
Connection profile tunnel group lock -- connection profile name

mahesh18
Level 6

 

Hi Everyone,

I have configured a separate connection profile and tunnel group for our external vendor.

I gave him the XML file and he is able to connect fine.

This ASA has 2 connection profiles, one for the vendor and one for our internal users.

I need to make sure that the vendor does not connect to the internal users' connection profile.

As per my understanding, he is unable to connect to the internal users' connection profile unless I give him the XML file for the internal users' connection, right?

Under the group policies of the external vendor, for connection profile tunnel group lock, should I choose the vendor connection profile name from the drop-down?

Currently it shows a check mark: inherit.

We are using full tunnel and RADIUS auth for AnyConnect.

 

Regards

Mahesh

 

2 Replies

nkarthikeyan
Level 7

Hi Mahesh,

 

You have configured group lock, which restricts users by verifying whether the profile configured in the VPN client matches the connection profile that the user is authorized for. If it doesn't match, the ASA will block the connection. If you remove it, the user is allowed to connect to any profile, and the ASA will authenticate the user irrespective of any assigned group. This is an added security feature.

 

Regards

Karthik
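
An added example, not part of the thread and not Cisco's code: a Python check over a saved ASA running-config that lists group policies with no `group-lock value` line (the "inherit" state described in the question) or with a lock pointing at a tunnel group that is not defined. The sample config and all names in it (VENDOR-GP, STAFF-GP, VENDOR-TG, STAFF-TG) are constructed; it assumes the CLI form `group-lock value <tunnel-group>` under `group-policy <name> attributes`.

```python
import re

# Constructed sample of a saved ASA running-config; every name is made up.
SAMPLE_CONFIG = """\
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value VENDOR-TG
group-policy STAFF-GP internal
group-policy STAFF-GP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group VENDOR-TG type remote-access
tunnel-group VENDOR-TG general-attributes
 default-group-policy VENDOR-GP
tunnel-group STAFF-TG type remote-access
tunnel-group STAFF-TG general-attributes
 default-group-policy STAFF-GP
"""

def parse_group_locks(config):
    """Map each group policy to its locked tunnel group (None if no lock is set)."""
    locks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) (internal|external|attributes)", line)
        if header:
            current = header.group(1)
            locks.setdefault(current, None)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
        elif current:
            lock = re.match(r"\s+group-lock value (\S+)", line)
            if lock:
                locks[current] = lock.group(1)
    return locks

def audit(config):
    """Return findings for policies with no lock or a lock on an undefined tunnel group."""
    tunnel_groups = set(re.findall(r"^tunnel-group (\S+) type ", config, re.M))
    findings = []
    for policy, lock in sorted(parse_group_locks(config).items()):
        if lock is None:
            findings.append(f"{policy}: not locked to a tunnel group")
        elif lock not in tunnel_groups:
            findings.append(f"{policy}: locked to undefined tunnel group {lock}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

With RADIUS authentication the group policy a user receives can be assigned by the server rather than by `default-group-policy`, so the check covers every group policy in the config, not only the ones referenced by a tunnel group.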

 

Hi Karthik.

So you mean that if I configure this feature, then the ASA will look at

c\programs data\----profile\xml file

Here the ASA will look at the XML profile and check the connection profile there, and it has to match the connection profile the user is trying to connect to, right?

Regards

Mahesh