ASA Remote VPN multiple Profile

manvik · ‎10-18-2020

ASA Remote VPN (Ipsec) users connecting from home. ASA is authenticated to AAA servers.

Anyway to achieve the below.

If user1 connects via anyconnect ASA should send authentication request too AAA server 1

If user2 connects via anyconnect ASA should send authentication request too AAA server 2

It's ok if custom anyconnect profile needs to be added at user-end.

Mohammed al Baqari · ‎10-19-2020

Hi, you can create two group policies with 2 aaa servers, one for each
user. If you enable group alias the users will get a drop down to select
their relevant group when connecting to vpn. Then the user will
authenticate against his aaa server depending on his group selection from
the drop down. You use group lock feature to avoid users mixing groups.

***** please remember to rate useful posts

manvik · ‎10-19-2020

Thank you,

Issue is users are already connected and working via RVPN. We want few of those users to authenticate against AAA server 2.

In this case, how can we force the users to select their group.

They are already using anyconnect with single group/profile in it.

Marvin Rhoads · ‎10-19-2020

You don't force them to select, you tell the ASA to lock them to a single selection. As @Mohammed al Baqari mentioned, we do that with group-lock.

The specifics of how you do that are covered in several free online videos and articles. Just google "cisco anyconnect group lock ad authentication" (for example).

manvik · ‎11-03-2020

Can someone give steps on configuring group alias in IPSEC RVPN.

It would be helpful with step-by-step methods. Req is -

When end-user selects Profile 1 in anyconnect, they would be authenticating to AAA server1

When end-user selects Profile 2 in anyconnect, they would be authenticating to AAA server2

Can someone help with steps to achieve the above.

Mohammed al Baqari · ‎11-03-2020

Hi,

Here you go:

ciscoasa(config)# *tunnel-group remote-1 type ipsec-ra*
ciscoasa(config)# *tunnel-group remote-1 general-attributes*
ciscoasa(config-general)# *authentication-server-group aaa_1*

ciscoasa(config)# *tunnel-group remote-2 type ipsec-ra*
ciscoasa(config)# *tunnel-group remote-2 general-attributes*
ciscoasa(config-general)# *authentication-server-group aaa_2*

This is where you assign different aaa groups to different profiles. Rest
is normal anyconnect configuration. Follow this configuration guide.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-extserver.html

***** please remember to rate useful posts

manvik · ‎11-03-2020

Thank You @Mohammed al Baqari

How can the remote users select "tunnel-group remote-2" from anyconnect.

Mohammed al Baqari · ‎11-03-2020

Just enable group-alaias under webvpn config. Then a dropdown will be
presented on the client when they sign in.

**** please remember to rate useful posts

MHM Cisco World · ‎10-21-2020

They use different profile! So each profile have it auth/authorz aaa.

If both profile use same group key

then group-lock need config with max-users

what happened when we use both

for example

user1 will use profile 1 with aaa1 and max-users=1, with group-lock this user will always use this group

user2 will use profile 2 with aaa2 and max-users=1, with group-lock this user will always use this group

without max-users

both user1 and user2 will use profile1 and group-lock make then always use this profile.

please correct me if I wrong.