Anyconnect/clientless VPN per user rules

azitahotmail
Level 1

Hi all, I am setting up Clientless VPN and AnyConnect. I have created a connection profile and group policy and everything is working fine. However, I am confused as to how I set up per-user rules. I am using AD to authenticate users to log in, but at the moment when they log in they can access anywhere, whereas I would like different users to have different icons on a per-user (not per-group) basis, based on their AD credentials. I am at a loss as to find out how this links in with AD. I know the Web ACLs do this job, but only for users in the local database.

e.g.

user 1 has pc01 rdp icon on their webtop

user 2 has pc02 rdp icon on their webtop

any ideas?

9 Replies

Alex Pfeil
Level 7

I know that you can use Dynamic Access Policies to map an active directory group to a VPN group policy.  This would probably be the best way to do it.

This is an example provided by Cisco.

The Selection Criteria section is where an administrator would configure AAA and Endpoint attributes used to select a specific DAP record. A DAP record is used when a user’s authorization attributes match the AAA attribute criteria and every endpoint attribute has been satisfied.

For example, if the AAA Attribute Type: LDAP (Active Directory) is selected, the Attribute Name string is memberOf and the Value string is Contractors, as shown in Figure 5a, the authenticating user must be a member of the Active Directory group Contractors to match the AAA attribute criteria.

In addition to satisfying the AAA attribute criteria, the authenticating user will also be required to satisfy the endpoint attribute criteria. For example, if the administrator configured Cisco Secure Desktop (CSD) to determine the posture of the connecting endpoint and based on that posture assessment, the endpoint was placed in the CSD Location Unmanaged, the administrator could then use this assessment information as selection criteria for the endpoint attribute shown in Figure 5b.

Figure 5a. AAA Attribute Criteria


Figure 5b. Endpoint Attribute Criteria

azitahotmail
Level 1

Hi, I already have DAP rules per group set up as above; however, I am trying to do it per user.

I have had a look at the attribute maps, but I can't find the Cisco equivalent of username. Is it possible to have an Attribute Name value = username from AD, or will the above only work with AD groups?

For the above setup, you can only use groups.

I thought so. OK, so back to my original question: how do I define per-user rules based on AD usernames? I can't imagine I am the first person trying to achieve this.

Use the username field in the AAA Attribute for the dynamic access policy.

From Cisco:

The username of the authenticated user. Maximum 64 characters. Applies if you are using Local, RADIUS, LDAP authentication/authorization or any other authentication type.

You could be even more specific by saying user has all of the following AAA attributes:

username = alex

ldap memberof = security

Did this fix your issue?

Will you please rate helpful posts and mark the question as answered if this fixed your issue?

Thanks,

Alex
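As an added example (not from the original thread, Cisco's documentation, or any of the posters), here is what the per-user selection criteria Alex describes look like when written in the DAP record's Advanced (Lua) tab instead of the simple AAA attribute table. It assumes DAP exposes the authenticated username as `aaa.cisco.username` and the AD groups as `aaa.ldap.memberOf`, that the AD account for pc01's owner is `user1` (hypothetical), and that a hypothetical group `VPN-Users` is also required; both names are placeholders to replace. Because `memberOf` arrives as a string when the user is in one group and as a table when in several, the group check handles both shapes, and the username check normalises `DOMAIN\user` and `user@realm` forms before comparing.

```lua
-- Added example: DAP Advanced selection expression matching one AD user.
-- Not the original poster's or Cisco's code. Assumptions (hypothetical):
--   aaa.cisco.username  : username the user authenticated with
--   aaa.ldap.memberOf   : AD group DN(s), string or table of strings
--   USERNAME / GROUP    : placeholders for the real account and group
-- The record this expression selects would carry only pc01's RDP
-- bookmark; a second record with USERNAME = "user2" carries pc02's.
assert(function()
  local USERNAME = "user1"      -- assumed sAMAccountName of pc01's owner
  local GROUP    = "VPN-Users"  -- assumed AD group; remove if not wanted

  -- Normalise what the user typed: "EXAMPLE\user1", "user1@example.com"
  -- and "User1" all reduce to "user1".
  local function norm_user(u)
    if type(u) ~= "string" then return nil end
    u = string.match(u, "([^\\]+)$") or u   -- strip DOMAIN\ prefix
    u = string.match(u, "^([^@]+)") or u    -- strip @realm suffix
    return string.lower(u)
  end

  -- True if `wanted` is the CN of any DN in memberOf. Uses a plain
  -- (non-pattern) find so group names with '-' or '.' are safe.
  local function has_group(member_of, wanted)
    if type(member_of) == "string" then
      local start = string.find(member_of, "CN=" .. wanted .. ",", 1, true)
      return start == 1 or member_of == wanted
    elseif type(member_of) == "table" then
      for _, dn in ipairs(member_of) do
        if has_group(dn, wanted) then return true end
      end
    end
    return false
  end

  if norm_user(aaa.cisco.username) == USERNAME
     and has_group(aaa.ldap.memberOf, GROUP) then
    return true
  end
  return false
end)()
```

Two practical points when using this. First, DAP records that match are aggregated, so if the existing per-group record (or the group policy itself) already hands out every bookmark, the per-user record only adds to that; to get the "user 1 sees only pc01" result, the group policy and the group-level record should carry no bookmarks and the per-user records should supply them. Second, the username DAP compares is whatever was authenticated, so the match is only as strong as the AD authentication behind it; keep the per-user record's priority above the generic one so its narrower bookmark list is what the webtop shows.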