Cisco Support Community
New Member

How to restrict what user can use a tunnel-group for AnyConnect?

I currently have an ASA running with 8.4(x). The configuration has a group-policy and tunnel-policy for corporate users. This policy authenticates against SDI (RSA server with tokens).

I now need to create another group-policy and tunnel-policy, the differences to the corp group are only:

- Different IP pool

- only certain users are allowed

This second group is for IT personnel only, when they do certain administrative work. I.e. for normal login to get to their desktop or email, they should be using the corp access. If they login to do work on, let us say, network switches, they need to use this second group. Only the IP pool of the second group is allowed on another firewall to access the network where the network switches are on.

So how can I restrict what users can use the second group? DAP?

4 REPLIES
New Member

How to restrict what user can use a tunnel-group for AnyConnect?

Yes, DAP will do it.

Created DAP entries which match aaa.cisco.username AND aaa.cisco.grouppolicy for each of the users I want to allow access in the second group. Then an entry for our main group and default set to deny.

Re: How to restrict what user can use a tunnel-group for AnyConn

DAP is a great option. If you have RADIUS support on your RSA box you can also use radius attributes to return tunnel-group attributes and configure tunnel-group lock. LDAP will do this also, but I've never done it with that.

Sent from Cisco Technical Support iPhone App

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
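As an added illustration of the tunnel-group lock approach from the reply above (not configuration from the original thread), this is what a second group with its own pool, locked to its own tunnel-group, looks like on an ASA 8.4 CLI; the pool range, the names GP-IT-ADMIN, TG-IT-ADMIN, GP-CORP, TG-CORP and the RADIUS server group RSA-RADIUS are assumed.

```cisco
! Added illustration, not the poster's configuration. All names and the
! address range are assumed.

! Second pool, the one the other firewall permits toward the switch network
ip local pool IT-ADMIN-POOL 10.20.30.1-10.20.30.30 mask 255.255.255.224

! Second group-policy: its own pool, and locked to its own tunnel-group
group-policy GP-IT-ADMIN internal
group-policy GP-IT-ADMIN attributes
 vpn-tunnel-protocol ssl-client
 address-pools value IT-ADMIN-POOL
 group-lock value TG-IT-ADMIN

! Corporate group-policy locked to the corporate tunnel-group, so a user the
! RADIUS server maps to GP-CORP is rejected when connecting to TG-IT-ADMIN
group-policy GP-CORP attributes
 group-lock value TG-CORP

! Second tunnel-group, authenticating against the RSA server over RADIUS
! (RADIUS rather than SDI, so the server can return per-user attributes)
tunnel-group TG-IT-ADMIN type remote-access
tunnel-group TG-IT-ADMIN general-attributes
 address-pool IT-ADMIN-POOL
 authentication-server-group RSA-RADIUS
 default-group-policy GP-IT-ADMIN
tunnel-group TG-IT-ADMIN webvpn-attributes
 group-alias IT-Admin enable
```

The RADIUS server selects the group-policy per user by returning the Class attribute (for example `OU=GP-IT-ADMIN;`), and group-lock then rejects that user on any other tunnel-group; since that gives each user a single group-policy, staff who must use both groups, as the IT users here do, are better handled by the DAP username and group-policy match described in the first reply.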
Hall of Fame Super Silver

How to restrict what user can use a tunnel-group for AnyConnect?

DAP does require the Advanced Endpoint Assessment license on your ASA.

Re: How to restrict what user can use a tunnel-group for AnyConn

@Marvin - We use DAP along with RADIUS attributes to accomplish what this user is asking and we do not have the Advanced Endpoint Assessment license. My understanding is that the AEA license is more for posture assessment and remediation.

Advanced Endpoint Assessment      : Disabled       perpetual

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
