
ISE delivery XML file

marcio.tormente
Level 4

Hello Folks!

I'm using one AnyConnect VPN URL for different access and it is working, but the users have to type the URL every time they connect to the VPN.

Example: I have departments X, Y and Z. When a user tries to connect, ISE checks whether the user belongs to the AD group for X, Y or Z and assigns the correct IP (each department has its own IP range).

This is working fine, but the users are not so clever and forget the URL all the time. To fix the URL in the AnyConnect client, the user should receive the XML file.

I can't include the XML file in the FTD configuration because each department has a different configuration.

Is there any way for ISE to do it?

Thanks

7 Replies

Hi @marcio.tormente 

What other settings are unique to the department users? If the users just receive an IP address from a different range, then this configuration can be pushed out via ISE. So if ISE can apply all the unique department settings, then all the users can connect to the FTD using the same URL.

Hello Rob!

I appreciate your support.

The IP is already working; ISE is delivering the correct IP. The problem is that the URL to connect to the VPN is not fixed in the AnyConnect client.

The same group-policy is used for different departments and different locations, so it is not possible to include the XML in the group-policy configuration on the FTD.

For this reason, I think ISE should check the AD group and deliver the IP and the XML file.

 

I don't foresee a problem here. The only difference is you have multiple connection profiles with a unique URL for each department?

Just create a new shared connection profile for all departments, using the current group-policy, and configure a URL. Configure an XML file referencing this new URL and push it out to all clients. Authenticate and authorise the users via ISE and continue to push out the IP address based on AD group membership.

What do you mean by "new shared connection profile"?

Another detail: we have different URLs based on location using the same group-policy, just changing the alias.

The URL is configured under a connection profile, aka tunnel-group. What I am saying is just use one and let ISE apply the different configuration settings based on AD group.

Yes, but the idea was to use only one profile for all users.

 

@marcio.tormente

Which profile are you referring to?

I am saying you can have one XML profile on the client computers, configured using the same URL. ISE can do the complicated work and assign different attributes based on AD group membership, making the ASA/FTD configuration simpler and connecting easier for the users.

If you don't want ISE to do that, then you'd have to use multiple URLs in the connection profiles on ASA/FTD.
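The approach Rob describes in his two replies (one shared connection profile with one URL, ISE assigning the per-department attributes) leaves each client needing a single AnyConnect client profile with one server entry. The profile below is an added example, not a file posted in this thread; the display name, hostname and group alias are placeholders, and the alias is assumed to match the shared connection profile configured on the FTD.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile (not from the thread).
     vpn.example.com, "Company VPN" and "shared" are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Do not auto-connect; the user still picks when to connect,
         but never has to type the head-end address. -->
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <!-- Only machine/user certificate stores are consulted; no proxy tricks. -->
    <CertificateStore>All</CertificateStore>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>30</AuthenticationTimeout>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <!-- A single HostEntry: every department uses the same URL. Per-group
       settings (address pool, ACL, etc.) come from ISE authorization, so no
       department-specific entries are needed here. -->
  <ServerList>
    <HostEntry>
      <HostName>Company VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Assumed alias of the shared connection profile (tunnel-group) -->
      <UserGroup>shared</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Once this profile is deployed to the clients, the drop-down shows only "Company VPN", and the department-specific result is decided entirely by the ISE authorization policy matching the user's AD group.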
