AnyConnect Client & Clientless Aliases

RWilliams2
Level 1

Hi

I'm looking for some help. We have deployed both Client VPNs for remote access by staff and WebVPNs for support access by 3rd parties on the same ASA. We are using aliases as a method for 3rd parties to choose their "profile". However, we have noticed that the 3rd party aliases show up in the drop-down list on the AnyConnect client and, vice versa, the staff remote access alias is showing up on the WebVPN drop-down list.

Is there a way to separate the two sets of aliases so that the staff only see the staff profile on the client and the 3rd parties only see the aliases meant for them? At the moment they seem to be linked, i.e. if we delete the alias from the client settings it also gets removed from the WebVPN and vice versa.

Kind Regards

Ryan

3 Replies

Marvin Rhoads
Hall of Fame

Any published profiles with aliases (i.e. those listed in the drop-down) will be visible to all users pre-authentication.

A more secure method is to use no access as the default policy and then assign users dynamically via an LDAP attribute map, i.e. if a user is staff then assign to the staff profile, if vendor A then assign to the vendor A profile, etc.

If you still need the ability to manually go to a different profile, you can still create a URL specifically for it, but just don't create an alias. Users needing to override the dynamically-assigned policy can just type in the URL directly (assuming they are authorized) to get access.

Hi,

You can use the URL map or Certificate Map features to automatically map users to their connection profiles without seeing the others. You can also use the group-lock feature to ensure that users can access their profiles only.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-allow-only-ad-group/td-p/3300446

https://integratingit.wordpress.com/2022/03/23/asa-group-url-and-alias/

https://itsecworks.com/2011/07/15/certificate-mapping-to-anyconnect-tunnel-group/

****** please remember to rate useful posts

Can you try:
for the AnyConnect client, use group-alias
for clientless, use group-url
This makes clientless users go directly to the group without selecting it from the group-alias list.
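The two suggestions above (Marvin's no-access default policy with an LDAP attribute map and group-lock, and the last reply's group-url instead of group-alias) fit together in one ASA configuration. The following is an added example written for this thread, not configuration taken from any of the posters; the policy names, tunnel-group names, AD group DNs, IP address, URLs and pool/bookmark names are all constructed placeholders and need to be replaced with your own.

```cisco
! Added example for this thread; all names, DNs, IPs and URLs are placeholders.

! 1. A "no access" policy used as every tunnel-group's default: a user whose AD
!    groups map to nothing gets zero concurrent sessions and is rejected.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 2. One policy per population. group-lock pins each policy to one tunnel-group,
!    so a staff account that lands on the vendor URL is rejected even though
!    its AD group mapped successfully.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client ikev2
 group-lock value STAFF-RA
 address-pools value STAFF-POOL
group-policy GP-VENDORA internal
group-policy GP-VENDORA attributes
 vpn-tunnel-protocol ssl-clientless
 group-lock value VENDORA-WEB
 webvpn
  url-list value VENDORA-BOOKMARKS

! 3. LDAP attribute map: AD memberOf -> ASA group-policy (placeholder DNs).
ldap attribute-map AD-TO-GP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Staff,OU=Groups,DC=example,DC=com" GP-STAFF
 map-value memberOf "CN=VPN-VendorA,OU=Groups,DC=example,DC=com" GP-VENDORA

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-CHANGE-ME
 server-type microsoft
 ldap-attribute-map AD-TO-GP

! 4. Anything that arrives without a matching URL falls into the default
!    WebVPN group and therefore into the no-access policy.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS

! 5. Staff (AnyConnect): reached by group-url only, no group-alias, so it is
!    listed in neither drop-down. The mapped policy replaces the default.
tunnel-group STAFF-RA type remote-access
tunnel-group STAFF-RA general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group STAFF-RA webvpn-attributes
 group-url https://vpn.example.com/staff enable

! 6. Vendor A (clientless): its own group-url, again with no alias.
tunnel-group VENDORA-WEB type remote-access
tunnel-group VENDORA-WEB general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group VENDORA-WEB webvpn-attributes
 group-url https://vpn.example.com/vendora enable

! 7. With no aliases left, the pre-authentication drop-down can go entirely.
webvpn
 no tunnel-group-list enable
```

Two practical notes. First, removing the alias from the AnyConnect side does not leave staff typing paths: the AnyConnect client profile can point at the URL for them (the `UserGroup` element of a `HostEntry`, here `staff` against `vpn.example.com`), so the client still connects to STAFF-RA with no group selection. Second, verify the mapping before relying on it: `debug ldap 255` during a test logon shows which `memberOf` value matched and which group-policy was applied, and `show vpn-sessiondb anyconnect` / `show vpn-sessiondb webvpn` show the tunnel-group and group-policy each session actually received; a user who ends up in GP-NOACCESS is exactly the case the no-access default is meant to catch.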
