topic Re: ASA Remote VPN multiple Profile in Network Security

ASA Remote VPN multiple Profile

manvik — Mon, 19 Oct 2020 06:22:07 GMT

ASA Remote VPN (Ipsec) users connecting from home. ASA is authenticated to AAA servers.

Anyway to achieve the below.

If user1 connects via anyconnect ASA should send authentication request too AAA server 1

If user2 connects via anyconnect ASA should send authentication request too AAA server 2

It's ok if custom anyconnect profile needs to be added at user-end.

Re: ASA Remote VPN multiple Profile

Mohammed al Baqari — Mon, 19 Oct 2020 07:21:37 GMT

Hi, you can create two group policies with 2 aaa servers, one for each
user. If you enable group alias the users will get a drop down to select
their relevant group when connecting to vpn. Then the user will
authenticate against his aaa server depending on his group selection from
the drop down. You use group lock feature to avoid users mixing groups.

***** please remember to rate useful posts

Re: ASA Remote VPN multiple Profile

manvik — Mon, 19 Oct 2020 08:23:49 GMT

Thank you,

Issue is users are already connected and working via RVPN. We want few of those users to authenticate against AAA server 2.

In this case, how can we force the users to select their group.

They are already using anyconnect with single group/profile in it.

Re: ASA Remote VPN multiple Profile

Marvin Rhoads — Mon, 19 Oct 2020 08:52:42 GMT

You don't force them to select, you tell the ASA to lock them to a single selection. As @Mohammed al Baqari mentioned, we do that with group-lock.

The specifics of how you do that are covered in several free online videos and articles. Just google "cisco anyconnect group lock ad authentication" (for example).

ASA Remote VPN multiple Profile

MHM Cisco World — Wed, 21 Oct 2020 13:37:49 GMT

They use different profile! So each profile have it auth/authorz aaa.

If both profile use same group key

then group-lock need config with max-users

what happened when we use both

for example

user1 will use profile 1 with aaa1 and max-users=1, with group-lock this user will always use this group

user2 will use profile 2 with aaa2 and max-users=1, with group-lock this user will always use this group

without max-users

both user1 and user2 will use profile1 and group-lock make then always use this profile.

please correct me if I wrong.

Re: ASA Remote VPN multiple Profile

manvik — Wed, 04 Nov 2020 05:20:15 GMT

Can someone give steps on configuring group alias in IPSEC RVPN.

It would be helpful with step-by-step methods. Req is -

When end-user selects Profile 1 in anyconnect, they would be authenticating to AAA server1

When end-user selects Profile 2 in anyconnect, they would be authenticating to AAA server2

Can someone help with steps to achieve the above.

Re: ASA Remote VPN multiple Profile

Mohammed al Baqari — Wed, 04 Nov 2020 06:40:13 GMT

Hi,

Here you go:

ciscoasa(config)# *tunnel-group remote-1 type ipsec-ra*
ciscoasa(config)# *tunnel-group remote-1 general-attributes*
ciscoasa(config-general)# *authentication-server-group aaa_1*

ciscoasa(config)# *tunnel-group remote-2 type ipsec-ra*
ciscoasa(config)# *tunnel-group remote-2 general-attributes*
ciscoasa(config-general)# *authentication-server-group aaa_2*

This is where you assign different aaa groups to different profiles. Rest
is normal anyconnect configuration. Follow this configuration guide.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-extserver.html

***** please remember to rate useful posts

Re: ASA Remote VPN multiple Profile

manvik — Wed, 04 Nov 2020 06:46:39 GMT

Thank You @Mohammed al Baqari

How can the remote users select "tunnel-group remote-2" from anyconnect.

Re: ASA Remote VPN multiple Profile

Mohammed al Baqari — Wed, 04 Nov 2020 07:37:13 GMT

Just enable group-alaias under webvpn config. Then a dropdown will be
presented on the client when they sign in.

**** please remember to rate useful posts