Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Administering AnyConnect for Android Devices

Table Of Contents

Administering AnyConnect for Android Devices

Supported Mobile Devices

AnyConnect for Samsung Devices

AnyConnect for HTC Devices

AnyConnect for Lenovo Devices

AnyConnect for Motorola Devices

AnyConnect for Kindle Devices

AnyConnect for Android VPN Framework Devices

AnyConnect for Rooted Devices

AnyConnect Features Supported on Android Devices

Adaptive Security Appliance Requirements

ASA Release Requirements

ASA License Requirements

Restricting Android Mobile Connections

Recommended ASA Configurations

Using Split-Include to allow MMS/HIPRI activity on the device

Using Multiple Tunnel Groups

Disabling or Minimizing the Impact of Keepalive Messages

Configuring Mobile Posture on the Secure Gateway

Installing and Upgrading AnyConnect on Android Devices

AnyConnect Configuration and Deployment

Overview

Configuring Mobile Device Connections

Mobile-specific Attributes in the AnyConnect VPN Client Profile

Deploying VPN Client Profiles

Installing Certificates on Android Devices

Localizing AnyConnect Interface and Messages

Pre-packaged Localization

Additional Localization

User Localization Management

Using the URI Handler to Automate AnyConnect Actions

External Control of URI AnyConnect Commands

Using the URI Handler to Generate a VPN Connection Entry

Using the URI Handler to Establish a VPN Connection

Provide the Connection Name and Host Name in a URI

Provide Connection Information and Prefill a Username and Password in a URI

Provide Connection Information and Prefill Usernames and Passwords for Double Authentication

Provide Connection Information, Prefill a Username and Password, and Specify a Connection Profile Alias

Connect Parameter and Syntax Descriptions

Using the URI Handler to Disconnect from a VPN

Using the URI Handler to Localize the AnyConnect UI and Messages

Using the URI Handler to Import Certificates

HTML Hyperlink Examples

Using the URI Handler to Import a VPN Client Profile

Troubleshooting


Administering AnyConnect for Android Devices


This chapter provides you with support information, system requirements, installation information as well as other administrative tasks specific to AnyConnect 2.5 for Android devices:

Supported Mobile Devices

AnyConnect Features Supported on Android Devices

Adaptive Security Appliance Requirements

Recommended ASA Configurations

Installing and Upgrading AnyConnect on Android Devices

AnyConnect Configuration and Deployment

Localizing AnyConnect Interface and Messages

Using the URI Handler to Automate AnyConnect Actions

Troubleshooting

Supported Mobile Devices

AnyConnect supports devices from the following manufacturers:

AnyConnect for Samsung Devices

AnyConnect for HTC Devices

AnyConnect for Lenovo Devices

AnyConnect for Motorola Devices

AnyConnect for Kindle Devices

Cisco also provides:

AnyConnect for Android VPN Framework Devices

AnyConnect for Rooted Devices

AnyConnect for Samsung Devices

Samsung AnyConnect Release 2.5.5131 and Samsung AnyConnect Legacy Release 2.5.5125 support the Samsung product lines listed below. The devices must be running the latest software update from Samsung and the identified Android releases. See the installation instructions in the AnyConnect for Android User Guide to determine which package applies to your device.

Product | Android Release | Model Numbers
ACE+ | (not specified) | GT-S7500, GT-S7500L, GT-S7500W
Galaxy Beam | (not specified) | GT-I8530
Galaxy Note | (not specified) | GT-N7000, GT-I9220
Galaxy Mini | (not specified) | GT-S5570, GT-S5570B, GT-S5570BD1, GT-S5570L, GT-S5578, SCH-I559, SGH-T499, SGH-T499V, SGH-T499Y
Galaxy S | 2.3.3 or later | GT-I9000, GT-I9000B, GT-I9000L, GT-I9000LD1, GT-I9000M, GT-I9000T, GT-I9001, GT-I9003, GT-I9003B, GT-I9003L, GT-I9008, GT-I9008L, GT-I9018, GT-I9088, GT-I9070, GT-I9070P, SC-02B, SCH-I400, SCH-I405, SCH-I500, SCH-I809, SCH-I909, SGH-I896, SGH-I897, SGH-I927, SGH-I997R, SGH-N013, SGH-T759, SGH-T959, SGH-T959D, SGH-T959P, SGH-T959V, SGH-T959W, SHW-M100S, SHW-M110S, SHW-M130K, SHW-M130L, SHW-M190S, SHW-M220L, SHW-M340K, SHW-M340L, SHW-M340S, SPH-D720
Galaxy S II | 2.3.3 or later | GT-I9100, GT-I9100G, GT-I9100M, GT-I9100T, GT-I9100P, GT-I9103, GT-I9108, GT-I9210, GT-I9210T, SC-02C, SC-03D, SCH-I510, SCH-I919, SCH-I919U, SCH-J001, SCH-W999, SGH-I727, SGH-I727R, SGH-I757M, SGH-I777, SGH-N033, SGH-N034, SGH-T989, SHV-E110S, SHV-E120K, SHV-E120L, SHV-E120S, SHW-M250K, SHW-M250L, SHW-M250S, SPH-D170
Galaxy S III | 4.0 or later | GT-I9300, SCH-I535, SGH-I747, SGH-T999, SPH-L710
Galaxy Tab 7 (WiFi only) [1] | 2.3.3 or later | GT-P1000, GT-P1000M, GT-P1000R, GT-P1010, SC-01C, SCH-I800
Galaxy Tab 7.0 Plus | (not specified) | GT-P6200, GT-P6210
Galaxy Tab 7.7 | (not specified) | GT-P6800, SCH-I815
Galaxy Tab 8.9 | 3.0 or later | GT-P7300, GT-P7310
Galaxy Tab 10.1 | 3.1 or later with Samsung TouchWiz updates | GT-P7300, GT-P7310, GT-P7500, GT-P7500D, GT-P7500M, GT-P7500R, GT-P7510, SC-01D
Galaxy W | (not specified) | GT-I8150, SGH-T679
Galaxy Xcover | (not specified) | GT-S5690
Galaxy Y Pro | (not specified) | GT-B5510B, GT-B5510L
Illusion | (not specified) | SCH-I110
Infuse | (not specified) | SCH-I997
Stratosphere | (not specified) | SCH-I405

[1] The Sprint distribution of the Samsung Galaxy Tab 7 mobile device is not supported.



Note Samsung rebrands devices in these product lines for each mobile service provider.


AnyConnect for HTC Devices

HTC AnyConnect Release 2.5.5125 supports the HTC product lines listed at http://www.htcpro.com/enterprise/VPN, if they are running Android release 2.1-3.0 (Eclair-Honeycomb). These devices must be running at least the minimum software version listed there. Go to Settings > About phone > Software information > Software number to determine the software number running on your device.

AnyConnect ICS+ Release 2.5.5125 must be used on the following HTC devices if they are running, or have been upgraded to, Android 4.0 (Ice Cream Sandwich) or later. If the HTC device was upgraded while HTC AnyConnect was installed, uninstall the HTC AnyConnect app and restart the device before downloading the AnyConnect ICS+ app.

HTC Rhyme S510b

HTC ADR6330VW

HTC Vivid

HTC EVO Design 4G

HTC ThunderBolt ADR6400L

HTC Sensation XE

HTC Sensation

HTC Amaze 4G

HTC Sensation XL with Beats Audio

HTC EVO 3D

HTC EVO 3D X515m

HTC X515d

HTC ADR6425LVW

The HTC Raider, also known as the HTC Holiday, does not work with Cisco AnyConnect. Cisco and HTC are working to address this issue, and on allowing the HTC AnyConnect app to work on all HTC devices, regardless of the Android release they are running.

AnyConnect for Lenovo Devices

Lenovo AnyConnect Release 2.5.5125 supports the Lenovo ThinkPad tablet product, provided the device is running the latest software update from Lenovo.

AnyConnect for Motorola Devices

Motorola AnyConnect Release 2.5.5125 supports the following Motorola product lines, provided the devices are running the latest software update from Motorola:

Product | Minimum Software Required
ATRIX 2 | 55.13.25
XYBOARD | (not specified)
RAZR | 6.12.173
RAZR MAXX | 6.12.173
DROID 4 | 6.13.215


AnyConnect for Kindle Devices

Cisco AnyConnect Release 2.5.5125 is available from Amazon for the Kindle Fire HD devices and the new Kindle Fire, which ship in mid-September 2012. AnyConnect for Kindle is supported by the Android VPN Framework and is equivalent in functionality to the AnyConnect ICS+ package.

AnyConnect for Android VPN Framework Devices

AnyConnect ICS+ Release 2.5.5125 offers VPN connectivity supported by the Android VPN Framework (AVF) in Android 4.0 (Ice Cream Sandwich) or later.

AVF provides only basic VPN connectivity. The AnyConnect AVF client, dependent upon these basic VPN capabilities, is unable to provide the full set of VPN features available in the brand-specific packages.


Note Cisco recommends the AnyConnect AVF client for unsupported devices running Android 4.0 or later. Supported devices should use the brand-specific AnyConnect client regardless of the version of the Android operating system.


AnyConnect for Rooted Devices

Cisco provides Rooted AnyConnect Release 2.5.5125 for rooted Android mobile devices running Android 2.1 or later, for preview and testing purposes only. Cisco does not support this client, but it works on most rooted devices running 2.1 or later. If you encounter issues, report them to android-mobile-feedback@cisco.com; Cisco will make its best effort to resolve them.

Both a tun.ko module and iptables are required. AnyConnect displays an error message informing you about what is missing when you attempt to establish a VPN connection. If the tun.ko module is missing, obtain or build it for your corresponding device kernel and place it in the /data/local/kernel_modules/ directory.


Caution Rooting your device could void your device warranty. Cisco does not support rooted devices, nor do we provide instructions to root your device. If you choose to root your device, you do so at your own risk.

AnyConnect Features Supported on Android Devices

Table 10-1 lists the features in the following AnyConnect 2.5.x for Android packages.

Android Brand-specific AnyConnect

For supported devices, Cisco provides brand-specific AnyConnect packages that offer a full-featured VPN experience across Android operating systems. These brand-specific AnyConnect packages are provided in partnership with device vendors and are the preferred AnyConnect clients for supported devices.

Android VPN Framework AnyConnect

For other Android devices unable to use the brand-specific AnyConnect packages above, Cisco provides an AnyConnect client that offers VPN connectivity supported by the Android VPN Framework (AVF) introduced in Android 4.0 (Ice Cream Sandwich). AVF provides only basic VPN connectivity. The AnyConnect AVF client, dependent upon these basic VPN capabilities, is unable to provide the full set of VPN features available in the device-specific packages. These discrepancies are shown in the table.

Android Rooted AnyConnect

Cisco also provides an AnyConnect package for rooted Android devices equivalent in functionality to the brand-specific packages. This package works on most rooted devices running Android 2.1 or later. Brand-specific AnyConnect packages do not work on rooted devices; therefore you must use the rooted version of AnyConnect on rooted devices.

Table 10-1 AnyConnect Android Features

Columns: AnyConnect Feature | Android Brand-Specific AnyConnect Packages | Android VPN Framework and Kindle AnyConnect Packages

Tunneling
TLS/DTLS | Yes | Yes
IKEv2 - NAT-T | No | No
IKEv2 - raw ESP | No | No
Suite B support | No | No
TLS compression | Yes | Yes
Dead peer detection | Yes | Yes
Tunnel keepalive | Yes | Yes

Tunnel Establishment
Optimal Gateway Selection | No | No
VPN load balancing | Yes | Yes
Backup server list | Yes | Yes
Activate a Host Entry on profile import | Yes | Yes
URI connect credential pre-fill | Yes | Yes

Tunnel Policy
All/full tunnel | Yes | Yes
Split tunnel (split include) | Yes | Yes
Local LAN (split exclude) | Yes | No
Split-DNS | Yes | Works with split include
Always-on enforcement | No | No
Auto-reconnect: maintains the VPN as users move between 3G and WiFi networks | Yes | Yes
VPN on-demand (triggered by destination) | No | No
VPN on-demand (triggered by application) | No | No
Trusted network detection (TND) | Yes | No
Rekey | Yes | Yes
ASA group profile support | Yes, limited | Yes, limited
IPv4 public transport | Yes | Yes
IPv6 public transport | No | No
IPv4 over IPv4 tunnel | Yes | Yes
IPv6 over IPv4 tunnel | Yes | Yes
Default Domain | Yes | Yes
DNS server configuration | Yes | Yes
Private-side proxy support | No | No; WiFi proxies are disabled when the VPN is established
Pre-login banner | Yes | Yes
Post-login banner | Yes | Yes
Scripting | No | No
Reconfigure VPN | Yes | Yes

Tunnel Security
Network change monitoring | Yes | Yes
Shim intercept/filtering | No | No
Embedded firewall rules | No | No
Filter Support (iptables) | Yes | No

Authentication
Manual certificate import (get certificate) | Yes | Yes
SCEP enrollment | Yes | Yes
Automatic certificate selection | Yes | Yes
Manual certificate selection | Yes | Yes
Non-exportable certificate | N/A | N/A
Smart card support | No | No
Username and password | Yes | Yes
Tokens/challenge | Yes | Yes
Double authentication | Yes | Yes
Group selection | Yes | Yes
Credential Prefill | Yes | Yes
Save password | No | No

User interface
Standalone GUI | Yes | Yes
Native OS GUI | No | No
CLI | No | No
API | Yes, Java not C++ | Yes, Java not C++
UI customization | Yes (themes) | Yes (themes)
UI Localization | Yes | Yes
User Preferences | Yes | Yes
Certificate Confirmation Reasons | Yes | Yes
Home screen widgets for one-click VPN access | Yes | Yes
Paused icon when connection suspended for TND | Yes | Yes
Hide AnyConnect icon when idle | Yes | Yes
Launch on startup of mobile device | Yes | Yes
Exit AnyConnect | Yes | Yes
User Certificate Management | Yes | Yes
User Profile Management | Yes | Yes
User Localization Management | Yes | Yes

Deployment
WebLaunch (browser-initiated) | No | No
Web redirect to application store | No | No
Standalone installer | No | No
Preinstalled by OEM | No | No
Install or Upgrade from the ASA | No | No
Install or upgrade from Android Market | Yes | Yes
Pre-packaged localization for some languages | Yes | Yes

Configuration
XML Client Profile import on connect | Yes | Yes
URI handler support for importing XML Client Profile | Yes | Yes
User configured connection entries | Yes | Yes

Posture Assessment
Device check (pin lock, encryption, etc.) | No | No
Running or installed apps | No | No
Serial number or unique ID check | No | No
Mobile Posture | Yes | Yes

URI Handling
Add connection entry | Yes | Yes
Connect to a VPN | Yes | Yes
Credential pre-fill on connect | Yes | Yes
Disconnect VPN | Yes | Yes
Import certificate | Yes | Yes
Import localization data | Yes | Yes
Import XML client profile | Yes | Yes
External (user) control of URI commands | Yes | Yes

Troubleshooting
Statistics | Yes | Yes
Logging | Yes | Yes
Email statistics, log messages and system information | Yes | Yes
Direct feedback to Cisco | Yes | Yes
DART | No | No

Certifications
FIPS 140-2 Level 1 | No | No
Common criteria | No | No


Adaptive Security Appliance Requirements

ASA Release Requirements

See the Adaptive Security Appliance VPN Compatibility Reference for the ASA models that support the Cisco AnyConnect Secure Mobility Client for Android and for a complete list of compatibility requirements.

Table 10-2 shows the minimum Cisco ASA 5500 software images that support AnyConnect.

Table 10-2 Software Images that Support AnyConnect, Release 2.5 for Android

Image Type | Version
ASA Boot image | 8.0(3) or later
Adaptive Security Device Manager (ASDM) | 6.1(3) or later



Note Any Cisco router running Cisco IOS version 15.1(1)T or later also supports the Cisco AnyConnect Secure Mobility client for Android.


ASA License Requirements

AnyConnect for Android connections require the following licenses on the ASA:

One of the following AnyConnect core license options:

Cisco AnyConnect Essentials license (L-ASA-AC-E-55XX=), sufficient for ASA Release 8.2 or later.

Cisco AnyConnect Premium Clientless SSL VPN Edition license (L-ASA-AC-SSL-YYYY=), required for ASA Releases 8.0(3) or later.

AnyConnect Mobile license (L-ASA-AC-M-55XX=).

The XX in the license code represents the last two digits of your ASA model number. The YYYY represents the number of simultaneous users.

The AnyConnect Essentials and AnyConnect Premium licenses are mutually exclusive on a single ASA, but you can configure a mixed network; the AnyConnect Mobile license is required in addition to whichever of the two you install. The AnyConnect Essentials and AnyConnect Mobile licenses are nominally priced. We offer the following trial options:

If you have an AnyConnect Essentials or Premium license and you would like to obtain a three-month trial Mobile AnyConnect license, go to the following website: https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717

If you would like to obtain both an AnyConnect Essentials or Premium license and an AnyConnect Mobile license, or you have questions about licensing, email us a request with the show version output from your ASA to ac-mobile-license-request@cisco.com.

For brief descriptions and example product numbers (SKUs) of the AnyConnect user license options, see Cisco Secure Remote Access: VPN Licensing Overview.

For the latest details about the AnyConnect user license options, see "Managing Feature Licenses" in the latest Cisco ASA 5500 Series Configuration Guide.

Restricting Android Mobile Connections

ASAs running release 8.2(5) or later, or 8.4(2) or later, feature AnyConnect Mobile Posture for mobile device detection. Mobile Posture lets you accept or restrict mobile connections without Cisco Secure Desktop; earlier releases require Cisco Secure Desktop.

Mobile Posture requires an AnyConnect Premium and an AnyConnect Mobile license.

Table 10-3 AnyConnect Requirements for ASA Releases

Columns: Requirement | ASA Release 8.2(5+) and 8.4(2) and later [1] | ASA Releases 8.0(4) - 8.2(4), and 8.4(1)

Cisco Secure Desktop enabled? | Not required | Yes

Dynamic access policy (DAP) endpoint configuration:

For ASA Release 8.2(5+) and 8.4(2) and later: Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add or Edit > Add to the right of the Endpoint Attributes table, change the Endpoint Attribute Type to AnyConnect, and change the Platform to Android. ASDM displays a drop-down list next to Device Type; however, the drop-down options are not supported. Enter the model name into the Device Type field. Add one endpoint attribute to a DAP for each device to assign a policy to it. Use the tabs in the Access/Authorization Policy Attributes section of the Add or Edit Dynamic Access Policy window to continue, terminate, or impose restrictions on Android connections.

For ASA Releases 8.0(4) - 8.2(4), and 8.4(1): Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add or Edit, click Advanced, and enter the following line into the Logical Expressions box to grant, restrict, or deny access to Android connections:

EVAL(endpoint.os.version, "EQ", "Android", "string")

Use the tabs in the Access/Authorization Policy Attributes section of the Add or Edit Dynamic Access Policy window to continue, terminate, or impose restrictions on Android connections.

Note: The Android user sees the message entered in the message box on the Action tab of the ASDM Add or Edit Dynamic Access Policy window only if the regular expression fails to match.

[1] If you already have AnyConnect Premium and Cisco Secure Desktop, and the ASA is running 8.0(4) or later, you have the option to add the logical expression shown for the earlier releases instead.


Recommended ASA Configurations

Using Split-Include to allow MMS/HIPRI activity on the device


Note This recommendation applies to AnyConnect 2.5.5131 and later. Prior releases do not allow MMS/HIPRI activity at all. When AnyConnect does not allow this activity due to the package version, or the ASA configuration, the user will be notified. See Responding to MMS/HIPRI Notifications in the Android User Guide.


A user will be unable to retrieve or send Multimedia Messaging Service (MMS) messages, or use a High Priority (HIPRI) data service on the device, unless a split-include policy is configured for the intended VPN traffic. A split-include configuration sends only the listed networks through the tunnel and allows other traffic not intended for the VPN, including MMS and HIPRI, to flow normally.

Using Multiple Tunnel Groups

For the best user experience, Cisco recommends using multiple AnyConnect connection profiles, also called tunnel groups, for mobile devices, depending on the authentication configuration. You will have to decide how best to balance user experience with security.

For AAA-based authentication tunnel groups for mobile devices, the tunnel group should have a very long idle-timeout, such as 24 hours, to let the client remain in a reconnecting state without requiring the user to re-authenticate.

Disabling or Minimizing the Impact of Keepalive Messages

We recommend increasing the keepalive update interval or disabling keepalive messages to conserve the battery life of mobile devices. To access the Keepalive Messages parameter, use ASDM to go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Advanced > AnyConnect Client.

It is also recommended that you enable client-side dead peer detection to let AnyConnect determine when the quality of transmission is too low, or the peer is unavailable, to continue sending traffic over the VPN connection.

Configuring Mobile Posture on the Secure Gateway

You can configure dynamic access policies (DAP) based on these attributes of a mobile device:

Client Version — The AnyConnect client version.

Platform — The operating system including Android and Apple iOS.

Platform Version — The operating system version number.

Device Type — The mobile device type, such as iPad or Samsung GT-I9000.

Device Unique ID — The mobile device's unique ID.


Note Mobile Posture requires an AnyConnect Premium License on the ASA, see Cisco Secure Remote Access: VPN Licensing Overview for AnyConnect licensing information.


For complete instructions, see Adding Mobile Posture Attributes to a DAP in Cisco 5500 Series Configuration Guide using ASDM, 6.4 or see Add/Edit Endpoint Attributes in Cisco Security Appliance Configuration Guide using ASDM, 6.2.

Installing and Upgrading AnyConnect on Android Devices

AnyConnect for Android devices is available from the Android Market only; it cannot be downloaded from the ASA. For instructions on downloading the appropriate AnyConnect package for an Android device, see the Android User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.5. This user guide also contains a description of the Android client interface and all user activities.

AnyConnect Configuration and Deployment

Overview

The AnyConnect VPN Client Profile is an XML file that specifies client behavior and identifies VPN connections. Each connection entry in the VPN Client Profile specifies a secure gateway that is accessible to the endpoint device as well as other connection attributes, policies and constraints. These connection entries, in addition to the VPN connections the user configures locally on the mobile device, are listed on the AnyConnect home screen to choose from when initiating a VPN connection.

Administrators use the AnyConnect Profile Editor to edit the VPN Client Profile XML file, configuring connection entries and client features for mobile devices. Administrators choose how to distribute the client profile by configuring the ASA to upload a client profile onto the mobile device upon VPN connectivity, by providing the user with an AnyConnect URI link to import a client profile, or by defining a procedure for the user to manually import a client profile. See the AnyConnect Administrators Guide for details and procedures on configuring and deploying Client Profiles.


Note AnyConnect retains only one VPN Client Profile on the Android device at a time. The following are some key scenarios that cause the current Profile, if it exists, to be replaced or deleted.

Manually importing a profile will replace the current profile with the imported profile.

Upon startup of an automatic or manual VPN connection the new connection's profile will replace the current profile.

If a VPN connection does not have a profile associated with it, the existing profile will be deleted upon startup of that VPN.


Configuring Mobile Device Connections

Use the AnyConnect Profile Editor 3.0.1047 or later to create a VPN client profile that includes host connection entries for Android devices. The Profile Editor can be used as a standalone tool, and it can be downloaded from Cisco.com. To download Profile Editor:


Step 1 Connect to the AnyConnect Secure Mobility Client page on Cisco.com and click Download Software.

Step 2 Expand the All Releases and 3.0 directories and select 3.0.1047 or a later version of AnyConnect.

Step 3 In the column on the right, look for a file with the naming convention, anyconnect-profileeditor-win-<version>-k9.exe. If you were downloading the AnyConnect Profile Editor released with AnyConnect 3.0.1047, you would find: anyconnect-profileeditor-win-3.0.1047-k9.exe.

Step 4 Click Download now and follow the instructions on the site to complete the download process.


After you have downloaded Profile Editor, see Configuring Connections for Mobile Devices in the AnyConnect Secure Mobility Client Administrator Guide, release 3.0 for instructions on how to configure connections for Android devices.

Mobile-specific Attributes in the AnyConnect VPN Client Profile

CertificatePolicy

The CertificatePolicy attribute associated with a connection entry specifies how certificates will be handled for this connection. Valid values are Automatic, Manual, or Disabled:

Automatic: AnyConnect enumerates all certificates on the client at connection time, matching them against the CertificateMatch rules in the profile and choosing the appropriate one.

Manual: AnyConnect tries to find a certificate on the mobile device to associate with the connection by applying the CertificateMatch rules when the client profile is imported. If one is found, the matched certificate is associated with the imported connection as if the user had manually selected it. If no matching certificate is found, the Certificate Policy will be reset to Automatic.

Disabled: This connection will not use certificates.

ActivateOnImport

The ActivateOnImport flag associated with a connection entry identifies the connection that will become active after the Client Profile is imported.

If more than one connection entry has this flag set, the AnyConnect client will set the first flagged connection entry as the active connection.

Deploying VPN Client Profiles

After creating the VPN client profile with the Android connection entries, choose how to distribute the client profile in one of the following ways:

Configuring the ASA to upload a client profile onto the mobile device upon VPN connectivity.

See Deploying the AnyConnect Profile for instructions on how to import the VPN client profile to the ASA and associate it with a group policy.

Providing the user with an AnyConnect URI link to import a client profile.

See Using the URI Handler to Import a VPN Client Profile for details.

Defining a procedure for the user to manually import a client profile.

See Import an AnyConnect Profile in the Android AnyConnect User Guide.

Installing Certificates on Android Devices

In order to authenticate the mobile device to the secure gateway using a certificate, end users must import a certificate onto their device and then associate that certificate with a connection entry. Certificates are imported using the following methods:

Hyperlink: See Using the URI Handler to Import Certificates for how to supply these hyperlinks.

SCEP: See Configuring Certificate Enrollment using SCEP for administrator procedures to configure this.

User Import: Using the Android UI, the user can import a certificate from the local file system.

See "Installing Certificates on Your Mobile Device" and "Viewing and Managing Certificates" in the User Guide for Cisco AnyConnect for Android.

Localizing AnyConnect Interface and Messages

Starting in release 2.5, AnyConnect Secure Mobility Client for Android supports localization, adapting the AnyConnect user interface and messages to the user's locale.

Pre-packaged Localization

The following language translations are included in the AnyConnect package:

Czech (cs-cz)

German (de-de)

Latin American Spanish (es-co)

Canadian French (fr-ca)

Japanese (ja-jp)

Korean (ko-kr)

Polish (pl-pl)

Simplified Chinese (zh-cn)

Localization data for these languages is installed on the Android device when AnyConnect is installed. The displayed language is determined by the locale specified in Settings > Language and Keyboard > Select locale. AnyConnect uses the language specification, then the region specification, to determine the best match. For example, after installation, a French-Switzerland (fr-ch) locale setting results in a French-Canadian (fr-ca) display. AnyConnect UIs and messages are translated as soon as AnyConnect starts. The selected localization is noted as Active in the AnyConnect Menu > Settings > Localization Management screen.

Additional Localization

From the ASA

For languages not in the AnyConnect package, administrators can add localization data to the ASA that is downloaded to the Android device upon AnyConnect VPN connectivity. See Localizing the AnyConnect GUI for instructions on configuring localization on an ASA.

All localization data files matching the device's language specification are downloaded to the device. AnyConnect then determines the best match based on the region specification. The selected localization data is used for translation immediately; AnyConnect does not have to be restarted for it to take effect. Users have the option to restore the installed localization data in the Localization Management screen.

If the ASA does not contain localization data for the device's locale, the installed localization data from the AnyConnect application package continues to be used.
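The two-stage selection the preceding paragraphs describe (language first, then region; ASA-supplied data before pre-packaged data) is easy to get wrong when testing a deployment, so here it is as an added Python example. This is not AnyConnect's code and not from the Cisco guide: PREPACKAGED is the list of translations the guide gives, the ASA file list is a constructed stand-in for what the gateway holds, and the fallback to built-in en-us strings when no package matches the device language is an assumption.

```python
"""Locale selection as the guide describes it: language first, then region.

Added example, not AnyConnect's code. PREPACKAGED is the list of
translations the guide gives. The fallback to built-in en-us strings when
nothing matches the device language is an assumption.
"""
from __future__ import annotations

PREPACKAGED = ["cs-cz", "de-de", "es-co", "fr-ca", "ja-jp", "ko-kr", "pl-pl", "zh-cn"]
BUILTIN = "en-us"  # assumed: the client's own strings when no package matches


def split_locale(tag: str) -> tuple[str, str]:
    """Return (language, region) from a tag such as fr-CH, fr_CH or fr."""
    language, _, region = tag.strip().lower().replace("_", "-").partition("-")
    return language, region


def best_match(device_locale: str, available: list[str]) -> str | None:
    """Pick the entry of `available` that fits `device_locale` best.

    Entries in another language are ignored. Among entries in the same
    language an exact region match wins; otherwise the first one listed is
    used, which is how an fr-CH device ends up with the fr-ca package.
    """
    language, region = split_locale(device_locale)
    same_language = [a for a in available if split_locale(a)[0] == language]
    if not same_language:
        return None
    for candidate in same_language:
        if split_locale(candidate)[1] == region:
            return candidate
    return same_language[0]


def select_localization(device_locale: str, asa_locales: list[str] | None = None) -> str:
    """Decide which localization data the client displays after connecting.

    `asa_locales` stands for the localization files the ASA holds. Every file
    in the device's language is downloaded and the best region match is used;
    only if the ASA has nothing for that language does the pre-packaged data
    stay in use, and only if that has nothing either do the built-in strings.
    """
    from_asa = best_match(device_locale, list(asa_locales or []))
    if from_asa is not None:
        return from_asa
    return best_match(device_locale, PREPACKAGED) or BUILTIN


if __name__ == "__main__":
    asa = ["fr-fr", "fr-ch", "de-at"]  # constructed ASA inventory
    for locale in ("fr-CH", "es_MX", "de-AT", "it-IT"):
        print(locale, "->", select_localization(locale), "/ with ASA:",
              select_localization(locale, asa))
```

Run it with the device locale you expect in the field before pushing localization data to the ASA; a device whose language has no package at all falls through to the built-in strings, not to a neighbouring language.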

URI Localization Support

An additional way to get localization data onto a user's device is for the administrator to provide the user with an AnyConnect URI for importing localization data. For example:

anyconnect://import?type=localization&host=asa.example.com&lang=ja-jp

See Using the URI Handler to Localize the AnyConnect UI and Messages for a full explanation.

User Localization Management

Android users can manage localization data on their own device in the Menu > Settings > Localization Management screen. Users can perform these localization activities:

Import localization data from a specified server. The user selects Server Localization Import and then specifies the address of the secure gateway and the locale. The locale is specified per ISO 639-1, with the country code added if applicable (for example, en-US, fr-CA, ar-IQ, and so on). This localization data is used in place of the pre-packaged, installed localization data.

Restore default localization data. Selecting Restore Localization restores the use of the pre-loaded localization data from the AnyConnect package and deletes all imported localization data.

Using the URI Handler to Automate AnyConnect Actions

The URI handler lets applications pass action requests in the form of Universal Resource Identifiers (URIs) to AnyConnect. To simplify the AnyConnect user setup process, you can embed the URIs as links on web pages or email messages and give users instructions to access them.


Note Users cannot enter these URIs into the address bar of the Android web browser because Android does not allow it. Users must open the URIs from a link on a remote web server or, depending on the email client, from a link in an email message.


You can use URIs to:

Generate VPN connection entries.

Establish a connection to a VPN and disconnect from a VPN.

Import localization files, certificate file, and profiles.


Note You must URL-encode URI handler parameter values (for example, a space becomes %20 and an ampersand inside a value becomes %26). Use a URL-encoding tool to encode an action request.


External Control of URI AnyConnect Commands

URI handling in the AnyConnect application is Disabled by default. Android device users can allow this functionality by selecting Menu > Settings > Application Preferences > External Control and then choosing Enable or Prompt. Enable allows all URI commands without user interaction, which means any application or web page on the device that can launch an anyconnect: URI can add connection entries, start or stop the VPN, and import certificates, localization data, and client profiles silently. Prompt notifies the user of each URI request and lets the user allow or disallow it at request time; unless the device is otherwise locked down, Prompt is the safer setting.

Inform users how to respond to the following actions and associated prompts if you set up URI handling:

Create a connection entry: Another application has requested that AnyConnect create a new connection to host. Do you want to allow this? [Yes | No]

Connect to a VPN: Another application has requested that AnyConnect connect to host. Do you want to allow this? [Yes | No]

Disconnect a VPN: Another application has requested that AnyConnect disconnect the current connection. Do you want to allow this? [Yes | No]

Import:

Certificate bundles: Another application has requested that AnyConnect import a certificate bundle to the AnyConnect certificate store. Do you want to allow this? [Yes | No]

Localization files: Another application has requested that AnyConnect import localization files. Do you want to allow this? [Yes | No]

Client Profiles: Another application has requested that AnyConnect import profiles. Do you want to allow this? [Yes | No]

Using the URI Handler to Generate a VPN Connection Entry

Use the AnyConnect URI handler create action to simplify the generation of an AnyConnect connection entry for users.

Insert a separate link for each connection entry you want to add to the device. Specifying multiple create connection entry actions in a single link is not supported.

Use the following syntax to insert the create action to add an AnyConnect connection entry to the endpoint configuration:

anyconnect:[//]create[/]?name=Description&host=ServerAddress[&Parameter1=Value&Parameter2=Value...]

Examples:

anyconnect:create?name=SimpleExample&host=vpn.example.com

anyconnect:create?name=Example with certificate&host=vpn.example.com&usecert=true&certcommonname=example-ID

The slashes before and after create are optional. The create action requires that you specify the name or host parameter. All other parameters are optional.


Note You must use URL encoding when entering URI handler parameter values. Use a tool such as the one in this link to encode an action request.


Enter the parameter values, as follows:

name—Specifies a unique name for the connection entry to appear in the connection list of the AnyConnect home window and in the Description field of the AnyConnect connection entry. AnyConnect responds only if the name is unique. The name is case-sensitive.

host—Identifies the domain name, IP address, or Group URL of the ASA with which to connect. AnyConnect inserts the value of this parameter into the Server Address field of the AnyConnect connection entry. For example, vpn.example.com.

usecert (optional)—Determines whether to use a digital certificate installed on the device when establishing a VPN connection to the host. The valid values are:

true (default setting)—Enables automatic certificate selection when establishing a VPN connection with the host. Setting usecert to true without specifying a certcommonname value sets the Certificates field to Automatic, which selects a certificate from the AnyConnect certificate store at connection time.

false (default)—Disables automatic certificate selection.

certcommonname (optional, but requires the usecert parameter)—Matches the Common Name of a valid certificate pre-installed on the device. AnyConnect inserts the value into the Certificate field of the AnyConnect connection entry.

To view this value on a certificate installed on the device, tap Diagnostics in the button bar and then tap Manage Certificates to view a list of the certificates installed on the device. The common name in the following example is example-id.

Figure 1 Select Certificate Window

You might need to scroll to view the certificate required by the host. You can also tap the detail disclosure button to the right of the certificate summary to view the Common Name parameter read from the certificate, as well as the other values.

Using the URI Handler to Establish a VPN Connection


Note Specifying a password when establishing a VPN connection using a URI should only be used in conjunction with a One Time Password (OTP) infrastructure.


Provide the Connection Name and Host Name in a URI

Use either syntax expression to insert the name and host parameter in the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]
anyconnect:[//]connect[/]?name=Description&host=ServerAddress

Examples of completed URIs

anyconnect://connect/?name=Example
anyconnect:connect?host=hr.example.com
anyconnect:connect?name=Example&host=hr.example.com

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information and Prefill a Username and Password in a URI

Use either syntax to specify the prefilled username and prefilled password parameters in addition to the name and host parameters in the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password
anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1
anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information and Prefill Usernames and Passwords for Double Authentication

Use either syntax to specify the prefilled primary and secondary username and password parameters in addition to the name and host parameters in the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password&prefill_secondary_username=username2&prefill_secondary_password=password2

anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password&prefill_secondary_username=username2&prefill_secondary_password=password2

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_secondary_username=user2&prefill_secondary_password=password2

anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_secondary_username=user2&prefill_secondary_password=password2

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information, Prefill a Username and Password, and Specify a Connection Profile Alias

This example adds a connection profile alias to a URI that provides a prefilled username and prefilled password in addition to the name and host parameters for the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password&prefill_group_list=10.%20Single%20Authentication
anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password&prefill_group_list=10.%20Single%20Authentication

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_group_list=10.%20Single%20Authentication
anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_group_list=10.%20Single%20Authentication

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Connect Parameter and Syntax Descriptions

The connect action requires either the name or the host parameter, and allows both. If all the parameter values in the statement match those of an AnyConnect connection entry on the device, AnyConnect uses the remaining parameters to establish the connection. If AnyConnect does not match all parameters in the statement to those in a connection entry and the name parameter is unique, it generates a new connection entry and then attempts the VPN connection.

The slashes in the beginning of the URI are optional.

To match a space, enter %20. For example, to match a connection entry named Example Connection 1, enter Example%20Connection%201. All characters that are not [a-z], [A-Z], or [0-9] must be URL-encoded.

These are descriptions of the connect parameter options:

name—Name of the connection entry as it appears in the connection list of the AnyConnect home window. AnyConnect evaluates this value against the Description field of the AnyConnect connection entries, also called name if you used the previous instructions to create the connection entry on the device. The value is case-sensitive; AnyConnect does not match this field if the case of the letters in the statement differ from those in the connection entries.

host—Enter the domain name, IP address, or Group URL of the ASA to match the Server Address field of an AnyConnect connection entry, also called the host if you used the previous instructions to generate the connection entry on the device.

prefill_username - Provides the username in the connect URI and prefills it in connection prompts.

prefill_password - Provides the password in the connect URI and prefills it in connection prompts.


Caution The prefill_password parameter should only be used with connection profiles configured for one-time passwords.

prefill_secondary_username - In environments that are configured to require double authentication, this parameter provides the secondary username in the connect URI and prefills it in the connection prompts.

prefill_secondary_password - In environments that are configured to require double authentication, this parameter provides the password for the secondary username in the connect URI and prefills it in the connection prompts.

prefill_group_list - The connection alias defined in ASDM by selecting Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Advanced > Group Alias/Group URL > Connection Aliases.

Using the URI Handler to Disconnect from a VPN

Use the following syntax to insert the disconnect action:

anyconnect:[//]disconnect[/]

Example:

anyconnect:disconnect

The slashes are optional. The disconnect action takes no parameters.

Using the URI Handler to Localize the AnyConnect UI and Messages

You can use this URI handler method to distribute additional localization files to AnyConnect clients.

Use the following syntax to use the import command in a URI:

anyconnect:[//]import[/]?type=localization&lang=LanguageCode&host=ServerAddress

Example:

anyconnect:import?type=localization&lang=fr&host=asa.example.com

The slashes are optional. The import action requires the host parameter. The type, lang, and host parameters are defined below:

type—The import type, in this case, will always be localization.

lang—The two or four character language tag representing the language provided in the anyconnect.po file. For example, the language tag may simply be fr for "French" or fr-ca for "Canadian French."

host—Enter the domain name or IP address of the ASA to match the Server Address field of an AnyConnect connection entry.

Using the URI Handler to Import Certificates

The AnyConnect client can authenticate itself to the ASA using a PKCS12 encoded certificate that has been installed on the endpoint. You can use the URI handler import command to import a PKCS12 encoded certificate bundle to the endpoint.

Use the following syntax to import a PKCS12 certificate from a URL:

anyconnect://import/?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12
anyconnect:import?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12

The slashes at the beginning of the URI are optional.

To match a space, enter %20. For example, to match a string named Example Connection 1, enter Example%20Connection%201.

To match a colon in a URI, use %3A. To match a forward slash in a URI, use %2F. For example, to match http://example.cisco.com/CertName.p12, enter http%3A%2F%2Fexample.cisco.com%2FCertName.p12.

These are descriptions of the import parameter options:

type - Only the pkcs12 certificate type is supported.

uri - URL-encoded identifier for where the certificate can be found. The "http", "https", and "ftp" schemes are supported. In the URI, %3A represents a colon (:), %2F represents a forward slash (/), and %40 represents an at sign (@).
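The following is an added example (not Cisco code) that applies the connect and import rules above in one place: it percent-encodes parameter values the way the handler requires, accepts the optional slashes around the action, and flags the requests an administrator would not want to publish, such as a connect URI that carries a password or an import URI whose source URL embeds credentials. The action names, parameter names and supported schemes are taken from this page; the helper names and the check messages are assumptions.

```python
import urllib.parse

# Action and parameter names as documented on this page (added example, not Cisco code).
ACTIONS = {"create", "connect", "disconnect", "import"}
IMPORT_TYPES = {"localization", "pkcs12", "profile"}
FETCH_SCHEMES = {"http", "https", "ftp", "file"}  # http/https/ftp per the text, file:// per the sdcard examples

def build_uri(action, **params):
    """Assemble anyconnect://ACTION/?k=v&... with every value percent-encoded
    (space -> %20, ':' -> %3A, '/' -> %2F, '@' -> %40), as the handler requires."""
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in params.items())
    return f"anyconnect://{action}/?{query}" if query else f"anyconnect://{action}/"

def parse_uri(uri):
    """Split an incoming request into (action, decoded params). The '//' and '/'
    around the action are optional, so both spellings on the page are accepted."""
    if not uri.startswith("anyconnect:"):
        raise ValueError("not an anyconnect: URI")
    action, _, query = uri[len("anyconnect:"):].lstrip("/").partition("?")
    action = action.rstrip("/")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action, dict(urllib.parse.parse_qsl(query, keep_blank_values=True))

def vet_uri(uri):
    """Return the problems worth flagging before a link is published
    (an empty list means the request satisfies the rules on this page)."""
    action, p = parse_uri(uri)
    problems = []
    if action in ("create", "connect") and not ({"name", "host"} & p.keys()):
        problems.append(f"{action}: name or host is required")
    if "certcommonname" in p and "usecert" not in p:
        problems.append("certcommonname requires the usecert parameter")
    if action == "import":
        kind = p.get("type")
        if kind not in IMPORT_TYPES:
            problems.append(f"import: unsupported type {kind!r}")
        elif kind == "localization" and "host" not in p:
            problems.append("import localization: host is required")
        elif kind != "localization":
            src = urllib.parse.urlsplit(p.get("uri", ""))
            if src.scheme not in FETCH_SCHEMES:
                problems.append("import: uri must be an http, https, ftp or file URL")
            if src.password:  # ftp://user:secret@host/... puts the secret in the link itself
                problems.append("import: credentials embedded in the source URL")
    if {"prefill_password", "prefill_secondary_password"} & p.keys():
        problems.append("password in URI: acceptable only with OTP-backed profiles")
    return problems
```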

HTML Hyperlink Examples

To add the URI to an HTML page, you need to make it part of a hyperlink. The following examples show how to use the URI in an HTML hyperlink; the value of the href attribute is the URI.

HTTP Example

<p>
<a href="anyconnect:import?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12">click here to import certificate using http</a>
</p>

FTP Example

<p>

<a href="anyconnect://import?type=pkcs12&uri=ftp%3A%2F%2FAdministrator%3Apassword%40192.168.10.20%2Fcerts%2FCertName.pfx">click here to import certificate using ftp </a>

</p>

Secure Digital Card Example

<p>

<a href="anyconnect://import?type=pkcs12&uri=file%3A%2F%2F%2Fsdcard%2FCertName.pfx">click here to import certificate from sdcard on mobile device</a>

</p>

Using the URI Handler to Import a VPN Client Profile

You can use this URI handler method to distribute client profiles to AnyConnect clients.

Use the following syntax to use this import command in a URI:

anyconnect:[//]import[/]?type=profile&uri=Filename.xml

Example:

anyconnect:import?type=profile&uri=file%3A%2F%2Fsdcard%2Fprofile.xml

The slashes are optional. The import action requires the uri parameter.

Troubleshooting

Enable logging on the Android device and follow the troubleshooting instructions in the User Guide for Cisco AnyConnect Secure Mobility Client for Android. If following those instructions does not resolve the issue, try the following suggestions:

Determine whether the same problem occurs with the desktop client.

Ensure the AnyConnect Mobile license is installed on the ASAs.

If certificate authentication fails, ensure the correct certificate has been selected. Ensure that the client certificate on the device has Client Authentication as an Extended Key Usage. Ensure the certificate matching rules in the AnyConnect profile are not filtering out the user's selected certificate. Even if a user selected the certificate, it will not be used for authentication if it does not match the filtering rules in the profile. If your authentication mechanism uses any associated accounting policy to an ASA, verify that the user can successfully authenticate. If problems persist, enable logging on the client and enable debug logging on the ASA.

If you see an authentication screen when you are expecting to use certificate-only authentication, configure the connection to use a group URL and ensure that secondary authentication is not configured for the tunnel group. For details, refer to your ASA Administrator Guide.