Cisco Secure Desktop and Tunnel Group Profiles

Joshua Engels
Level 1

Okay guys, I have a question. I am configuring remote VPN on an ASA 5540. Here is what I want to do, but I am not sure if this is possible.

I want to set it up to where when a user goes to https://vpn.website.com they are prompted to select a GROUP and then log on (Corporate users or Contract users). I have this part working. The problem comes in when I enable Cisco Secure Desktop. I only want my "Contract Users" to load CSD. The problem is when going to https://sslvpn.website.com it immediately starts to load CSD, forcing all users to use CSD. My problem is I DO NOT want my corporate users being forced into CSD, so I was hoping that you could FIRST select the profile and then CSD would load only if you are a "Contract User". I am aware of the "without-csd" command for the Corporate Tunnel-group "" webvpn attributes, but it still loads CSD before allowing you to select a profile. Hope my scenario is making sense.

Here is my config:

CCCASA-5540# sho run webvpn
webvpn
 enable outside
 csd image disk0:/securedesktop_asa_3_3_0_129.pkg.zip
 csd enable
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable

CCCASA-5540# sho run tunn

CCCASA-5540# sho run tunnel-group
tunnel-group Corporate type remote-access
tunnel-group Corporate general-attributes
 address-pool SSL_VPN_Pool
 authentication-server-group SSL_VPN
 default-group-policy Corporate
tunnel-group Corporate webvpn-attributes
 group-alias Corporate enable
 group-url https://0.0.0.0/Corporate enable
 without-csd
tunnel-group Consultant type remote-access
tunnel-group Consultant general-attributes
 address-pool SSL_VPN_Pool
 authentication-server-group SSL_VPN
 default-group-policy Consultant
tunnel-group Consultant webvpn-attributes
 group-alias Consultant enable
 group-url https://0.0.0.0/Consultant enable

CCCASA-5540# sho run group-po
group-policy Corporate internal
group-policy Corporate attributes
 dns-server value 10.x.x.x
 vpn-tunnel-protocol svc
group-policy Consultant internal
group-policy Consultant attributes
 vpn-tunnel-protocol svc

2 Replies

Not applicable

You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that uses that customization profile, as described at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1117540

Todd Pula
Level 7

In 8.2.1, you can disable CSD on a per tunnel-group basis when using group URLs as opposed to aliasing. If you intend to have users choose their respective connection profile using the alias drop-down menu, then CSD will execute for all users.

http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp229690
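The behaviour described in the reply above can be checked against a saved running-config. The following is an added example, not part of the original thread and not Cisco tooling: it reports which connection profiles skip the CSD posture check and by which entry path. The function names and the trimmed sample config are constructed for illustration, and the parser assumes the one-space indentation the ASA prints for sub-commands.

```python
import re

# Constructed sample: trimmed from the config posted in the question.
SAMPLE_CONFIG = """\
webvpn
 csd enable
 tunnel-group-list enable
tunnel-group Corporate webvpn-attributes
 group-alias Corporate enable
 group-url https://0.0.0.0/Corporate enable
 without-csd
tunnel-group Consultant webvpn-attributes
 group-alias Consultant enable
 group-url https://0.0.0.0/Consultant enable
"""

def audit_csd(config):
    """Return (csd_enabled, alias_menu_enabled, {group: facts}) from running-config text."""
    section, groups = None, {}
    csd_on = alias_menu = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            section = "webvpn" if line == "webvpn" else (m.group(1) if m else None)
            if m:
                groups[m.group(1)] = {"urls": [], "alias": False, "without_csd": False}
        elif section == "webvpn":
            csd_on |= line == "csd enable"
            alias_menu |= line == "tunnel-group-list enable"
        elif section in groups:
            g = groups[section]
            if line == "without-csd":
                g["without_csd"] = True
            elif line.startswith("group-alias ") and line.endswith(" enable"):
                g["alias"] = True
            elif line.startswith("group-url ") and line.endswith(" enable"):
                g["urls"].append(line.split()[1])
    return csd_on, alias_menu, groups

def csd_runs(config, group, via):
    """via is 'url' or 'alias'. Per the reply, without-csd only applies to group-URL logins."""
    csd_on, _, groups = audit_csd(config)
    if via == "url" and groups[group]["without_csd"]:
        return False
    return csd_on  # alias drop-down: CSD executes for all users when enabled
```

For the posted configuration this means Corporate users avoid CSD only when they browse directly to the Corporate group URL; anyone arriving through the alias menu is still scanned.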
