Anyconnect - Authenticate?

steve pearson · ‎09-28-2010

Hi

We have an ASA 5510 firewall with the portal set up, working great. This sits in front of a Gridguard product using LDAP for authentication.

However we would like to restrict the Anyconnect function to certain users, so not everyone who authenticates to the portal will be able to use Anyconnect. Is it possible to set up another group in AD, or perhaps something in ACS to authenticate against when someone attempts to use Anyconnect to VPN?

Any help would be great

Thanks

nohra · ‎09-28-2010

You can create group-policy within the ASA to define differences between groups.. the relevant command that will permit IPSec, Anyconnect, and clientless for a group is:

group-policy FirstGroup attributes

vpn-tunnel-protocol IPSec svc webvpn

Just remove whichever protocol you don't want a group to be able to use, like:

group-policy SecondGroup attributes

vpn-tunnel-protocol IPSec webvpn

There are many other settings within the group policy, like dns servers, split tunnel policy, vpn filter (acl's), etc.. If you're not already using groups and group policies, you will need to return the group name from the authenticating server. In our ACS server we set on each group:

"IETF RADIUS Attribute #25" as ou=FirstGroup;

There may be other ways to do it, and you can probably do it from your LDAP also..

You assign the group policy to the group in the tunnel-group definition:

tunnel-group FirstGroup general-attributes

default-group-policy FirstGroup

Hope this helps

More information about LDAP for this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml