AnyConnectProfile
Description
An object containing AnyConnect VPN profile connection properties (Note: The field level constraints listed here might not cover all the constraints on the field. Additional constraints might exist.)
Model Properties
| Property | Required | Type | Description | |||
|---|---|---|---|---|---|---|
| version | False | string | A unique string version assigned by the system when the object is created or modified. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete an existing object. As the version will change every time the object is modified, the value provided in this identifier must match exactly what is present in the system or the request will be rejected. | |||
| name | True | string | A string containing the name of the VPN profile. The string can be up to 50 characters, but can only consist of alphanumeric characters and the following special characters: _.+- | |||
| groupPolicy | False | object | A mandatory AnyConnectGroupPolicy object that contains additional VPN profile properties for this connection profile. Field level constraints: cannot be null. (Note: Additional constraints might exist) Allowed types are: [AnyConnectGroupPolicy] |
|||
| authenticationIdentitySource | False | object | A mandatory IdentitySource object that defines the server to use for AnyConnect client authentication. Allowed types are: [ActiveDirectoryRealm, DuoLDAPIdentitySource, IdentitySourceBase, LDAPRealm, LocalIdentitySource, RadiusIdentitySource, RadiusIdentitySourceGroup, RealmSequence, SAMLServer, SpecialRealm] |
|||
| fallbackLocalIdentitySource | False | object | An IdentitySource object that uses the Local Identity Source. Allowed types are: [LocalIdentitySource] |
|||
| authMethod | True | string | An enum value that specifies the authentication method for the remote access vpn. Values can be one of the following. 1) AAA - This option would require remote access VPN client to send a username and password that the threat defense checks with the configured AAA server. 2) CLIENT_CERTIFICATE - This option requires the remote access vpn client to provide a certificate during SSL negotiation. 3)AAA_AND_CLIENT_CERTIFICATE - This option would first do a certificate authentication followed by the AAA authentication. The default is AAA. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
|||
| serverCertificate | True | object | The mandatory InternalCertificate object for the remote access VPN. The internal certificate is used to establish the identity of the device. Clients must accept this certificate to complete a secure VPN connection. Field level constraints: cannot be null. (Note: Additional constraints might exist) Allowed types are: [InternalCertificate] |
|||
| clientCACertificates | False | [object] | The ExternalCACertificate object which is the certificate of the CA from where the remote access vpn clients have got their ID cert. Allowed types are: [ExternalCACertificate] |
|||
| usernameFromCertificate | False | string | string, // EnumType : An enum value that specifies the DN of the peer certificate used as username for authorization and/or authentication. ENTIRE_DN - Use entire DN name. SPECIFIED_FIELD - Use the specified fields given in the usernamePrimaryField and usernameSecondaryField attributes. |
|||
| usernamePrimaryField | False | string | string, // EnumType : An enum value that specifies the primary field of the username. Values are C_COUNTRY, CN_COMMMON_NAME, DNQ_DN_QUALIFIER, EA_EMAIL_ADDRESS, GENQ_GENERATIONAL_QUALIFIER, GN_GIVEN_NAME, I_INITIAL, L_LOCALITY, N_NAME, O_ORGANISATION, OU_ORGANISATIONAL_UNIT, SER_SERIAL_NUMBER, SN_SURNAME, SP_STATE_PROVINCE, T_TITLE, UID_USER_ID, UPN_USER_PRINCIPAL_NAME. | |||
| usernameSecondaryField | False | string | string, // EnumType : An enum value that specifies the secondary field of the username. Values are C_COUNTRY, CN_COMMMON_NAME, DNQ_DN_QUALIFIER, EA_EMAIL_ADDRESS, GENQ_GENERATIONAL_QUALIFIER, GN_GIVEN_NAME, I_INITIAL, L_LOCALITY, N_NAME, O_ORGANISATION, OU_ORGANISATIONAL_UNIT, SER_SERIAL_NUMBER, SN_SURNAME, SP_STATE_PROVINCE, T_TITLE, UID_USER_ID, UPN_USER_PRINCIPAL_NAME. | |||
| prefillUsernameFromCertificate | False | boolean | For authMethod = CLIENT_CERT_AND_AAA, whether to prefill the username extracted from the client certificate as per the usernameFromCertificate attributes | |||
| disablePrefilledUsernameEdit | False | boolean | A Boolean value, TRUE or FALSE, where FALSE is the default.The TRUE value would disable the modifying of the prefilled secondary username from certificate in the login window. | |||
| stripGroupFromUsername | False | boolean | A Boolean value, TRUE or FALSE, where FALSE is the default. The TRUE value would remove the group details from the username. | |||
| stripRealmFromUsername | False | boolean | A Boolean value, TRUE or FALSE, where FALSE is the default. The TRUE value would remove the realm details from the username. | |||
| outsideInterface | True | object | The PhysicalInterface or SubInterface that identities the interface to which users connect when making the remote access VPN connection. Although this is normally the outside (Internet-facing) interface, choose whichever interface is between the device and the end users you are supporting with this connection profile. Field level constraints: cannot be null. (Note: Additional constraints might exist) Allowed types are: [EtherChannelInterface, PhysicalInterface, SubInterface, VirtualTunnelInterface, VlanInterface] |
