Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
733
Views
0
Helpful
3
Replies

How to give different Anyconnect profiles for some users

Go to solution
Terry Whitford
Level 1
Level 1

‎10-15-2010 04:26 AM - edited ‎02-21-2020 04:54 PM

Hi,

I'm very new to Anyconnect but have managed to configure our ASA5510 with 2 connection files, one with split tunnelling enabled and one without.  How do I configure the ASA/Anyconnect client so that most of the users only see the connection profile with split tunnelling disable but some other get to see both connection profiles in the client ?  Currently all users get to see both profiles in the client and I'm stuck at the moment trying to work out how I controll what connection profiles they get to see..  The users are authenticated against a Microsoft IAS server if that matters and the ASA is running V8.2(1) and ASDM 6.2(5)53.  Thanks for any help.

Regards,

Terry

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-16-2010 03:47 PM

Microsoft IAS is a good piece of information. Thanks.

So I assume that you are using Radius for authentication.

You have 2 options:

1) Configure the IAS radius server to map user to a particular group-policy using radius attribute.

Here is a sample configuration using Cisco ACS radius server for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

(sorry, couldn't find a sample configuration using Microsoft IAS server, but the concept is the same)

2) Since you are running microsoft IAS, I assume that you are using Active Directory? Assuming that is true, you can actually authenticate using LDAP and perform LDAP mapping to place user into specific group-policy.

Here is the sample configuration for LDAP authentication:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

and here is the sample configuration for LDAP attribute mapping:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope either option helps.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-16-2010 03:47 PM

Microsoft IAS is a good piece of information. Thanks.

So I assume that you are using Radius for authentication.

You have 2 options:

1) Configure the IAS radius server to map user to a particular group-policy using radius attribute.

Here is a sample configuration using Cisco ACS radius server for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

(sorry, couldn't find a sample configuration using Microsoft IAS server, but the concept is the same)

2) Since you are running microsoft IAS, I assume that you are using Active Directory? Assuming that is true, you can actually authenticate using LDAP and perform LDAP mapping to place user into specific group-policy.

Here is the sample configuration for LDAP authentication:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

and here is the sample configuration for LDAP attribute mapping:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope either option helps.

0 Helpful

Go to solution
Terry Whitford
Level 1
Level 1
In response to Jennifer Halim

‎10-16-2010 06:04 PM

Hi Jeniffer,

This information was very helpful.  I followed the instructions in your option (2) and set up LDAP for authentication, created the attribute mapping and now have it working the way I wanted.  Thanks

Regards,

Terry

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Terry Whitford

‎10-16-2010 06:07 PM

Great to hear it's working now. Please kindly mark the post as answered. Thanks.

0 Helpful
Customers Also Viewed These Support Documents