I am currently implementing a 5545-X using firmware 9.1.4 with a remote access configuration. I have a requirement to enable a full-client SSL VPN (AnyConnect) for managed clients and a clientless web portal for other (unmanaged) clients (BYOD). I created 2 profiles: a managed profile with a managed policy, and an unmanaged profile with an unmanaged policy for BYOD devices. The managed profile uses a group policy that allows client SSL VPN; the unmanaged profile uses a group policy that allows clientless SSL only. Furthermore, I have the DefaultWEBVPNGroup and DefaultRAGroup. DefaultWEBVPNGroup also uses the unmanaged policy, DefaultRAGroup uses the managed policy.
Profile selection is based on certificate mapping. The managed client has a client certificate that is matched and then mapped to the managed connection profile. The rest falls back to the default. For clientless connections this all works as expected.
The problem, though, is that somehow I am also able to use AnyConnect in the same manner. When I use AnyConnect on a BYOD device and connect to the default URL (no group-url), I am also prompted with the authentication dialogue used for the unmanaged clients. It turns out that AnyConnect uses the DefaultWEBVPNGroup even though that has been disabled for client SSL.
Why is AnyConnect using the DefaultWEBVPNGroup when this is disabled for client SSL?
Why isn't AnyConnect using the DefaultRAGroup?
Bottom line is that I do not want BYOD even getting a login dialogue. The managed profile should kick in (configured in DefaultRAGroup) and this should deny them.
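For readers trying to reproduce the setup described in the question, the following ASA CLI fragment is an added illustration, not the poster's running configuration and not from any Cisco document. All names (GP-MANAGED, GP-UNMANAGED, MAP-MANAGED, TG-MANAGED, the issuer CN, the interface name) are assumed. It shows the two pieces the question relies on: a group policy restricted per tunnel protocol, and a certificate map that steers certificate-bearing clients into the managed connection profile while everything else falls through to DefaultWEBVPNGroup.

```cisco
! Added illustration; names and values below are assumed, not the poster's config.

! Group policy for managed clients: full AnyConnect SSL client only.
group-policy GP-MANAGED internal
group-policy GP-MANAGED attributes
 vpn-tunnel-protocol ssl-client

! Group policy for unmanaged/BYOD clients: clientless portal only,
! so an AnyConnect session that lands here is refused at session setup.
group-policy GP-UNMANAGED internal
group-policy GP-UNMANAGED attributes
 vpn-tunnel-protocol ssl-clientless

! Certificate map: match managed client certificates by issuer CN (assumed value).
crypto ca certificate map MAP-MANAGED 10
 issuer-name attr cn eq managed-client-ca

! Connection profile for managed devices, certificate authentication only.
tunnel-group TG-MANAGED type remote-access
tunnel-group TG-MANAGED general-attributes
 default-group-policy GP-MANAGED
tunnel-group TG-MANAGED webvpn-attributes
 authentication certificate

! Steer certificate matches into the managed profile; anything that does
! not match (and presents no group-url) falls through to the default profile.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map MAP-MANAGED 10 TG-MANAGED

! Default SSL profile: clientless-only policy for unmanaged devices.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP-UNMANAGED
```

Two things to verify on a box configured this way: `show vpn-sessiondb anyconnect` and `show vpn-sessiondb webvpn` report the connection profile (tunnel group) each live session was placed in, which is the direct way to confirm which default profile an AnyConnect session without a group-url actually selected. Note also that `vpn-tunnel-protocol` in a group policy is a session-establishment control applied after the connection profile has been chosen; it decides whether a session is admitted under that policy, so the profile selection (certificate map, group-url or group-alias) is what determines which authentication dialogue, if any, a client is shown first.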