multiple companies on AnyConnect - help me understand

jickfoo
Level 1

I am demoing the AnyConnect VPN client. I have (1) 5505 in-house and I need to provide access to 4 different groups: Company A with standard LDAP logins, Company A with LDAP and RSA tokens, Company B with standard LDAP logins and Company B with LDAP and RSA tokens.

I want to use the same hostname, mainly because I don't want to buy multiple certificates and I don't want users to have to choose between profiles at login. I have no problem creating 4 custom clients.

What is the best way to do this? Is this an alias type thing? How do I build this into the client?

Thanks in advance,

Justin

3 Replies

Collin Clark
VIP Alumni

Justin-

In the client you can specify a User Group, but the client takes the user group name along with the host address and creates a URL for that specific group.

For an example, let's use departments. I configure SSLVPN for my company, acme.com. I have three departments: marketing, engineering and support. I first create the XML file for marketing:

Acme - Marketing
acme.com
marketing

The client now builds the custom URL and tries to connect to it. The URL is marketing.acme.com.

You would then continue with engineering and support. The problem you will have is there is only one valid URL and you cannot specify the User Group. The only workaround I know of is to use a wildcard certificate on the ASA. Then you can configure as many client groups as you wish.
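As an added example (this is not the profile from the reply above; the host and group names are the reply's illustrative ones, and tying the path to an ASA `group-url` is my assumption about the rest of the setup), this is what a complete AnyConnect client profile with two server-list entries looks like. HostName is only the label shown in the client's drop-down. The client connects to https://HostAddress/UserGroup, so the marketing entry below produces https://acme.com/marketing, a path on the existing hostname rather than a new hostname. On the ASA that path is matched by a `group-url` on the connection profile, which is why a single hostname and a single certificate can serve any number of groups; a wildcard certificate is only needed if each group is to get a hostname of its own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile, not a file from the thread.
     acme.com and the department names are the reply's illustrative values. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <!-- Client connects to https://acme.com/marketing -->
    <HostEntry>
      <HostName>Acme - Marketing</HostName>
      <HostAddress>acme.com</HostAddress>
      <UserGroup>marketing</UserGroup>
    </HostEntry>
    <!-- Same hostname, same certificate, different ASA connection profile:
         client connects to https://acme.com/engineering -->
    <HostEntry>
      <HostName>Acme - Engineering</HostName>
      <HostAddress>acme.com</HostAddress>
      <UserGroup>engineering</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two things worth knowing before building four custom installers around this: the client downloads whatever profile is bound to the group-policy at connect time and keeps it alongside (or, with the same filename, in place of) the pre-deployed one, so the per-group profile has to be maintained on the ASA and not only inside the installer; and a HostEntry only selects a connection profile, it does not authenticate anyone, so the separation between companies rests on the authentication server each tunnel-group points at, not on what the client profile says.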

tprendergast
Level 3

Justin,

You want to create unique IP Scopes, VPN Filters, Group-Policy, and Tunnel-groups for these companies.

i.e.:

Company A has

* a DHCP Scope of 10.1.1.10-250/24

* a VPN Filter that restricts their access to only one subnet inside your VPN

* a Group-Policy that specifies the dns-servers/vpn timeouts/split-tunneling policy/specific DHCP Pool to assign addresses from

* and a Tunnel-Group that tells the concentrator which authentication server(s) to use as well as tying it all together by linking the group with the policy created above.

You can dynamically assign tunnel-groups (so the user doesn't have to select from a dropdown) using SecureACS RADIUS option 25 (class) (set it to "ou=;").

Hope that helps. Rate if it does!

Thank you both for your replies. I've set it up so the URIs are unique.

i.e.

vpn.acme.com/company1

vpn.acme.com/company2

Then I edit the preferences.xml during a custom install to point to the appropriate URL. On the switch side, I've attached the URLs to the appropriate connection profiles.

I'm assuming this is an OK approach? It seems to work OK. Let me know if you see any problems with it.

Thanks again,

Justin
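Putting tprendergast's list (pool, VPN filter, group-policy, tunnel-group) together with the group-url scheme Justin settled on, here is one company's worth of ASA configuration as an added example. This is not configuration from the thread: the pool range, inside subnet, server addresses, LDAP DNs, the COMPANY-A-* names and the `/company1-token` path are all assumptions. Each company gets its own address pool, VPN filter, group-policy and two tunnel-groups, one per authentication method, and the tunnel-groups are selected by `group-url` under the single hostname vpn.acme.com, so one certificate covers everything and `tunnel-group-list` can stay at its default of disabled (no drop-down for the user). The two-factor profile uses `secondary-authentication-server-group`, which needs ASA 8.2(1) or later; `svc enable` is the pre-8.4 spelling of `anyconnect enable`.

```text
! Added example ASA configuration for one company; repeat the block for Company B
! with its own pool, filter, servers and URLs. All names and addresses are assumed.

! Address pool (the "DHCP scope" in the reply above)
ip local pool COMPANY-A-POOL 10.1.1.10-10.1.1.250 mask 255.255.255.0

! VPN filter: Company A clients may reach only Company A's inside subnet.
! Because sysopt connection permit-vpn bypasses interface ACLs by default,
! this filter is the control that keeps the two companies apart.
access-list COMPANY-A-FILTER extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list COMPANY-A-FILTER extended deny ip any any

! Split-tunnel list: only Company A's subnet is sent through the tunnel
access-list COMPANY-A-SPLIT standard permit 192.168.10.0 255.255.255.0

! Authentication servers: Company A's directory and Company A's RSA server
aaa-server COMPANY-A-AD protocol ldap
aaa-server COMPANY-A-AD (inside) host 192.168.10.5
 ldap-base-dn dc=companya,dc=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=companya,dc=example
 ldap-login-password <bind-password>
 server-type microsoft
aaa-server COMPANY-A-SDI protocol sdi
aaa-server COMPANY-A-SDI (inside) host 192.168.10.6

! Group-policy: DNS, timeouts, split tunnelling, filter and pool
group-policy COMPANY-A-GP internal
group-policy COMPANY-A-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.10.5
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COMPANY-A-SPLIT
 vpn-filter value COMPANY-A-FILTER
 address-pools value COMPANY-A-POOL

! Connection profile 1: Company A, LDAP password only
tunnel-group COMPANY-A-LDAP type remote-access
tunnel-group COMPANY-A-LDAP general-attributes
 authentication-server-group COMPANY-A-AD
 default-group-policy COMPANY-A-GP
tunnel-group COMPANY-A-LDAP webvpn-attributes
 group-url https://vpn.acme.com/company1 enable

! Connection profile 2: Company A, RSA token plus LDAP password (ASA 8.2(1)+)
tunnel-group COMPANY-A-TOKEN type remote-access
tunnel-group COMPANY-A-TOKEN general-attributes
 authentication-server-group COMPANY-A-SDI
 secondary-authentication-server-group COMPANY-A-AD
 default-group-policy COMPANY-A-GP
tunnel-group COMPANY-A-TOKEN webvpn-attributes
 group-url https://vpn.acme.com/company1-token enable

! AnyConnect on the outside interface; tunnel-group-list is left disabled so the
! client never shows a group drop-down and group-url alone picks the profile.
webvpn
 enable outside
 svc enable
```

To check it, `show run tunnel-group` should list one `group-url` per connection profile with no duplicates, and after a test login `show vpn-sessiondb svc` (`show vpn-sessiondb anyconnect` on 8.4 and later) should show the session in the expected tunnel-group with the expected group-policy and filter. The caveat to keep in mind with this design is that anyone can type any of the group URLs, so what actually keeps a Company A user out of Company B's network is that each tunnel-group authenticates only against that company's own server and its group-policy carries that company's vpn-filter; a tunnel-group that points at a shared server, or a group-policy without a vpn-filter, gives up that separation.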