We have an ASA 5510 firewall with the portal set up, working great. This sits in front of a Gridguard product using LDAP for authentication.
However, we would like to restrict the AnyConnect function to certain users, so not everyone who authenticates to the portal will be able to use AnyConnect. Is it possible to set up another group in AD, or perhaps something in ACS to authenticate against when someone attempts to use AnyConnect to VPN?
You can create group-policy within the ASA to define differences between groups. The relevant command that will permit IPSec, AnyConnect, and clientless for a group is:
group-policy FirstGroup attributes
vpn-tunnel-protocol IPSec svc webvpn
Just remove whichever protocol you don't want a group to be able to use, like:
group-policy SecondGroup attributes
vpn-tunnel-protocol IPSec webvpn
There are many other settings within the group policy, like DNS servers, split tunnel policy, vpn filter (ACLs), etc. If you're not already using groups and group policies, you will need to return the group name from the authenticating server. In our ACS server we set on each group:
"IETF RADIUS Attribute #25" as ou=FirstGroup;
There may be other ways to do it, and you can probably do it from your LDAP also.
You assign the group policy to the group in the tunnel-group definition:
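Once several group policies exist, it is worth checking which of them actually permit the AnyConnect client. The following audit script is an added example, not part of the original post or a Cisco tool: it parses `group-policy <name> attributes` blocks like the ones above from saved ASA config text and lists the policies whose `vpn-tunnel-protocol` includes the client keyword, taking into account that a policy without its own `vpn-tunnel-protocol` inherits the one from DfltGrpPolicy. The config excerpt is constructed; FirstGroup and SecondGroup are the names from the answer, ThirdGroup is added to show inheritance.

```python
import re
from typing import Dict, Set

# Constructed ASA config excerpt (not from the post). ThirdGroup sets no
# vpn-tunnel-protocol, so on a real ASA it inherits the one from DfltGrpPolicy.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc webvpn
group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-tunnel-protocol IPSec svc webvpn
 dns-server value 10.0.0.53
group-policy SecondGroup internal
group-policy SecondGroup attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy ThirdGroup internal
group-policy ThirdGroup attributes
 dns-server value 10.0.0.53
"""

# 'svc' is the pre-8.4 keyword for the AnyConnect client; 8.4+ calls it 'ssl-client'.
ANYCONNECT_KEYWORDS = {"svc", "ssl-client"}

def parse_group_policies(config: str) -> Dict[str, Set[str]]:
    """Map each policy name to its explicit vpn-tunnel-protocol keywords (empty if unset)."""
    policies: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, set())
        elif line.startswith(" ") and current is not None:
            m = re.match(r"^\s+vpn-tunnel-protocol (.+)$", line)
            if m:
                policies[current].update(m.group(1).lower().split())
        else:
            current = None  # any non-indented line ends the attributes block
    return policies

def effective_protocols(policies: Dict[str, Set[str]], name: str) -> Set[str]:
    """Protocols in force for a policy: its explicit list, else the DfltGrpPolicy list."""
    return policies.get(name) or policies.get("DfltGrpPolicy", set())

def anyconnect_policies(config: str) -> Set[str]:
    """Names of policies (DfltGrpPolicy excluded) whose effective protocols allow AnyConnect."""
    policies = parse_group_policies(config)
    return {name for name in policies if name != "DfltGrpPolicy"
            and effective_protocols(policies, name) & ANYCONNECT_KEYWORDS}
```

Running `anyconnect_policies` on the sample reports FirstGroup and ThirdGroup, the latter only because it inherits `svc` from DfltGrpPolicy; SecondGroup, which lists only IPSec and webvpn, is not reported.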