Configuring AnyConnect to allow different users to have access to different network using RADIUS

Hi, I am new to AnyConnect so please bear with me. Anyway, I am trying to set up AnyConnect and right now I have it working. One question I have is that I will have multiple vendors wanting to dial in, and different vendors need to access different segments of our network, which are separated by the ASA's VLAN configuration.

I was able to accomplish the separation of our vendors' access using the traditional VPN Client but am wondering if this is possible with AnyConnect. I have the running configuration for AnyConnect below and would love to get everybody's suggestions and input on how to accomplish this.

access-list Split_Tunnel_List standard permit
access-list nonat_outside extended permit ip
access-list nonat_outside extended permit ip
access-list nonat_outside extended permit ip

ip local pool SSLClientPool1 mask
ip local pool SSLClientPool2 mask
ip local pool SSLClientPool3 mask

nat (outside) 0 access-list nonat_outside

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host
key ***********

enable outside tls-only
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value domain.local
 address-pools value SSLClientPool1
 svc keep-installer none
 svc rekey time 30
 svc rekey method ssl
 svc ask enable default svc timeout 10

sysopt connection permit-vpn

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group partnerauth
default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient1 enable

Please let me know if you need me to clarify anything, or if you have any input.

Thank you,



Re: Configuring AnyConnect to allow different users to have access to different network using RADIUS

There are a few different ways to approach this. First, you can configure a static VPN filter under the respective group policy. The filter will tie to an extended ACL in which you define the access parameters. You can also enable this functionality dynamically using RADIUS. With RADIUS, you have a few different options including the IETF-Filter-11 authorization attribute as well as DACLs and Cisco AV Pair attributes.

Re: Configuring AnyConnect to allow different users to have access to different network using RADIUS

You can use VPN Filters for this.


access-list Offshore_VPN_Filter extended permit ip

This filter keeps OffShore contractors isolated to accessing (offshore contractors get IPs from a pool

group-policy OffshoreContractorPolicy internal
group-policy OffshoreContractorPolicy attributes
   vpn-filter value Offshore_VPN_Filter

This applies the VPN filter to the group-policy that offshore contractors get assigned to. You can use RADIUS to assign users to groups based on their credentials, and send back the attribute 25 as ou=; to dynamically allocate people to groups.

I use this to keep our phone vendors on the phone systems only, etc. It works quite well.
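Putting the two replies together, here is an added example (not the poster's configuration and not either replier's own) of two vendor group policies, each confined by a vpn-filter to its own VLAN segment and selected per user through the RADIUS Class attribute. All names and addresses are constructed placeholders.

```cisco
! Added example, not the original poster's or repliers' configuration.
! Placeholders: 192.168.10.0/24 and 192.168.20.0/24 stand for the two
! internal VLAN segments, 10.20.1.0/24 and 10.20.2.0/24 for the client pools.
!
! One pool per vendor keeps each vendor's client addresses distinguishable
! in the filter ACLs and in the logs.
ip local pool VendorA_Pool 10.20.1.10-10.20.1.50 mask 255.255.255.0
ip local pool VendorB_Pool 10.20.2.10-10.20.2.50 mask 255.255.255.0
!
! vpn-filter ACLs: source is the vendor's client pool, destination is the
! only segment that vendor may reach; everything else hits the implicit deny.
access-list VendorA_Filter extended permit ip 10.20.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VendorB_Filter extended permit ip 10.20.2.0 255.255.255.0 192.168.20.0 255.255.255.0
!
group-policy VendorAPolicy internal
group-policy VendorAPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value VendorA_Pool
 vpn-filter value VendorA_Filter
group-policy VendorBPolicy internal
group-policy VendorBPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value VendorB_Pool
 vpn-filter value VendorB_Filter
!
! Locked-down default: a user whose RADIUS reply carries no Class attribute
! lands in this policy and can reach nothing, because its filter permits nothing.
access-list NoAccess_Filter extended deny ip any any
group-policy NoAccessPolicy internal
group-policy NoAccessPolicy attributes
 vpn-tunnel-protocol svc
 vpn-filter value NoAccess_Filter
!
tunnel-group SSLClientProfile general-attributes
 authentication-server-group partnerauth
 default-group-policy NoAccessPolicy
!
! RADIUS side: for each vendor account the server returns Class (IETF
! attribute 25) with the value "OU=VendorAPolicy;" or "OU=VendorBPolicy;",
! and the ASA moves the session into that group policy. Because
! sysopt connection permit-vpn exempts tunnel traffic from the interface
! ACLs, the vpn-filter is the only ACL applied to it, so every vendor
! policy needs one.
```

A quick check after a vendor connects is `show vpn-sessiondb anyconnect`, which reports the group policy and filter name actually applied to the session.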
