Prioritizing client VPN connections

Jun 16th, 2009

My risk dept is looking at swine flu pandemic planning and is wondering if certain users can have connections prioritized over the general remote access population.

Reducing the IP pool allocated to the general user and allocating addresses from a fixed pool is an option, but are there other options available? All users have the VPN client and connect to ASA 8.04.


Danilo Dy Wed, 07/08/2009 - 08:41

I don't know if there is such a feature. Anyway, once you have it, everybody will say their job is high priority. If there is a pandemic, everybody will be working remotely.

I think running out of IPs in the pool is not a problem if it is designed properly. Most RA VPN problems are bandwidth and license (for SSL).

hobbe Tue, 07/14/2009 - 06:47

What is it that you are trying to achieve?

That they get the bandwidth?

That they get a license?

What are you/they afraid of running out of?

If using RADIUS authentication there are several things that you can do to limit a specific user. I do not, however, believe there is a prioritisation schedule where someone is more important than someone else.

How would it choose?

If one who is prioritised tries to log in and the licensing is already full, who should it kick out?

I can recommend checking out cryptocard for authentication purposes if you do not have 2-factor authentication for the users.

macloughs Tue, 07/14/2009 - 07:37

Hi, thanks for your reply.

The proposal is that there will be a group identified who should get connected at all times in preference to a "normal worker". It's not a bandwidth issue. ACS RADIUS is used for the authentication. But as you say, how to prioritize? It's an effort to try to stop the manual kicking-out process.

hobbe Wed, 07/15/2009 - 04:02

I do not think there is a "real" way to actually do this. I came up with the same idea as you with the IP pools, but other than that it is only automated scripting I can think of that logs on to the firewall and keeps one line open at all times.

And I would not want to kick users out with scripts.

The other option would be to buy the critical people another firewall or at least another way in.
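
The IP pool idea raised in the question and in the reply above, sketched as an ASA configuration fragment. This is an added example, not configuration posted by anyone in the thread. The pool, group-policy and tunnel-group names, the address ranges, the AAA server group name `ACS-RADIUS` and the 250-session licence figure are all constructed assumptions; pre-shared keys and the `aaa-server` definition are omitted.

```text
! Assumption: the unit is licensed for 250 concurrent remote-access sessions.
! The general pool holds 200 addresses, so general users can never occupy
! more than 200 sessions; 50 sessions stay free for the critical group.
ip local pool VPN-GENERAL  10.10.10.1-10.10.10.200 mask 255.255.255.0
ip local pool VPN-CRITICAL 10.10.20.1-10.10.20.50  mask 255.255.255.0
!
group-policy GP-GENERAL internal
group-policy GP-GENERAL attributes
 ! One session per user so a single account cannot drain the pool
 vpn-simultaneous-logins 1
!
group-policy GP-CRITICAL internal
group-policy GP-CRITICAL attributes
 vpn-simultaneous-logins 1
!
tunnel-group TG-GENERAL type remote-access
tunnel-group TG-GENERAL general-attributes
 address-pool VPN-GENERAL
 authentication-server-group ACS-RADIUS
 default-group-policy GP-GENERAL
!
tunnel-group TG-CRITICAL type remote-access
tunnel-group TG-CRITICAL general-attributes
 address-pool VPN-CRITICAL
 authentication-server-group ACS-RADIUS
 default-group-policy GP-CRITICAL
```

When the general pool is exhausted, further general connections fail at address assignment while the critical group still has both addresses and licensed sessions available. The reservation only holds if ACS restricts which accounts may authenticate through the critical tunnel group, and it caps general users at 200 even when no critical user is connected.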

