Cisco Secure Client Technology Expert

VPN Protocols

SSL/TLS with DTLS (Primary)

• TLS (TCP 443): Initial connection and fallback. TLS 1.2 minimum; TLS 1.3 on ASA 9.10.1+
• DTLS (UDP 443): Preferred data transport. Avoids TCP-over-TCP retransmission issues. ~30-50% throughput improvement over TLS-only.
• Protocol flow: TLS establishes control channel -> DTLS negotiated in parallel -> data over DTLS; TLS fallback if UDP/443 blocked

IPsec/IKEv2

• Supported on FTD headends
• Better performance than SSL for high-throughput
• IKEv2 attempted first if configured; falls back to SSL

Module Architecture

Authentication

SAML (Recommended for SSO)

! ASA: SAML with Azure AD
webvpn
  saml idp https://sts.windows.net/<tenant>/
    url sign-in https://login.microsoftonline.com/<tenant>/saml2
    url sign-out https://login.microsoftonline.com/<tenant>/saml2
    trustpoint idp AZURE-SAML
    trustpoint sp SELF-SIGNED

tunnel-group CORP-VPN webvpn-attributes
  authentication saml
  saml identity-provider https://sts.windows.net/<tenant>/

Embedded vs system browser: Profile setting <UseExternalBrowser>true</UseExternalBrowser> enables system browser for true SSO (biometric, hardware tokens, existing browser sessions).

Certificate + SAML (Dual Auth)

tunnel-group CORP-VPN webvpn-attributes
  authentication saml certificate    ! Certificate first, then SAML

Satisfies both device trust (certificate) and user identity (SAML).

RADIUS with MFA (Duo)

Duo Authentication Proxy intercepts RADIUS, performs primary AD auth, then Duo second factor (push, TOTP, SMS).

DAP (Dynamic Access Policies)

Dynamically adjusts per-session access based on endpoint attributes and group membership:

1. User connects and authenticates
2. ASA evaluates all DAP records against user/endpoint attributes
3. Matching records merged/aggregated
4. Final policy applied: ACLs, group policies, bookmarks, or terminate

Key attributes: endpoint.os.version, endpoint.av.product-name, endpoint.disk.encrypted, aaa.ldap.memberOf, aaa.radius.class

Example: Deny access if disk is not encrypted:

dynamic-access-policy-record REQUIRE-ENCRYPTION
  action terminate
  message "Disk encryption required."
! Condition: endpoint.disk.encrypted = false

Split Tunneling

Include List (Tunneled Only)

Only specified subnets via VPN; all else to local network:

access-list SPLIT-INCLUDE permit ip 10.0.0.0 255.0.0.0 any
group-policy GP attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-INCLUDE

Exclude List (All Except)

All traffic via VPN except specified destinations:

access-list SPLIT-EXCLUDE permit ip any 192.168.1.0 255.255.255.0
group-policy GP attributes
  split-tunnel-policy excludespecified
  split-tunnel-network-list value SPLIT-EXCLUDE

Dynamic Split Tunneling (FQDN-based)

Exclude FQDNs (e.g., *.zoom.us, *.microsoft.com) dynamically:

group-policy GP attributes
  anyconnect-custom dynamic-split-exclude-domains value "zoom.us,*.microsoft.com"

Always-On VPN

<AlwaysOn>true</AlwaysOn>
<AllowVPNDisconnect>false</AllowVPNDisconnect>
<CaptivePortalRemediationBrowserFailover>true</CaptivePortalRemediationBrowserFailover>

VPN auto-connects; traffic blocked when disconnected (or fail-open per policy).

Trusted Network Detection (TND)

Auto-connect/disconnect based on network trust:

<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
<TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
<TrustedDNSServers>10.1.0.1,10.1.0.2</TrustedDNSServers>

Detection methods: DNS domain match, DNS server match, trusted HTTPS server probe. TND is client-side only (no ASA/FTD config needed). Only triggers on network change events.

Posture

Secure Firewall Posture (HostScan)

Checks OS version, AV presence/definitions, personal firewall, disk encryption, registry keys, process presence. Results evaluated in DAP on ASA.

ISE Posture

Full ISE-based compliance with RADIUS CoA for dynamic policy:

1. Client connects -> ISE Posture module checks compliance
2. ISE returns: Compliant, Non-Compliant, or Unknown
3. CoA pushes updated policy to ASA/FTD/switch
4. Non-compliant: remediation portal or quarantine

Deployment

Web Deploy

User browses to https://vpn.example.com; downloads and installs client.

webvpn
  enable outside
  anyconnect image disk0:/cisco-secure-client-win-5.1.14.145-webdeploy-k9.pkg 1
  anyconnect enable

Pre-Deploy (MDM/SCCM/GPO)

Silent install: msiexec /package cisco-secure-client-*.msi /quiet /norestart

Troubleshooting

DART (Diagnostic and Reporting Tool)

Primary troubleshooting tool. Collects all module logs + system info -> zip file.

• Windows: %ProgramFiles%\Cisco\Cisco Secure Client\DART\dartui.exe
• macOS: /Applications/Cisco/DART.app

Common Issues

• Certificate invalid: Headend cert not trusted. Deploy CA cert via GPO/MDM or use public cert.
• DTLS unavailable: UDP/443 blocked. Falls back to TLS. Check firewall/NAT.
• Split tunnel not working: DAP may override group policy. Check show vpn-sessiondb detail anyconnect filter name <user>.
• SAML failure: Check IdP metadata, certificate expiry, clock sync.
• Connection stuck: Check TCP/443 and UDP/443 reachability. Run DART for vpn.log.

ASA Debug Commands

debug webvpn anyconnect 255        # Secure Client protocol
debug webvpn saml 25               # SAML flow
debug aaa authentication 255       # AAA events
show vpn-sessiondb anyconnect      # Active sessions
show vpn-sessiondb detail anyconnect filter name <user>
show webvpn group-policy           # Group policy summary
show run tunnel-group <name>       # Tunnel group config

Common Pitfalls

1. DTLS disabled by firewall: Many corporate firewalls block UDP/443. Performance drops significantly in TLS-only mode. Ensure UDP/443 is open.
2. DAP overriding split tunnel: DAP rules take precedence over group policy. If split tunneling isn't working, check DAP configuration.
3. SAML certificate expiry: SAML signing certificates expire. Calendar reminders for renewal.
4. Always-On with captive portals: Configure CaptivePortalRemediationBrowserFailover to allow hotel/airport captive portal access.
5. ARM64 Windows 11: Web deploy from 5.1.0.x fails on ARM64. Use pre-deploy or upgrade to 5.1.1+.

Reference Files

• references/architecture.md -- Module details, VPN protocols (SSL/DTLS/IKEv2), deployment methods, SAML config, DAP, split tunneling, TND, posture, platform support, version reference.