https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678812#M536774 <P>ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not.&nbsp; I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...".&nbsp; I created a new Group Policy with split-tunnel enabled.&nbsp; I created a new Connection Profile and assigned to it the new Group Policy.&nbsp; When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want.&nbsp; Each of them works, enabling or disabling split-tunnel.&nbsp; But I want to assign a connection profile to the particular user, not give the user a choice.&nbsp; The problem is I'm using LDAP authentication.&nbsp; The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing.&nbsp; I really don't want to give up LDAP and force people back to another local password.&nbsp; But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile.&nbsp; At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page.&nbsp; Otherwise, DefaultWebVPNGroup will be the connection profile".&nbsp; If I clear that switch every user will be assigned the same default profile, which does not help.&nbsp; So I'm feeling kind of stuck.&nbsp; Any ideas?&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 20:53:48 GMT mcmurphytoo 2019-03-11T20:53:48Z https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678812#M536774 <P>ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not.&nbsp; I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...".&nbsp; I created a new Group Policy with split-tunnel enabled.&nbsp; I created a new Connection Profile and assigned to it the new Group Policy.&nbsp; When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want.&nbsp; Each of them works, enabling or disabling split-tunnel.&nbsp; But I want to assign a connection profile to the particular user, not give the user a choice.&nbsp; The problem is I'm using LDAP authentication.&nbsp; The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing.&nbsp; I really don't want to give up LDAP and force people back to another local password.&nbsp; But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile.&nbsp; At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page.&nbsp; Otherwise, DefaultWebVPNGroup will be the connection profile".&nbsp; If I clear that switch every user will be assigned the same default profile, which does not help.&nbsp; So I'm feeling kind of stuck.&nbsp; Any ideas?&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 20:53:48 GMT https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678812#M536774 mcmurphytoo 2019-03-11T20:53:48Z https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678813#M536776 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can switch the LDAP users group-policy through an ldap attribute-map.</P><P>This is explained in details under the following link: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml</A></P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Sun, 03 Jul 2011 20:44:38 GMT https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678813#M536776 Nicolas Fournier 2011-07-03T20:44:38Z https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678814#M536778 <HTML><HEAD></HEAD><BODY><P> Thanks.&nbsp; I had the LDAP Attribute map set up to allow or not allow connection, based on the Active Directory remote access Allow or No attribute.&nbsp; I can revise that to use group policy membership to get multiple choice - Allow, Allow without split tunnel, Allow with split tunnel.</P></BODY></HTML> Tue, 05 Jul 2011 18:12:57 GMT https://community.cisco.com/t5/network-security/can-ldap-authenticated-remote-user-be-assigned-a-connection/m-p/1678814#M536778 mcmurphytoo 2011-07-05T18:12:57Z