AnyConnect requires the following information for configuring VPN connectivity:
An address to a secure gateway for access to your network.
Authentication information to successfully complete your connection, in the form of a username and password, a digital certificate, or both.
Configure your AnyConnect client as directed by your administrator; contact your administrator if you do not have clear instructions. Your administrator provides you with one of the following:
Addressing and authentication information, and other connection attributes if needed, to manually configure your device.
Procedures to automate configuration using this information.
You, the AnyConnect user, should be familiar with:
Connection entries: VPN connections configured on your device manually or automatically. Connection entries are listed on the AnyConnect home screen. The current active connection entry is identified in the AnyConnect VPN panel on the app's home screen.
How to establish a VPN connection: manually tap the connection entry in the connection list, or tap the checkbox or slider in the AnyConnect VPN panel. VPN connections can also be made automatically using procedures provided by your administrator.
The authentication method used to establish a connection: remembering your username and password or importing and assigning a user certificate to a connection entry.
AnyConnect is a sophisticated networking application that also allows you to carry out the following activities:
Set preferences for the application, controlling the appearance and operation of AnyConnect.
Use diagnostic tools and management facilities on your device as recommended by your administrator.
A connection entry specifies a secure gateway that is accessible to this device, as well as other connection attributes. Connection entries are configured in the following ways:
Added automatically: After clicking a link provided by your administrator to configure connection entries.
Manually configured: You must know the address of the secure gateway to your network. The address is the domain name or the IP address of the secure gateway; it may also specify a group that you are connecting to.
Connection entries are also defined in an AnyConnect client profile that is downloaded from a Cisco ASA secure gateway upon connectivity.
Add a VPN connection entry to identify the VPN secure gateway to which you want to connect.
From the AnyConnect home window, tap Add new VPN Connection to open the Connection Editor.
Cancel out of the Connection Editor window at any time.
(Optional)Choose Description to enter a descriptive name for the connection entry.
Enter a unique name for this connection entry. If not specified, the Server Address is used as the default. Use any letters, spaces, numbers, or symbols on the keyboard display. This field is case-sensitive.
Choose Server Address to enter the address of the secure gateway.
Enter the domain name or IP address of the secure gateway, including a group if specified by your administrator.
(Optional)Tap Advanced Preferencesto change advanced certificate and protocol settings.
Cancel out of the Advanced Connection Editor window at any time.
(Optional)Tap Certificate to specify how user certificates are used for this connection.
Tap Disabled to specify that certificates will not be used for this connection.
Tap Automatic to specify that a certificate will be used to establish a connection only if it is required by the secure gateway.
Tap the certificate that your administrator instructs you to use.
Your administrator will provide you with instructions for installing a user certificate on your mobile device if one is necessary to establish a VPN session. Tap any certificate in the list to view its details.
(Optional)Tap Connect with IPsec to use IPsec instead of SSL for this VPN connection.
This connection attribute is provided to you by your administrator.
The Authentication parameter becomes active if you choose IPsec for your VPN connection protocol.
(Optional)Tap Authentication and choose the authentication method for this IPsec connection.
This connection attribute is provided to you by your administrator.
EAP-AnyConnect (default authentication option)
Your authentication option is shown in the Advanced Connection Editor window.
(Optional)If you have specified EAP-GTC, EAP-MD5, or EAP-MSCHAPv2 to be used for authentication, tap IKE Identity to enter the identity information given to you by your administrator.
Tap Done in both the Advanced Connection Editor window and the Connection Editor window to save the connection values.
AnyConnect adds the new connection entry to the list in the home window.
In order for you, the AnyConnect user, to authenticate to the secure gateway using a digital certificate, you need a user certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods, as directed by your administrator:
Imported automatically after clicking a hyperlink provided by your administrator in an e-mail or on a web page.
Imported manually by you from the device's file system, from the device's credential storage, or from a network server.
Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.
Once imported, the certificate can be associated with a particular connection entry or selected automatically during connection establishment to authenticate.
You can delete user certificates from the AnyConnect store if they are no longer needed for authentication.
The following explains all possible options for manually importing a user certificate to the AnyConnect store for VPN authentication purposes.
Before You Begin
Obtain the specific certificate import procedures from your adinistrator.
From the AnyConnect home window, tap Menu > Diagnostics > Certificate Management.
Tap the User tab.
Tap Import to import a certificate.
Select your import source:
Tap File System to import a certificate file from the local file system.
Tap Network Location (URI) to import a certificate from a server on the network.
Tap Device Credential Storage to link to a certificate currently in the Device Credential Storage.
The source certificate is not actually copied into the AnyConnect certificate store. If the certificate is removed from Credential Storage, the link to the certificate will also be removed.
This option is available only on devices running Android 4.0 (Ice Cream Sandwich) or later.
When attempting to import a certificate from the Device Credential Storage on Android 4.1 (Jelly Bean), the client shows the error message "This feature is not supported on this version of Android". Import the certificate directly into the AnyConnect store instead of using the Android native store.