multiple companies on AnyConnect - help me understand

Oct 1st, 2009

I am demoing the AnyConnect VPN client. I have (1) 5505 in-house and I need to provide access to 4 different groups. Company A with standard LDAP logins, Company A with LDAP and RSA Tokens, Company B with standard LDAP logins and Company B with LDAP and RSA Tokens.

I want to use the same hostname mainly because I don't want to buy multiple certificates and I don't want users to have to choose between profiles at login. I have no problem creating 4 custom clients.

What is the best way to do this? Is this an alias type thing? How do I build this into the client?

Thanks in advance,


Collin Clark Fri, 10/02/2009 - 07:49


In the client you can specify a User Group, but the client takes the user group name along with the host address and creates a URL for that specific group.

For an example, let's use departments. I configure SSLVPN for my company; I have three departments: marketing, engineering and support. I first create the XML file for marketing:

Acme - Marketing


The client now builds the customer URL and tries to connect to it. The URL is

You would then continue with engineering and support. The problem you will have is there is only one valid URL and you cannot specify the User Group. The only workaround I know of is to use a wildcard certificate on the ASA. Then you can configure as many client groups as you wish.

tprendergast Mon, 10/05/2009 - 11:49


You want to create unique IP Scopes, VPN Filters, Group-Policy, and Tunnel-groups for these companies.


Company A has

* a DHCP Scope of

* a VPN Filter that restricts their access to only one subnet inside your VPN

* a Group-Policy that specifies the dns-servers/vpn timeouts/split-tunneling policy/specific DHCP Pool to assign addresses from

* and a Tunnel-Group that tells the concentrator which authentication server(s) to use as well as tying it all together by linking the group with the policy created above.

You can dynamically assign tunnel-groups (so the user doesn't have to select from a dropdown) using SecureACS RADIUS option 25 (class) (set it to "ou=;").

Hope that helps. Rate if it does!

jickfoo Wed, 10/07/2009 - 04:35

Thank you both for your replies. I've set it up so the URIs are unique.


Then I edit the preferences.xml during a custom install to point to the appropriate URL. On the switch side, I've attached the URLs to the appropriate connection profiles.

I'm assuming this is an ok approach? It seems to work ok. Let me know if you see any problems with it.

Thanks again,
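
The pieces listed in tprendergast's reply, combined with the per-profile URLs described in the last post, as an added ASA configuration sketch for Company A (not configuration posted by anyone in this thread). Every name, address and the hostname vpn.example.com is a constructed placeholder, and the sketch assumes the aaa-server groups LDAP-A and RSA-A are already defined, AnyConnect is already enabled on the outside interface, and the software release supports secondary authentication.

```cisco
! Constructed example: all names, subnets and URLs are placeholders.

! Address pool, access filter and split-tunnel list for Company A
ip local pool COMPANYA-POOL 10.99.1.10-10.99.1.250 mask 255.255.255.0
! In a vpn-filter ACL the remote side (the client pool) is the source
access-list COMPANYA-FILTER extended permit ip 10.99.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list COMPANYA-SPLIT standard permit 192.168.10.0 255.255.255.0

! Group policy: DNS, timeout, filter, split tunneling, pool
group-policy COMPANYA-GP internal
group-policy COMPANYA-GP attributes
 dns-server value 192.168.10.5
 vpn-idle-timeout 30
 vpn-filter value COMPANYA-FILTER
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COMPANYA-SPLIT
 address-pools value COMPANYA-POOL

! Connection profile 1: Company A, LDAP only
tunnel-group COMPANYA-LDAP type remote-access
tunnel-group COMPANYA-LDAP general-attributes
 authentication-server-group LDAP-A
 default-group-policy COMPANYA-GP
tunnel-group COMPANYA-LDAP webvpn-attributes
 group-url https://vpn.example.com/companya enable

! Connection profile 2: Company A, RSA token plus LDAP
tunnel-group COMPANYA-RSA type remote-access
tunnel-group COMPANYA-RSA general-attributes
 authentication-server-group RSA-A
 secondary-authentication-server-group LDAP-A
 default-group-policy COMPANYA-GP
tunnel-group COMPANYA-RSA webvpn-attributes
 group-url https://vpn.example.com/companya-rsa enable
```

Company B would repeat the same pattern with its own pool, filter, group policy and two tunnel groups. The group URL only selects a connection profile and is not a secret, so the separation between companies rests on each profile's authentication servers and its vpn-filter.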


