FTD: Anyconnect VPN restriction to authenticate on other Connection Profile

Hi,

I have two AnyConnect profiles, one for Sales users and one for admins. How do I restrict Sales users from logging in to the Admin Connection Profile?

In ASA I was doing it with RADIUS attributes and a DAP policy, but how do I do it in FTD?

1 ACCEPTED SOLUTION

Cisco Employee

Re: FTD: Anyconnect VPN restriction to authenticate on other Connection Profile

Hi Piyush_Sharma,

You can try setting up RADIUS mapping with attribute 25 on the NPS. The following guide includes exactly what you need to do from the server perspective, since there is nothing you need to do on the FTD:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

Pass Group-policy Attribute (Attribute 25) from the NPS RADIUS Server

If the group-policy needs to be assigned to the user dynamically with the NPS RADIUS server, the group-policy RADIUS attribute (attribute 25) can be used.

Complete these steps in order to send the RADIUS attribute 25 for dynamic assignment of a group-policy to the user.

  1. After the Network Policy is added, right-click the required Network Policy and click the Settings tab.

  2. Choose RADIUS Attributes > Standard. Click Add. Leave the Access type as All.

  3. In the Attributes box, choose Class and click Add. Enter the attribute value, that is, the name of the group-policy as a string. Remember that a group-policy with this name has to be configured in the ASA. This is so that the ASA assigns it to the VPN session after it receives this attribute in the RADIUS response.

Hope this info helps!!

Rate if it helps you!!

-JP-
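As an added illustration (not code from the thread or from the Cisco guide), the following Python simulates the RADIUS side of what the steps above configure: an Access-Accept carrying the group-policy name in attribute 25 (Class), parsed the way the firewall consumes it, and the check that a group-policy by that name is actually configured before it is applied. The packet builder, the group-policy names and the return-None behaviour for an unknown name are assumptions for the simulation.

```python
import os
import struct
from typing import List, Optional, Set, Tuple

# RADIUS type codes (RFC 2865). The NPS steps above send the group-policy
# name in attribute 25 (Class) inside the Access-Accept.
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CLASS = 25

def build_access_accept(identifier: int, attributes: List[Tuple[int, bytes]]) -> bytes:
    """Build a simulated Access-Accept: 20-byte header followed by TLV attributes.
    The authenticator is random here; a real server derives it with MD5 over the shared secret."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + os.urandom(16) + body

def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the header, rejecting lengths that overrun the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def group_policy_from_accept(packet: bytes) -> Optional[str]:
    """Return the group-policy name carried in attribute 25, or None if not an Accept / absent."""
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet):
        if atype == ATTR_CLASS:
            return value.decode("ascii", errors="replace")
    return None

def resolve_group_policy(packet: bytes, configured: Set[str]) -> Optional[str]:
    """Apply the pushed group-policy only if the firewall has one by that name (the guide's requirement)."""
    name = group_policy_from_accept(packet)
    return name if name in configured else None

if __name__ == "__main__":
    configured = {"GP-Sales", "GP-Admin"}  # constructed names, not from the thread
    sales = build_access_accept(7, [(ATTR_USER_NAME, b"alice"), (ATTR_CLASS, b"GP-Sales")])
    print(resolve_group_policy(sales, configured))  # GP-Sales
    print(resolve_group_policy(build_access_accept(8, [(ATTR_CLASS, b"GP-Typo")]), configured))  # None
```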
