[PATCH] Provide profile.xml for AnyConnect

Thomas Glanzmann thomas at glanzmann.de
Wed Jan 29 04:03:18 EST 2014


This commit replaces the old profile.xml with the Example Configuration
from the Administrator Guide, while not locking down the client and
allowing AnyConnect sessions from remote desktop connections.

Source: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/administration/23adminapa.html

Signed-off-by: Thomas Glanzmann <thomas at glanzmann.de>
---
 doc/profile.xml |  343 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 316 insertions(+), 27 deletions(-)

diff --git a/doc/profile.xml b/doc/profile.xml
index af0bd36..8157a4b 100644
--- a/doc/profile.xml
+++ b/doc/profile.xml
@@ -1,31 +1,320 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This is a sample of a Cisco AnyConnect VPN Client Profile XML file.
+
+    Please refer to the Cisco AnyConnect VPN Client Administrator Guide
+    for information regarding profile management and examples of all
+    available options. In short:
+
+      - A Profile should be uniquely named for your Company.  An example is:
+        CiscoProfile.xml
+
+      - The profile name should be the same even if different for individual
+        group within the company.
+
+    This file is intended to be maintained by a Secure Gateway administrator
+    and then distributed with the client software.  The profile based on
+    this XML can be distributed to clients at any time.  The distribution
+    mechanisms supported are as a bundled file with the software distribution
+    or as part of the automatic download mechanism.  The automatic download
+    mechanism only available with certain Cisco Secure Gateway products.
+
+    NOTE: Administrators are strongly encouraged to validate XML profile they
+          create using an online validation tool or via the profile import
+          functionality in ASDM.  Validation can be accomplished with the
+          AnyConnectProfile.xsd found in this directory.
+
+
+    AnyConnectProfile is the root element representing the AnyConnect Client
+    Profile.
+  -->
 <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
+    <!--
+        The ClientInitialization section represents global settings for the
+        client.  In some cases (e.g. BackupServerList) host specific overrides
+        are possible.
+      -->
+    <ClientInitialization>
+    <BypassDownloader>true</BypassDownloader>
+
+        <!--
+            The Start Before Logon feature can be used to activate the VPN as
+            part of the logon sequence.
+
+            UserControllable:
+            Does the administrator of this profile allow the user to control
+            this attribute for their own use.  Any user setting associated
+            with this attribute will be stored elsewhere.
+          -->
+        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
+        <!--
+            This control allows automatic certificate selection to be 
+            disabled. When this is disabled a user certificate selection 
+            dialog is displayed if the GUI is available. 
+
+            This setting only applies to the Microsoft Windows version of
+            AnyConnect and has no effect on other platforms.
+          -->
+        <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
+        <!--
+            This control enables an administrator to have a one time message
+            displayed prior to a users first connection attempt.  As an example,
+            the message could be used to remind a user to insert their smart
+            card into it's reader. 
+
+            The message to be used with this control is localizable and can be
+            found in the AnyConnect message catalog.
+            (default: "This is a pre-connect reminder message.")
+          -->
+        <ShowPreConnectMessage>false</ShowPreConnectMessage>
+        <!--
+            This setting allows an administrator to specify which certificate 
+            store AnyConnect will use for locating certificates.
+
+            This setting only applies to the Microsoft Windows version of
+            AnyConnect and has no effect on other platforms.
+          -->
+        <CertificateStore>All</CertificateStore>
+        <!--
+            This setting allows an administrator to direct AnyConnect to search 
+            for certificates in the Windows machine certificate store.  This is 
+            useful in cases where certificates are located in this store and 
+            users do not have administrator privileges on their machine.
+          -->
+        <CertificateStoreOverride>false</CertificateStoreOverride>
+        <!--
+            Controls AnyConnect client behavior when started.  By default, the
+            client will attempt to contact the last Gateway a user connected
+            to or the first one in the list from the AnyConnect profile.  In
+            the case of certificate-only authentication, this will result in
+            the establishment of a VPN tunnel when the client is started.
+          -->
+        <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
+        <!--
+            Controls AnyConnect GUI behavior when a VPN tunnel is established.
+            By default, the GUI will minimize when the VPN tunnel is
+            established.
+          -->
+        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
+        <!--
+            If Local LAN access is enabled for remote clients on the Secure
+            Gateway, this setting can be used to allow the user to accept or
+            reject this access.
+          -->
+        <LocalLanAccess UserControllable="true">true</LocalLanAccess>
+        <!--
+            This setting allows an administrator to control how a client will
+            behave when the VPN tunnel is interrupted.  Control can optionally
+            be given to the user.
+          -->
+        <AutoReconnect UserControllable="true">true
+          <AutoReconnectBehavior>ReconnectAfterResume</AutoReconnectBehavior>
+        </AutoReconnect>
+        <!--
+            This setting allows the adminstrator to turn off the dynamic
+            update functionality of AnyConnect.  Control of this can also be
+            given to the user.
+          -->
+        <AutoUpdate UserControllable="false">true</AutoUpdate>
+        <!--
+            This setting allows the adminstrator to control how the user will
+            interact with RSA.  By default, AnyConnect will determine the
+            correct method of RSA interaction.  The desired setting can be
+            locked down by the administrator or control can be given to the
+            user.
+          -->
+        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
+        <!--
+            This setting allows the adminstrator to control if more than one
+            user may be logged into the client PC during a VPN connection.
+          -->
+        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
+        <!--
+            This setting allows the adminstrator to control if a VPN
+            connection may be initiated by a remote user.
+          -->
+        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
+        <!--
+            This setting determines whether to keep the VPN session 
+            when the user logs off a Windows OS
+          -->
+        <RetainVpnOnLogoff>false
+          <UserEnforcement>SameUserOnly</UserEnforcement>
+        </RetainVpnOnLogoff>
+        <!--
+            This section enables the definition of various attributes that
+            can be used to refine client certificate selection.
+          -->
+        <CertificateMatch>
+            <!--
+                Certificate Key attributes that can be used for choosing
+                acceptable client certificates.
+              -->
+            <KeyUsage>
+                <MatchKey>Non_Repudiation</MatchKey>
+                <MatchKey>Digital_Signature</MatchKey>
+            </KeyUsage>
+            <!--
+                Certificate Extended Key attributes that can be used for
+                choosing acceptable client certificates.
+              -->
+            <ExtendedKeyUsage>
+                <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
+            </ExtendedKeyUsage>
+        </CertificateMatch>
+        <MobilePolicy>
+            <!-- 
+            DeviceLockRequired indicates that a Windows Mobile device must 
+            be configured with a password or PIN prior to establishing a 
+            VPN connection.  This configuration is only valid on Windows 
+            Mobile devices that use the Microsoft Default Local 
+            Authentication Provider (LAP).
+            
+            The following attributes can be specified to check additional 
+            settings.  The platforms for which each additional check is 
+            performed as specified with "WM5AKU2+" for Windows Mobile 5 with
+            the Messaging and Security Feature Pack delivered as part of
+            Adaption Kit Upgrade 2 (AKU2).
+            
+                MaximumTimeoutMinutes - when set to non-negative 
+                    number, specifies the maximum number of minutes 
+                    that must be configured before device lock takes
+                    effect.  (WM5/WM5AKU2+)                   
+                MinimumPasswordLength - when set to a non-negative number,
+                    specifies that any PIN/password used for device lock 
+                    must be equal to or longer than the specified value, 
+                    in characters.  This setting must be pushed down to
+                    the mobile device by syncing with an Exchange server
+                    before it can be enforced. (WM5AKU2+)
+                PasswordComplexity - when present checks for the following
+                    password subtypes:
+                        "alpha"  - Requires an alphanumeric password
+                        "pin"    - Numeric PIN required
+                        "strong" - Strong alphanumeric password defined by
+                                   Microsoft as containing at least 7 
+                                   characters, including at lesst 3 from 
+                                   the set of uppercase, lowercase, 
+                                   numerals, and punctuation.
+                    
+                    This setting must be pushed down to the mobile device 
+                    by syncing with an Exchange server before it can be 
+                    enforced. (WM5AKU2+)
 
-	<ClientInitialization>
-		<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
-		<StrictCertificateTrust>false</StrictCertificateTrust>
-		<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
-		<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
-		<BypassDownloader>true</BypassDownloader>
-		<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
-		<CertificateMatch>
-			<KeyUsage>
-				<MatchKey>Digital_Signature</MatchKey>
-			</KeyUsage>
-			<ExtendedKeyUsage>
-				<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
-			</ExtendedKeyUsage>
-		</CertificateMatch>
-
-		<BackupServerList>
-	            <HostAddress>localhost</HostAddress>
-		</BackupServerList>
-	</ClientInitialization>
-
-	<ServerList>
-		<HostEntry>
-	            <HostName>VPN Server</HostName>
-	            <HostAddress>localhost</HostAddress>
-		</HostEntry>
-	</ServerList>
+            Note that this configuration setting merely enforces policy - 
+            it does not actually change local device policy.
+          -->
+        <DeviceLockRequired 
+            MaximumTimeoutMinutes="60"
+            MinimumPasswordLength="4"
+            PasswordComplexity="pin"/>
+        </MobilePolicy>
+		<!-- 
+			Automatic VPN policy defines policy for automatically connecting 
+			and disconnecting the VPN tunnel based on network state. 
+		  -->
+		<AutomaticVPNPolicy>false
+			<!-- 
+				When a client machine has one of the following DNS suffixes or DNS 
+				server addresses, it will be treated as though it is on a Trusted 
+				Network.  When the client machine is not in the Trusted Network, 
+				it is considered to be on an Untrusted Network. When the client 
+				transitions to a Trusted Network or Untrusted Network, it will perform
+				the action in the corresponding policy setting.  Typically this is 
+				used to have the client automatically initiate a VPN connection when 
+				the user’s laptop is at home, and disconnect when they reach the Trusted 
+				Network at work.  To get started using Trusted Network Detection, replace
+				the values containing placeholder values with the appropriate settings 
+				for your enterprise.
+			  -->
+			<TrustedDNSDomains>REPLACE_company.com</TrustedDNSDomains>
+			<TrustedDNSServers>REPLACE_1.2.3.4</TrustedDNSServers>
+			<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
+			<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
+			<!-- 
+				The AlwaysOn setting configures a client machine to establish a VPN 
+				connection when the user logs in to their computer.  If the connection 
+				cannot be established, the ConnectFailurePolicy can be used to control 
+				whether or not the user may access other network resources.  Please 
+				read the Cisco AnyConnect Secure Mobility Client Administrator Guide 
+				before enabling AlwaysOn.
+			-->
+			<AlwaysOn>true
+				<ConnectFailurePolicy>Open
+					<!--
+						When ConnectFailurePolicy is set to "Closed", the 
+						AllowCaptivePortalRemediation setting controls whether the user will
+						be permitted to log into a captive portal to allow VPN establishment
+						to continue.  This is typically turned on to allow users to VPN from
+						hotels and coffee shops that require a web-based login before VPN
+						connections can be established.
+					-->							
+					<AllowCaptivePortalRemediation>true
+						<!-- 
+							Specifies the amount of time, in minutes, that HTTP and HTTPS
+							traffic is permitted out after a network change that results in 
+							a "Closed" ConnectFailurePolicy. After this time expires, the 
+							user will be unable to send web traffic.
+						  -->
+						<CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
+					</AllowCaptivePortalRemediation>
+					<!-- 
+						Firewall and split-exclude rules can be cached locally on the client
+						when in Always-On mode.  This setting controls whether the last set
+						of firewall and split-exclude rules from the ASA will be applied even
+						when the VPN connection is not established.
+					  -->
+					<ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
+				</ConnectFailurePolicy>
+			</AlwaysOn>
+		</AutomaticVPNPolicy>
+		<!--
+			When Optimal Gateway Selection (OGS) is enabled, the client will contact each of
+			the servers in the ServerList, and connect to the one with the lowest 
+			round trip time (RTT).  When a client machine comes out of a system resume of at
+			least the duration in hours specified by AutoServerSelectionSuspendTime, it
+			will connect to a different host only if the RTT improves by the percentage
+			specified by AutoServerSelectionImprovement.  The examples below allow a
+			user that suspends their laptop during a transatlantic flight of at least 
+			4 hours to switch from North American to European servers if there is at 
+			least a 20% reduction in latency.
+		-->
+		<EnableAutomaticServerSelection UserControllable="true">false
+			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
+			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
+		</EnableAutomaticServerSelection>
+    <!-- 
+        Amount of time, in seconds, that the client waits for authentication to be completed. By default, the client
+        expects to receive a response in 12 seconds; therefore, if the authentication process takes longer than this,
+        the connection fails. For example, the secure gateway is configured to contact a RADIUS server which first
+        authenticates the username and then initiates a phone call to the user who then needs to press # for the
+        RADIUS server to accept the request, this process can take more than 20 seconds.
+    -->
+    <AuthenticationTimeout>30</AuthenticationTimeout>
+    </ClientInitialization>
+    <!--
+        This section contains the list of hosts the user will be able to
+        select from.
+      -->
+    <ServerList>
+        <!--
+            This is the data needed to attempt a connection to a specific
+            host.
+          -->
+        <HostEntry>
+            <!--
+                Can be an alias used to refer to the host or an  FQDN or
+                IP address.  If an FQDN or IP address is used, a
+                HostAddress is not required.
+              -->
+            <HostName>PUT_THE_FQDN_OF_YOUR_OCSERV_HERE</HostName>
+            <HostAddress>PUT_THE_FQDN_OF_YOUR_OCSERV_HERE</HostAddress>
+        </HostEntry>
+        <!--
+        <HostEntry>
+            <HostName>REPLACE_AsaName2</HostName>
+            <HostAddress>REPLACE_10.94.146.172</HostAddress>
+            <UserGroup>REPLACE_TunnelGroup</UserGroup>
+        </HostEntry>
+        -->
+    </ServerList>
 </AnyConnectProfile>
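Review bot: `<BypassDownloader>true</BypassDownloader>` on the first line inside `<ClientInitialization>` is one of the two settings where this file deliberately departs from Cisco's sample, yet it is the only element in the section with no explanatory comment, it is indented four spaces where its siblings use eight, and it sits before the comment that opens the section; moving it below `<UseStartBeforeLogon>` with a note such as `<!-- Deviates from the Cisco sample: presumably set so the client does not try to fetch profile/software updates from a non-Cisco gateway such as ocserv — confirm against the OpenConnect/ocserv docs. -->` would make the intent reviewable. The same applies to `<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>`, which the commit message names as a deliberate choice but whose inline comment is still the generic Cisco text; a one-line `<!-- Deliberately AllowRemoteUsers (Cisco sample: LocalUsersOnly) so sessions can be started from a remote desktop. -->` would carry that decision into the file. The `<AutomaticVPNPolicy>` block through `</EnableAutomaticServerSelection>` is tab-indented while the rest of the file uses spaces, and it ships `<AlwaysOn>true` with `<ConnectFailurePolicy>Open` and `REPLACE_` trusted-network placeholders under a policy set to `false`, so an administrator who flips that single value inherits an always-on configuration with placeholder values; a comment on the `<AutomaticVPNPolicy>` line stating that the nested settings are inert until the `REPLACE_` values are filled in would prevent that. Finally, the header comment says validation can be done with `AnyConnectProfile.xsd found in this directory` while `xsi:schemaLocation` points at the same relative file; it is not visible from the diff whether doc/ actually ships that schema, and if it does not, the comment should point to where it can be obtained.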
-- 
1.7.10.4


