04-06-2019 09:32 AM - edited 02-21-2020 09:36 PM
I have a default webvpn configuration which has the anyconnect image and anyconnect profiles xml file specified. This is for the existing anyconnect/ISE deployment. I need to test a new deployment of ISE. Is there a way I can override the default webvpn config by having webvpn settings for the anyconnect image and anyconnect profiles under the new test group-policy?
Will the webvpn config under the group-policy attributes override the global webvpn config?
So under my test group-policy attributes I can put the new anyconnect image and profile config, which will ignore the global settings? Ex:
webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg
 anyconnect profiles anyconnect.current disk0:/anyconnect.current.xml
group-policy TEST attributes
 webvpn
  anyconnect image disk0:/anyconnect-win-4.7.pkg
  anyconnect profiles anyconnect.test disk0:/anyconnect.test.xml
Is this possible? Or if not how can I achieve this?
04-06-2019 08:20 PM
Hi
First of all, anyconnect image sets the minimum requirement, and you can use a higher version on a desktop; it won’t matter.
You can also add as many anyconnect images as you want into the webvpn configuration by setting a priority at the end of the anyconnect image command, like:
anyconnect image disk0:/anyconnectxxxx.pkg 1
The 1 here indicates the highest priority, and you can add a new one with a value of 5, for example. The 1st is the most important, but again, you don’t need to do it if you’re using version 4.7 when 4.0 is configured.
For the anyconnect profile, you’ll need to configure it under the global webvpn section and then call it under your group-policy.
Instead of re-typing it, take a look here (it’s well explained in the section Enabling AnyConnect Client Profile Downloads): https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_anyconnect.html#pgfId-1109905
04-07-2019 01:52 AM - edited 04-07-2019 01:52 AM
I have an existing ISE deployment using the ASA for VPN, and I have another completely separate ISE deployment running in parallel. I need to be able to have two group-policies with their own separate xml profiles, so a separate group-policy for each ISE deployment.
So from what I understand now, I can have something like this?
webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg
 anyconnect profiles old.ise disk0:/anyconnect.old.ise.xml
 anyconnect profiles new.ise disk0:/anyconnect.new.ise.xml
group-policy OLD-ISE attributes
 ...
 webvpn
  anyconnect profiles value old.ise type user
 ...
group-policy NEW-ISE attributes
 ...
 webvpn
  anyconnect profiles value new.ise type user
 ...
Have I got the config correct? If so, what about the anyconnect image? How do I tell group-policy NEW-ISE to use a different anyconnect image than the one already configured under the global webvpn?
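Added example, not part of the thread and not Cisco code: a small offline check that every profile a group-policy calls with "anyconnect profiles value" is also defined under the global webvpn section, as the reply above describes. It assumes the one-space-per-level indentation of a saved running-config; the function name audit_profiles and the BROKEN policy are hypothetical.

```python
import re

# Constructed sample (assumed running-config indentation), reusing the thread's
# profile names. group-policy BROKEN is invented to show a dangling reference.
SAMPLE_CONFIG = """\
webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg 1
 anyconnect profiles old.ise disk0:/anyconnect.old.ise.xml
 anyconnect profiles new.ise disk0:/anyconnect.new.ise.xml
group-policy OLD-ISE attributes
 webvpn
  anyconnect profiles value old.ise type user
group-policy NEW-ISE attributes
 webvpn
  anyconnect profiles value new.ise type user
group-policy BROKEN attributes
 webvpn
  anyconnect profiles value test.ise type user
"""

GLOBAL_PROFILE = re.compile(r"^ anyconnect profiles (\S+) (\S+)$")
POLICY_HEADER = re.compile(r"^group-policy (\S+) attributes$")
POLICY_PROFILE = re.compile(r"^  anyconnect profiles value (\S+) type (\S+)$")

def audit_profiles(config_text):
    """Return (defined, references, dangling) for AnyConnect client profiles."""
    defined, references, section = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # a new top-level command
            header = POLICY_HEADER.match(line)
            if line == "webvpn":
                section = ("global", None)
            elif header:
                section = ("policy", header.group(1))
            else:
                section = None                  # unrelated block, ignore its lines
        elif section and section[0] == "global":
            m = GLOBAL_PROFILE.match(line)      # name -> file defined globally
            if m:
                defined[m.group(1)] = m.group(2)
        elif section:
            m = POLICY_PROFILE.match(line)      # name called by this group-policy
            if m:
                references[section[1]] = m.group(1)
    dangling = {p: n for p, n in references.items() if n not in defined}
    return defined, references, dangling

if __name__ == "__main__":
    print(audit_profiles(SAMPLE_CONFIG)[2])
```
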
04-08-2019 12:03 PM