02-12-2014 04:04 AM - edited 02-21-2020 07:29 PM
Hello All,
I'm reading through all the AnyConnect documentation I can find online and feel like I'm missing the fundamentals still.
I'm following through the configs and managing to get a "half" working remote access setup. I'm really just following the examples without much understanding behind what is being done.
Regarding AnyConnect Client Profiles / Connection Profiles / Group Policies etc.: What is each for, and how do these tie together with each other to give the desired end result of a successful working VPN solution? I'm just being shown how to configure each, but I'm trying to understand what each is and why it's needed.
Could someone who has a bit of experience with the ASA explain this in an easy-to-follow manner? Routing and Switching I can handle, but the ASA / AnyConnect is just something I'm learning as I go along.
Thank You
02-16-2014 01:14 AM
Hi Grant
To add to the confusion, the CLI and ASDM sometimes use different terminology.
But in short, the basics are as follows:
1) a tunnel-group (connection profile in ASDM) is what a user connects to and which defines how AAA is done.
User-to-TG mapping depends on what type of VPN is used and can range from trivial (everyone connects to the default TG) to rather complex (users with certificates can get mapped to a TG based on a field in the cert, users can select a TG, etc.)
2) a group-policy is basically a set of policy attributes that is applied to a connection. It includes attributes that get pushed to the client (IP address, DNS server, etc.) and things like what time of day a user is allowed to connect, for how long, etc.
By default, the TG config specifies which GP is applied.
In a more advanced setup, user-specific config or external AAA (e.g. RADIUS or LDAP) can override which GP is used, or can override specific attributes in the GP.
3) a client profile (aka XML profile) is a set of client configuration settings that is pushed down from the ASA; i.e. the ASA admin can use this to, e.g., configure the client to auto-connect on startup, or to block all network traffic when disconnected, etc.
The group-policy defines which client profile is pushed down (if any).
This is just a very basic and incomplete description with very limited examples but I hope this gives you a starting point.
hth
Herbert
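As an added illustration of how the three objects reference each other (this is example config written for this thread, not part of Herbert's reply), here is a minimal ASA CLI configuration; every name, address, file path and image version below is an assumed placeholder value:

```cisco
! --- 3) Client profile: an XML file on flash, registered under webvpn ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION.pkg 1
 anyconnect profiles CORP_PROFILE disk0:/corp_profile.xml
 anyconnect enable
 tunnel-group-list enable
!
! --- 2) Group policy: attributes applied to the session ---
ip local pool VPN_POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
group-policy CORP_GP internal
group-policy CORP_GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 default-domain value corp.example.com
 address-pools value VPN_POOL
 vpn-idle-timeout 30
 vpn-session-timeout 480
 split-tunnel-policy tunnelall
 webvpn
  ! the GP decides which client profile (if any) is pushed down
  anyconnect profiles value CORP_PROFILE type user
!
! --- 1) Tunnel group (connection profile): what the user connects to, and how AAA is done ---
aaa-server CORP_LDAP protocol ldap
aaa-server CORP_LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=corp,dc=example,dc=com
 ldap-login-dn cn=asa-bind,ou=svc,dc=corp,dc=example,dc=com
 ldap-login-password <BIND_PASSWORD>
 ldap-naming-attribute sAMAccountName
 server-type microsoft
tunnel-group CORP_TG type remote-access
tunnel-group CORP_TG general-attributes
 authentication-server-group CORP_LDAP
 ! the TG decides which GP is applied by default (AAA may override it)
 default-group-policy CORP_GP
tunnel-group CORP_TG webvpn-attributes
 ! the alias is what users see in the client's connection drop-down
 group-alias Corporate enable
```

After a test login, `show vpn-sessiondb detail anyconnect` shows the tunnel group and group policy that were actually applied to the session, which is the quickest way to confirm the chain resolved the way you intended.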