« Configuring Cisco ISE 1.2 and StealthWatch IntegrationCisco ACS v5 should be able to query only desired Domain Controllers – Active Directory/DNS Workaround »

AnyConnect Secure Mobility Client version 3.1 - Untrusted VPN Server blocked

01/17/13

Permalink 08:34:50 am, by Brandon Culler Email , 307 words
Categories: Cisco ASA, Cisco AnyConnect

AnyConnect Secure Mobility Client version 3.1 - Untrusted VPN Server blocked

With the increase of targeted attacks against mobile users on untrusted networks, Cisco has improved the security protections in the AnyConnect Secure Mobility client version 3.1 to help prevent serious security breaches. The default client behavior has been changed to provide an extra layer of defense against man-in-the-middle attacks.

When the user tries to connect to a secure gateway, and there is a certificate error (due to expired, invalid date, wrong key usage, or CN mismatch), the user sees a red-colored dialog with Change Settings and Keep Me Safe buttons.

Untrusted-Server

Clicking Keep Me Safe cancels the connection (Recommended – See Recommendations below).

Clicking Change Settings opens AnyConnect's Advanced > VPN >Preferences dialog, where the user can enable connections to untrusted servers.

AnyConnect-Block-Server

If the user un-checks Block connections to untrusted servers, then the next time the user attempts to connect to this secure gateway, the user will not see the Certificate Blocked Error Dialog dialog; they only see the following dialog:

AnyConnect-Untrusted-Server-Accept

If the user checks Always trust this VPN server and import the certificate, then future connections to this secure gateway will not prompt the user to continue. (Not Recommended)

Recommendations:

You do not want your end users in the habit of ignoring these types of warnings, we strongly encourage following best practices.  You should generate a Certificate signing request to be signed by a trusted 3rd Party Certificate Authority.  Import the signed certificate onto your VPN appliance to avoid your end users changing the default setting, which is designed to keep them safe.

There is no administrative override to make the end user more secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user's local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt.

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.

Search

XML Feeds

Archives