Cisco Support Community
Community Member

AnyConnect Client

Dear all,

We currently have IPSec VPN configured on our ASA 5520 for our corporate users and for all our consultants, with authentication against our AD through our RADIUS servers. Now we want to upgrade all those people to AnyConnect, so my question is:

As the pre-shared key for each profile was replaced by an alias on the AnyConnect client, how do we differentiate profiles if users are authenticating against AD through RADIUS?

To be clear I will give you example:

We have profiles on our ASA for IPSec client like below:

Our company users:

VPN-users -> Authentication = user and password “AD”


VPN-Q -> Authentication = user and password “AD”

VPN-L -> Authentication = user and password “AD”

VPN-Y -> Authentication = user and password “AD”

VPN-Z -> Authentication = user and password “AD”

Here everything works well, so we gave each consultant the corresponding group name and pre-shared key, and they configured their Cisco VPN client with all that information.

Now if I take all those profiles and enable AnyConnect, I have to create an alias for each profile, so on the HTTP main page or in the AnyConnect client they will see all those aliases in a drop-down menu and can choose whichever they want, and as they are all in our AD they can connect to all those profiles, even a consultant on the (VPN-users) profile for our company users.

Has anyone had the same scenario on their infrastructure? Or does someone have an answer to this question?

Thanks a lot in advance


Accepted Solutions
Cisco Employee

Re: AnyConnect Client

You can configure LDAP policy mapping to map user to the right group-policy.

Here is the sample configuration for your reference:

Hope that helps.

Community Member

Re: AnyConnect Client


Very helpful, it solved my issue, thanks a lot.

Now I have another question:

So we have 10 consultants with profiles, GPs and a different alias for each of them, and we have our company users also with profiles=aliases. When you launch the AnyConnect client on the PC you see all profiles=aliases in the drop-down menu. My manager doesn't like our company users seeing all those consultant profiles=aliases. I did a lot of testing but I couldn't find a way to hide profiles in this window; the only solution I found to remove the aliases is to create a URL for each profile, but users have to connect through this URL each time instead of the AnyConnect client?

Do you have any idea about this?

Thanks again for your help

Cisco Employee

Re: AnyConnect Client

Since you already configured LDAP mapping, you can essentially just configure 1 tunnel-group, and let the LDAP mapping map each group to the specific group-policy.

So, remove all the group-alias, or group-url configuration, and just use 1 tunnel-group.

When user connects, there shouldn't be the dropdown menu once you remove the group-alias. After user authenticates, LDAP mapping will map the user to the corresponding group-policy.

Hope that helps. Please mark the question answered and rate useful post. Thanks.
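The two replies above (LDAP policy mapping, then a single tunnel-group with no aliases) combine into the configuration below. It is an added example, not the configuration the original post linked to; every name, DN and address in it is a constructed placeholder, and it assumes the ASA binds to AD over LDAP and that alias-less connections land on DefaultWEBVPNGroup, as the thread later observes.

```cisco
! Added example: all names, DNs, addresses and secrets are constructed placeholders.
! Map AD group membership (memberOf) to an ASA group-policy.
! On older ASA software the mapped attribute is named IETF-Radius-Class.
ldap attribute-map AD-VPN-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=example,DC=com" GP-USERS
 map-value memberOf "CN=VPN-Consultants-Q,OU=Groups,DC=example,DC=com" GP-Q
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP
!
! Fallback for any AD user the map does not match:
! authentication succeeds, but zero sessions are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Mapped policies set their own login limit explicitly.
group-policy GP-USERS internal
group-policy GP-USERS attributes
 vpn-simultaneous-logins 3
group-policy GP-Q internal
group-policy GP-Q attributes
 vpn-simultaneous-logins 1
!
! One connection profile, no group-alias or group-url, so no drop-down.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

With the policy chosen from directory group membership rather than from a menu, a consultant can no longer pick the company-users profile, and an AD account in none of the mapped groups gets no session at all.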

Community Member

Re: AnyConnect Client


Thanks for your quick answer, but I have to tell you first that I implemented LDAP authentication, tested it with test users and presented it to our manager, but unfortunately he didn't like it; for him it's very complicated to create an LDAP policy match to GP on the ASA and so on, so we went back to the old config, meaning:

10 consultants with a tunnel group and alias for each of them and ASA local user authentication. And our company users are in one tunnel group with an alias and RADIUS authentication.

So I have to find a solution with this config to hide or remove the aliases?


Cisco Employee

Re: AnyConnect Client

It is still achievable using the local database.

Configure 1 tunnel-group, and remove the group-alias configuration.

On the username attributes, you can assign the group-policy per user.


username consultant1 attributes


Hope that helps.
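A fuller version of the local-database approach described in the reply above, as an added example rather than the poster's own configuration. The policy names, the password placeholder and the use of DefaultWEBVPNGroup as the single alias-less connection profile are assumptions.

```cisco
! Added example: user, policy names and password are constructed placeholders.
! Fallback policy: a local user with no vpn-group-policy gets no session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP-CONSULTANT1 internal
group-policy GP-CONSULTANT1 attributes
 vpn-simultaneous-logins 1
!
username consultant1 password <password-placeholder>
username consultant1 attributes
 ! Per-user policy assignment takes the place of choosing an alias.
 vpn-group-policy GP-CONSULTANT1
 ! Restrict this account to remote-access VPN; no management login.
 service-type remote-access
!
! With no group-alias or group-url, sessions use the default profile.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy NOACCESS
```

This profile authenticates only against the local database, so users who authenticate through RADIUS need a different arrangement.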

Community Member

Re: AnyConnect Client

Yes, this is what I already did for all consultants, but when I remove the aliases the DefaultWEBVPNGroup will be the connection profile, and on the default… group the authentication method is set to RADIUS (because our internal users are authenticated by RADIUS), so it doesn't work for consultants?

Cisco Employee

Re: AnyConnect Client

In that case, just configure 1 tunnel-group with the group-alias, so there will only be 1 entry in the drop-down list. In the group-alias, just type in something generic - like SSLVPN for example.

Community Member

Re: AnyConnect Client

It doesn't work like this. I configured two test accounts like below:

Tunnel group

Local user

Group policy












So I see VPN-Test in the drop-down menu. I assigned user-1 to GP1, user-2 to GP-2 and user-3 to GP-3. I can log in with user-1 but not with the two other users; in the debug I can see that the authentication works with user-2 and user-3 but the webvpn session doesn't start?