
AnyConnect - Group URLs - Hide Connection Profiles from the VPN Client drop-down menu

How to have only one profile shown in the AnyConnect Client drop-down menu and use group URLs to reach the other connection profiles.

The purpose of this document is to hide from the end user certain connection profiles that we don’t want them to access directly, or that we simply don’t want them to see under a group alias. This also applies when you want users to see only one connection profile alias, so they don’t get confused when they VPN into the ASA.

Let’s consider the following three connection profiles:

According to this output, only the “AnyConnect” group has an alias (Two-Factor-Authentication); therefore, this is the only group that users will see. Let’s consider a hypothetical scenario where the secondary authentication server is down, but we need VPN clients to connect using only their username and password. As there is no group-alias, we need to define a group URL on the connection profile as follows:

In this example an IP address is used; however, the publicly registered DNS entry can be used as well.

On the AnyConnect client, instead of using the FQDN or the public IP address of the ASA, you will now use the group URL you just created (with or without the https://).

In this example, users who VPN using the above group URL fall directly into the AnyConnect-RADIUS connection profile, which performs only username and password authentication.

The same method can be applied to the “Confidential” connection profile, which uses certificate authentication only.

In conclusion, AnyConnect group URLs can be used to hide certain connection profiles from most remote users, as only the people who know the group URL are able to access the connection profile.
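
The following script is an added example, not part of the original document: it reads an ASA running-config excerpt and reports which connection profiles appear in the drop-down (enabled group-alias) and which are reachable only through a group URL. The sample configuration, the address 192.0.2.1, the URL paths and the function names are constructed for illustration.

```python
import re

# Constructed ASA running-config excerpt (sample input, not from the original page).
# 192.0.2.1 and the URL paths are placeholder values.
SAMPLE_CONFIG = """\
webvpn
 tunnel-group-list enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect webvpn-attributes
 group-alias Two-Factor-Authentication enable
tunnel-group AnyConnect-RADIUS type remote-access
tunnel-group AnyConnect-RADIUS webvpn-attributes
 group-url https://192.0.2.1/radius enable
tunnel-group Confidential type remote-access
tunnel-group Confidential webvpn-attributes
 group-url https://192.0.2.1/confidential enable
"""

def audit_profiles(config):
    """Map each tunnel-group to its enabled group-alias and group-url entries."""
    profiles, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line leaves any sub-mode
            current = None
            m = re.match(r"tunnel-group (\S+) (type|webvpn-attributes)\b", line)
            if m:
                entry = profiles.setdefault(m.group(1), {"aliases": [], "urls": []})
                if m.group(2) == "webvpn-attributes":
                    current = entry
        elif current is not None:
            m = re.match(r"\s+group-(alias|url) (\S+) enable\s*$", line)
            if m:
                key = "aliases" if m.group(1) == "alias" else "urls"
                current[key].append(m.group(2))
    return profiles

def classify(profiles):
    """Return (drop-down visible, URL-only, no alias or URL) profile names."""
    visible = sorted(p for p, v in profiles.items() if v["aliases"])
    url_only = sorted(p for p, v in profiles.items() if v["urls"] and not v["aliases"])
    bare = sorted(p for p, v in profiles.items() if not v["urls"] and not v["aliases"])
    return visible, url_only, bare

if __name__ == "__main__":
    found = audit_profiles(SAMPLE_CONFIG)
    visible, url_only, bare = classify(found)
    print("Shown in drop-down:", visible)
    for name in url_only:
        print("Hidden, reachable via group URL:", name, found[name]["urls"])
    print("No alias or group URL:", bare)
```

Profiles in the URL-only list are absent from the drop-down but still reachable by anyone who has the URL, so the authentication configured on each one is what protects it.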