507 Views · 5 Helpful · 2 Replies

WebVPN and AnyConnect VPN Access Condition

rjadhav163 (Level 1)

Hi

We have implemented AnyConnect RA SSL VPN as well as clientless VPN on the outside interface of an ASA 5525-X. The users can choose which VPN they want when they connect via a browser, using the drop-down profile box.

The users are authenticated with a RADIUS server (fallback LOCAL)

Now there is a new requirement: for some of these users, AnyConnect access has to be revoked. That means they should not be able to connect even if they already have the AnyConnect client installed, or if they navigate to the firewall with a browser and select the AnyConnect profile in the drop-down menu. They should only be able to access the clientless VPN. For the rest of the users, both types of connection must remain available.

So,

1. Is this construct possible? I am not sure how to implement it, since all the users are authenticated via RADIUS.

2. Will this be possible if the authentication server is LDAP instead of RADIUS?

Thanks and Regards,

R

Accepted Solution

That can easily be achieved with RADIUS. One way would be to configure the RADIUS server to send the Class attribute in authorization. The name of the Class attribute is the name of a local group-policy that the user will be placed in. The restricted users can now be placed in a group that only has a vpn-protocol of clientless configured.

Instead of sending the class-attribute, you could also directly send the attribute "Tunneling-Protocols" through RADIUS.

It can also be done with LDAP, there is an example for exactly this scenario in the documentation:

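The following ASA configuration is an added example illustrating the accepted answer; it is not from the thread or from Cisco documentation. It shows two group-policies that differ only in the permitted tunnel protocol, a tunnel-group that authenticates against RADIUS with LOCAL fallback, the Class attribute value the RADIUS server would return, and the LDAP attribute map for the second question. All names, addresses, DNs and secrets are placeholders.

```cisco
! Added example, not the thread author's config. Placeholders throughout.

! Restricted users: clientless (WebVPN portal) only, no AnyConnect.
group-policy GP-CLIENTLESS-ONLY internal
group-policy GP-CLIENTLESS-ONLY attributes
 vpn-tunnel-protocol ssl-clientless

! Everyone else: AnyConnect and clientless.
group-policy GP-FULL-ACCESS internal
group-policy GP-FULL-ACCESS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless

aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER

! The default-group-policy is the fail-closed choice: a user whose
! Access-Accept carries no Class attribute lands in the restricted policy.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-SRV LOCAL
 default-group-policy GP-CLIENTLESS-ONLY
tunnel-group RA-VPN webvpn-attributes
 group-alias "Remote Access" enable

! RADIUS side: the server returns IETF attribute 25 (Class) with the value
!   OU=GP-FULL-ACCESS;
! for unrestricted users and
!   OU=GP-CLIENTLESS-ONLY;
! for restricted users; the ASA places the session in that group-policy.

! LOCAL fallback must be covered too, otherwise the split is lost while the
! RADIUS server is unreachable. Local users with no explicit policy inherit
! the tunnel-group default (restricted); bind full-access users explicitly.
username full-user password PLACEHOLDER
username full-user attributes
 vpn-group-policy GP-FULL-ACCESS

! Question 2: the same result with LDAP, mapping AD group membership
! (memberOf) onto the group-policy name.
ldap attribute-map VPN-ACCESS-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Clientless-Only,OU=Groups,DC=example,DC=com" GP-CLIENTLESS-ONLY
 map-value memberOf "CN=VPN-Full-Access,OU=Groups,DC=example,DC=com" GP-FULL-ACCESS

aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.11
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER
 server-type microsoft
 ldap-attribute-map VPN-ACCESS-MAP
```

To confirm the mapping took effect, connect as a restricted user and check `show vpn-sessiondb detail`: the session's "Group Policy" field should read GP-CLIENTLESS-ONLY, and an AnyConnect attempt by that user is rejected at login rather than after the tunnel is built. Keeping the restrictive policy as the tunnel-group default means a misconfigured or missing attribute denies AnyConnect instead of silently granting it.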

Thanks Karsten! It worked!
