Skip to main content

 

 

Cisco Defense Orchestrator

Read RA VPN Configuration of an Onboarded ASA Device

When you onboard an ASDM managed ASA device that already has RA VPN settings, it discovers and displays the existing remote access VPN configurations. CDO automatically creates a "Default RA VPN Configuration" and associates the ASA device with this configuration. There are some RA VPN configurations that aren’t read or supported in the CDO but can be configured in the CDO command-line interface.

Note: This section doesn’t cover every supported or unsupported configuration in CDO. Instead, it only describes the most commonly used ones.

To see the RA VPN configurations from an onboarded ASA, perform the following steps:

  1. On the CDO interface, navigate to VPN > Remote Access VPN Configuration
  2. Click the RA VPN configuration corresponding to the onboarded ASA device.
    CDO automatically creates a "Default_RA_VPN_Configuration" and associates the ASA device with this configuration. You can delete the default configuration.
    The ASA RA VPN configurations that are read in CDO are classified as follows:
    • Device settings
    • Connection profiles
    • Group policies

Device Settings

The RA VPN configurations associated with the onboarded ASA device appear in Default_RA_VPN_Configuration. You need to click on this configuration to see the name of the ASA device (in the Devices pane on the right) associated with that configuration. You can also see the AnyConnect packages present in the ASA devices by clicking the edit button.

Connection Profile

CDO supports and reads the connection profiles defined in "AnyConnect Client VPN Access" of the ASA device. It does not support the "Clientless SSL VPN Access" configuration. 

To see the connection profile attributes, perform the following:

  1. Expand Default_RA_VPN_Configuration.
  2. Click one of the connection profiles that you want and click Edit

All the basic and advanced ASA RA VPN attributes can be seen in the Connection Profile name and details of the CDO RA VPN configuration page.

Note: You can delete the default configuration (Select the default RA VPN configuration and in the Actions pane on the right, click Remove).

Primary Identity Source

  • CDO reads the Connection Aliases and Group URLs attributes as Group Alias and Group URL.

Note:

  • The connection profiles configured with SAML, Multiple certificates and AAA, and Multiple certificates aren't read.
  • The authentication server group with the interface and server group is not supported.
  • CDO supports the AnyConnect connection profiles configured with "AAA", "AAA and certificate", and "Certificate only" authentication methods in Primary Identity Source.
  • The AAA Server Group is read in CDO as Primary Identity Source for User Authentication in Primary Identity Source (You can see this attribute by selecting AAA or AAA and Client Certificate as the Authentication Type). 
    • If the AAA Server Group has been configured something other than LOCAL, CDO reads and displays this attribute in the Fallback Local Identity Source field under Primary Identity Source. (You can see this attribute by selecting AAA as the authentication type).

To learn more about the server group attributes read in CDO, see AAA Server Groups

Secondary Identity Source

The Secondary Identity Source displays the secondary authentication attributes of the ASA device. To see these attributes, select AAA or AAA and Client Certificate as the authentication type, and click View Secondary Identity Source

  • The Secondary Identity Source for User Authentication displays the secondary authentication Server Group attribute.
    • If the Server Group has been configured something other than LOCAL, CDO reads and displays this attribute in the Fallback Local Identity Source for Secondary field under Secondary Identity Source.
  • CDO doesn't support the Attribute Server and Interface-Specific Authorization Server Groups attributes.

To learn more about the server group attributes read in CDO, see AAA Server Groups

Authorization Server

  • The Authorization Server displays the authorization Server Group attribute.
  • CDO doesn't support the authorization server group with interface and server group. 

To learn more about the RADIUS server group attributes read in CDO, see RADIUS Server Groups

Accounting Server

The Accounting Server displays the accounting Server Group attributeTo learn more about the server group attributes read in CDO, see RADIUS Server Groups.  

Client Address Pool Assignment

CDO reads the Client Address Assignment attributes (DHCP ServersClient Address Pools, and Client IPv6 Address Pools) as objects. (You can see these attributes in Client Address Pool Assignment). The DHCP server details are read as literals.

Note: CDO doesn't support the IP address pools assigned on specific interfaces. However, these attributes can be seen in the ASA command-line interface (CLI). 

AAA Server Groups

LDAP Server Group and LDAP Server

CDO represents an LDAP Server Group and its associated LDAP Servers as an Active Directory Realm object. For Active Directory (AD), a realm is equivalent to an Active Directory domain. Note that CDO does read the AD password for AD realm objects that are already present. 

  1. In Objects, you can apply the Active Directory Realms filter to see this object. 
  2. Select the Active Directory Realm object that you want and click Edit to see its details. 

You can see that the AD realm contains the associated AD server and its configuration. If there are multiple Active Directory (AD) servers for the AD realm, the AD servers need to be duplicates of each other and support the same AD domain. Therefore, the basic realm properties such as Directory name, Directory Password, and Base Distinguished Name must be the same across all AD servers associated with that AD realm. CDO displays a warning message in the Active Directory Realm object if these properties aren’t the same. You have to correct these properties to make them consistent across the AD servers. If you continue without addressing this warning, CDO uses one of the AD server properties and applies it to other servers in that realm object.

RADIUS Server Group

The AAA RADIUS Server Group attributes of the ASA device are read in CDO as RADIUS Server Group objects.

  1. In Objects, you can apply the RADIUS Server Group filter to see this object. 
  2. Select the object that you want and then click Edit to see its details. 
  • The Enable dynamic authorization in ASA is read in CDO as Dynamic Authorization (for RA VPN only).
  • The Depletion option in Reactivation Mode is read in CDO, and therefore the Dead Time value associated with depletion time is read in CDO. However, the Timed attribute is not read in CDO.
  • CDO doesn't support Accounting Mode, TimedEnable interim accounting update, Enable interim accounting update, and Use authorization only mode.

RADIUS Server

When CDO reads the Radius Servers from ASA, it creates a Radius server object specifies the name as "Name of the Radius server group_server name or IP address".

  1. In Objects, you can apply the RADIUS Server filter to see this object. 
  2. Select the object that you want and then click Edit to see its details. 

Group Policy 

In the Group Policy section, click the drop-down to view the group policies associated with the device.

Attention: CDO reads the group policies configured with tunneling protocol as SSL VPN Client.  

CDO reads most of the group policy attributes configured in ASA. The information is displayed across the tabs in the RA VPN Group policy wizard.
To see the details of group policies read from the ASA device, you need to perform the following: 

  1. On the CDO navigation bar, click Objects and filter for RA VPN Group Policy.
  2. Select the group policy associated with that device and click Edit.

Note: CDO doesn't support the Standard Access Control Lists (ACL) defined in the split tunneling in the ASA device. It supports the Extended Access Control Lists (ACL) and reads them as ACLs in the ASA policies. For more information, see Split Tunneling Attributes.  To see the policies, on the navigation bar, you can click Policies > ASA Access Policies.

To select the extended ACLs, perform the following:

  • Click the Split Tunneling tab.
  • Based on whether the traffic in ASA uses IPv4 or IPv6 addresses, select "Allow specified traffic over tunnel" or "Exclude networks specified below" from the corresponding drop-down list. Select the extended ACLs that are imported from ASA
  • Was this article helpful?