AnyConnect Client

Answered Question
May 31st, 2010

Dear all,

We currently have IPsec VPN configured on our ASA 5520 for our corporate users and for all our consultants, with authentication to our AD through our RADIUS servers. Now we want to move all those people to AnyConnect, so my question is:

As the pre-shared key for each profile is replaced by an alias in the AnyConnect client, how do we differentiate profiles if users are authenticating against AD via RADIUS?

To be clear, I will give you an example:

We have profiles on our ASA for the IPsec client like below:

Our company users:

VPN-users -> Authentication = user and password “AD”

Consultants:

VPN-Q -> Authentication = user and password “AD”

VPN-L -> Authentication = user and password “AD”

VPN-Y -> Authentication = user and password “AD”

VPN-Z -> Authentication = user and password “AD”

Here everything works well, so we gave each consultant the corresponding group name and pre-shared key and they configured their Cisco VPN client with all that information.

Now, if I take all those profiles and enable AnyConnect, I have to create an alias for each profile, so on the HTTP main page or in the AnyConnect client they will see all those aliases in a drop-down menu and they can choose whichever they want. As they are all in our AD, they can connect to all those profiles, even a consultant on the (VPN-users) profile for our company users.

Has anyone had the same scenario in their infrastructure? Or does anyone have an answer to this question?

Thanks a lot in advance

Correct Answer by Jennifer Halim about 6 years 7 months ago

You can configure LDAP policy mapping to map user to the right group-policy.

Here are sample configurations for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope that helps.

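The LDAP policy mapping the answer above refers to is done on the ASA with an LDAP attribute map that translates the AD memberOf value into a group-policy name, attached to the LDAP AAA server that the tunnel-group authenticates against. The configuration below is an added example written for this thread, not taken from the Cisco documents linked above; the server address, DNs, group names and group-policy names are assumptions, and it uses the ASA 8.2 and later attribute name Group-Policy (older releases used IETF-Radius-Class for the same purpose).

```cisco
! Added example (assumed names). Map AD group membership to an ASA group-policy.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com"  GP-VPN-users
 map-value memberOf "CN=VPN-Q,OU=Groups,DC=example,DC=com"      GP-VPN-Q
 map-value memberOf "CN=VPN-L,OU=Groups,DC=example,DC=com"      GP-VPN-L

! LDAP server group pointing at a domain controller (assumed address and bind account).
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Fallback policy: a user whose memberOf matches nothing in the map lands here
! and is refused, instead of silently inheriting a permissive default policy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! One tunnel-group for everyone; the mapped group-policy overrides the default.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
```

Two points worth checking after applying this: the map-value DN must match the memberOf value exactly as AD returns it (a `debug ldap 255` during a test login shows the raw attribute), and a user who belongs to several mapped groups will get whichever mapping the ASA applies first, so consultants and employees should not share mapped groups. The NOACCESS default is the usual way to make sure an unmapped but validly authenticated AD account gets no VPN access at all.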
belal.sadozai Wed, 06/02/2010 - 05:56

Hello,

Very helpful, it solved my issue, thanks a lot.

Now I have another question:

So we have 10 consultants with profiles, GPs and a different alias for each of them, and we have our company users also with profile = alias. When you launch the AnyConnect client on the PC you see all profiles = aliases in the drop-down menu. My manager doesn't like our company users seeing all those consultant profiles = aliases. I did a lot of testing but I couldn't find a way to hide profiles in this window; the only solution I found to remove the aliases is to create a URL for each profile, but then users have to connect via this URL each time instead of the AnyConnect client??

Do you have an idea about this??

Thanks again for your help

Jennifer Halim Wed, 06/02/2010 - 06:00

Since you already configured LDAP mapping, you can essentially just configure 1 tunnel-group, and let the LDAP mapping map each group to a specific group-policy.

So, remove all the group-alias, or group-url configuration, and just use 1 tunnel-group.

When the user connects, there shouldn't be a drop-down menu once you remove the group-alias. After the user authenticates, LDAP mapping will map the user to the corresponding group-policy.

Hope that helps. Please mark the question answered and rate useful posts. Thanks.

belal.sadozai Wed, 06/02/2010 - 06:21

Hello,

Thanks for your quick answer, but I have to tell you first that I implemented LDAP authentication, tested it with test users and presented it to our manager, but unfortunately he didn't like it; for him it is very complicated to create LDAP policy mappings to GPs on the ASA and so on, so we went back to the old config, meaning:

10 consultants with a tunnel-group and alias for each of them and ASA local user authentication. And our company users are one tunnel-group with an alias and RADIUS authentication.

So I have to find a solution with this config to hide or remove the aliases?

Thanks

Jennifer Halim Wed, 06/02/2010 - 06:25

It is still achievable using the local database.

Configure 1 tunnel-group, and remove the group-alias configuration.

In the username attributes, you can assign the group-policy per user.

Example:

  username consultant1 attributes
   vpn-group-policy <group-policy-name>

Hope that helps.

belal.sadozai Wed, 06/02/2010 - 06:56

Yes, this is what I did already for all consultants, but when I remove the aliases the DefaultWEBVPNGroup will be the connection profile, and on the Default… group the authentication method is set to RADIUS (because our internal users are authenticated by RADIUS), so for consultants it doesn't work..?

Jennifer Halim Thu, 06/03/2010 - 04:19

In that case, just configure 1 tunnel-group with a group-alias. That way there will only be 1 entry in the drop-down list. For the group-alias, just type in something generic, like SSLVPN for example.

belal.sadozai Tue, 06/08/2010 - 01:18

It doesn't work like this. I configured test accounts like below:

  Tunnel group   Local user   Group policy   Alias
  test-1         user-1       GP-1           VPN-Test
  test-2         user-2       GP2            (none)
  test-3         user-3       GP-3           (none)

So I see VPN-Test in the drop-down menu. I assigned user-1 to GP-1, user-2 to GP-2 and user-3 to GP-3. I can log in with user-1 but not with the two other users; in the debug I can see that authentication works for user-2 and user-3, but the WebVPN session doesn't start???
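The thread ends here without a resolution, so the following is an added example, not something posted by either participant, of the single-tunnel-group, local-database layout Jennifer Halim describes, together with the group-policy attributes the ASA checks before it will start an AnyConnect session for an authenticated user. Tunnel-group, user and policy names are taken from the test table above; the password placeholders and the interface name are assumptions. Syntax is the ASA 8.2/8.3 form current at the time of the thread; the 8.4 and later equivalents are noted in comments.

```cisco
! Added example (assumed values). One tunnel-group, users placed into policies locally.

! Each group-policy must permit the AnyConnect protocol and allow at least one login,
! otherwise the user authenticates but no session is built.
group-policy GP-1 internal
group-policy GP-1 attributes
 vpn-tunnel-protocol svc webvpn      ! 8.4+: vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-simultaneous-logins 3
group-policy GP-2 internal
group-policy GP-2 attributes
 vpn-tunnel-protocol svc webvpn
 vpn-simultaneous-logins 3
group-policy GP-3 internal
group-policy GP-3 attributes
 vpn-tunnel-protocol svc webvpn
 vpn-simultaneous-logins 3

! Default for anyone not explicitly assigned a policy: refuse the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Local users, each pinned to its own policy.
username user-1 password <placeholder-1>
username user-1 attributes
 vpn-group-policy GP-1
 service-type remote-access
username user-2 password <placeholder-2>
username user-2 attributes
 vpn-group-policy GP-2
 service-type remote-access
username user-3 password <placeholder-3>
username user-3 attributes
 vpn-group-policy GP-3
 service-type remote-access

! The only tunnel-group users can select; a single generic alias appears in the client.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LOCAL
 default-group-policy NOACCESS
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable

webvpn
 enable outside
 svc enable                           ! 8.4+: anyconnect enable
 tunnel-group-list enable
```

When a user passes authentication but the session never comes up, the attributes to inspect are those of the policy that user actually lands in: `show running-config group-policy GP-2` should show a `vpn-tunnel-protocol` that includes the AnyConnect protocol and a non-zero `vpn-simultaneous-logins`, and neither the user nor the policy should carry a `group-lock` naming one of the old per-consultant tunnel-groups, since group-lock refuses a connection made through any other tunnel-group. `show vpn-sessiondb svc` (`show vpn-sessiondb anyconnect` on 8.4+) confirms which group-policy and tunnel-group an established session was placed in. One design caveat on mixing the two user populations in a single tunnel-group: `authentication-server-group` takes a single server group, and a LOCAL entry listed after RADIUS is only consulted when the RADIUS servers are unreachable, not when RADIUS rejects the user, so locally defined consultants and RADIUS-authenticated employees cannot share one tunnel-group's authentication setting without an attribute mapping of the kind shown in the first example.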
