06-06-2022 08:11 AM
Hi
I'm looking for some help. We have deployed both Client VPNs for Remote access by Staff and WebVPNs for support access by 3rd parties on the same ASA. We are using Aliases as a method for 3rd parties to choose their "profile". However, we have noticed that the 3rd party Aliases show up in the drop down list on the AnyConnect client and, vice versa, the Staff remote access alias is showing up on the WebVPN drop down list.
Is there a way to separate the two sets of aliases so that the staff only see the staff profile on the client and the 3rd parties only see the aliases meant for them? At the moment they seem to be linked i.e. if we delete the alias from the client settings it also gets removed from the WebVPN and vice versa.
Kind Regards
Ryan
06-06-2022 09:14 AM
Any published profiles with aliases (e.g. those listed in the dropdown) will be visible to all users pre-authentication.
A more secure method is to use no access as the default policy and then assign users dynamically via LDAP attribute-map. i.e. if a user is staff then assign to staff profile, if vendor A then assign to vendor A profile etc.
If you still need the ability to manually go to a different profile you can still create a URL specifically for it but just don't create an alias. Users needing to override the dynamically-assigned policy can just type in the alias directly (assuming they are authorized) to get access.
06-06-2022 09:15 AM
06-06-2022 12:17 PM
Can you try:
For the AnyConnect client, use group-alias.
For clientless, use group-url.
This makes clientless go directly to the group without selecting the group in group-alias.
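An added configuration sketch of the approach described in the replies above (a no-access default policy, LDAP attribute-map assignment, and a group-url with no group-alias); it was not posted by any participant in the thread. All policy and tunnel-group names, the LDAP group DNs, the server address and the hostname are constructed placeholders.

```cisco
! Constructed example: names, DNs, address and hostname are placeholders.
! Default policy that permits no VPN sessions. Users whose LDAP groups
! match nothing in the map below land here and are refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Staff: AnyConnect client only.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! Vendor A: clientless (WebVPN) only.
group-policy GP-VENDOR-A internal
group-policy GP-VENDOR-A attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-clientless
!
! Map directory group membership to a group-policy name.
ldap attribute-map VPN-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Staff,OU=Groups,DC=example,DC=com" GP-STAFF
 map-value memberOf "CN=VPN-VendorA,OU=Groups,DC=example,DC=com" GP-VENDOR-A
!
! Attach the map to the LDAP server used for authentication.
! (Base DN, bind credentials and LDAP-over-SSL settings omitted.)
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-attribute-map VPN-GROUP-MAP
!
! One connection profile reached by URL. No group-alias is defined,
! so nothing about it is published in the pre-authentication dropdown.
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
tunnel-group VPN-USERS webvpn-attributes
 group-url https://vpn.example.com/users enable
```

With this layout the group policy is decided by directory membership after authentication, so a staff account cannot pick a vendor policy and an unmapped account gets no session at all.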