AnyConnect Group Control

Unanswered Question
Mar 31st, 2009

When my users connect to the IP address of my ASA for the first time, they are asked for login information before they are taken to the AnyConnect client download page. Everything is working fine, but I would like to control the group dropdown list on the login page. I have multiple groups which vary in access privileges. Is there a way to control access to the groups? I.e., I don't want my standard users to be able to choose the IT group, as this group has full access to all network resources.



Ivan Martinon Tue, 03/31/2009 - 10:36

Hi Ken,

If you want to control which group the user is able to connect to and which one not, you would need to use group-lock, which will restrict the user to a specific tunnel group/group policy. This is achieved based on the user credentials and the class value attributes received back from an external server (such as RADIUS, LDAP or even internal server). Say the user belongs to the group standard users: you place a value that matches only the standard users group policy. When the user connects and chooses ITgroup, the ASA will read the class value that the user receives back from the authentication server, and after it reads that the group policy that he receives is standard users, it will check that it does not match the selected tunnel group/group policy and will fail the authentication.

You can also control what group the user connects to by giving them the specific group URL. Yet this can be bypassed.
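
The group-lock arrangement described in the reply above, sketched as an ASA configuration fragment. This is an added example, not part of the original thread. All names (STD-TG, IT-TG, StandardUsers, ITAdmins, NoAccess, RAD) are constructed, and the NoAccess default policy is an added assumption so that a user whose RADIUS reply carries no class value is refused instead of inheriting a tunnel group's policy.

```cisco
! Constructed names throughout; AAA server definition (RAD) is assumed to exist.

! Group drop-down on the login page (already enabled in the question's setup)
webvpn
 tunnel-group-list enable

! Fallback policy: applied when the AAA server returns no class value.
! Zero simultaneous logins means the session is refused.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Each real policy is locked to exactly one tunnel group
group-policy StandardUsers internal
group-policy StandardUsers attributes
 group-lock value STD-TG
group-policy ITAdmins internal
group-policy ITAdmins attributes
 group-lock value IT-TG

! Tunnel groups that appear in the drop-down through their alias
tunnel-group STD-TG type remote-access
tunnel-group STD-TG general-attributes
 authentication-server-group RAD
 default-group-policy NoAccess
tunnel-group STD-TG webvpn-attributes
 group-alias Standard enable

tunnel-group IT-TG type remote-access
tunnel-group IT-TG general-attributes
 authentication-server-group RAD
 default-group-policy NoAccess
tunnel-group IT-TG webvpn-attributes
 group-alias IT enable

! On the RADIUS server, return IETF attribute 25 (Class) per user:
!   standard user -> Class = "OU=StandardUsers;"
!   IT user       -> Class = "OU=ITAdmins;"
! A standard user who selects "IT" is assigned StandardUsers by the class
! value; its group-lock (STD-TG) does not match the selected tunnel group
! (IT-TG), so the login fails.
```

With this layout the drop-down still lists both groups; the restriction is enforced at authentication time, which is also what covers the group URL case mentioned in the reply.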

