
How to restrict what user can use a tunnel-group for AnyConnect?

uzimmermannatc
Level 1

I currently have an ASA running 8.4(x). The configuration has a group-policy and tunnel-policy for corporate users. This policy authenticates against SDI (RSA server with tokens).

I now need to create another group-policy and tunnel-policy, the differences to the corp group are only:

- Different IP pool

- only certain users are allowed

This second group is for IT personnel only, when they do certain administrative work. I.e. for a normal login to get to their desktop or email, they should be using the corp access. If they log in to do work on, let us say, network switches, they need to use this second group. Only the IP pool of the second group is allowed on another firewall to access the network where the network switches are.

So how can I restrict which users can use the second group? DAP?


uzimmermannatc
Level 1

Yes, DAP will do it.

Created DAP entries that match aaa.cisco.username AND aaa.cisco.grouppolicy for each of the users I want to allow access to in the second group. Then an entry for our main group, and the default set to deny.

DAP is a great option. If you have RADIUS support on your RSA box you can also use radius attributes to return tunnel-group attributes and configure tunnel-group lock. LDAP will do this also, but I've never done it with that.


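The RADIUS-attribute-plus-group-lock approach mentioned above, written out as ASA 8.4 CLI. This is an added example and not configuration from the thread; the pool ranges, server address, policy names and aliases are assumptions. The idea is that each tunnel-group carries its own address pool, the corporate group-policy is locked to the corporate tunnel-group, and the IT tunnel-group defaults to a deny policy, so only users whose RADIUS reply maps them to GP-ITADMIN can get past it. Because GP-ITADMIN has neither a group-lock nor its own address-pools, an IT administrator can pick either alias and receives the pool of the tunnel-group they chose, which is the behaviour the original question asked for.

```cisco
! Constructed sample pools; use the real ranges the downstream firewall permits
ip local pool CORP-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool ITADMIN-POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0

! RADIUS server group pointing at the RSA server's RADIUS listener (assumed address)
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key <shared-secret>

! Corporate policy: locked to TG-CORP, so a corporate user who selects the
! IT alias is refused even though the RSA token passes.
group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-CORP

! IT policy: deliberately no group-lock and no address-pools. Address
! assignment then falls through to the tunnel-group's address-pool, so the
! same admin gets CORP-POOL via the corp alias and ITADMIN-POOL via the IT
! alias. Unset attributes inherit from DfltGrpPolicy, not from GP-CORP.
group-policy GP-ITADMIN internal
group-policy GP-ITADMIN attributes
 vpn-tunnel-protocol ssl-client

! Catch-all for the IT tunnel-group: anyone RADIUS does not map to
! GP-ITADMIN lands here and is refused (zero simultaneous logins).
group-policy GP-DENY internal
group-policy GP-DENY attributes
 vpn-simultaneous-logins 0

tunnel-group TG-CORP type remote-access
tunnel-group TG-CORP general-attributes
 address-pool CORP-POOL
 authentication-server-group RSA-RADIUS
 default-group-policy GP-CORP
tunnel-group TG-CORP webvpn-attributes
 group-alias corp enable

tunnel-group TG-ITADMIN type remote-access
tunnel-group TG-ITADMIN general-attributes
 address-pool ITADMIN-POOL
 authentication-server-group RSA-RADIUS
 default-group-policy GP-DENY
tunnel-group TG-ITADMIN webvpn-attributes
 group-alias itadmin enable

webvpn
 tunnel-group-list enable

! RADIUS side (on the RSA server, not the ASA): for IT administrators return
! IETF attribute 25 Class with the value "OU=GP-ITADMIN;". The ASA maps that
! to the group-policy of the same name. Corporate users either get
! "OU=GP-CORP;" or no Class attribute at all; both end in a rejected session
! on TG-ITADMIN, via group-lock or via GP-DENY respectively.
```

To check the result, connect once as a corporate-only user via the itadmin alias (the session should be refused) and once as an IT administrator via each alias, then look at `show vpn-sessiondb anyconnect`: the Group Policy and Tunnel Group fields of the IT administrator's session should read GP-ITADMIN with TG-CORP or TG-ITADMIN, and the assigned address should come from the matching pool. The two points to keep in mind are that the RADIUS server must actually send the Class attribute (a missing attribute silently turns an IT administrator into a GP-DENY user on the IT alias), and that the decision still rests on the RADIUS mapping rather than on the endpoint, so a per-user DAP record as described earlier in the thread remains the option if the rule has to depend on more than the username.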

Marvin Rhoads
Hall of Fame

DAP does require the Advanced Endpoint Assessment license on your ASA.

@Marvin - We use DAP along with RADIUS attributes to accomplish what this user is asking, and we do not have the Advanced Endpoint Assessment license. My understanding is that the AEA license is more for posture assessment and remediation.

Advanced Endpoint Assessment      : Disabled       perpetual



Hello Team - Please allow me to resurrect this old post. Is there another way to do this besides DAP or RADIUS (ISE or ACS)?


Kind Regards,
