07-01-2011 07:32 AM - edited 03-11-2019 01:53 PM
ASA 5510, ASA 8.0, ASDM 6.1. I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connection profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete; assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no; it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not help. So I'm feeling kind of stuck. Any ideas?
07-03-2011 01:44 PM
Hi,
You can switch the LDAP users group-policy through an ldap attribute-map.
This is explained in detail under the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Regards,
Nicolas
07-05-2011 11:12 AM
Thanks. I had the LDAP Attribute map set up to allow or not allow connection, based on the Active Directory remote access Allow or No attribute. I can revise that to use group policy membership to get multiple choice - Allow, Allow without split tunnel, Allow with split tunnel.
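For readers who want to see what the accepted answer's ldap attribute-map looks like once it is revised as the last reply describes (AD group membership selecting the group policy instead of a plain allow/deny), here is an added ASA CLI example. It is not the thread's own configuration and not taken from the linked Cisco document; the server name AD-LDAP, the IP 10.0.0.10, the DNs under DC=example,DC=com and the group-policy names GP-SPLIT, GP-FULL and GP-NOACCESS are constructed placeholders.

```text
! Added example (not from the original thread). Assumed names: AD-LDAP,
! 10.0.0.10, DC=example,DC=com, GP-SPLIT, GP-FULL, GP-NOACCESS.
!
! 1. Map the AD "memberOf" attribute to the ASA group-policy selector.
!    On ASA 8.0 the Cisco-side attribute is IETF-Radius-Class; the name
!    "Group-Policy" is only available on later releases (8.2+).
!    The map-value DN must match the memberOf value from AD exactly.
ldap attribute-map AD-GROUP-TO-POLICY
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-SplitTunnel,OU=Groups,DC=example,DC=com" GP-SPLIT
 map-value memberOf "CN=VPN-FullTunnel,OU=Groups,DC=example,DC=com" GP-FULL
!
! 2. Attach the map to the LDAP AAA server definition.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY
!
! 3. The two group policies: one with split tunnelling, one without.
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
!
! 4. Fail closed: users who authenticate but are in neither AD group fall
!    back to the tunnel-group default policy, which allows zero logins.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 5. A single connection profile; the user no longer picks one.
tunnel-group AnyConnect-Users general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

Two points worth checking after applying something like this: `debug ldap 255` during a test login shows the memberOf values the ASA received and which map-value matched, and memberOf is multi-valued, so if an account sits in both mapped groups the policy chosen depends on which value the ASA evaluates first; keeping the VPN groups mutually exclusive in AD avoids that ambiguity. The deny-by-default policy in step 4 is what turns "LDAP just says yes or no" into "yes, but only with a policy the directory explicitly granted".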