Auto profile selection on AnyConnect SSL vpn

Unanswered Question
Apr 25th, 2008

Hi,

We're running an ASA 5510 (8.0) with SSL vpn for our clients (AnyConnect).

Now, I've created 3 different profiles, and I have made it possible for the users to select the correct profile from a drop-down box in the AnyConnect client.

My question is this: Isn't it possible for the ASA to make some kind of auto-selection of profiles? So that it's transparent for the users?

Thanks in advance,

Rasmus

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
blueoceanventure Mon, 05/05/2008 - 22:52

Thanks for your reply.

I use Microsoft IAS. But I have already created different AD groups and set up accordingly in the ASA. So it works when the users manually select which policy/profile to use during login.

But now that I've got 3-4 different scenarios (ad group memberships or ASA profiles) I want the ASA to be able to hide the profile drop-down box (I know how to do that) and then select the proper policy/profile automatically based on which AD group the user is a member of.

I hope I make some kind of sense?

/Rasmus

Yes, it makes sense. Have a look at this link:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde3f0c

For each different scenario you will need to have a separate AD group (which it sounds like you already have). On the ASA, you will need to create a Group Policy for each AD group. I believe the drop down box lets a user select the tunnel group/connection policy. You only need to use one tunnel group. Set a default group policy for this tunnel group. When a user connects on this tunnel group, types in their username and password, the AD group that matches the Group Policy will be dynamically assigned to that user which bypasses the Group policy that is assigned to the user. These Group Policies need to be named exactly the same for this to work. So it would probably be easier to rename the AD group names to match the Group Policies on the ASA.

Let me know if you have any other questions.

Tony

cisco-sod Fri, 05/30/2008 - 04:32

Hello,

with a default connection policy every AD user is authenticated. Is it possible to deny non AD group members?

Regards,

Raymond

Actions

This Discussion