BRKSEC-3033
Advanced AnyConnect Deployment and Troubleshooting with ASA 5500
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
-
2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-3033 2
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
-
Agenda
- Introduction
- Some Theory : SSL and IPSEC, IKEv2
- AnyConnect Fundamentals (v4/v6)
- AAA Deep Dive : RADIUS and LDAP
- Client Certificates
- Provisioning Client Certificates
- Posture Checking
- Dynamic Access Policies (DAP)
- Securing the Client
- Customizing the User Experience
-
The Scenario : Cisco Islands
New eCountry competing in its first Olympic games
- Ambitious Synch Swimming Team
eStrategy, eCoaching, eTraining
IPv6
Windows, MAC, iPADs, iPhones, Androids.....
Security is Paramount
Easy to Use
-
What We Won't Cover
Clientless SSL VPN via WebPortal : see LABSEC-1186
Integration with Cisco Web Security Appliance : see BRKSEC-2101
Integration with Cisco Scansafe : see BRKSEC-2346
AnyConnect Network Access Module : see BRKSEC-3005
Licensing
Roadmaps
but covered in other Cisco Live sessions
-
The TLS Handshake
For Your Reference
Client -> Server : ClientHello (Client Version, ClientNonce, SessionID, Ciphersuites)
Server -> Client : ServerHello, ServerCertChain, ServerHelloDone (Server Version, ServerNonce, Selected Ciphersuite, CertificateChain; Option: CertRequest)
Client -> Server : ClientKeyExchange (Encrypted pre_master_secret), ChangeCipherSpec, ClientFinished ; PRF computation on the client
Server -> Client : ChangeCipherSpec, ServerFinished ; PRF computation on the server
Client <-> Server : Application Data
-
Datagram TLS (DTLS) RFC 6347 (Obsoletes RFC 4347)
Limitations of TLS with SSL VPN tunnels
- TLS is used to tunnel TCP/IP over TCP
- TCP requires retransmission of lost packets
- Both application and TLS wind up retransmitting when packet loss is detected
DTLS solves the TCP over TCP problem
- DTLS replaces the underlying TCP transport with UDP
Cisco's implementation
- DTLS is optional and can fall back to TLS if required
- TLS tunnel is maintained in parallel to DTLS for keepalives and backup (need to allow for both TCP 443 and UDP 443 for DTLS to work)
-
IPSEC : IKEv2 vs IKEv1
The Motivation
-
IKEv2
A Sample Protocol Run
For Your Reference
-
Notes on IKEv2, ASA and AnyConnect
AnyConnect only supports IKEv2 (not IKEv1) for IPsec
ASA IPSEC/IKEv2 for Remote Access is not compatible with 3rd party clients (e.g. Microsoft Windows 7 native L2TP/IPsec with IKEv2).
Why would you want to use IPsec/IKEv2 instead of SSL?
-
AnyConnect Fundamentals : ASA Server Certificate
Figure : clients on the IPv4 Internet reach the ASA, behind which sit the web and fileshare servers on the IPv4/IPv6 Intranet; the ASA certificate may come from a Public CA or from the Enterprise CA
ASA certificate should be trusted by clients
- Public (well-known) Certificate Authority (e.g. Verisign, Thawte)
- Enterprise Certificate Authority, e.g. Microsoft Active Directory (beware of CRL checking...)
- Self-Signed (need to import certificate to all clients)
FQDN in Subject Name : olympus.ciscoislands.cs
-
AnyConnect Fundamentals : IPv4 and IPv6
Figure : clients on the IPv4 Internet reach the IPv4/IPv6 Intranet (10.1.32.0/20, FD00:1234:5678::/48) through the ASA; DNS, CA, AD and RADIUS servers are IPv4; the AnyConnect Virtual Adapter carries both address families
AnyConnect supports IPv6 tunneled (SSL) inside IPv4
- IPv6 address has to be enabled on both outside and inside interfaces (in spite of not being connected to IPv6 internet)
- management/control servers (CA, AD, RADIUS, DNS) IPv4 only
- Roadmap : Native IPv6 over IPv6, DNS IPv6
-
Reminder : Do NOT NAT VPN Traffic
NAT configuration has changed from ASA 8.3
ASA 8.2 : NAT Exempt
ASA 8.4 : NAT
-
AnyConnect - Installation
Optional modules to install
- DART
- Posture
- Start-Before-Login
- Websecurity
- Telemetry
- Network Access Manager
Web Deployment (Installed from browser)
- Requires administrative privileges
- For Windows with Internet Explorer, ASA should be in "Trusted Sites"
- For Windows with Internet Explorer 8/9, use 32 bit version of browser for install
Pre Deployment
- using favorite software management package (e.g. MSI installer)
- from Appstore, Android Markets
-
On the Client: AnyConnect Configuration Files
For Your Reference
AnyConnect Configuration Files are stored on the client in the following directories:
- Windows 7 and Windows VISTA : C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
- Windows XP : C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
- MAC OS X and Linux : /opt/cisco/anyconnect/
File for storing user specific preferences:
- Windows 7 and Windows VISTA : C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
- Windows XP : C:\Documents and Settings\username\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
- MAC OS X and Linux : /Users/username/.anyconnect
-
On the Client: AnyConnect Configuration Files
AnyConnect Client Profiles (described later)
AnyConnect Local Policy : Security Settings
Default User, Default Hosts etc. : Apply to all Users
-
AnyConnect Local Policy File
Not downloaded from ASA (use your favorite desktop management system)
XML file defining important aspects of AnyConnect behavior
- allowing user to accept untrusted ASA certificates
- allowing client software updates from ASA (and from which ASAs)
- allowing client profile updates from ASA (and from which ASAs)
- certificate stores, credentials caching etc.
AnyConnect Local Policy (excerpt) : false, false, false, olympus.ciscoislands.cs, poseidon.ciscoislands.cs
-
Local Policy File Example :
If the server certificate is not trusted, do you want the user to be able to accept the certificate? (false)
.... or do you want AnyConnect to refuse to connect? (true)
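As an added example (not part of the Cisco deck), a small Python audit of an AnyConnectLocalPolicy.xml against the points above: may the user accept an untrusted ASA certificate, and which ASAs may push software and profile updates. The element names (StrictCertificateTrust, BypassDownloader, the three AllowXxxFromAnyServer flags and AuthorizedServerList/ServerName) are assumed from the AnyConnect 3.0 local-policy schema; the sample policy is constructed with the values shown on the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the deck's file): the three update flags and the two authorized
# servers from the slide, plus StrictCertificateTrust=false, i.e. the user may click through
# an untrusted ASA certificate. Element names are assumed from the AnyConnect 3.0 schema.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.0">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <RestrictPreferenceCaching>none</RestrictPreferenceCaching>
  <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
    <AllowServiceProfileUpdatesFromAnyServer>false</AllowServiceProfileUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>olympus.ciscoislands.cs</ServerName>
      <ServerName>poseidon.ciscoislands.cs</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
"""

ANY_SERVER_FLAGS = (
    "AllowSoftwareUpdatesFromAnyServer",
    "AllowVPNProfileUpdatesFromAnyServer",
    "AllowServiceProfileUpdatesFromAnyServer",
)


def _local(tag):
    """Drop the namespace prefix ElementTree adds, so the file parses with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_local_policy(xml_text):
    """Return leaf settings as {name: lower-cased text} plus the list of authorized servers."""
    root = ET.fromstring(xml_text)
    settings = {"AuthorizedServerList": []}
    for el in root.iter():
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "ServerName":
            settings["AuthorizedServerList"].append(text)
        elif len(el) == 0 and text:
            settings[name] = text.lower()
    return settings


def audit_local_policy(xml_text):
    """Return findings as strings; an empty list means the policy matches the hardened baseline."""
    s = parse_local_policy(xml_text)
    findings = []
    # The question the slide asks: accept an untrusted ASA certificate, or refuse to connect?
    if s.get("StrictCertificateTrust") != "true":
        findings.append("StrictCertificateTrust is not true: user may accept an untrusted ASA certificate")
    # With an any-server flag on, every ASA the client connects to becomes a software source.
    on = [f for f in ANY_SERVER_FLAGS if s.get(f) == "true"]
    for flag in on:
        findings.append(f"{flag} is true: updates accepted from any ASA, not only the authorized list")
    # With all any-server flags off, an empty list means no headend can push updates at all.
    if not on and not s["AuthorizedServerList"]:
        findings.append("AuthorizedServerList is empty: no ASA is allowed to push software or profiles")
    if s.get("BypassDownloader") == "true":
        findings.append("BypassDownloader is true: client will ignore profile and software updates from the ASA")
    return findings


if __name__ == "__main__":
    for finding in audit_local_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```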
-
AnyConnect Troubleshooting Toolbox (Windows)
MMC console with snap-ins:
Event Viewer
Certificate (Current User)
Certificate (Local Computer)
-
AnyConnect Troubleshooting Toolbox (MAC)
Utilities/Console
Utilities/Keychain Access
-
DART Tool (Windows and MAC)
DART Tool can be installed along with the Client
Similar to "show tech" on the client
Gathering of OS Data, App Data and logfiles into a single ZIP File
GOT DART?
-
AnyConnect Troubleshooting Toolbox (iOS, Android)
-
Cisco Islands Requirements
Figure : Corporate Devices (PCs, iPhones...) and Other Devices / Contractors connect to the ASA, authenticating by SMS OTP or Certificate, with Microsoft Active Directory behind it
Access based on membership in AD and login method
-
AAA in ASA : Some Important Concepts
Connection Profile (tunnel-group) : Proving Who you are
- Static Passwords (local to ASA, Active Directory, LDAP)
- OTP (One-Time-Passwords), typically RADIUS
- Certificates
Group Policy : Determining What You are and What You can do
- IP address, DNS server
- ACL, Split Tunnelling
- Proxy settings, Timeouts
- etc..
Client Profile : AnyConnect behaviour...
- "Always On"
- which certificate to use
- etc...
-
Connection Profile defines how to Authenticate
Connection Profile settings in ASDM :
- Alias : Shown as drop-down selection to user
- AAA server group (here the AAA Server Group RADIUS)
- Authentication method : AAA, Cert or Both?
- Group-Policy used unless overwritten by Authorization Server
You may have more than one Connection Profile
-
Connection Profile defines how to Authorize
Possible to define different AAA server group for authorization (if not specified, the same group is used for authentication and authorization).
- AAA server group used for Authorization (here the AAA Server Group LDAP)
-
User Selection of Connection Profile
- Alias for drop-down at login page
- URL to land on this connection profile
-
User Selection of Connection Profile (2)
Drop-Down list allows user to select login method (Connection Profile)
-
AnyConnect Client Profiles
XML file created by ASDM, downloaded to client
Client Profile (excerpt) : .... true, ciscoislands.cs, 10.1.40.100, Disconnect, Connect, true ....
-
In the AnyConnect Client Profile : Server List
Client Profile : Connect to host olympus.ciscoislands.cs ...using the Connection Profile specified with this Group URL
-
Multiple Client Profiles on ONE Client?
ONE client typically only has ONE Client Profile..... but
Old Client Profiles are not deleted, so multiple profiles may accumulate
- a consultant connecting to different ASAs
- testing/piloting AnyConnect using different profile names
Upon connection, the profile assigned by the chosen ASA headend is downloaded and applies for the VPN session
If a profile with Always-On is downloaded, the other profiles are deleted
Figure : Client Profile A (Server List A), Client Profile B (Server List B), Client Profile X (Always On=True) assigned by Group Policy
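As an added example (not from the deck), a Python inventory of the client profiles accumulated on one client: for each profile it reports the server list entries (host, address, group-url) and whether Always-On is set, the two things the slides above say matter. The element names (ClientInitialization/AutomaticVPNPolicy with TrustedDNSDomains, TrustedDNSServers, TrustedNetworkPolicy, UntrustedNetworkPolicy, AlwaysOn, and ServerList/HostEntry with HostName, HostAddress, UserGroup) are assumed from the AnyConnect VPN profile schema; both profiles are constructed.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Two constructed client profiles (not the deck's files). Element names are assumed from the
# AnyConnect VPN profile schema. PROFILE_X carries the Trusted Network Detection values shown
# on the slide (ciscoislands.cs, 10.1.40.100, Disconnect, Connect) and Always-On.
PROFILE_A = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>lab-asa.example.test</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

PROFILE_X = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>ciscoislands.cs</TrustedDNSDomains>
      <TrustedDNSServers>10.1.40.100</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn UserControllable="false">true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Cisco Islands</HostName>
      <HostAddress>olympus.ciscoislands.cs</HostAddress>
      <UserGroup>HiSec</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def _local(tag):
    """Drop the namespace prefix ElementTree adds to every tag."""
    return tag.rsplit("}", 1)[-1]


def _text(parent, name):
    """Text of the first descendant called `name` (namespace-agnostic), or '' if absent."""
    for el in parent.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return ""


def summarize_profile(xml_text):
    root = ET.fromstring(xml_text)
    hosts = []
    for entry in root.iter():
        if _local(entry.tag) == "HostEntry":
            name = _text(entry, "HostName")
            hosts.append({
                "name": name,
                # With no HostAddress, AnyConnect connects to the HostName itself.
                "address": _text(entry, "HostAddress") or name,
                "group_url": _text(entry, "UserGroup"),  # selects the connection profile
            })
    return {
        "tnd": _text(root, "AutomaticVPNPolicy").lower() == "true",
        "trusted_domains": _text(root, "TrustedDNSDomains"),
        "always_on": _text(root, "AlwaysOn").lower() == "true",
        "hosts": hosts,
    }


def inventory(profiles):
    """profiles: {file name: xml text}. Returns (summaries, notes) for the accumulated set."""
    summaries = {name: summarize_profile(xml) for name, xml in profiles.items()}
    notes = []
    if len(summaries) > 1:
        notes.append("%d profiles accumulated: %s" % (len(summaries), ", ".join(sorted(summaries))))
    for name, s in summaries.items():
        if s["always_on"]:
            notes.append("%s has Always-On: once downloaded it replaces the other profiles" % name)
    return summaries, notes


def load_profile_dir(path):
    """Read every *.xml in a profile directory (the Profile subfolder of the client directories
    listed earlier in the deck)."""
    profiles = {}
    for p in sorted(glob.glob(os.path.join(path, "*.xml"))):
        with open(p, encoding="utf-8") as fh:
            profiles[os.path.basename(p)] = fh.read()
    return profiles


if __name__ == "__main__":
    summaries, notes = inventory({"ProfileA.xml": PROFILE_A, "ProfileX.xml": PROFILE_X})
    for name, s in summaries.items():
        print(name, s)
    for n in notes:
        print(n)
```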
-
Authentication and Authorization by RADIUS
Figure : Connection Profile "SMS" -> AAA Server Group RADIUS -> Group Policy (Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers) -> Client Profile "HiSec"
User can be authenticated and authorized by RADIUS.
RADIUS attribute IETF 25 (Class) is used to assign the group policy.
-
Authentication by RADIUS, Authorization by LDAP
Figure : Connection Profile "SMS" -> AAA Server Group RADIUS (authentication) and AAA Server Group LDAP (authorization, via LDAP map) -> Group Policy (Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers) -> Client Profile "HiSec"
User authenticated by RADIUS (typically strong authentication, OTP)
Username used for LDAP lookup
LDAP attributes are mapped to a Group Policy
-
AAA Server Groups
Using the same authentication protocol and characteristics
- Several Servers in a Group for redundancy
- Same Protocol but different Groups if different characteristics
Figure : AAA Server Group LDAP, AAA Server Group RADIUS
-
RADIUS Server Definition
- Double check port numbers on RADIUS server
- Shared Secret must match with RADIUS server
-
RADIUS Authorization
RADIUS server tells ASA which Group Policy to apply
Figure : RADIUS Server (Cisco ISE) definition
Typically, RADIUS Server just needs to inform ASA about Group-Policy with IETF attribute 25 ("Class")
Group Policy on ASA defines authorization (IP address, ACL, etc).
Also possible to define other authorization attributes (such as ip address) on RADIUS server
-
LDAP Server Definition (Active Directory)
- Domain is ciscoislands.cs
- Attribute for user lookup
- ASA Credentials
- LDAP attribute map : Used to map LDAP attributes to ASA attributes (to be covered)
- LDAP over SSL
-
A Good LDAP Browser is useful
To learn LDAP structure, and for troubleshooting
http://www.softerra.com or LDP.exe (Windows 2008)
-
Determining Group Policy from LDAP
Any LDAP attribute can be mapped to a group policy
Figure : Active Directory User/Properties -> ASA Configuration -> Group Policy Coaches
-
LDAP Attribute Maps
Maps any LDAP attribute to selected ASA attribute
The content of the department attribute is matched to Group Policy (via the LDAP map)
-
Using Active Directory memberOf
A user in Active Directory is typically a member of many groups
A user can only be mapped to one ASA Group Policy
Active Directory groups have names like:
cn=Coaches, cn=Users, dc=CiscoIslands,dc=cs
Nested Active Directory Groups: CSCso24147
-
Mapping memberOf to Group Policy
Values of memberOf can be matched to ASA Group Policy with the LDAP attribute map
Beware: First match will apply (many memberOf -> one Group Policy)
DAP (covered later) allows for more flexibility in handling "many memberOf"
-
Troubleshooting AAA server
Test that AAA server works
-
Troubleshooting AAA
Checking that the right Group Policy has been assigned
-
Troubleshooting RADIUS
debug radius
asa# debug radius user hacke
asa# radius mkreq: 0xba
alloc_rip 0xcb207f4c
new request 0xba --> 7 (0xcb207f4c)
got user 'hacke'
got password
add_req 0xcb207f4c session 0xba id 7
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=64.103.49.80
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 138).....
01 07 00 8a d3 10 09 0e 2f 3c c5 1a 4b 28 41 e6 | ......../
-
Troubleshooting RADIUS (2)
RADIUS packet decode (response)
.....
......
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 7 (0x07)
Radius: Length = 73 (0x0049)
Radius: Vector: 9F7E831B16FD6E1802BE49E0643C41FE
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
68 61 63 6b 65 | hacke
Radius: Type = 25 (0x19) Class
Radius: Length = 15 (0x0F)
Radius: Value (String) =
6f 75 3d 49 54 73 75 70 70 6f 72 74 3b | ou=ITadmins;
Radius: Type = 25 (0x19) Class
Radius: Length = 31 (0x1F)
Radius: Value (String) =
43 41 43 53 3a 41 43 53 2d 41 4e 49 4d 41 4c 53 |
CACS:ACS-ANIMALS
2f 38 30 30 35 35 39 39 30 2f 34 30 35 | /80055990/405
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
Callouts : RADIUS Response = ACCESS-ACCEPT or ACCESS-REJECT ; Class attribute = Group Policy
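As an added example (not from the deck), a Python model of what the decode above shows: building an Access-Accept with the Response Authenticator of RFC 2865, checking it against the shared secret, parsing the attribute TLVs, and picking the group policy from the Class (25) value of the form OU=<name>; while ignoring the CACS:... session id. The shared secret and authenticator are constructed; the User-Name and Class values mirror the debug output.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CLASS = 1, 25           # IETF attribute numbers seen in the decode above


def encode_attrs(attrs):
    """attrs: list of (type, bytes). Each TLV is Type(1) Length(1, includes header) Value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, identifier, request_auth, secret, attrs):
    """Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d does not match %d bytes received" % (length, len(pkt)))
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % i)
        attrs.append((attr_type, pkt[i + 2:i + attr_len]))
        i += attr_len
    return code, identifier, pkt[4:20], attrs


def verify_response(pkt, request_auth, secret):
    """True only if the response was computed over our Request Authenticator with the shared
    secret: a reply to a different request, or from a host without the secret, fails here."""
    _, _, resp_auth, _ = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def group_policy_from_class(attrs):
    """The ASA takes its group policy from a Class (25) value of the form OU=<name>;
    other Class values, such as the CACS:... session id an ACS/ISE adds, are ignored."""
    for attr_type, value in attrs:
        if attr_type != ATTR_CLASS:
            continue
        text = value.decode("ascii", "replace")
        if text[:3].upper() == "OU=":
            return text[3:].split(";", 1)[0]
    return None


def demo():
    """Constructed exchange: the secret and Request Authenticator are made up, the attribute
    values mirror the debug output above."""
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)             # would be copied from our Access-Request
    pkt = build_response(ACCESS_ACCEPT, 7, request_auth, secret, [
        (ATTR_USER_NAME, b"hacke"),
        (ATTR_CLASS, b"OU=ITadmins;"),
        (ATTR_CLASS, b"CACS:ACS-ANIMALS/80055990/405"),
    ])
    if not verify_response(pkt, request_auth, secret):
        raise RuntimeError("authenticator check failed")
    code, _, _, attrs = parse_packet(pkt)
    return code, group_policy_from_class(attrs)


if __name__ == "__main__":
    print(demo())   # (2, 'ITadmins')
```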
-
Troubleshooting RADIUS
RADIUS server logs may be useful
Figure : Authentication logs from Cisco ISE
-
Troubleshooting LDAP
debug ldap
asa# debug ldap 100
debug ldap enabled at level 100
asa#
[80] Session Start
[80] New request Session, context 0xcb196fa8, reqType = Other
[80] Fiber started
[80] Creating LDAP context with uri=ldap://10.1.40.100:389
[80] Connect to LDAP server: ldap://10.1.41.90:389, status = Successful
[80] supportedLDAPVersion: value = 3
[80] supportedLDAPVersion: value = 2
[80] Binding as asa
[80] Performing Simple authentication for asa to 10.1.41.100
[80] LDAP Search:
Base DN = [dc=CiscoIslands,dc=cs]
Filter = [[email protected]]
Scope = [SUBTREE]
[80] User DN = [CN=Hakan Nohre,CN=Users,DC=CiscoIslands,DC=cs]
Steps shown above : Connect (layer 4), Bind (authentication), LDAP search
-
Troubleshooting LDAP (2)
debug ldap (2)
[80] Retrieved User Attributes:
[80] .....
[80] cn: value = Hakan a
[80] sn: value = Nohre
[80] givenName: value = Hakan
[80] distinguishedName: value = CN=Hakan Nohre,CN=Users,DC=CiscoIslands,DC=cs
.......
[80] displayName: value = Hakan Nohre
[80] memberOf: value =CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs
[80] memberOf: value = CN=Domain Admins,CN=Users,DC=CiscoIslands,DC=cs
[80] memberOf: value = CN=Enterprise Admins,CN=Users,DC=CiscoIslands,DC=cs
[80] memberOf: value = CN=Administrators,CN=Builtin,DC=CiscoIslands,DC=cs
[80] uSNChanged: value = 13842
[80] department: value = ITadmins
[80] mapped to Group-Policy: value = ITadmins
[80] mapped to LDAP-Class: value = ITadmins
Callouts : Retrieved Attributes ; Group-Policy mapping
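As an added example (not from the deck), a Python reimplementation of the LDAP attribute map semantics discussed on the LDAP Attribute Maps and memberOf slides, run over debug ldap lines in the format shown above: the retrieved attributes are parsed, a memberOf -> Group-Policy map is applied, and the first-match behaviour is shown to depend on the order in which the directory returns the memberOf values. The debug lines and the map are constructed; the CLI shown in the comment is the ASA syntax I know (ldap attribute-map, map-name, map-value), but the evaluation is my own code, not the ASA's.

```python
import re

# Constructed 'debug ldap' lines in the format shown above (not the deck's capture).
DEBUG_LINES = """\
[80] Retrieved User Attributes:
[80] cn: value = Hakan Nohre
[80] memberOf: value = CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs
[80] memberOf: value = CN=Domain Admins,CN=Users,DC=CiscoIslands,DC=cs
[80] memberOf: value = CN=Coaches,CN=Users,DC=CiscoIslands,DC=cs
[80] department: value = ITadmins
""".splitlines()

ATTR_RE = re.compile(r"^\[\d+\]\s+(\w+):\s*value\s*=\s*(.*)$")


def parse_debug_attributes(lines):
    """{attribute: [values...]} in the order the directory returned them."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


class LdapAttributeMap:
    """Reimplementation of the map's semantics, not ASA code. The equivalent ASA CLI is
        ldap attribute-map <name>
          map-name  <ldap attr> <cisco attr>
          map-value <ldap attr> "<ldap value>" <cisco value>
    """

    def __init__(self):
        self.names = {}    # ldap attribute -> Cisco attribute (e.g. memberOf -> Group-Policy)
        self.values = {}   # ldap attribute -> [(ldap value, cisco value), ...]

    def map_name(self, ldap_attr, cisco_attr):
        self.names[ldap_attr] = cisco_attr

    def map_value(self, ldap_attr, ldap_value, cisco_value):
        self.values.setdefault(ldap_attr, []).append((ldap_value, cisco_value))

    def apply(self, attrs):
        """Walk each mapped attribute's values in server order; the first value that has a
        map-value entry wins and later values are ignored (the slide's first-match warning),
        so a multi-valued memberOf yields at most one Group-Policy."""
        result = {}
        for ldap_attr, cisco_attr in self.names.items():
            if cisco_attr in result:
                continue
            lookup = dict(self.values.get(ldap_attr, []))
            for value in attrs.get(ldap_attr, []):
                if value in lookup:
                    result[cisco_attr] = lookup[value]
                    break
        return result


def build_example_map():
    """Constructed map: two AD groups drive Group-Policy, in the deck's naming."""
    m = LdapAttributeMap()
    m.map_name("memberOf", "Group-Policy")
    m.map_value("memberOf", "CN=Coaches,CN=Users,DC=CiscoIslands,DC=cs", "Coaches")
    m.map_value("memberOf", "CN=ITsupport,CN=Users,DC=CiscoIslands,DC=cs", "ITadmins")
    return m


def group_policy_for(lines, attr_map=None):
    """Group policy the map selects from a debug capture, or None (the ASA then falls back to
    the connection profile's default group policy)."""
    attrs = parse_debug_attributes(lines)
    return (attr_map or build_example_map()).apply(attrs).get("Group-Policy")


if __name__ == "__main__":
    attrs = parse_debug_attributes(DEBUG_LINES)
    print(group_policy_for(DEBUG_LINES))            # ITadmins: ITsupport is listed first
    attrs["memberOf"].reverse()                     # same groups, server order flipped
    print(build_example_map().apply(attrs))         # {'Group-Policy': 'Coaches'}
```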
-
Recommendations
Use strong authentication that is easy to use and manage
Determine your roles, how many different sets of Group Policies and Client Profiles do you really need?
- also consider what you can do with DAP (covered later)
Leverage the Enterprise Directory :
- "outsource" the daily work of user adds/moves/changes to "somebody else"
-
Demo
Authentication via RADIUS (OTP server from Mideye) : server reads mobile number from AD, SMS with OTP sent to user
Authorization via AD
Figure : client on the IPv4 Internet -> ASA -> IPv4/IPv6 Intranet with AD
-
Authentication with Client Certificates
Client -> Server : ClientHello
Server -> Client : ServerHello, ServerCertChain, Client Certificate Request, ServerHelloDone
Client -> Server : Client Certificate, ClientKeyExchange, Encrypted Random byte string, ChangeCipherSpec, ClientFinished
Server -> Client : ChangeCipherSpec, ServerFinished
Client <-> Server : Application Data
-
Authentication with Client Certificates
Considered stronger authentication than passwords
No need to manage passwords (password complexity, resetting passwords, expiring passwords...)
Need to manage a PKI (Public Key Infrastructure) to enroll and revoke certificates
Client Certificates may be tied to machine or user
User certificates may be soft or hard (smart cards)
We can make it difficult to move a certificate from one machine to another: Using client certificates allows us to distinguish corporate devices from other devices (employee iPADs etc)
-
ASA must trust the Issuer of Client Certificates
Install Issuer CA Certificate
- from file
- paste PEM file
- SCEP
Issuer of client certificates may not be the same as the issuer of the ASA certificate
-
Checking for lost/stolen certificates
CRL (Certificate Revocation List) downloads a list of revoked certificates (can be cached)
OCSP (Online Certificate Status Protocol) checks status of individual certificates
Do we trust certificate if we cannot retrieve CRL?
-
Authentication with Client Certificates, Authorization with LDAP
Figure : Connection Profile "certificate" -> AAA Server Group LDAP (via LDAP map) -> Group Policy (Default Group Policy, Group Policy Coach, Group Policy IT Support, Group Policy Swimmers) -> Client Profile "HighSec"
User authenticated with client certificate
Username (some field) of certificate used for LDAP lookup
LDAP attributes are mapped to a Group Policy
-
Authentication with Client Certificates
Defined in Connection Profile
Choosing "both" means that user first has to authenticate with certificate, then with username/password
- Use case : Checking that user uses a corporate machine (with a soft certificate)
-
Authorization with Client Certificates
Work out which fields in cert to use and how to map to LDAP
Client Certificate : SAN (Principal Name) [email protected]
LDAP : userPrincipalName [email protected]
-
Authorization with Client Certificates
Figure : Client Certificate <-> LDAP Database
Connection Profile : User mapping from Cert = UPN (User Principal Name)
AAA Server : Naming Attribute = userPrincipalName
-
Certificate Enrollment : Active Directory
Microsoft Active Directory supports automatic certificate enrollment for user and machine certificates
User and machine are members of Active Directory Domain: Their certificates can be pushed by GPOs (Group Policy Objects)
http://technet.microsoft.com/en-us/library/cc770546.aspx
-
Certificate Enrollment : Active Directory (2)
Microsoft CA also supports web enrollment
Can be used by non-domain members, e.g. MACs
-
Simple Certificate Enrollment Protocol (SCEP)
http://tools.ietf.org/id/draft-nourse-scep-21.txt
Protocol for enrolling certificates over HTTP (basically encapsulating PKCS#10, PKCS#7 over HTTP)
Originally developed by Verisign for Cisco
Widely supported by network devices (including ASA and AnyConnect), clients and most Certificate Authorities (including Microsoft CA)
Figure : client -> SCEP -> CA
-
AnyConnect SCEP Proxy Support
ASA can be an SCEP proxy, enabling AnyConnect on the outside to enroll to a CA on the inside of ASA without poking holes in Firewall
SCEP proxy requires AnyConnect 3.0 : Not supported by iOS or Android
Figure : AnyConnect -> SCEP -> ASA (SCEP proxy) -> SCEP -> CA
-
Case Study : Secure Enrolment of Certificates to Mobile Devices
Figure : mobile device -> VPN to the ASA -> SCEP to the CA ; OTP server used for the initial logon
Mobile users (Windows, MAC, Phone, Android) logon from anywhere (over internet) to enroll
Secure authentication via OTP sent by SMS to mobile
Certificate automatically enrolled with correct CN=....
Phone profile updated with profile that uses certificate
- note: to mitigate risk of stolen phones, use certs + AAA for authentication
-
Enrollment flow (OTP server, CA and AD behind the ASA) :
1. User Connects to ASA
2. User Gets SMS with OTP
3. User logs on with OTP (Client Profile "SCEP-Enroll")
4. AnyConnect Gets Certificate from CA via SCEP (Client Profile "SCEP-Enroll") ; for iOS, cert can also be used for 802.1X
5. AnyConnect On Demand (iOS only) : x.ciscoislands.cs
-
What to Configure on ASA
- Connection Profile "CertEnroll"
- AAA Server Group SMS (RADIUS)
- AAA Server Group AD (LDAP)
- Group Policy "CertEnroll"
- Client Profile "SCEP-Enroll"
Configuration example (using local authentication) on
- http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml
-
Client Profile For Certificate Enrollment (1)
- subject-name CN, can use %USER% %MACHINEID% (current versions of iOS and Android do not supply device ID)
- Key size : Defaults to 512
- Microsoft SCEP URL : http://.../certsrv/mscep/mscep.dll
-
Client Profile for Certificate Enrollment (2)
- Tell Client to which Connection Profile to connect for certificate authentication
- Mobile Settings : On Demand (Apple iOS only)
-
Configuration on Windows 2008 R2 Server (1)
For Your Reference
SCEP RA (Registration Authority)
By default Microsoft requires user to enter challenge password to get certificate
-
Configuration on Windows 2008 R2 Server (2)
For Your Reference
Microsoft registry setting to change default Certificate Template used by SCEP
Hint : the default template does not work for SSL VPN
Good Microsoft document on
- http://www.microsoft.com/download/en/details.aspx?id=1607
-
Troubleshooting Tips
If AnyConnect already has a certificate it will not try to get another one
- ensure that AnyConnect fails to connect to a connection profile using certificate authentication
Pay attention to the certificate templates used by Microsoft CA
- certificate usage
- security permissions
- minimum key length
Logs from Microsoft Server may be helpful
-
AnyConnect Posture : Do the Clients meet Requirements?
Figure : 1. VPN Connection from the Coaches' client on the Internet to the ASA (web and fileshare behind it) ; the client reports "Microsoft Firewall ON, but No Antivirus..."
Possible to check that client meets Posture Requirements : OS, Anti-Virus, Personal Firewall, Registry Keys, Open Ports etc
Used in combination with Dynamic Access Policies (DAP) to grant access to clients depending on their posture status
-
Posture/Host Scan Software Packages Options
Figure : Host Scan is delivered as Standalone Host Scan, with AnyConnect 3.0, and with CSD (which also includes Vault, Cache Cleaner, Keylogger Detection and Host Emulation Detection)
Host Scan is packaged standalone, with AnyConnect 3.0 and with CSD
Standalone Host Scan gives faster updates of AV database etc (no need to wait for AnyConnect or CSD updates)
Also included: Cache Cleaner, Keylogger, Host Emulation Detection (used with Clientless SSL VPN)
-
Specifying Host Scan Image
For Your Reference
- Standalone Host Scan location on CCO
- Choose standalone Host Scan, AnyConnect or CSD
-
The Host Scan Process
1. Host Scan loads
2. Prelogin Checks based on OS, ip, cert, file, registry -> classification "Corp Windows", "MAC" or "Other"
3. Both in parallel : Endpoint Assessment (get info on FW, AV, AS, Registry, Processes, Files...) and Advanced Endpoint Assessment (Remediation/Fix FW, AV, AS)
4. DAP Policy
-
Configuring Host Scan
- Endpoint Assessment must be checked to retrieve info on AV, AS, Firewall settings that can be enforced by DAP
- Advanced Endpoint Assessment can remediate (turn on AV, AS, Firewall)
- Possible to create checks for Process, File and Registry keys that can be enforced by DAP
-
Prelogin Policy
Typical use case is to differentiate corporate devices from other devices
Check client ip address, OS, that file exists, registry keys/values and certificate
- note : certificate check only checks if certificate exist, it does not cryptographically verify that the private key is there
Possible to deny login immediately, or pass Policy Name to DAP for policy enforcement
Policy Classification can be used by DAP
-
Dynamic Access Policies (DAP) : Granular Access Control
Figure : a user on the Internet with Microsoft Firewall ON, AntiVirus ON, memberOf SynchSwim ; access to webA and shareB behind the ASA is decided per resource (PERMIT / DENIED)
DAP allows granular access to resources based on authentication method, AAA parameters and Posture
Very flexible, allowing Data Owners to set the policies for access to their data :
- "to access my data you must be member of AD groups SynchSwim and Coaches, you must be logged in with strong authentication and you must have Antivirus with the latest updates"
-
How DAP relates to AAA
Diagram: Connection Profile "SMS" -> AAA Server Groups SMS (RADIUS) and AD (LDAP) -> Group Policy (Default Group Policy, Coach, IT Support; chosen via an LDAP map, e.g. memberOf Coaches) -> DAP-1, DAP-2 ... DAP-N (selected on memberOf Fans, Posture: ..., etc.)
Dynamic Access Policies override certain attributes from the Group Policy depending on AAA attributes, Posture, Connection Profile...
-
Configuring DAP
Selection criteria, for example:
- If member of Coaches
- logged on with certificate...
- and Prelogin Policy is "Corporate Windows"
- Registry Key exists
- Antivirus Updated...
Authorization attributes, for example an IPv4 ACL
- don't mix permit and deny in a DAP ACL: the ASA only accepts network ACLs that are all-permit or all-deny here, because the ACLs of every matched DAP are merged into one aggregated ACL for the session
-
Default DAP (DfltAccessPolicy)
Condition                                            ACL
SynchSwim                                            SwimSuit-Server
ITadmins w Clean Machine + Strong Authentication     ITadmins
Coaches w Clean PC                                   Tactics-Server
DfltAccessPolicy (if no DAP matches)                 Action = Terminate
If no DAP matches, then DfltAccessPolicy applies; here it is configured with Action = Terminate, so unmatched users get no access.
-
DAP Grows On You! (DAP accumulates)
Condition                                            ACL
SynchSwim                                            SwimSuit-Server
ITadmins w Clean Machine + Strong Authentication     ITadmins
Coaches w Clean PC                                   Tactics-Server
Matching several conditions accumulates access rights: a user who is in SynchSwim and is also a Coach with a clean PC gets SwimSuit-Server and Tactics-Server
-
The Power of DAP
Very flexible mapping to multiple "memberOf"
- Example : 4 groups in Directory (A, B, C, D)
- A user may be a member of 0 to 4 groups : 16 combinations (none; A; B; C; D; AB; AC; AD; BC; BD; CD; ABC; ABD; ACD; BCD; ABCD)
Quiz : How many DAP policies do you need to cover the 16 combinations?
Answer : 4, one per group, because DAP accumulates the ACLs of every matched record; a user in none of the groups falls through to DfltAccessPolicy
Condition (memberOf)   ACL
A                      ACL-A
B                      ACL-B
C                      ACL-C
D                      ACL-D
-
DAP with Quarantine
Possible to create a DAP (with ACL) that gives a user limited access to the network to remediate posture, after which he can "reconnect".
Used together with "Advanced Endpoint Assessment"
Remember that DAP accumulates ACL privileges: if the quarantined user also matches other DAPs, their ACLs are added and he may still get full access to the network. Make the "full access" DAPs require the same posture condition that the quarantine DAP negates.
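As an added worked example (not part of the session's slides and not Cisco code): a small Python model of how DAP selection and ACL aggregation behave, covering the quiz above (4 directory groups, 16 membership combinations, 4 DAP records), the DfltAccessPolicy fallback, the all-permit-or-all-deny ACL rule, and the quarantine caveat on this slide. Group names, DAP names, addresses and ACL entries are hypothetical, and the treatment of Action = Terminate (any selected record with Terminate ends the session) is a modelling assumption.

```python
"""Model of how the ASA selects DAP records and aggregates their ACLs.

Added illustration, not ASA code: group names, ACL entries and addresses are hypothetical.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Callable, Dict, List, Tuple


@dataclass
class Session:
    """What the ASA hands to DAP: AAA attributes (memberOf) and Host Scan posture."""
    member_of: frozenset
    av_updated: bool = False


@dataclass
class Dap:
    name: str
    matches: Callable[[Session], bool]             # selection criteria
    acl: List[str] = field(default_factory=list)   # network ACL entries granted when matched
    terminate: bool = False                        # Action = Terminate


def acl_is_uniform(acl: List[str]) -> bool:
    """ASA requires a DAP network ACL to be all-permit or all-deny; mixed ACLs are rejected."""
    actions = {entry.split()[0] for entry in acl}
    if not actions <= {"permit", "deny"}:
        raise ValueError(f"unknown ACL action in {acl}")
    return len(actions) <= 1


def evaluate(daps: List[Dap], session: Session, default: Dap) -> Dict[str, object]:
    """Select every matching DAP and accumulate their ACLs (union, order preserved).

    If nothing matches, DfltAccessPolicy applies. Modelling assumption: if any selected
    record has Action = Terminate, the session is terminated regardless of the others.
    """
    for d in daps:
        if not acl_is_uniform(d.acl):
            raise ValueError(f"DAP {d.name}: mixed permit/deny ACL")
    selected = [d for d in daps if d.matches(session)]
    if not selected:
        selected = [default]
    acl: List[str] = []
    for d in selected:
        for entry in d.acl:
            if entry not in acl:
                acl.append(entry)
    return {
        "selected": [d.name for d in selected],
        "terminate": any(d.terminate for d in selected),
        "acl": acl,
    }


# --- The quiz: 4 directory groups, 16 membership combinations, 4 DAP records ---
GROUPS: Tuple[str, ...] = ("A", "B", "C", "D")
GROUP_DAPS = [
    Dap(name=g, matches=(lambda s, g=g: g in s.member_of),
        acl=[f"permit ip any object-group ACL-{g}"])     # hypothetical object groups
    for g in GROUPS
]
DFLT = Dap(name="DfltAccessPolicy", matches=lambda s: True, terminate=True)


def coverage_of_group_daps() -> Dict[Tuple[str, ...], Dict[str, object]]:
    """Evaluate all 16 combinations: each user gets exactly the union of their groups' ACLs."""
    results = {}
    for n in range(len(GROUPS) + 1):
        for combo in combinations(GROUPS, n):
            results[combo] = evaluate(GROUP_DAPS, Session(member_of=frozenset(combo)), DFLT)
    return results


# --- The quarantine caveat: accumulation can widen a quarantine ACL ---
QUARANTINE = Dap(
    name="Quarantine",
    matches=lambda s: not s.av_updated,
    acl=["permit tcp any host 10.1.1.9 eq 443"],   # hypothetical remediation server only
)
TACTICS_NAIVE = Dap(
    name="Access-Tactics-Server",
    matches=lambda s: "Coaches" in s.member_of,                    # posture not checked
    acl=["permit ip any host 10.1.1.20"],
)
TACTICS_FIXED = Dap(
    name="Access-Tactics-Server",
    matches=lambda s: "Coaches" in s.member_of and s.av_updated,   # posture required
    acl=["permit ip any host 10.1.1.20"],
)


def quarantine_result(tactics_dap: Dap, av_updated: bool) -> Dict[str, object]:
    """A Coach with outdated AV: with the naive DAP the Tactics ACL leaks into quarantine."""
    session = Session(member_of=frozenset({"Coaches"}), av_updated=av_updated)
    return evaluate([QUARANTINE, tactics_dap], session, DFLT)


if __name__ == "__main__":
    for combo, res in sorted(coverage_of_group_daps().items(), key=lambda kv: (len(kv[0]), kv[0])):
        print(combo or ("none",), "->", "TERMINATE" if res["terminate"] else res["acl"])
    print("naive :", quarantine_result(TACTICS_NAIVE, False)["acl"])
    print("fixed :", quarantine_result(TACTICS_FIXED, False)["acl"])
```

Running it prints the ACL each of the 16 membership combinations receives (the empty combination is terminated by DfltAccessPolicy); the last two lines show the Tactics ACL leaking into the quarantined session with the naive DAP and staying out with the fixed one.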
-
DAP for Mobile Devices (iOS, Android)
"Mobile Posture Assessment"
-
DAP with Lua
The Lua (www.lua.org) scripting language, used for DAP advanced (logical expression) criteria, allows for advanced checks, e.g.
- check for any AV
- check for any AV, AS, Firewall
- regexp matching of hotfixes, DN etc
-
Lua examples (For Your Reference)
Check for Any Antivirus:
assert(function()
  -- endpoint.av is a table keyed by AV product; it is absent when Host Scan found none
  if type(endpoint.av) ~= "table" then
    return false
  end
  for k, v in pairs(endpoint.av) do
    -- EVAL is the ASA-supplied comparison helper; v.exists is "true" when the product is installed
    if EVAL(v.exists, "EQ", "true", "string") then
      return true
    end
  end
  return false
end)()

Check for Any Antivirus, Firewall or AntiSpyware:
assert(function()
  -- true if any product in the given Host Scan table reports exists == "true"
  local function check(antix)
    if type(antix) == "table" then
      for k, v in pairs(antix) do
        if EVAL(v.exists, "EQ", "true", "string") then
          return true
        end
      end
    end
    return false
  end
  -- av = antivirus, fw = personal firewall, as = antispyware
  return check(endpoint.av) or check(endpoint.fw) or check(endpoint.as)
end)()
-
Lua check that User is Connecting with the "right" device
Inputs:
- Device ID as signaled by AnyConnect "Mobile Posture" (endpoint.anyconnect.deviceuniqueid)
- Attribute read from LDAP where the mobile ID is stored (attribute "mobileid", available as aaa.ldap.mobileid)
Problem : A user with admin privileges may move a cert (and the private key) from an "approved" device to a non-approved one; the certificate alone then no longer proves which device is connecting.
Lua can detect this by comparing the device ID signalled by AnyConnect with
- the name in the certificate (if the certificate contains the device ID)
- an attribute from an LDAP lookup (requires device IDs to be stored in the LDAP server)
Caveat : the device ID is reported by the client, so this raises the bar against moved certificates but is not a hardware attestation.

-- Select this DAP only when the ID reported by AnyConnect equals the ID stored for the user in LDAP (case-insensitive)
EVAL(endpoint.anyconnect.deviceuniqueid, "EQ", aaa.ldap.mobileid, "caseless")
-
Troubleshooting DAP : debug dap trace
LDAP info:
DAP_TRACE: DAP_open: CD923B10
DAP_TRACE: Username: [email protected], aaa.ldap.objectClass.1 = top
......
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["1"]="Coaches"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["1"], value = "Coaches"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["2"]="ITadmins"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["2"], value = "ITadmins"
......
Posture (subset):
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.os.version="Windows 7"
DAP_TRACE: name = endpoint.os.version, value = "Windows 7"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.os.servicepack="Service Pack 1"
DAP_TRACE: name = endpoint.os.servicepack, value = "Service Pack 1"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].version, value = "7"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.fw["MSWindowsFW"].enabled="ok"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].enabled, value = "ok"
......
Result:
DAP_TRACE: Username: [email protected], Selected DAPs: ,Access-Tactics-Server,ITadmins
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: [email protected], DAP_close: CD923B10
-
Troubleshooting DAP : Monitoring/Session Details/ACL
ASDM Monitoring / Session Details / ACL shows, per user, the selected DAPs and the resulting ACL
Syslog %ASA-6-734001 records the selected DAPs per connection:
DAP: User [email protected], Addr 64.103.25.233, Connection AnyConnect: The following DAP records were selected for this connection: Access-Tactics-Server, ITadmins
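An added example for the two troubleshooting slides above (not Cisco code): Python that parses `debug dap trace` output and %ASA-6-734001 syslog messages into structured records, so the attributes DAP actually saw and the records it selected can be compared with what the policy designer expected, and sessions that fell through to DfltAccessPolicy can be listed. The sample lines are constructed from the formats shown on the slides; the usernames, addresses and the second user are hypothetical.

```python
"""Parse 'debug dap trace' output and %ASA-6-734001 syslog into structured records.

Added example for troubleshooting, not Cisco code. Sample lines are constructed from the
format shown on the slides; usernames, addresses and DAP names are hypothetical.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: CD923B10
DAP_TRACE: Username: coach1@example.test, aaa.ldap.objectClass.1 = top
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["1"]="Coaches"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["1"], value = "Coaches"
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["memberOf"]["2"]="ITadmins"
DAP_TRACE: name = aaa["ldap"]["memberOf"]["2"], value = "ITadmins"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.os.version="Windows 7"
DAP_TRACE: name = endpoint.os.version, value = "Windows 7"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].version, value = "7"
DAP_TRACE: name = endpoint.fw["MSWindowsFW"].enabled, value = "ok"
DAP_TRACE: Username: coach1@example.test, Selected DAPs: ,Access-Tactics-Server,ITadmins
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: coach1@example.test, DAP_close: CD923B10
"""

SAMPLE_SYSLOG = """\
%ASA-6-734001: DAP: User coach1@example.test, Addr 203.0.113.10, Connection AnyConnect: The following DAP records were selected for this connection: Access-Tactics-Server, ITadmins
%ASA-6-734001: DAP: User fan7@example.test, Addr 198.51.100.7, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
"""

_NAME_VALUE = re.compile(r'^DAP_TRACE: name = (?P<name>.+?), value = "(?P<value>.*)"$')
_SELECTED = re.compile(r'^DAP_TRACE: Username: (?P<user>[^,]+), Selected DAPs: (?P<daps>.*)$')
_COUNT = re.compile(r'^DAP_TRACE: dap_process_selected_daps: selected (?P<n>\d+) records$')
_SYSLOG = re.compile(
    r'%ASA-6-734001: DAP: User (?P<user>[^,]+), Addr (?P<addr>[^,]+), Connection (?P<conn>[^:]+): '
    r'The following DAP records were selected for this connection: (?P<daps>.*)$'
)


def _lua_path(name: str) -> str:
    """aaa["ldap"]["memberOf"]["1"] -> aaa.ldap.memberOf.1 (the dotted form used in Lua DAP checks)."""
    return re.sub(r'\["([^"]+)"\]', r'.\1', name)


def parse_dap_trace(text: str) -> Dict[str, object]:
    """Collect the attributes DAP saw for one session plus the records it selected."""
    session: Dict[str, object] = {"username": None, "attributes": {}, "selected": [], "record_count": None}
    for line in text.splitlines():
        m = _NAME_VALUE.match(line)
        if m:
            session["attributes"][_lua_path(m.group("name"))] = m.group("value")
            continue
        m = _SELECTED.match(line)
        if m:
            session["username"] = m.group("user")
            session["selected"] = [d for d in m.group("daps").split(",") if d]
            continue
        m = _COUNT.match(line)
        if m:
            session["record_count"] = int(m.group("n"))
    return session


def member_of(session: Dict[str, object]) -> List[str]:
    """Group names DAP received from LDAP, in the order the ASA numbered them."""
    attrs = session["attributes"]
    keys = sorted((k for k in attrs if k.startswith("aaa.ldap.memberOf.")),
                  key=lambda k: int(k.rsplit(".", 1)[1]))
    return [attrs[k] for k in keys]


def check_expected(session: Dict[str, object], expected: List[str]) -> Tuple[List[str], List[str]]:
    """Compare what DAP selected with what the policy designer intended: (missing, unexpected)."""
    got = set(session["selected"])
    return sorted(set(expected) - got), sorted(got - set(expected))


def parse_syslog(text: str) -> List[Dict[str, object]]:
    """One record per %ASA-6-734001 message."""
    events = []
    for line in text.splitlines():
        m = _SYSLOG.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "addr": m.group("addr"),
                "connection": m.group("conn"),
                "selected": [d.strip() for d in m.group("daps").split(",") if d.strip()],
            })
    return events


def fell_through_to_default(events: List[Dict[str, object]]) -> List[str]:
    """Users for whom only DfltAccessPolicy was selected: they matched no DAP record at all."""
    return [e["user"] for e in events if e["selected"] == ["DfltAccessPolicy"]]


if __name__ == "__main__":
    s = parse_dap_trace(SAMPLE_TRACE)
    print(s["username"], member_of(s), s["selected"], s["record_count"])
    print("missing/unexpected vs design:", check_expected(s, ["Access-Tactics-Server", "ITadmins", "Quarantine"]))
    print("fell through to DfltAccessPolicy:", fell_through_to_default(parse_syslog(SAMPLE_SYSLOG)))
```

In practice you would feed the real `debug dap trace` capture and the syslog export in; a non-empty "missing" list means a DAP you expected did not select (check its criteria against the printed attributes), and users in the fall-through list matched nothing and got whatever DfltAccessPolicy grants.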
-
Troubleshooting Hostscan Component
Enable the Debugging level at ASDM, then rerun the test on the problematic client
GOT DART? Collect a DART bundle (AnyConnect Diagnostic and Reporting Tool) from the problematic client; it gathers the AnyConnect and Host Scan logs for you
Check Host Scan log files on the problematic client
- libcsd.log
- cscan.log, detailed posture attributes
These are located at
- Windows : %LOCALAPPDATA%\Cisco\Cisco HostScan\log
- Mac/Linux : ~/.cisco/hostscan/log/
Examine Windows Event logs
-
Agenda : Securing the Client
-
(No) Split Tunnelling Policy
Determines whether to allow traffic outside of the tunnel
Defined under Group Policy; the default is to tunnel all networks (no split tunneling), so direct IPv4 Internet access from the client is DENIED while the tunnel is up
-
Note on Split Tunnelling Policy for mobile devices
Even with no Split Tunneling (Tunnel All Networks), certain traffic from mobile devices (e.g. iTunes) goes outside the tunnel, so "Tunnel All" on a mobile device does not guarantee that every flow is DENIED a direct path
-
No Split Tunneling but Allow Local LAN Access
Possible to allow split tunneling to the "Local LAN" without knowing its IP address in advance
- Split tunnel policy "Exclude Network List Below" with a network list containing the special entry 0.0.0.0/32 (host 0.0.0.0), which AnyConnect resolves to the client's local subnet at connect time
- The AnyConnect client profile must also have "Allow Local LAN Access" enabled (optionally user controllable); if either side is missing, local LAN traffic is still tunnelled
-
Seamless Security with Always-On
Diagram: Coaches on the Internet are forced through the ASA5505 to reach fileshare and web
Force (some) users to always be connected over VPN when off-premises
- works on Windows, Mac
Objective #1: Increased Security if surfing out via Enterprise Proxy
- WCCP or Explicit Proxy (centrally configured at ASA)
Objective #2 : Seamless, simple user experience
- Automatic Connection, "I am always at work"
-
AnyConnect Client Profile with Always-On
Define conditions for Trusted Network Detection (DNS Servers and Domain)
Define Always-On (don't forget the Server List)
Define Connection Failure Policy : Open or Closed
- Balance Security Requirements vs Risk of No Network...
- If Closed, specify if traffic will be allowed for X minutes if a Captive Portal is detected
- "Last VPN Local Resource Rules" : the last client firewall rules received from the ASA stay in force while the tunnel is down
Example: No traffic if the tunnel cannot be established, except if a Captive Portal is detected
-
Disabling Always-On with DAP
Always-On can be disabled by DAP
AnyConnect will remember this setting when disconnected
-
Agenda : Customizing the User Experience
-
Seamless Office Experience by Start-Before-Logon
Diagram: 1. VPN Connection to the ASA, 2. Domain Logon to AD over the tunnel (fileshare reachable afterwards)
Allows (some) Windows users to connect VPN before logging into the computer
Why? Allow domain logon, GPOs, logon scripts, password changes, etc...
Can be used with or without Always-On
-
Configuring SBL in Client Profile
May be made user controllable
Note : Client certificates in the User Store are typically not accessible before logon
(the user profile is not loaded and there is no knowledge of who the user is).
Client certificates on Smart Cards work, as do certificates in the Machine Store!
-
Running Scripts after Connect and Disconnect
Diagram: after the VPN connection is established, an OnConnect script runs "net use q: ..." to map a drive to the fileshare; an OnDisconnect script undoes it
Runs a predefined script when (some) users connect to (or disconnect from) the VPN
Any native script language understood by the client ( *.vbs, *.sh etc)
Script can be downloaded from the ASA, or distributed by some other means
Why?
- Allow mapping of drives, GPO update when SBL is not possible (e.g. behind a captive portal).
- Also works on non domain members, including Mac, Linux
-
Configuring Scripting
Enable Scripting in AnyConnect Client Profile
Optionally : Import script to ASA for download to all clients
Alternatively, use other means of putting the script in the script directory for desired clients
-
On the Client : The Scripts Folder
AnyConnect executes the script in the scripts folder whose filename starts with "OnConnect" / "OnDisconnect" after VPN connection / disconnection.
Only one script is executed per event, but that script can launch other scripts
Troubleshooting : Check that the script exists in the folder and that the AnyConnect Profile allows scripting.
Check that the script executes ok when invoked from the local machine (permissions etc).
Security note : anyone who can write to the scripts folder gets code execution on every connect, so keep the folder writable by administrators only.
-
Example Scripts on CCO For Your Reference
-
Customizing AnyConnect Look and Feel
Customizable image files, e.g. status_ico_good.png, cues_bg.jpg, company_logo.png, minimize.png
AnyConnect GUI and user-facing messages can be customized/translated
Images must follow sizing and naming conventions (depending on OS)
- consult documentation for details
Translations of text strings are created per language (e.g. en-US, fr, de, sv...)
- the client uses its current display language
- example on the slide: a translated text message (sv)
-
Message Customization using Language Templates
User-facing messages can be translated based on language templates
Matches the active display language on the client
Compiled translation files (AnyConnect.mo) are downloaded from the ASA to
- Windows : %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\<language>\LC_MESSAGES\
- Mac/Linux : /opt/cisco/anyconnect/l10n/<language>/LC_MESSAGES/
The template you edit is the text form, one entry per message:
msgid = original text
msgstr = translated text
The edited file is imported into the ASA as a customization for a particular language
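An added example (not Cisco code) that parses the msgid/msgstr text form of a language template described above into a lookup table with gettext fallback semantics (an empty msgstr means "show the original text"), and lists entries still untranslated before the file is imported. The Swedish fragment is constructed; the message strings are hypothetical and not AnyConnect's actual message IDs.

```python
"""Parse a gettext-style language template (msgid/msgstr pairs) into a lookup table.

Added example, not Cisco code: the fragment below is constructed and the Swedish strings
are hypothetical. The ASA delivers the compiled AnyConnect.mo to clients; this reads the
text form that an administrator edits and imports.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_PO = r'''
# Constructed sv (Swedish) template fragment
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Language: sv\n"

msgid "Connected"
msgstr "Ansluten"

# a long message split over continuation lines
msgid "Connection attempt has failed. "
"Please contact your administrator."
msgstr "Anslutningsförsöket misslyckades. "
"Kontakta din administratör."

# left untranslated on purpose: the client falls back to the msgid
msgid "VPN Connect"
msgstr ""
'''

_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def _unquote(literal: str) -> str:
    """Strip the quotes of one PO string literal and decode its backslash escapes."""
    literal = literal.strip()
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError(f"not a quoted string: {literal!r}")
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), literal[1:-1])


def parse_po(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (header, {msgid: msgstr}); the entry with the empty msgid is the header."""
    entries: Dict[str, str] = {}
    key = None                       # "msgid" or "msgstr" currently being accumulated
    cur = {"msgid": "", "msgstr": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank line or comment
        if line.startswith("msgid "):
            if key == "msgstr":      # previous entry is complete
                entries[cur["msgid"]] = cur["msgstr"]
                cur = {"msgid": "", "msgstr": ""}
            key = "msgid"
            cur[key] += _unquote(line[len("msgid "):])
        elif line.startswith("msgstr "):
            if key != "msgid":
                raise ValueError("msgstr without preceding msgid")
            key = "msgstr"
            cur[key] += _unquote(line[len("msgstr "):])
        elif line.startswith('"') and key is not None:
            cur[key] += _unquote(line)   # continuation of the current string
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if key == "msgstr":
        entries[cur["msgid"]] = cur["msgstr"]
    header = entries.pop("", "")
    return header, entries


def translate(catalog: Dict[str, str], message: str) -> str:
    """Lookup with gettext semantics: an empty or missing msgstr yields the original text."""
    return catalog.get(message) or message


def untranslated(catalog: Dict[str, str]) -> List[str]:
    """Message IDs that still need a translation before the template is imported."""
    return sorted(k for k, v in catalog.items() if not v)


if __name__ == "__main__":
    header, catalog = parse_po(SAMPLE_PO)
    print(repr(header))
    for msg in ("Connected", "VPN Connect"):
        print(msg, "->", translate(catalog, msg))
    print("still untranslated:", untranslated(catalog))
```

Running `untranslated` over a real template before import is a cheap way to catch messages that will silently show up in English on clients set to that language.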
-
Summary
Strong authentication and Granular Access Control with AAA and DAP
Secure the Client
Seamless User Experience
Find Balance between Requirements and Complexity (testing, maintenance)
Good security and networking skills are essential, but also knowledge of adjacent technologies such as Active Directory, LDAP and PKI as well as different client platforms
-
Recommended Reading
Please visit the Cisco Store for suitable reading.
-
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation
(available from Thursday) to receive your Cisco Live T-shirt
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite
which can also be accessed through the screens at the Communication Stations
Or use the Cisco Live Mobile App to complete the
surveys from your phone, download the app at
www.ciscolivelondon.com/connect/mobile/app.html
We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code
(Go to http://tinyurl.com/qrmelist for QR code reader
software, alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations
-
Thank you.