Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1293
Views
0
Helpful
3
Replies

ASA Remote Vpn Configuration doubt

Alfredcfc
Level 1
Level 1

‎05-12-2020 02:25 PM

We have a cisco anyconnect vpn currently configured with group-alias method to select connection profile.

 

We are in the midst of migrating remote VPN groups from an old firewall into this new vpn firewall with the group-alias.

 

There are more than 65 group policies in the old firewall.We suggested a plan to remove the group-alias method in the new vpn and just use the default webvpn and use the same authentication parameters for all users and configure ldap maps to select the group-policies.

 

But the client wants to use separate authentication mechanism for the company users and a separate authentication mechanism for the partner users.

 

Is it possible to have one connection profile for the internal users and call the group policy for the company users in the connection profile itself and create another connection profile for all the other users with group-policy set to default and use the LDAP attribute mapping to select the  group policies.

 

I have never tested this half-half kind of configuration.

 

Sorry for the long explanation.

 

 

 

 

 

 

 

0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎05-12-2020 02:53 PM

Hi,
You can create and additition connection profile aka tunnel-group (via CLI) for the contractors, which will reference a unique group-policy. When they connect to this unique connection profile/tunnel-group they will use a different authentication method to your internal users.

 

Yes, you can use LDAP mapping to map the users to the required group-policies, reference here.

 

What is the requirement for 65 group-policies? Which unique attributes differ?

You could probably simplify your configuration by have 1 group-policy and dynamically applying the required settings via RADIUS.

 

HTH

0 Helpful

Alfredcfc
Level 1
Level 1
In response to Rob Ingram

‎05-12-2020 03:50 PM

Hello Thanks for your reply,

 

The client want's to have possibly just two options in the drop-down menu they get the login prompt via group-alias.

 

1.CORPO-USERS

2.OTHER-USERS

 

My confusion how to reference all the group-policies which belong to other users with one connection profile.

 

For COPRO-USERS profile i can simply reference the unique group-policy created directly in the connection profile.

 

But for "OTHER-USERS" profile if I leave the group-policy as Default-group policy,will the ldap mapping work properly and choose the correct group policy and ip pool for the user ?.

 

The unique parameters per group-policies are the vpn filter for each remote vpn group.(we have left sysopt-vpn enabled).

 

The other unique parameter is the ip pool per group policy rest all are same 

(i.e) same split-tunnel and banner and timeout values for all 65 grp-polices.

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Alfredcfc

‎05-12-2020 11:27 PM

The OTHER-USERS Connection Profile/Tunnel Group, this will use LDAP authentication, which will use an LDAP attribute map to map the correct group-policy for the users.

 

The CORPO-USERS Connection Profile/Tunne Group, this will use a different authentication method and will reference the unique group-policy.

 

I think this post covers your scenario

 

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card