Cisco IOS SSL Enhancements

Most Cisco customers would naturally recognize that the ASA Security appliance is THE platform on which to implement SSL VPN types of any sort (clientless or using the AnyConnect® client). The ASA has been a replacement for the VPN Concentrator in this technology area since its introduction in mid-2005.

What is not widely known, however, is that Cisco IOS® has been "catching up" to the ASA in functionality. This article covers some of the recent enhancements, starting with release 15.0.

To begin with, support for the AnyConnect® client began with IOS® version 12.4(15)T; before that only the old SSL VPN Client (SVC) could be used. Version 15.0(1)M introduced support for client-side certificate-based authentication, a feature which provides several benefits.

  • For organizations which require double authentication, this can be combined with another AAA (Authentication, Authorization & Accounting) method for additional secure identification.
  • This also makes a pre-login tunnel-group association possible. By using certificate matching rules, a network administrator can map a field such as the Organizational Unit (OU) to a group policy, either static or dynamic.
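The pre-login mapping described above, as an added illustration rather than Cisco's own code: the subject DN of the client certificate is parsed, an ordered list of matching rules is evaluated, and the first rule that matches decides the policy group before any username or password is seen. The sample subjects, the rule list, and the policy-group names (`ENG-POLICY`, `CONTRACTOR-POLICY`, and so on) are constructed for the example; the `eq`/`co` operators model exact-match and contains-match comparisons.

```python
"""Model of certificate-based, pre-login policy-group assignment.

Added example, not Cisco IOS code: it shows the decision an SSL VPN
gateway makes when certificate matching rules map a subject field
such as OU to a policy group.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample subject DNs (no real certificates involved).
SAMPLE_SUBJECTS = {
    "alice": "CN=alice,OU=Engineering,O=Example Corp,C=US",
    "bob":   "CN=bob,OU=Sales,O=Example Corp,C=US",
    "carol": "CN=carol,OU=Engineering,OU=Contractors,O=Example Corp,C=US",
}


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514-style DN into attribute -> list of values.

    A backslash escapes the next character (so a comma inside a value
    survives), and multi-valued attributes such as two OU components
    are kept in order of appearance.
    """
    parts: List[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    attrs: Dict[str, List[str]] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


@dataclass(frozen=True)
class MatchRule:
    attribute: str     # subject attribute to inspect, e.g. "OU"
    operator: str      # "eq" = exact match, "co" = contains (both case-insensitive)
    value: str
    policy_group: str  # hypothetical policy-group name


def rule_matches(rule: MatchRule, subject: Dict[str, List[str]]) -> bool:
    """True if any value of the rule's attribute satisfies the operator."""
    want = rule.value.lower()
    for found in subject.get(rule.attribute.upper(), []):
        found = found.lower()
        if rule.operator == "eq" and found == want:
            return True
        if rule.operator == "co" and want in found:
            return True
    return False


def select_policy_group(dn: str, rules: List[MatchRule], default: str) -> str:
    """Return the policy group of the first matching rule, else the default."""
    subject = parse_dn(dn)
    for rule in rules:
        if rule_matches(rule, subject):
            return rule.policy_group
    return default


# Constructed rule set. Rule order matters: the contractor rule comes
# first so a certificate carrying both OU=Engineering and OU=Contractors
# lands in the more restrictive group rather than the engineering one.
RULES = [
    MatchRule("OU", "eq", "Contractors", "CONTRACTOR-POLICY"),
    MatchRule("OU", "eq", "Engineering", "ENG-POLICY"),
    MatchRule("OU", "co", "Sales", "SALES-POLICY"),
]


def assign_all(rules: List[MatchRule] = RULES,
               default: str = "DEFAULT-POLICY") -> Dict[str, str]:
    """Evaluate the rules for every constructed sample subject."""
    return {user: select_policy_group(dn, rules, default)
            for user, dn in SAMPLE_SUBJECTS.items()}


if __name__ == "__main__":
    for user, group in assign_all().items():
        print(f"{user:6} -> {group}")
```

The ordering point is the part worth checking on a real gateway: when a certificate matches more than one rule, the first rule wins, so the most restrictive mapping should be listed first and a default group should exist for certificates that match nothing.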

Version 15.0(1)M also supports a licensing model similar to that on the ASA appliance. The difference, however, is that IOS uses a node-associated (vs. a user-associated) approach. The license can be installed using the CLI or the Cisco License Manager GUI. License validation becomes part of the user login process. Cisco provides four basic licensing types:

  1. permanent
  2. evaluation
  3. extension
  4. grace-rehost

The last of these could be used in a disaster recovery scenario where a grace period is required while a machine is being repaired or restored.

Version 15.1(1)M adds two major feature areas worthy of mention:

  1. SSL VPN Phase-4 support: adds support for split-tunnel access-lists, a capability frequently used when an outside user needs access to a limited number of networks (usually local ones) while the tunnel is up. Phase-4 also provides user-based session statistics as well as a Start Before Login option.
  2. SSL VPN DVTI (Dynamic Virtual Tunnel Interface) support: interoperable with configurations using Network Address Translation (NAT), interface access-lists, and zone-based firewall (ZBF). The last of these previously caused problems with VPN tunnels terminated on physical interfaces.
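A split-tunnel include list decides, per destination, whether traffic enters the tunnel or leaves the client directly. The following added example (not Cisco code) models that decision and adds the audit a reviewer usually wants: it flags an include entry that covers everything (which silently turns split tunneling back into a full tunnel) and an entry that overlaps the client's local LAN. The include list and the local subnet are constructed values; `SPLIT_INCLUDE` and `LOCAL_LAN` are names chosen for the example.

```python
"""Split-tunnel decision model and configuration audit.

Added example, not Cisco IOS code. Destinations covered by an include
entry are sent through the tunnel; everything else goes direct.
"""
import ipaddress
from typing import List

# Constructed split-tunnel include list, as an access-list would express it.
SPLIT_INCLUDE = ["10.0.0.0/8", "192.168.10.0/24"]

# Constructed client-side LAN used by the overlap audit.
LOCAL_LAN = "192.168.10.0/24"


def route_decision(dst: str, include: List[str]) -> str:
    """Return "tunnel" if dst falls inside any include entry, else "direct"."""
    addr = ipaddress.ip_address(dst)
    for entry in include:
        if addr in ipaddress.ip_network(entry, strict=False):
            return "tunnel"
    return "direct"


def audit_include_list(include: List[str], local_lan: str) -> List[str]:
    """Report include entries that weaken or conflict with split tunneling."""
    findings: List[str] = []
    lan = ipaddress.ip_network(local_lan, strict=False)
    for entry in include:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 matches every destination: no traffic stays local.
            findings.append(f"{entry}: covers all destinations, defeats split tunneling")
        if net.overlaps(lan):
            # Local LAN traffic would be pulled into the tunnel (or the
            # client would lose local printers and shares), so call it out.
            findings.append(f"{entry}: overlaps client local LAN {local_lan}")
    return findings


def summarize(destinations: List[str],
              include: List[str] = SPLIT_INCLUDE) -> dict:
    """Map each constructed destination to its routing decision."""
    return {dst: route_decision(dst, include) for dst in destinations}


if __name__ == "__main__":
    for dst, decision in summarize(["10.1.2.3", "192.168.10.7", "203.0.113.9"]).items():
        print(f"{dst:14} -> {decision}")
    for finding in audit_include_list(SPLIT_INCLUDE, LOCAL_LAN):
        print("audit:", finding)
```

The audit is the practitioner's check: an include list that happens to contain the default route gives every remote user a full tunnel while the configuration still reads as "split", and an entry overlapping the user's home subnet is a common source of "VPN connected but the printer disappeared" tickets.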