|||
| outsideFqdn | False | string | aaa Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist) |
|||
| ipv4LocalAddressPool | False | object | The NetworkObject that defines the IPv4 subnet to use for assigning IPv4 addresses to remote access VPN users. Specify an object only if you want to support IPv4 addresses in the VPN. If specified, the object must represent a network, and the network must contain 16384 or fewer addresses (that is, the subnet mask length must be 18 bits or greater). The address pool cannot be on the same subnet as the IPv4 global address for the outside interface. Note: You must specify at least one of ipv4LocalAddressPool or ipv6LocalAddressPool, or both. Allowed types are: [NetworkObject] |
|||
| ipv6LocalAddressPool | False | object | The NetworkObject that defines the IPv6 subnet to use for assigning IPv6 addresses to remote access VPN users. Specify an object only if you want to support IPv6 addresses in the VPN. If specified, the object must represent a network, and the network must contain 16384 or fewer addresses (that is, the prefix must be 114 bits or greater). The address pool cannot be on the same subnet as any IPv6 address for any interface. Note: You must specify at least one of ipv4LocalAddressPool or ipv6LocalAddressPool, or both. Allowed types are: [NetworkObject] |
|||
| dnsServers | False | [string] | A mandatory list of strings that are the IP addresses of the DNS servers clients should use for domain name resolution when connected to the VPN. Specify the addresses in priority order, with the first address being the primary DNS server. You can specify up to 2 DNS servers. | |||
| domainName | False | string | An optional UTF-8 character string that is the domain name for your network, e.g. example.com. This domain is added to hostnames that are not fully-qualified, for example, serverA instead of serverA.example.com. Enter an existing real domain name, you cannot create a new domain name through this attribute. Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist) |
|||
| exemptNatRule | True | boolean | A Boolean value, TRUE or FALSE, where FALSE is the default. The TRUE value enables NAT Exempt, exempting traffic to and from the remote access VPN endpoints from NAT translation. If you do not exempt VPN traffic from NAT, ensure that the existing NAT rules for the outside and inside interfaces do not apply to the RA VPN pool of addresses. NAT exempt rules are manual static identity NAT rules for a given source/destination interface and network combination, but they are not reflected in the NAT policy, they are hidden. If you enable NAT Exempt, you must also configure the insideNetworks and insideInterfaces options. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
|||
| splitTunnel | True | boolean | A Boolean value, TRUE or FALSE (the default). The TRUE value enables split-tunneling to allow users access to their local networks or the Internet directly at the same time they are using a secure VPN tunnel. Keep split-tunneling disabled (FALSE) for a more secure VPN connection. If you enable split tunneling, you must also select the network objects that represent internal networks remote users will be accessing in the insideNetworks list. The networks list must contain the same IP types as the address pools you are supporting. For any networks outside the ones specified, the user's ISP gateway is used for transmitting traffic. Field level constraints: cannot be null. (Note: Additional constraints might exist) |
|||
| insideInterfaces | False | [object] | A list of PhysicalInterface or SubInterface objects that connect to the internal networks remote users will be accessing. NAT exemption rules are created for these interfaces. This list is mandatory and must contain at least one interface if you set exemptNatRule to TRUE. The list is ignored if exemptNatRule is set to FALSE. Allowed types are: [EtherChannelInterface, PhysicalInterface, SubInterface, VirtualTunnelInterface, VlanInterface] |
|||
| insideNetworks | False | [object] | A list of NetworkObject or NetworkObjectGroup objects, or both, that represent the internal networks that remote access VPN users will be accessing and that need NAT exemption or split-tunneling rules. You cannot have separate network lists for NAT exemption or split tunneling. This list is used only if one, or both, of exemptNatRule or splitTunnel are set to TRUE, in which case this list must contain at least one object. The networks list must contain the same IP types as the address pools you are supporting. Allowed types are: [NetworkObject, NetworkObjectGroup] |
|||
| id | False | string | A unique string identifier assigned by the system when the object is created. No assumption can be made on the format or content of this identifier. The identifier must be provided whenever attempting to modify/delete (or reference) an existing object. Field level constraints: must match pattern ^((?!;).)*$. (Note: Additional constraints might exist) |
|||
| type | True | string | A UTF8 string, all letters lower-case, that represents the class-type. This corresponds to the class name. | |||