remote clients on the Secure
Gateway, this setting can be used to allow the user to accept or
reject this access.
-->
<LocalLanAccess UserControllable="true">true</LocalLanAccess>
<!--
This setting allows an administrator to control how a client will
behave when the VPN tunnel is interrupted. Control can optionally
be given to the user.
-->
<AutoReconnect UserControllable="true">true
<AutoReconnectBehavior>ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<!--
This setting allows the administrator to turn off the dynamic
update functionality of AnyConnect. Control of this can also be
given to the user.
-->
<AutoUpdate UserControllable="false">true</AutoUpdate>
<!--
This setting allows the administrator to control how the user will
interact with RSA. By default, AnyConnect will determine the
correct method of RSA interaction. The desired setting can be
locked down by the administrator or control can be given to the
user.
-->
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<!--
This setting allows the administrator to control if more than one
user may be logged into the client PC during a VPN connection.
-->
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<!--
This setting allows the administrator to control if a VPN
connection may be initiated by a remote user.
-->
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<!--
This setting determines whether to keep the VPN session
when the user logs off a Windows OS
-->
<RetainVpnOnLogoff>false
<UserEnforcement>SameUserOnly</UserEnforcement>
</RetainVpnOnLogoff>
<!--
This section enables the definition of various attributes that
can be used to refine client certificate selection.
-->
<CertificateMatch>
<!--
Certificate Key attributes that can be used for choosing
acceptable client certificates.
-->
<KeyUsage>
<MatchKey>Non_Repudiation</MatchKey>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<!--
Certificate Extended Key attributes that can be used for
choosing acceptable client certificates.
-->
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
<MobilePolicy>
<!--
DeviceLockRequired indicates that a Windows Mobile device must
be configured with a password or PIN prior to establishing a
VPN connection. This configuration is only valid on Windows
Mobile devices that use the Microsoft Default Local
Authentication Provider (LAP).
The following attributes can be specified to check additional
settings. The platforms for which each additional check is
performed are specified with "WM5AKU2+" for Windows Mobile 5 with
the Messaging and Security Feature Pack delivered as part of
Adaptation Kit Upgrade 2 (AKU2).
MaximumTimeoutMinutes - when set to non-negative
number, specifies the maximum number of minutes
that must be configured before device lock takes
effect. (WM5/WM5AKU2+)
MinimumPasswordLength - when set to a non-negative number,
specifies that any PIN/password used for device lock
must be equal to or longer than the specified value,
in characters. This setting must be pushed down to
the mobile device by syncing with an Exchange server
before it can be enforced. (WM5AKU2+)
PasswordComplexity - when present checks for the following
password subtypes:
"alpha" - Requires an alphanumeric password
"pin" - Numeric PIN required
"strong" - Strong alphanumeric password defined by
Microsoft as containing at least 7
characters, including at least 3 from
the set of uppercase, lowercase,
numerals, and punctuation.
This setting must be pushed down to the mobile device
by syncing with an Exchange server before it can be
enforced. (WM5AKU2+)
Note that this configuration setting merely enforces the policy;
it does not actually change the local device policy.
-->
<DeviceLockRequired
MaximumTimeoutMinutes="60"
MinimumPasswordLength="4"
PasswordComplexity="pin"/>
</MobilePolicy>
<!--
Automatic VPN policy defines policy for automatically connecting
and disconnecting the VPN tunnel based on network state.
-->
<AutomaticVPNPolicy>false
<!--
When a client machine has one of the following DNS suffixes or DNS
server addresses, it will be treated as though it is on a Trusted
Network. When the client machine is not in the Trusted Network,
it is considered to be on an Untrusted Network. When the client
transitions to a Trusted Network or Untrusted Network, it will perform
the action in the corresponding policy setting. Typically this is
used to have the client automatically initiate a VPN connection when
the user's laptop is at home, and disconnect when they reach the Trusted
Network at work. To get started using Trusted Network Detection, replace
the placeholder values with the appropriate settings
for your enterprise.
-->
<TrustedDNSDomains>REPLACE_company.com</TrustedDNSDomains>
<TrustedDNSServers>REPLACE_1.2.3.4</TrustedDNSServers>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<!--
The AlwaysOn setting configures a client machine to establish a VPN
connection when the user logs in to their computer. If the connection
cannot be established, the ConnectFailurePolicy can be used to control
whether or not the user may access other network resources. Please
read the Cisco AnyConnect Secure Mobility Client Administrator Guide
before enabling AlwaysOn.
-->
<AlwaysOn>true
<ConnectFailurePolicy>Open
<!--
When ConnectFailurePolicy is set to "Closed", the
AllowCaptivePortalRemediation setting controls whether the user will
be permitted to log into a captive portal to allow VPN establishment
to continue. This is typically turned on to allow users to VPN from
hotels and coffee shops that require a web-based login before VPN
connections can be established.
-->
<AllowCaptivePortalRemediation>true
<!--
Specifies the amount of time, in minutes, that HTTP and HTTPS
traffic is permitted out after a network change that results in
a "Closed" ConnectFailurePolicy. After this time expires, the
user will be unable to send web traffic.
-->
<CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
</AllowCaptivePortalRemediation>
<!--
Firewall and split-exclude rules can be cached locally on the client
when in Always-On mode. This setting controls whether the last set
of firewall and split-exclude rules from the ASA will be applied even
when the VPN connection is not established.
-->
<ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
</ConnectFailurePolicy>
</AlwaysOn>
</AutomaticVPNPolicy>
<!--
When Optimal Gateway Selection (OGS) is enabled, the client will contact each of
the servers in the ServerList, and connect to the one with the lowest
round trip time (RTT). When a client machine comes out of a system resume of at
least the duration in hours specified by AutoServerSelectionSuspendTime, it
will connect to a different host only if the RTT improves by the percentage
specified by AutoServerSelectionImprovement. The examples below allow a
user that suspends their laptop during a transatlantic flight of at least
4 hours to switch from North American to European servers if there is at
least a 20% reduction in latency.
-->
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<!--
Amount of time, in seconds, that the client waits for authentication to be completed. By default, the client
expects to receive a response within 12 seconds; therefore, if the authentication process takes longer than this,
the connection fails. For example, if the secure gateway is configured to contact a RADIUS server which first
authenticates the username and then initiates a phone call to the user, who then needs to press # for the
RADIUS server to accept the request, this process can take more than 20 seconds.
-->
<AuthenticationTimeout>30</AuthenticationTimeout>
</ClientInitialization>
<!--
This section contains the list of hosts the user will be able to
select from.
-->
<ServerList>
<!--
This is the data needed to attempt a connection to a specific
host.
-->
<HostEntry>
<!--
Can be an alias used to refer to the host or an FQDN or
IP address. If an FQDN or IP address is used, a
HostAddress is not required.
-->
<HostName>vpn.glanzmann.de</HostName>
<HostAddress>vpn.glanzmann.de</HostAddress>
</HostEntry>
<!--
<HostEntry>
<HostName>REPLACE_AsaName2</HostName>
<HostAddress>REPLACE_10.94.146.172</HostAddress>
<UserGroup>REPLACE_TunnelGroup</UserGroup>
</HostEntry>
-->
</ServerList>
</AnyConnectProfile>
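An added example, not part of Thomas's mail or of Cisco's sample profile: a small Python audit that parses a profile like the one above, copes with its default namespace and with the mixed-content elements (AutoReconnect, AlwaysOn carry their own value as text before their child elements), reports the settings whose comments above describe widening who may bring a tunnel up, and rewrites one of them without losing its children. The trimmed SAMPLE_PROFILE, the helper names and the LocalUsersOnly value used in the usage note are my assumptions.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"  # default namespace of the profile above
ET.register_namespace("", NS)                 # re-serialise without an ns0: prefix

# Constructed excerpt of the profile above, reduced to the settings audited here.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization>
<AutoReconnect UserControllable="true">true
<AutoReconnectBehavior>ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false
<AlwaysOn>true
<ConnectFailurePolicy>Open</ConnectFailurePolicy>
</AlwaysOn>
</AutomaticVPNPolicy>
</ClientInitialization>
</AnyConnectProfile>
"""

def get_setting(root, name):
    """Own value of a setting. Elements such as AutoReconnect or AlwaysOn carry
    their value as text *before* their child elements, so only .text is read."""
    el = root.find(f".//{{{NS}}}{name}")
    return None if el is None or not el.text else el.text.strip()

def audit(profile_xml):
    """Findings for settings that, per the profile comments, widen who may bring the tunnel up."""
    root = ET.fromstring(profile_xml)
    findings = []
    if get_setting(root, "WindowsVPNEstablishment") == "AllowRemoteUsers":
        findings.append("WindowsVPNEstablishment=AllowRemoteUsers: remote (RDP) users may start the VPN")
    logon = get_setting(root, "WindowsLogonEnforcement")
    if logon not in (None, "SingleLocalLogon"):
        findings.append(f"WindowsLogonEnforcement={logon}: several users may be logged on during the tunnel")
    if get_setting(root, "AlwaysOn") == "true" and get_setting(root, "ConnectFailurePolicy") == "Open":
        findings.append("AlwaysOn with ConnectFailurePolicy=Open: network stays open if the VPN cannot connect")
    return findings

def set_setting(profile_xml, name, value):
    """Rewrite one setting's own value while keeping any child elements intact."""
    root = ET.fromstring(profile_xml)
    el = root.find(f".//{{{NS}}}{name}")
    if el is None:
        raise KeyError(name)
    el.text = value + ("\n" if len(el) else "")  # children stay on their own line
    return ET.tostring(root, encoding="unicode")
```

Running `audit(SAMPLE_PROFILE)` reports the AllowRemoteUsers and AlwaysOn/Open findings; `set_setting(SAMPLE_PROFILE, "WindowsVPNEstablishment", "LocalUsersOnly")` (the restrictive value from the AnyConnect admin guide, assumed here) clears the first one.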