Cisco Support Community
Community Member

Select Tunnel-Group based on device's OS

Hi there,

Having an ASA5512x, is it possible to have AnyConnect dial-in PC users asked for their login credentials AND also a one-time password, whereas smartphone users only need to provide their login and a password, without the need to manually choose the profile?

I set up two tunnel-groups:

1) is asking an LDAP server for authentication

2) is contacting a RADIUS server running One Time Password software.

Is there a way to have the ASA assign smartphone users (based on their OS) to automatically use the first profile (which has limited access to intranet resources) and have AnyConnect PC users pinned to the second tunnel group? Dynamic Access Policies seem to be able to differentiate only "within" a tunnel-group.

 

Thank you very much!

Regards,

David

3 REPLIES
VIP Purple

I never tried it that way, but if it doesn't work (which is what I suspect) there is a workaround:

  1. Point your clients to the two different tunnel-groups with the help of tunnel-group-urls.
  2. Later in the DAP enforce that the client doesn't use the wrong tunnel-group.
Community Member

Thanks a lot for this info!

Since PC and smartphone users have the AnyConnect (mobile) client, the DNS name of the security gateway is the same for both :-/

VIP Purple

That doesn't matter, each tunnel-group can have a unique URL:

tunnel-group TG1 webvpn-attributes
  group-alias TG1 enable
  group-url https://vpn.example.net/tg1 enable
!
tunnel-group TG2 webvpn-attributes
  group-alias TG2 enable
  group-url https://vpn.example.net/tg2 enable
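
An added example, not part of the original replies and not Cisco tooling: the workaround depends on every tunnel-group having its own enabled group-url, so this Python check reads ASA config text and reports tunnel-groups without one and URLs claimed by more than one group. TG3 in the sample, the function names, and the case/trailing-slash normalization are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: TG1/TG2 as in the reply above, plus a hypothetical TG3
# that has an alias but no group-url.
SAMPLE_CONFIG = """\
tunnel-group TG1 webvpn-attributes
  group-alias TG1 enable
  group-url https://vpn.example.net/tg1 enable
!
tunnel-group TG2 webvpn-attributes
  group-alias TG2 enable
  group-url https://vpn.example.net/tg2 enable
!
tunnel-group TG3 webvpn-attributes
  group-alias TG3 enable
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes\s*$")
GROUP_URL = re.compile(r"^\s+group-url\s+(\S+)\s+enable\s*$")


def parse_group_urls(config):
    """Return {tunnel_group: [enabled group-url, ...]} from ASA config text."""
    groups, current = {}, None
    for line in config.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            groups.setdefault(current, [])
        elif not line.startswith(" "):
            current = None  # "!" or any other top-level line ends the block
        elif current and (m := GROUP_URL.match(line)):
            groups[current].append(m.group(1))
    return groups


def audit(config):
    """Return (groups with no enabled group-url, URLs claimed by >1 group)."""
    groups = parse_group_urls(config)
    missing = sorted(g for g, urls in groups.items() if not urls)
    owners = defaultdict(set)
    for group, urls in groups.items():
        for url in urls:
            # Assumption: treat case and trailing-slash variants as one URL
            owners[url.lower().rstrip("/")].add(group)
    shared = {u: sorted(g) for u, g in owners.items() if len(g) > 1}
    return missing, shared
```

Calling `audit(SAMPLE_CONFIG)` flags TG3 as having no group-url; a client pointed at the bare gateway name would not be steered into that group by URL.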

 
