Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Allow SSL VPN Group choice for select users

The goal is this:

Most users will be locked to a specific group which does not allow AnyConnect. Certain users will be allowed to use either the portal-only or anyconnect group. However, the anyconnect group must not allow use on machines which are not joined to our domain. Setting up Secure Desktop to limit this works, but the select users who should have the choice between groups always end up in the dynamic access policy which requires the endpoint attribute for our domain. This happens even though the RADIUS attribute sent by their Active Directory group is matched in either dynamic access policy. How can these select users be given the option to use the portal-only profile simply by group choice on the login page?

Community Member

Re: Allow SSL VPN Group choice for select users

SSL VPN users (both AnyConnect/SVC and Clientless) can choose which tunnel group [Connection Profile in Adaptive Security Device Manager (ASDM)] to access using these different methods:


2)group-alias (tunnel group drop-down list on login page)

3)certificate-maps, if using certificates

We can configure the Adaptive Security Appliance (ASA) to allow users to select a group via a drop-down menu when they login to the WebVPN service. The groups that appear in the menu are either aliases or URLs of real connection profiles (tunnel groups) configured on the ASA.

Community Member

Re: Allow SSL VPN Group choice for select users

Thank you for the reply. I forgot that in our current setup, users are getting mapped to groups based on the value we pass via radius class 25. So, therefore they will never be able to choose a different group using the drop-down?

CreatePlease to create content