Cisco Support Community

New Member

Anyconnect tunnel-group and group-policy from LDAP

Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.

To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.

It is my understanding that the authentication method is provided by the tunnel-group.

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD

This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.

Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.

When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.

To summarize, is it possible to let LDAP decide which tunnel-group is used, or is there another way to have different group policies without users being able to choose?


Cisco Employee

Fabian, Your connection lands


Your connection lands on a tunnel group and picks a group policy. 

A typical way to overcome the problem you're indicating is by using group-url. 

A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.



New Member

Thanks for the suggestion,

Thanks for the suggestion, but just like enabling tunnel-group-list, group-url provides a 'variable' to a user which allows the user to change the tunnel-group. I'm aware it's possible to deny certain users to certain tunnel-groups, but providing the tunnel-group option might cause confusion.

I'd like users to only remember a username/password and let LDAP do the rest.
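As an added example (not from this thread), a sketch of how the pieces discussed above fit together on an ASA: the LDAP attribute map returns the class value that selects the group-policy, the default tunnel-group falls back to a no-access policy for anyone whose class does not map, and the policy that needs two-factor auth is group-locked to a tunnel-group that is reached only through its group-url, so a user who lands on DefaultWEBVPNGroup with that policy is refused rather than silently let in without the second factor. All names, the host address, the DNs and the secondary server group are placeholders.

```text
! Map the AD group membership returned by LDAP to the group-policy name.
ldap attribute-map AD_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-MFA,OU=Groups,DC=example,DC=com" GP_MFA
 map-value memberOf "CN=VPN-Standard,OU=Groups,DC=example,DC=com" GP_STANDARD

aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD_MAP

! Users whose class maps to nothing get this policy and cannot log in.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_STANDARD internal
group-policy GP_STANDARD attributes
 vpn-tunnel-protocol ssl-client

! GP_MFA is only valid on TG_MFA; on any other tunnel-group the session is denied.
group-policy GP_MFA internal
group-policy GP_MFA attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_MFA

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD
 default-group-policy NOACCESS

! The two-factor tunnel-group: primary LDAP plus a secondary server group (e.g. OTP over RADIUS).
tunnel-group TG_MFA type remote-access
tunnel-group TG_MFA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group OTP_RADIUS
 default-group-policy NOACCESS
tunnel-group TG_MFA webvpn-attributes
 group-url https://vpn.example.com/mfa enable
```

With tunnel-group-list left disabled, users see no selector; the only difference for the MFA population is the URL they are given, and the group-lock means that URL cannot be bypassed by connecting to the bare hostname.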