Umbrella Policy help

sv7 (Level 3)

Hello All,

Deployed Cisco Umbrella and configured a Network (Public IP Address), so any users within the premises exit via that public IP, Umbrella considers that machine legitimate and applies Umbrella policies; I also installed the AnyConnect Roaming Security module for off-network Umbrella protection.

My concern is that the same users take their laptop home and work from there. So what should I do so that when a user is inside the office the Umbrella internal policy applies, while when they are off-network the roaming users policy applies?

Note: Users log in with their AD user credentials on their system both on and off network.

Please guide

9 Replies

@sv7 create a policy that applies to Roaming Computers, so assuming they have the AnyConnect roaming agent installed and the orginfo configuration file, the Umbrella policy will be applied.

Hi Rob,

Would it be a problem to apply the right policy if the user logs in with the same AD user credentials on the same machine while on and off network?

Also, what identity do I have to choose while creating a policy for on and off network?

Ivan Gonzalez (Cisco Employee)

Hi,

Not a problem; this requirement can be accomplished by following the steps specified in the following document. The guide contains detailed steps which will help you to implement it successfully:

https://support.umbrella.com/hc/en-us/articles/230560847-Roaming-Client-Enable-Disable-Protected-Network

I hope this helps!

Hi Ivan,

Would it be a problem to apply the right policy if the user logs in with the same AD user credentials on the same machine while on and off network?

Also, what identity do I have to choose while creating a policy for on and off network?

Hi Ivan,

I have created Policy A for on-prem users logging in with AD user credentials (configured the Public IP as a Network) and another for off-prem users logging in to their system using the same AD credentials (using the AnyConnect security module).

Observed: when a user is off-network and logs in to their machine using AD credentials, he gets Policy A applied, which is created for on-prem users, and not Policy B, which is created for off-prem users.

Hi,

Yes, that is expected. The reason is that if you have Active Directory integration, AnyConnect will pass the user identity and it will match the policy that matches the respective user or the AD group this user belongs to.

In order to accomplish On and Off-Network policies for Roaming Computers you need to have the following in place:

- Enable "Disable DNS redirection while on an Umbrella Protected Network" under Roaming Computer Settings in the Umbrella dashboard
- Configure 2 policies:
  1. Policy matching the Network Identity must have higher precedence (only Network Identities; do not use AD identities on this policy)
  2. Policy matching the Roaming Clients must be below the Policy matching the Network Identity (you can also use AD users on this policy)

The above is specifically when you are using Network Protection and Roaming Clients. If you were to implement Virtual Appliances and start building policies based on AD groups, you will need the policies configured in the following order:

  1. Policy matching the Roaming Clients (for Off-network)
  2. Policy matching based on AD users/groups (for On-network)

I hope this helps to clarify your concerns.
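To make the ordering rules in the reply above concrete, here is a small added model of top-down, first-match policy evaluation; it is example code written for this thread, not Umbrella's own logic or the poster's configuration. It assumes (as the reply states) that a policy matches when any of its identities matches the request, that with "Disable DNS redirection while on an Umbrella Protected Network" enabled an on-network request carries only the Network identity (plus the AD user when a Virtual Appliance supplies it), and that off-network the roaming client forwards the request with both the Roaming Computer and the AD user identity. The public IP, hostname and user name are constructed placeholders, and the "observed" ordering assumes Policy A also carried the AD user identity, which is what the reply says caused the off-network match.

```python
"""Simplified model of first-match policy evaluation (assumed behaviour, not Umbrella's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Identity = Tuple[str, str]  # (kind, value), e.g. ("network", "203.0.113.10")

# Constructed sample identities; the public IP, hostname and user are placeholders.
OFFICE_NETWORK: Identity = ("network", "203.0.113.10")
LAPTOP_ROAMING: Identity = ("roaming", "laptop-01")
AD_USER_ALICE: Identity = ("ad_user", "CORP\\alice")


@dataclass(frozen=True)
class Policy:
    name: str
    identities: FrozenSet[Identity]


def identities_seen(on_network: bool, ad_user: Optional[str], via_va: bool) -> FrozenSet[Identity]:
    """Identities a DNS request carries in this model.

    Assumes "Disable DNS redirection while on an Umbrella Protected Network" is enabled:
    on-network the roaming client steps aside, so only the Network identity is seen (plus
    the AD user if a Virtual Appliance adds it); off-network the roaming client forwards
    the request and passes the AD user when AD identity is enabled for Roaming Computers.
    """
    ids = set()
    if on_network:
        ids.add(OFFICE_NETWORK)
        if via_va and ad_user:
            ids.add(("ad_user", ad_user))
    else:
        ids.add(LAPTOP_ROAMING)
        if ad_user:
            ids.add(("ad_user", ad_user))
    return frozenset(ids)


def evaluate(policies: List[Policy], request: FrozenSet[Identity]) -> str:
    """Top-down first match: the first policy sharing any identity with the request wins."""
    for policy in policies:
        if policy.identities & request:
            return policy.name
    return "Default Policy"


def order_as_observed() -> List[Policy]:
    """Poster's first attempt (assumed): on-prem policy on top and carrying the AD user too."""
    return [
        Policy("A-onprem", frozenset({OFFICE_NETWORK, AD_USER_ALICE})),
        Policy("B-offprem", frozenset({LAPTOP_ROAMING})),
    ]


def order_recommended_no_va() -> List[Policy]:
    """Without Virtual Appliances: Network-only policy above the Roaming Clients policy."""
    return [
        Policy("A-onprem", frozenset({OFFICE_NETWORK})),
        Policy("B-offprem", frozenset({LAPTOP_ROAMING, AD_USER_ALICE})),
    ]


def order_recommended_with_va() -> List[Policy]:
    """With Virtual Appliances: Roaming Clients policy above the AD user/group policy."""
    return [
        Policy("Roaming-offprem", frozenset({LAPTOP_ROAMING})),
        Policy("AD-onprem", frozenset({AD_USER_ALICE})),
    ]


def walkthrough() -> Dict[str, str]:
    """Which policy each scenario hits under each ordering."""
    alice = AD_USER_ALICE[1]
    on_no_va = identities_seen(True, alice, via_va=False)
    off = identities_seen(False, alice, via_va=False)
    on_va = identities_seen(True, alice, via_va=True)
    return {
        "observed/off-network": evaluate(order_as_observed(), off),
        "no-va/on-network": evaluate(order_recommended_no_va(), on_no_va),
        "no-va/off-network": evaluate(order_recommended_no_va(), off),
        "va/on-network": evaluate(order_recommended_with_va(), on_va),
        "va/off-network": evaluate(order_recommended_with_va(), off),
        "va-reversed/off-network": evaluate(list(reversed(order_recommended_with_va())), off),
    }


if __name__ == "__main__":
    for case, hit in walkthrough().items():
        print(f"{case:26s} -> {hit}")
```

Running it shows the off-network laptop landing on A-onprem under the observed ordering, the corrected orderings sending on-network and off-network requests to the intended policies, and the reversed VA ordering again catching the off-network user on the AD policy, which is the failure the reply warns about.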

Hi Ivan,

Thanks for your reply. I have followed your recommendation and got the expected result for on-prem and roaming users logging in to their machine with their user credentials (without VA).

Regarding deployment with a VA, you have suggested we can create the policy using AD users for on-prem and the Roaming Client for off-prem. So would there not be a chance that the on-prem policy might be applied if the same users log in with their AD user credentials while they are off-prem?

Just a doubt.

Hi,

The reason why you need to create the on-prem policy with AD user/group while keeping the off-prem one with Roaming Clients is because if you enable "Active Directory Identity" for your Roaming Computers and you move the AD policy on top of the Roaming Computers policy, users with the Roaming Client will always hit that policy while on or off-network. That is the reason why you need to make that change from Network to Active Directory user/group identity in your on-prem policy.

I hope this helps!

alirafaleiro (Level 1)

This requirement can be accomplished by following the steps specified in the following document. The guide contains detailed steps which will help you to implement it successfully:

https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1