

ASA Remote VPN Configuration doubt

We have a Cisco AnyConnect VPN currently configured with the group-alias method to select the connection profile.


We are in the midst of migrating remote VPN groups from an old firewall into this new vpn firewall with the group-alias.


There are more than 65 group policies in the old firewall. We suggested a plan to remove the group-alias method in the new VPN and just use the default webvpn, use the same authentication parameters for all users, and configure LDAP maps to select the group-policies.


But the client wants to use a separate authentication mechanism for the company users and a separate authentication mechanism for the partner users.


Is it possible to have one connection profile for the internal users and call the group policy for the company users in the connection profile itself, and create another connection profile for all the other users with group-policy set to default and use the LDAP attribute mapping to select the group policies?


I have never tested this half-half kind of configuration.


Sorry for the long explanation.








VIP Advisor

You can create an additional connection profile aka tunnel-group (via CLI) for the contractors, which will reference a unique group-policy. When they connect to this unique connection profile/tunnel-group they will use a different authentication method to your internal users.


Yes, you can use LDAP mapping to map the users to the required group-policies, reference here.


What is the requirement for 65 group-policies? Which unique attributes differ?

You could probably simplify your configuration by having 1 group-policy and dynamically applying the required settings via RADIUS.




Hello, thanks for your reply.


The client wants to have possibly just two options in the drop-down menu they get at the login prompt via group-alias.





My confusion is how to reference all the group-policies which belong to other users with one connection profile.


For the COPRO-USERS profile I can simply reference the unique group-policy created directly in the connection profile.


But for the "OTHER-USERS" profile, if I leave the group-policy as the default group policy, will the LDAP mapping work properly and choose the correct group policy and IP pool for the user?


The unique parameters per group-policy are the VPN filter for each remote VPN group (we have left sysopt-vpn enabled).


The other unique parameter is the IP pool per group policy; the rest are all the same (i.e. the same split-tunnel, banner and timeout values for all 65 group-policies).



The OTHER-USERS Connection Profile/Tunnel Group, this will use LDAP authentication, which will use an LDAP attribute map to map the correct group-policy for the users.


The CORPO-USERS Connection Profile/Tunnel Group, this will use a different authentication method and will reference the unique group-policy.


I think this post covers your scenario
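
The two-profile layout discussed in this thread, as an added ASA configuration sketch that was not posted by either participant. All addresses, DNs, pool, ACL, policy and server-group names other than OTHER-USERS and CORPO-USERS are constructed placeholders; RADIUS-CORP stands in for whatever "different authentication method" the company users get and is assumed to be defined elsewhere, and the NOACCESS fallback policy is an assumption added here so that an LDAP user who matches no map entry gets no session instead of landing in a permissive default.

```cisco
! Constructed example: addresses, DNs and names are placeholders.
ip local pool POOL-PARTNER-A 10.90.1.1-10.90.1.254 mask 255.255.255.0
access-list FILTER-PARTNER-A extended permit tcp 10.90.1.0 255.255.255.0 host 192.0.2.10 eq 443
!
! Fallback policy: LDAP users with no matching map-value get no session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! One policy per partner group; only the VPN filter and the pool differ.
group-policy GP-PARTNER-A internal
group-policy GP-PARTNER-A attributes
 vpn-filter value FILTER-PARTNER-A
 address-pools value POOL-PARTNER-A
group-policy GP-CORPO internal
!
! Map the AD group membership returned by LDAP to a group-policy name.
ldap attribute-map PARTNER-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Partner-A,OU=Groups,DC=example,DC=com" GP-PARTNER-A
!
aaa-server LDAP-PARTNERS protocol ldap
aaa-server LDAP-PARTNERS (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map PARTNER-MAP
!
! Partner profile: LDAP authentication, policy chosen by the attribute map.
tunnel-group OTHER-USERS type remote-access
tunnel-group OTHER-USERS general-attributes
 authentication-server-group LDAP-PARTNERS
 default-group-policy NOACCESS
tunnel-group OTHER-USERS webvpn-attributes
 group-alias OTHER-USERS enable
!
! Company profile: separate authentication, policy set on the profile itself.
tunnel-group CORPO-USERS type remote-access
tunnel-group CORPO-USERS general-attributes
 authentication-server-group RADIUS-CORP
 default-group-policy GP-CORPO
tunnel-group CORPO-USERS webvpn-attributes
 group-alias CORPO-USERS enable
```

After a test login on OTHER-USERS, `show vpn-sessiondb anyconnect` shows which group policy and assigned address the session actually received, which confirms whether the map entry matched.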


