ASA Remote VPN multiple Profile

manvik
Level 3

ASA Remote VPN (IPsec) users connecting from home. ASA is authenticated to AAA servers.

Any way to achieve the below?

If user1 connects via AnyConnect, ASA should send the authentication request to AAA server 1.

If user2 connects via AnyConnect, ASA should send the authentication request to AAA server 2.

It's ok if a custom AnyConnect profile needs to be added at the user end.

8 Replies

Hi, you can create two group policies with 2 aaa servers, one for each
user. If you enable group alias the users will get a drop down to select
their relevant group when connecting to vpn. Then the user will
authenticate against his aaa server depending on his group selection from
the drop down. You use group lock feature to avoid users mixing groups.

***** please remember to rate useful posts

Thank you,

Issue is users are already connected and working via RVPN. We want a few of those users to authenticate against AAA server 2.

In this case, how can we force the users to select their group?

They are already using anyconnect with single group/profile in it.

You don't force them to select, you tell the ASA to lock them to a single selection. As @Mohammed al Baqari mentioned, we do that with group-lock.

The specifics of how you do that are covered in several free online videos and articles. Just google "cisco anyconnect group lock ad authentication" (for example).

Can someone give steps on configuring group alias in IPsec RVPN?

It would be helpful with step-by-step methods. Requirement is:

When the end user selects Profile 1 in AnyConnect, they would be authenticating to AAA server 1.

When the end user selects Profile 2 in AnyConnect, they would be authenticating to AAA server 2.

Can someone help with steps to achieve the above?

Hi,

Here you go:

ciscoasa(config)# tunnel-group remote-1 type ipsec-ra
ciscoasa(config)# tunnel-group remote-1 general-attributes
ciscoasa(config-general)# authentication-server-group aaa_1

ciscoasa(config)# tunnel-group remote-2 type ipsec-ra
ciscoasa(config)# tunnel-group remote-2 general-attributes
ciscoasa(config-general)# authentication-server-group aaa_2

This is where you assign different aaa groups to different profiles. Rest
is normal anyconnect configuration. Follow this configuration guide.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-extserver.html

***** please remember to rate useful posts

Thank You @Mohammed al Baqari

How can the remote users select "tunnel-group remote-2" from AnyConnect?

Just enable group-alias under webvpn config. Then a dropdown will be
presented on the client when they sign in.

**** please remember to rate useful posts
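Putting the tunnel-group snippet and the group-alias / group-lock advice from this thread together, here is a complete ASA configuration as an added example; it is not from any of the posters. The server addresses, the names GP-REMOTE-1/2 and Profile1/Profile2, and the RADIUS key placeholder are assumed, and the dropdown assumes the AnyConnect client (SSL or IKEv2), since the legacy IKEv1 IPsec client never shows group aliases.

```cisco
! Added example (assumed names and addresses). Two AAA server groups,
! one per tunnel-group, so each profile authenticates to its own server.
aaa-server aaa_1 protocol radius
aaa-server aaa_1 (inside) host 192.0.2.11
 key RADIUS-KEY-PLACEHOLDER
aaa-server aaa_2 protocol radius
aaa-server aaa_2 (inside) host 192.0.2.12
 key RADIUS-KEY-PLACEHOLDER
!
! One group-policy per profile. group-lock rejects a session whose
! selected tunnel-group differs from the one named here. It only bites
! when the user's policy is assigned by AAA (for example a RADIUS
! Class / group-policy attribute) rather than inherited from the
! tunnel-group default, so return the policy from each AAA server.
group-policy GP-REMOTE-1 internal
group-policy GP-REMOTE-1 attributes
 vpn-tunnel-protocol ssl-client ikev2
 group-lock value remote-1
group-policy GP-REMOTE-2 internal
group-policy GP-REMOTE-2 attributes
 vpn-tunnel-protocol ssl-client ikev2
 group-lock value remote-2
!
! authentication-server-group is the line that picks the AAA server.
! group-alias is the text the user sees in the AnyConnect dropdown.
tunnel-group remote-1 type remote-access
tunnel-group remote-1 general-attributes
 authentication-server-group aaa_1
 default-group-policy GP-REMOTE-1
tunnel-group remote-1 webvpn-attributes
 group-alias Profile1 enable
tunnel-group remote-2 type remote-access
tunnel-group remote-2 general-attributes
 authentication-server-group aaa_2
 default-group-policy GP-REMOTE-2
tunnel-group remote-2 webvpn-attributes
 group-alias Profile2 enable
!
! Without tunnel-group-list enable the aliases exist but the client
! never displays the dropdown, so every user lands on the default group.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Verify with `show vpn-sessiondb anyconnect` that each connected user reports the expected Tunnel Group and Group Policy; a user shown under the wrong tunnel-group means the AAA server is not returning the group-policy that carries the lock.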

They use different profiles! So each profile has its own auth/authz AAA.

If both profiles use the same group key

then group-lock needs to be configured with max-users.

What happens when we use both?

For example:

user1 will use profile 1 with aaa1 and max-users=1; with group-lock this user will always use this group.

user2 will use profile 2 with aaa2 and max-users=1; with group-lock this user will always use this group.

Without max-users

both user1 and user2 will use profile1 and group-lock makes them always use this profile.

Please correct me if I'm wrong.
