Hide tunnel-group in anyconnect client

marziano77
Level 1

Hi all,

How do I hide profiles that do not interest me from the dropdown menu?

I always see all the tunnel groups configured on the ASA.

In the path of the Cisco AnyConnect client, I have preferences.xml.

Thanks in advance for your help.

Regards

Accepted Solutions

Marvin Rhoads
Hall of Fame

If the group aliases are set up on the ASA, any user going to the outside interface to log into the VPN will see the list.

The ASA administrator can optionally publish a URL shortcut using the "group-url" attribute when configuring the SSL VPN. Here's a link to the configuration guide section for doing that. With that in place, one can browse (or point AnyConnect) straight to that URL and skip having to select from the dropdown list.


Hi Marvin,

Thanks for your reply.

Tomorrow I will test this solution in my office.

But I'm using AnyConnect with "ipsec" to replace the VPN client.

In my company the users usually connect to the right group in the pcf files, but I have more than 50 groups and the dropdown menu may be confusing.

Is there another way to prevent users from selecting groups in the dropdown menu?

Marziano,

Yes, it is completely possible to opt not to publish any (or only a subset) of the group aliases (which point to tunnel-groups aka connection profiles) in the ASA's VPN home page. I originally answered not knowing if you were asking as an end user or as an administrator.

The admin has many options available to customize the user experience. In addition to deciding whether or not to publish the aliases in the dropdown, or whether or not to enable group-urls, the admin can also direct users (or groups of users) if you are using either local or RADIUS external authentication to certain connection profiles.

Those are all covered elsewhere in the configuration guide I linked above and in various published sources here at cisco.com and elsewhere.

Hi Marvin, johnlloyd,

I solved it this way.

On the ASA I disabled "tunnel-group-list enable" under the webvpn config.

I created 1 group-policy and 1 group-url for any tunnel group.

In the browser I type https://x.x.x.x/name_group (only Internet Explorer),

while from the AnyConnect client, in the popup, I type x.x.x.x/name_group.

In both cases the connection is successful.

Thank you for your suggestion.

Best regards

You're welcome, marziano77.

Please mark your question as answered and rate any helpful replies.

Best regards.

Hi Marvin,

Good day!

Sorry for taking this topic up again, since it is related to a situation in my implementation right now.

I also want to filter out the drop-down list in the Cisco AnyConnect profiles; however, I am using Cisco ISE 1.2. How can I do it?

Can I filter out per Group Policy of the ASA? For example, all of Group A can only see the Group A tunnel group in their Cisco AnyConnect drop-down list of profiles.

Thank you very much for the help!

Cheers,

niks

If you publish the alias in the dropdown it will be visible for all users. You can restrict who can use it (and enforce that in the configuration) but you cannot make it not appear for those users.

That's the case whether or not you use ISE - either as your simple AAA server or doing CoA with ISE and the latest ASA software.

Hi,

I have a different approach to your situation (Marvin, you could correct me here).

You could edit the group policy and bind/lock it to the respective connection profile (tunnel-group).

You can do so by unchecking "Inherit" under "Connection Profile (Tunnel Group) Lock." See attached.

That's certainly another option, John.

As I noted "The admin has many options available to customize the user experience." :)

 

John,

your suggestion only locks the user to the tunnel-group, but I always see all the tunnel-groups in the dropdown menu of the Cisco AnyConnect client.
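
Added example, not part of the thread and not Cisco tooling: a Python check over a saved running-config that reports which connection-profile aliases the login dropdown advertises, which profiles have no group-url, and which group policies carry no group-lock (the setting that enforces the restriction, where hiding the list only stops advertising names). The sample config, its names and the address 192.0.2.1 are constructed, and the parser assumes the one-space indentation of `show running-config` output.

```python
import re

# Constructed ASA running-config excerpt; names and 192.0.2.1 are placeholders.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 tunnel-group-list enable
group-policy GP_SALES attributes
 group-lock value SALES
group-policy GP_ENG attributes
 vpn-tunnel-protocol ikev2 ssl-client
tunnel-group SALES webvpn-attributes
 group-alias Sales enable
 group-url https://192.0.2.1/sales enable
tunnel-group ENG webvpn-attributes
 group-alias "Engineering VPN" enable
"""

def sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            out[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit(config):
    """Report what the login page advertises and which policies are not locked."""
    sec = sections(config)
    dropdown = "tunnel-group-list enable" in sec.get("webvpn", [])
    report = {"dropdown_enabled": dropdown, "advertised": {},
              "no_group_url": [], "unlocked_policies": []}
    for header, body in sec.items():
        tg = re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", header)
        gp = re.fullmatch(r"group-policy (\S+) attributes", header)
        if tg:
            aliases = [m.group(1).strip('"') for l in body
                       if (m := re.fullmatch(r"group-alias (.+) enable", l))]
            if dropdown and aliases:  # aliases only show when the list is enabled
                report["advertised"][tg.group(1)] = aliases
            if not any(l.startswith("group-url ") for l in body):
                report["no_group_url"].append(tg.group(1))
        elif gp and not any(l.startswith("group-lock value ") for l in body):
            report["unlocked_policies"].append(gp.group(1))
    return report
```
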

 
