We currently have IPSec VPN configured on our ASA 5520 for our corporate users and for all our consultants, authenticating to our AD via our RADIUS servers. Now we want to upgrade all those people to AnyConnect, so my question is:
As the pre-shared key for each profile was replaced by an alias on the AnyConnect client, how do I differentiate profiles if users are authenticating against AD by RADIUS?
To be clear, I will give you an example:
We have profiles on our ASA for the IPSec client like below:
Our company users:
VPN-users -> Authentication = user and password “AD”
VPN-Q -> Authentication = user and password “AD”
VPN-L -> Authentication = user and password “AD”
VPN-Y -> Authentication = user and password “AD”
VPN-Z -> Authentication = user and password “AD”
Here everything works well, so we gave each consultant the corresponding group name and pre-shared key and they configured their Cisco VPN client with all that information.
Now if I take all those profiles and enable AnyConnect, I have to create an alias for each profile, so on the HTTP main page or in the AnyConnect client they will see all those aliases in a drop-down menu and can choose whichever they want, and as they are all in our AD they can connect to all those profiles, even a consultant to the (VPN-users) profile for our company users.
Has someone had the same scenario on their infrastructure? Or does someone have an answer to this question?
Thanks a lot in advance.
You can configure LDAP policy mapping to map users to the right group-policy.
Here is the sample configuration for your reference:
Hope that helps.
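As an added illustration of the LDAP policy mapping approach described in the answer above (this is not the answer's own sample configuration), the ASA fragment below maps an AD group membership to a group-policy, locks that group-policy to its own tunnel-group, and sends anyone without a mapped group to a group-policy that allows zero logins. All names, DNs and the 10.0.0.10 server address are assumed values for the example; it also assumes the ASA queries AD over LDAP instead of the existing RADIUS servers.

```cisco
! Map the AD memberOf attribute to the ASA Group-Policy attribute.
! Users in the consultants group land in GP-VPN-Q; employees in GP-VPN-users.
ldap attribute-map AD-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN-Q-Consultants,OU=Groups,DC=example,DC=com" GP-VPN-Q
  map-value memberOf "CN=VPN-Employees,OU=Groups,DC=example,DC=com" GP-VPN-users

! LDAP AAA server pointing at a domain controller (assumed address).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
  ldap-login-password <placeholder-password>
  server-type microsoft
  ldap-attribute-map AD-MAP

! Fallback policy: an authenticated user with no mapped group gets 0 logins,
! so a valid AD account alone is not enough to connect.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! group-lock ties the policy to one tunnel-group: a user mapped to
! GP-VPN-Q who picks the VPN-users alias is rejected.
group-policy GP-VPN-users internal
group-policy GP-VPN-users attributes
  vpn-tunnel-protocol ssl-client
  group-lock value VPN-users
group-policy GP-VPN-Q internal
group-policy GP-VPN-Q attributes
  vpn-tunnel-protocol ssl-client
  group-lock value VPN-Q

! Each tunnel-group authenticates against LDAP, defaults to NOACCESS,
! and exposes an alias in the AnyConnect drop-down.
tunnel-group VPN-users type remote-access
tunnel-group VPN-users general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group VPN-users webvpn-attributes
  group-alias VPN-users enable
tunnel-group VPN-Q type remote-access
tunnel-group VPN-Q general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group VPN-Q webvpn-attributes
  group-alias VPN-Q enable
```

If authentication has to stay on RADIUS, the same group-policy assignment can be achieved by having the RADIUS server return the policy name in the IETF Class attribute (in the form OU=GP-VPN-Q;) for the matching AD group, with the same NOACCESS default and group-lock settings on the ASA.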