We've been running different ASA profiles together with an LDAP Description to Profile mapping enabled. This works fine, but I've always had issues finding the right way to let people get their correct .xml profile downloaded.
Every profile has its own Custom URL, which works fine through Internet Explorer 11 (with the site added to Trusted Sites), but every other browser fails. I know you can also enter your own URL directly in the AnyConnect box (where it normally shows your profiles), but if I enter one of the Custom URLs I'm getting an "Unknown IKEv2 Received" in the logging.
1. Is it even possible to enter a URL or something directly in AnyConnect to download the profile .xml that way?
2. We're running AnyConnect 4.4 right now. If I upgrade AnyConnect, will that make WebLaunch work again through Firefox and/or Chrome? Adding a site to Trusted Sites and using IE11 (instead of Edge) is still really hard for some users.
Thanks in advance,
Yes you can add a custom URL directly in AnyConnect. It can be a published or non-published alias.
You can also have people just use the common "top level" URL and then change their group-policy based on the LDAP map dynamically.
My colleague @Rahul Govindan mentions the alternatives in this thread:
Oh and by the way FTD does a nice job at getting away from the issues that Firefox and Chrome have with the old style web launch on ASAs. It doesn't have 100% parity in all features but it does get that one right (finally!).
Thanks for the fast reply. I tried exactly what you said, and what was described in the linked topic, but without success. It might be because we have a bit of an "exotic" configuration. Like I said, we use LDAP Description to Group Policy mapping to "force" people into the right Tunnel Profile:
ldap attribute-map AC_LDAP_AUTHORIZATION map-name description Group-Policy
This is the configuration of one of the Tunnel Groups:
group-policy TESTCASE internal
group-policy TESTCASE attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-filter value TESTCASE_FILTER
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTCASE_TUNNEL
 default-domain value testcase.com
 anyconnect-custom DeferredUpdateDismissTimeout value Time
 anyconnect-custom DeferredUpdateDismissResponse value Response
 anyconnect-custom DeferredUpdateAllowed value Allowed
 anyconnect-custom DeferredUpdateMinimumVersion value Version
 webvpn
  anyconnect profiles value TESTCASE_PROFILE type user
tunnel-group TESTCASE type remote-access
tunnel-group TESTCASE general-attributes
 address-pool AC_POOL
 authentication-server-group RSA
 authorization-server-group LDAP
 default-group-policy AC_NOACCESS
 authorization-required
 username-from-certificate CN
tunnel-group TESTCASE webvpn-attributes
 group-alias TESTCASE enable
 group-url https://testcase.com/test enable
 without-csd
I didn't build it, but I think I'm starting to understand. What my former colleague wanted to do is force everyone into the "AC_NOACCESS" policy first, so that if someone somehow got unauthorized access, they'd be forced into a group policy where they can do literally nothing. That's why we're also using LDAP, and the LDAP mapping to group policy.
The following happens when I manually enter a/the URL in AnyConnect:
I have a feeling this happens because everyone is "forced" into the AC_NOACCESS policy first. When I try one of the above 4 options, the ASA logs the following error:
6 Aug 06 2019 09:32:06 113044 Client <PUBLIC_IP> User <testuser> requested tunnel protocol (ssl-client) not allowed by group-policy <TESTCASE> configuration.
Could it be that the group policy "TESTCASE" is only set to "vpn-tunnel-protocol ikev2" and initiating the connection directly through the address bar in AnyConnect by default initiates a "ssl-client" connection?
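Added example, not code from the thread or from Cisco: a small Python check that parses group-policy blocks like the one posted above together with an ASA 113044 message, and reports whether the logged policy's vpn-tunnel-protocol list actually contains the protocol the client asked for. The config and log samples are constructed from the values in the thread (the poster's angle-bracket redactions are kept and stripped by the parser).

```python
import re

# Constructed sample modelled on the group-policy block posted in the thread.
SAMPLE_CONFIG = """\
group-policy TESTCASE internal
group-policy TESTCASE attributes
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ikev2
tunnel-group TESTCASE type remote-access
"""
# The 113044 line from the thread, with the poster's <...> redactions kept.
SAMPLE_LOG = ("6 Aug 06 2019 09:32:06 113044 Client <PUBLIC_IP> User <testuser> "
              "requested tunnel protocol (ssl-client) not allowed by group-policy "
              "<TESTCASE> configuration.")
LOG_113044 = re.compile(r"113044 Client (\S+) User (\S+) requested tunnel protocol "
                        r"\((\S+)\) not allowed by group-policy (\S+) configuration")

def parse_tunnel_protocols(config):
    """Map each 'group-policy NAME attributes' block to its vpn-tunnel-protocol set."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"group-policy (\S+) attributes$", line)
        if head:
            current = head.group(1)
            policies.setdefault(current, set())
        elif raw.startswith(" ") and current:
            proto = re.match(r"vpn-tunnel-protocol (.+)$", line)
            if proto:
                policies[current] = set(proto.group(1).split())
        else:
            current = None  # any other top-level command ends the block
    return policies

def parse_113044(line):
    """Pull client, user, requested protocol and policy out of a 113044 syslog line."""
    m = LOG_113044.search(line)
    if not m:
        return None
    return dict(zip(("client", "user", "requested", "policy"),
                    (v.strip("<>") for v in m.groups())))

def explain(config, log_line):
    # Compare the protocol the client requested with what the named policy permits.
    event = parse_113044(log_line)
    if event is None:
        return None
    allowed = parse_tunnel_protocols(config).get(event["policy"], set())
    event.update(allowed=sorted(allowed), missing=event["requested"] not in allowed)
    return event
```

For the thread's config and log line, `explain` reports policy TESTCASE allowing only ikev2 with ssl-client missing, which is exactly the mismatch the question above is asking about.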