09-24-2014 09:09 PM
Hi Everyone,
I have configured a separate connection profile and tunnel group for our external vendor.
I gave him the XML file and he is able to connect fine.
This ASA has 2 connection profiles, one for the vendor and one for our internal users.
I need to make sure that the vendor does not connect to the internal users' connection profile.
As per my understanding, he is unable to connect to the internal users' connection profile unless I give him the XML file for the internal users' connection, right?
Under the group policy of the external vendor, for the connection profile (tunnel group) lock, should I choose the vendor connection profile name from the drop-down?
Currently it shows a check mark on Inherit.
We are using full tunnel and RADIUS auth for AnyConnect.
Regards
Mahesh
09-25-2014 12:04 AM
Hi Mahesh,
You have configured group lock, which restricts users by verifying whether the profile configured in the VPN client matches the connection profile the user is authorized for. If it doesn't match, the ASA will block the connection. If you remove it, the user is able to connect to any profile; the ASA will authenticate the user irrespective of any assigned group. This is an added security feature.
Regards
Karthik
09-26-2014 07:32 AM
Hi Karthik,
So you mean that if I configure this feature, then the ASA will look at
c\programs data\----profile\xml file
Here the ASA will look at the XML profile and check the connection profile there, and it has to match the
connection profile the user is trying to connect to, right?
Regards
Mahesh
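As an added example (not part of any post in this thread and not the poster's actual configuration), this is the ASA CLI equivalent of choosing the vendor connection profile in the tunnel group lock drop-down, shown next to the inherited setting. The lock is evaluated on the ASA against the tunnel group the session arrived on; the XML profile on the client only pre-populates connection entries. The names VENDOR, VENDOR-GP, EMPLOYEE, EMPLOYEE-GP and RADIUS-SRV are assumed placeholders, as is the RADIUS behaviour noted in the comments.

```text
! Constructed example; every name below is a placeholder.
! Assumption: RADIUS returns IETF Class (attribute 25) "OU=VENDOR-GP;" for
! vendor accounts, so VENDOR-GP follows the user into whichever connection
! profile they pick.

! Before: group-lock is inherited (default: none), so a vendor account that
! authenticates on the EMPLOYEE profile is accepted.
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! After: sessions that receive VENDOR-GP are accepted only on tunnel group VENDOR.
group-policy VENDOR-GP attributes
 group-lock value VENDOR

! The two connection profiles, both authenticating against the same RADIUS group.
tunnel-group VENDOR type remote-access
tunnel-group VENDOR general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy VENDOR-GP
tunnel-group VENDOR webvpn-attributes
 group-alias VENDOR enable

tunnel-group EMPLOYEE type remote-access
tunnel-group EMPLOYEE general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEE webvpn-attributes
 group-alias EMPLOYEE enable
```

`show vpn-sessiondb anyconnect` lists the Group Policy and Tunnel Group of each session, which confirms that vendor sessions land only on VENDOR.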