Cisco Anyconnect Centos 8

Secure your LDAP server connection between client and server application to encrypt the communication. In case of simple bind connection using SSL/TLS is recommended to secure the authentication as simple bind exposes the user crendetials in clear text.

Linux 64 bit (Version 4.5.0058) Linux 64 bit (Version 4.6.04056) Linux 64 bit (Version 4.7.04056) Linux 64 bit (Version 4.8.02045) Linux 64 bit (Version 4.9.00086) Linux 64 bit (Version 4.9.05042) The older stand alone Cisco IPSEC VPN client is no longer supported by our vendor. Cisco AnyConnectは，クラアントにインストールして常駐し，Cisco ASA 5500などの終端装置に対してアクセスすることで，VPN環境を提供します。では，そのために使われるクラアントソフトウェアが，AnyConnect Secure Mobility Clientです。.

Step 1: Install Certificate Authority, Create and Export the certificate

1.1: Install 'Active Directory Certificate Services' role through Server Manager roles.

On your Windows Server Machine, click on Start -> Server Manager -> Add Roles and Features.

After selecting Add Roles and Features and Click on Next.

Choose Role-based or feature-based installation option and Click on Next button.

Choose Select a server from the server pool option & Select ldap server from the server pool and click on Next button.

Choose Active Directory Certificate Services option from the list of roles and click on Next button.

Choose nothing from the list of features and click on Next button.

In Active Directory Certificate Services (AD CS) choose nothing and Click on Next button.

Mark Certification Authority from the list of roles and Click on Next button.

Click on Install button to confirm installation.

Now, click on Configure Active Directory Certificate Services on Destination Server option and click on Close button.

We can use the currently logged on user to configure role services since it belongs to the local Administrators group. Click on Next button.

Mark Certification Authority from the list of roles and Click on Next button.

Choose Enterprise CA option and Click on Next.

Choose Root CA option and Click on Next button.

Choose Create a new private key option and Click on Next button.

Choose SHA256 as the hash algorithm and Click on Next.
UPDATE : Recommended to select the most recent hashing algorithm.

Click on Next button.

Specify the validity of the certificate choosing Default 5 years and Click on Next button.

Select the default database location and Click on Next.

Click on Configure button to confirm.

Once the configuration succeeded and click on Close button.

1.2: Create certificate template

Go to Windows Key+R and run certtmpl.msc command and choose the Kerberos Authentication Template.

Right-click on Kerberos Authentication and then select Duplicate Template.

The Properties of New Template will appear. Configure the setting according to your requirements.
Go to the General tab and Enable publish certificate in Active Directory option.

Go to the Request Handling Tab and Enable ‘Allow private key to be exported’ option.

Go to the Subject Name tab and Enable subject name format as DNS Name and click on Apply & OK button.

1.3: Issue certificate template

Go to Start -> Certification Authority Right click on 'Certificate Templates' and select New-> Certificate Template to Issue.

Now, select your recently created Certificate Template and click on ok button.

1.4: Request new certificate for created certificate template

Go to Windows Key+R -> mmc -> File -> Add/Remove snap-in. Select Certificates, and click on Add button and then click on Ok button .

Select Computer account option and click on Next button.

Select Local computer option and click on Finish button.

Now, right Click on Certificates select All Tasks and click on Request for new Certificate.

Click on Next button.

Click on Next button.

Select your certificate and click on Enroll button.

Click on Finish button.

1.5: Export the created certificate

Right click on recently generated certificate and select All tasks -> Export.

Click on Next button.

Select Do not export the private key option and click on Next button.

Choose Base-64 encoded X .509 file format and click on Next.

Export the .CER to your local system path and click on Next.

Click on Finish button to complete the certificate export.

Step 2: Confiure LDAPS on the client side server

2.1: Convert Certificate Format and Install the Certificate using OpenSSL

To convert the certificate from .cer to .pem format you can use OpenSSL.
For Windows:
You can obtain this software from here: http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it.

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:
For example:
C:opensslopenssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem
This creates the certificate file in a form that OpenLDAP Client Library can use.
Place the .pem file generated in a directory of your choosing (C:openldapsysconf may be a good choice since that directory already exists.)
Add the following line to your ldap.conf file:
TLS_CACERT C:openldapsysconfmOrangeLDAPS.pem
This directive tells the OpenLDAP Client Library about the location of the certificate, so that it can be picked up during initial connection.

For Linux:
Run the following command to install the Openssl.

For Ubuntu:

sudo apt-get install openssl

For RHEL/CentOS:

yum install openssl

Copy the certificate file you generated in the previous step to the machine on which PHP is running. Run the following command:
For example:
/openssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem
This creates the certificate file in a form that OpenLDAP Client Library can use.
Place the .pem file generated in a directory of your choosing (/etc/openldap/ may be a good choice since that directory already exists.)
Add the following line to your ldap.conf file:
TLS_CACERT /etc/openldap/mOrangeLDAPS.pem
This directive tells the OpenLDAP Client Library about the location of the certificate, so that it can be picked up during initial connection.

Restart your web server.

2.2: Install certificate in JAVA Keystore.

Run the following command to install the certificate in cacerts.
For Windows:

keytool -importcert -alias 'mOrangeLDAPS'
-keystore 'C:Program FilesJavajre1.8.0_231libsecuritycacerts' 
-file 'C:UsersAdministratorDocumentsmOrangeLDAPS.cer'

For Linux:

keytool -importcert -alias 'mOrangeLDAPS' 
-keystore '/usr/java/jdk1.8.0_144/jre/lib/security/cacerts' 
-file '/home/mOrangeLDAPS.cer'

Restart your web server.

Installing the VPN Client

Download the AnyConnect VPN client for Windows. Note: If you're using Microsoft Edge, the program will download as a 'sys_attachment.do' file. You will need to rename the file to 'sys_attachment.msi'
- If you have the Windows Surface Pro X tablet with an ARM-based processor, you should download the AnyConnect VPN client for ARM64.
Click Run on the Open File – Security Warning dialog box.
Click Next in the Cisco AnyConnect Secure Mobility Client Setup dialog box, then follow the steps to complete the installation. NOTE: We recommend you un-check everything (Web Security, Umbrella, etc) except for the VPN and the Diagnostic and Reporting Tool (DART). This will give you a minimal install. The other features are not supported so there's no need to install them.

Starting the VPN Client

Go to Start->Programs->Cisco->Cisco AnyConnect Secure Mobility Client to launch the program.
Enter vpn.uci.edu in the Ready toConnect to field, then press the Connect button.
Select your desired connection profile from the Group drop-down menu:
- UCIFULL – Route all traffic through the UCI VPN.
  - IMPORTANT: Use UCIFULL when accessing Library resources.
- UCI – Route only campus traffic through the UCI VPN. All other traffic goes through your normal Internet provider.
Enter your UCInetID and password, then click OK.
A banner window will appear. Click Accept to close that window. You are now connected!

Disconnecting the VPN Client

When you are finished using the VPN, remember to disconnect.

Centos 8 Download

Right-click the AnyConnect client icon located in the system tray near the bottom right corner of your screen.
Select Quit.