10-22-2024 01:19 PM - edited 10-22-2024 01:25 PM
I was unable to use the migration tool so had to configure manually. Now I am in a situation where I only have one tunnel group showing on the AnyConnect drop-down as seen below.
I should have three other tunnel groups showing here. How do I configure these within FMC and what configuration should I be paying close attention to from the old ASA I have migrated from?
Also do I need to run through the RAVPN wizard for each tunnel group I want to add?
Do you create a new connection profile or add additional aliases to the already created profile?
10-22-2024 01:26 PM
@NetworkMonkey101 check your connection profiles and ensure the alias is enabled for the other connection profiles.
Ensure that Allow Users to select connection profile while logging in is selected.
Choose Devices > VPN > Remote Access.
Select the following under Access Settings:
Allow Users to select connection profile while logging in—If you have multiple connection profiles, selecting this option allows the user to select the correct connection profile during login.
10-22-2024 01:27 PM - edited 10-22-2024 01:29 PM
Should I have a separate connection profile for each tunnel group, and then set the alias within it?
This is ticked.
10-22-2024 01:30 PM
@NetworkMonkey101 yes, you define an alias for each.
10-22-2024 02:32 PM
Thanks, I can now see the different drop-down options for each profile/alias.
On the old AnyConnect connection, when I select the portal profile it asks me for two passwords. How do I set these settings?
When I select portal_no_split tunnel it should also be two passwords but split tunnel disabled. How do I amend that for this profile?
When I select Radio it should ask for a single password as seen below.
And finally, when I select BMS it should ask for a username and password and second username and password.
How are these profiles amended for this? I have the old ASA configuration file to review but am unsure what is missing.
10-22-2024 11:43 PM
@NetworkMonkey101 these settings (authentication method, AAA server and split tunneling) are configured under the respective connection profile.
10-23-2024 01:38 AM
You would need to configure a secondary authentication server under the connection profile.
10-23-2024 01:40 AM
Thanks for your reply, I have configured the secondary server as suggested. How does each profile differentiate from the sign-in options such as second username/password or just second password? Is that pushed by the server?
10-23-2024 01:49 AM
The Firewall and Authentication server work together. It is the Firewall that prompts for authentication, but the backend authentication server must also accept the authentication request being passed from the Firewall.
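Added example, not part of the thread or Cisco's tooling: a Python sketch that reads an old ASA running-config and lists, per tunnel group, the settings to re-create on each connection profile (alias, primary and secondary AAA server group, default group policy). On the ASA the `use-primary-username` keyword on `secondary-authentication-server-group` is what separates a second-password-only prompt from a second username and password. The sample config is constructed and its group and server names are placeholders; tunnel-group names are assumed to contain no spaces.

```python
import re

# Constructed sample in ASA running-config syntax; every name is a placeholder.
SAMPLE_ASA_CONFIG = """\
tunnel-group portal general-attributes
 authentication-server-group RADIUS_A
 secondary-authentication-server-group RADIUS_B use-primary-username
 default-group-policy GP_SPLIT
tunnel-group portal webvpn-attributes
 group-alias portal enable
tunnel-group Radio general-attributes
 authentication-server-group RADIUS_A
tunnel-group Radio webvpn-attributes
 group-alias Radio enable
tunnel-group BMS general-attributes
 authentication-server-group RADIUS_A
 secondary-authentication-server-group RADIUS_B
tunnel-group BMS webvpn-attributes
 group-alias BMS enable
"""

HEADER = re.compile(r"tunnel-group (\S+) (?:type|general-attributes|webvpn-attributes)\b")
SIMPLE = {"authentication-server-group": "primary", "default-group-policy": "group_policy"}

def summarize_tunnel_groups(config):
    """Map each tunnel-group name to the settings its connection profile needs."""
    groups, current = {}, None
    for line in config.splitlines():
        header = HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(1), {
                "aliases": [], "primary": None, "secondary": None,
                "group_policy": None, "prompt": "single password"})
            continue
        if not line.startswith(" "):
            current = None  # left the tunnel-group sub-mode
        # Skip an optional "(interface)" qualifier before the server group name.
        args = [w for w in line.split() if not w.startswith("(")]
        if current is None or len(args) < 2:
            continue
        key, args = args[0], args[1:]
        if key in SIMPLE:
            current[SIMPLE[key]] = args[0]
        elif key == "secondary-authentication-server-group" and args[0] != "none":
            current["secondary"] = args[0]
            current["prompt"] = ("second password only" if "use-primary-username" in args
                                 else "second username and password")
        elif key == "group-alias" and "disable" not in args[1:]:
            current["aliases"].append(args[0])
    return groups
```

Split tunneling is not in the tunnel-group block; it sits in the group policy named by `default-group-policy`, so check that policy separately for each profile.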