Cisco Secure Desktop and Tunnel Group Profiles

Unanswered Question
Jun 3rd, 2009

Okay guys, I have a question. I am configuring remote VPN on an ASA 5540. Here is what I want to do, but I am not sure if this is possible.

I want to set it up to where when a user goes to https://vpn.website.com they are prompted to select a GROUP and then log on (Corporate users or Contract users). I have this part working. The problem comes in when I enable Cisco Secure Desktop. I only want my "Contract Users" to load CSD. The problem is when going to https://sslvpn.website.com it immediately starts to load CSD, forcing all users to use CSD. My problem is I DO NOT want my corporate users being forced into CSD, so I was hoping that you could FIRST select the profile and then CSD would load only if you are a "Contract User". I am aware of the "without-csd" command for the Corporate Tunnel-group "" webvpn attributes, but it still loads CSD before allowing you to select a profile. Hope my scenario is making sense.

Here is my config:

CCCASA-5540# sho run webvpn
webvpn
 enable outside
 csd image disk0:/securedesktop_asa_3_3_0_129.pkg.zip
 csd enable
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable

CCCASA-5540# sho run tunn
CCCASA-5540# sho run tunnel-group
tunnel-group Corporate type remote-access
tunnel-group Corporate general-attributes
 address-pool SSL_VPN_Pool
 authentication-server-group SSL_VPN
 default-group-policy Corporate
tunnel-group Corporate webvpn-attributes
 group-alias Corporate enable
 group-url https://0.0.0.0/Corporate enable
 without-csd
tunnel-group Consultant type remote-access
tunnel-group Consultant general-attributes
 address-pool SSL_VPN_Pool
 authentication-server-group SSL_VPN
 default-group-policy Consultant
tunnel-group Consultant webvpn-attributes
 group-alias Consultant enable
 group-url https://0.0.0.0/Consultant enable

CCCASA-5540# sho run group-po
group-policy Corporate internal
group-policy Corporate attributes
 dns-server value 10.x.x.x
 vpn-tunnel-protocol svc
group-policy Consultant internal
group-policy Consultant attributes
 vpn-tunnel-protocol svc

Anonymous (not verified) Tue, 06/09/2009 - 07:48

You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that uses that customization profile, as described at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1117540
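
An added example, not part of the original thread and not Cisco's code: a small Python audit of "show run tunnel-group" output like the one posted in the question, reporting which tunnel groups carry "without-csd" and which group-url entries that exemption is tied to (Cisco's command reference describes without-csd as applying to users who connect through a group-url entry). The sample text is constructed from the question's config, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the `show run tunnel-group` output in the question.
SAMPLE = """\
tunnel-group Corporate type remote-access
tunnel-group Corporate general-attributes
 default-group-policy Corporate
tunnel-group Corporate webvpn-attributes
 group-alias Corporate enable
 group-url https://0.0.0.0/Corporate enable
 without-csd
tunnel-group Consultant type remote-access
tunnel-group Consultant general-attributes
 default-group-policy Consultant
tunnel-group Consultant webvpn-attributes
 group-alias Consultant enable
 group-url https://0.0.0.0/Consultant enable
"""

# Top-level lines that open (or continue) the description of one tunnel group.
HEADER = re.compile(
    r"^tunnel-group (\S+) (?:type \S+|general-attributes|webvpn-attributes)$")

def parse_tunnel_groups(text):
    """Map each tunnel-group name to its policy, aliases, group-urls and CSD flag."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:  # sub-commands that follow belong to this group
            current = groups.setdefault(m.group(1), {
                "policy": None, "aliases": [], "urls": [], "without_csd": False})
            continue
        if current is None:  # prompt lines or output before the first group
            continue
        words = line.split()
        if words[0] == "default-group-policy" and len(words) > 1:
            current["policy"] = words[1]
        elif words[0] in ("group-alias", "group-url") and words[-1] == "enable":
            key = "aliases" if words[0] == "group-alias" else "urls"
            current[key].append(words[1])
        elif line == "without-csd":
            current["without_csd"] = True
    return groups

def csd_exempt_urls(groups):
    """For groups carrying without-csd, list the group-urls the exemption is tied to."""
    return {n: g["urls"] for n, g in groups.items() if g["without_csd"]}
```

A group that appears in the result with an empty URL list has an exemption that no entry point can trigger, and any group missing from the result always goes through the CSD check.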
