Showing results for 
Search instead for 
Did you mean: 

Anyconnect Authentication

Level 1
Level 1



We are currently using a Radius server to authenticate users using Anyconnect. The Radius server is tied to MS AD\Domain Users & \Domain Computers. So, any user who has an AD account can login using their AD creds.


I have an assignment to create a new connection profile so that specific end-users can authenticate against specific AD group called "SG_NtwkSupport"


How do I go about configuring a Connection profile/Global Policy where it points/links to the Radius server where that Radius server in linked to the AD\SG_NtwkSupport group?


Thanks in advance.



3 Replies 3



below will give good guide

Please rate this and mark as solution/answer, if this resolved your issue
Good luck

Marvin Rhoads
Hall of Fame
Hall of Fame

We do this most commonly with an LDAP Attribute map.

However it can also be done in a pure RADIUS environment. Generally speaking, the VPN headend has a default group policy that allows zero connections. Once a user authenticates (and assuming they are in the group that the RADIUS server checks for) the RADIUS server returns an Authorization result overriding the default group policy and directing the VPN headend to assign a group policy that allows connections.

Depending on what RADIUS server you are using, there may be some step by step guides you can reference. Cisco ISE and Microsoft NPS are the most common ones in this scenario.

Cisco Employee
Cisco Employee

You can do this with LDAP attribute mapping on Cisco Firewalls: 


But depending on what type of Radius server you are using you should be able to pass back attributes as well. Several methods to do this depending upon your topology. 


Guide is here:



Review Cisco Networking for a $25 gift card