
Anyconnect vpn on Cisco Router | multiple group policy

musthafa786
Level 1

Hi,

I configured SSL VPN on a 3825 router; my configuration is below. I configured multiple group policies, but when I connect with the Cisco AnyConnect client application I can't see a group option, only the username and password options (see attachment).

webvpn gateway gateway_1
 ip address 88.100.155.161 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-67891034556
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
!
webvpn context VPN-1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "pool1" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 172.16.1.0 255.255.255.0
 !
 policy group policy_2
   functions svc-enabled
   mask-urls
   svc address-pool "pool2" netmask 255.255.255.255
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 172.16.2.0 255.255.255.0
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!

4 Replies

Julio Carvajal
VIP Alumni

Hello,

After doing some research I found this:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html

Administrators and engineers who have worked with the classic Cisco IPSec VPN client will wonder how they can support multiple groups with different access rights using AnyConnect. The fact is that AnyConnect does support multiple groups; however, it requires a RADIUS server at the backend.

AnyConnect on a Cisco router without a RADIUS server will only allow support for one group policy.

The RADIUS server is needed so that it provides the right attribute (in this case, the one that determines which group a user belongs to).

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
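
A quick check for the situation discussed in this thread, as an added example that is not from any poster or from Cisco: it parses a webvpn context and lists policy groups that are not the `default-group-policy`, which according to the reply above are applied only when a RADIUS server assigns them. The sample config is constructed (modelled on the question's context, with one split-tunnel line deliberately missing the space between network and mask), and `audit_context` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the webvpn context in the question.
SAMPLE = """\
webvpn context VPN-1
 policy group policy_1
   functions svc-enabled
   svc split include 172.16.1.0 255.255.255.0
 policy group policy_2
   functions svc-enabled
   svc split include 172.16.2.0255.255.255.0
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A well-formed entry is "svc split include|exclude <network> <mask>".
SPLIT_OK = re.compile(rf"svc split (?:include|exclude) {IPV4} {IPV4}$")


def audit_context(text):
    """Return (groups, default, non_default, bad_split_lines) for one context."""
    groups, default, bad = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy group "):
            groups.append(line.split()[2])
        elif line.startswith("default-group-policy "):
            default = line.split()[1]
        elif line.startswith(("svc split include ", "svc split exclude ")):
            if not SPLIT_OK.match(line):
                bad.append(line)
    # Groups other than the default need an external assignment to be used.
    non_default = [g for g in groups if g != default]
    return groups, default, non_default, bad


if __name__ == "__main__":
    groups, default, non_default, bad = audit_context(SAMPLE)
    print("default policy:", default)
    for g in non_default:
        print(f"{g}: used only if the RADIUS server assigns it to the user")
    for b in bad:
        print("malformed split-tunnel entry:", b)
```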

Hi,

I am using Cisco ACS v4.2. Can you help me set this up with ACS?

Regards,

Hello Mohamme,

I could help you with this, but unfortunately I do not have an ACS with me that I could use to try to make this happen.

At least you know where the problem is and what the solution is.

Basically:

Configure your ACS RADIUS daemon so that it provides the correct webvpn group policy to each of the users being authenticated.


Regards,

Jcarvaja


Thanks, I will check it and update you.