05-31-2010 06:58 AM - edited 02-21-2020 04:40 PM
Dear all,
We currently have IPsec VPN configured on our ASA 5520 for our corporate users and for all our consultants; authentication is against our AD through our RADIUS servers. Now we want to move all those people to AnyConnect, so my question is:
As the pre-shared key for each profile is replaced by an alias on the AnyConnect client, how do we differentiate profiles if users are authenticating against AD through RADIUS?
To be clear I will give you example:
We have profiles on our ASA for IPSec client like below:
Our company users:
VPN-users -> Authentication = user and password "AD"
Consultants:
VPN-Q -> Authentication = user and password "AD"
VPN-L -> Authentication = user and password "AD"
VPN-Y -> Authentication = user and password "AD"
VPN-Z -> Authentication = user and password "AD"
Here everything works well, so we gave each consultant the corresponding group name and pre-shared key, and they configured their Cisco VPN client with all that information.
Now if I take all those profiles and enable AnyConnect, I have to create an alias for each profile, so on the main HTTP page or in the AnyConnect client they will see all those aliases in a drop-down menu and can choose whichever they want; and as they are all in our AD, they can connect to any of those profiles, even a consultant on the (VPN-users) profile meant for our company users.
Has someone had the same scenario in their infrastructure? Or does someone have an answer to this question?
Thanks a lot in advance
06-01-2010 01:49 AM
You can configure LDAP policy mapping to map each user to the right group-policy.
Here are sample configurations for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
Hope that helps.
06-02-2010 05:56 AM
Hello,
Very helpful, it solved my issue, thanks a lot.
Now I have another question:
So we have 10 consultants with profiles, GPs and a different alias for each of them, and we have our company users also with profiles = aliases. When you launch the AnyConnect client on the PC, you see all profiles = aliases in the drop-down menu. My manager doesn't like our company users seeing all those consultant profiles = aliases. I did a lot of testing but I couldn't find a way to hide profiles in this window; the only solution I found to remove the aliases is to create a URL for each profile, but then users have to connect through this URL each time instead of the AnyConnect client.
Do you have any idea about this?
Thanks again for your help
06-02-2010 06:00 AM
Since you already configured LDAP mapping, you can essentially just configure 1 tunnel-group and let the LDAP mapping map each group to a specific group-policy.
So, remove all the group-alias, or group-url configuration, and just use 1 tunnel-group.
When the user connects, there shouldn't be a dropdown menu once you remove the group-alias. After the user authenticates, LDAP mapping will map the user to the corresponding group-policy.
Hope that helps. Please mark the question answered and rate useful post. Thanks.
06-02-2010 06:21 AM
Hello,
Thanks for your quick answer, but I have to tell you first that I implemented LDAP authentication, tested it with test users and presented it to our manager, but unfortunately he didn't like it; for him it is very complicated to create LDAP policy maps to GPs on the ASA and so on, so we went back to the old config, meaning:
10 consultants with a tunnel group and alias for each of them and ASA local user authentication. And our company users are one tunnel group with an alias and RADIUS authentication.
So I have to find a solution with this config to hide or remove the aliases.
Thanks
06-02-2010 06:25 AM
This is still achievable using the local database.
Configure 1 tunnel-group, and remove the group-alias configuration.
In the username attributes, you can assign the group-policy per user.
Example:
username consultant1 attributes
vpn-group-policy
Hope that helps.
06-02-2010 06:56 AM
Yes, this is what I already did for all consultants, but when I remove the aliases, DefaultWEBVPNGroup will be the connection profile, and on the Default... group the authentication method selected is RADIUS (because our internal users are authenticated by RADIUS), so for consultants it doesn't work.
06-03-2010 04:19 AM
In that case, just configure 1 tunnel-group with a group-alias. Then there will only be 1 entry in the drop-down list. For the group-alias, just type in something generic, like SSLVPN for example.
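The design suggested in the last two replies (one tunnel-group with one generic alias, consultants authenticated from the ASA local database, and the group-policy assigned per user) written out as an added example configuration; it is not from any post in this thread, and the names SSLVPN, GP-CONSULTANT-1/2, GP-NOACCESS, ACL-CONSULTANT-1/2 and consultant1/2 are assumed. The `svc` keyword is the AnyConnect protocol name on the ASA 8.0-8.3 releases current when the thread was written.

```ios
! Added example, not from the thread. All names below are assumed.

! Per-consultant ACLs: each consultant only reaches their own host(s)
access-list ACL-CONSULTANT-1 extended permit ip any host 10.1.1.10
access-list ACL-CONSULTANT-2 extended permit ip any host 10.1.1.20

! One group-policy per consultant; AnyConnect must be allowed in each one
group-policy GP-CONSULTANT-1 internal
group-policy GP-CONSULTANT-1 attributes
 vpn-tunnel-protocol svc
 vpn-filter value ACL-CONSULTANT-1
 vpn-simultaneous-logins 1
group-policy GP-CONSULTANT-2 internal
group-policy GP-CONSULTANT-2 attributes
 vpn-tunnel-protocol svc
 vpn-filter value ACL-CONSULTANT-2
 vpn-simultaneous-logins 1

! Fallback policy: an account with no explicit mapping gets no session
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Single tunnel-group with one generic alias, so the client drop-down
! shows a single entry and reveals nothing about individual consultants
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-NOACCESS
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable

! Local accounts; vpn-group-policy overrides the tunnel-group default
! once the user has authenticated
username consultant1 password <set-a-strong-password>
username consultant1 attributes
 vpn-group-policy GP-CONSULTANT-1
 service-type remote-access
username consultant2 password <set-a-strong-password>
username consultant2 attributes
 vpn-group-policy GP-CONSULTANT-2
 service-type remote-access
```

After a login, `show vpn-sessiondb svc` should list the user with the per-user group-policy rather than GP-NOACCESS; a user shown with GP-NOACCESS (or rejected at login) has no vpn-group-policy mapping, which is the fallback behaving as intended.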
06-08-2010 01:18 AM
It doesn't work like this. I configured test accounts like below:
Tunnel group | Local user | Group policy | alias
test-1 | user-1 | GP-1 | VPN-Test
test-2 | user-2 | GP2 |
test-3 | user-3 | GP-3 |
So I see VPN-Test in the drop-down menu. I assigned user-1 to GP1, user-2 to GP-2 and user-3 to GP-3. I can log in with user-1 but not with the two other users; in the debug I can see that the authentication works with user-2 and user-3, but the WebVPN session doesn't start.