
ASA webvpn anyconnect config override

Madura Malwatte
Level 4

I have a default webvpn configuration which has the anyconnect image and anyconnect profiles XML file specified. This is for the existing anyconnect/ISE deployment. I need to test a new deployment of ISE. Is there a way I can override the default webvpn config by having webvpn settings for the anyconnect image and anyconnect profiles under the new test group-policy?

Will the webvpn config under the group-policy attributes override the global webvpn config?

 

So under my test group-policy attributes I can put the new anyconnect image and profile config, which will ignore the global settings? Ex:

 

webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg
 anyconnect profiles anyconnect.current disk0:/anyconnect.current.xml

group-policy TEST attributes
 webvpn
  anyconnect image disk0:/anyconnect-win-4.7.pkg
  anyconnect profiles anyconnect.test disk0:/anyconnect.test.xml

 

Is this possible? Or if not how can I achieve this?


Francesco Molino
VIP Alumni

Hi

 

First of all, anyconnect image sets the minimum requirement, and you can use a higher version on a desktop; it won’t matter.

You can also add as many anyconnect images as you want into the webvpn configuration by setting a priority at the end of the anyconnect image command, like:

anyconnect image disk0:/anyconnectxxxx.pkg 1

The 1 here indicates the highest priority, and you can add a new one with a value of 5, for example. The 1st is the most important, but again, you don’t need to do it if you’re using version 4.7 when 4.0 is configured.

 

For the anyconnect profile, you’ll need to configure it under the global webvpn section and then call it under your group-policy.

Instead of re-typing it, take a look here (it’s well explained in the section Enabling AnyConnect Client Profile Downloads): https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_anyconnect.html#pgfId-1109905

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino 

I have an existing ISE deployment using the ASA for VPN, and I have another completely separate ISE deployment running in parallel. I need to be able to have two group-policies with their own separate xml profiles, so a separate group-policy for each ISE deployment.

So from what I understand now, I can have something like this?

webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg
 anyconnect profiles old.ise disk0:/anyconnect.old.ise.xml
 anyconnect profiles new.ise disk0:/anyconnect.new.ise.xml

group-policy OLD-ISE attributes
 ...
 webvpn
  anyconnect profiles value old.ise type user
 ...

group-policy NEW-ISE attributes
 ...
 webvpn
  anyconnect profiles value new.ise type user
 ...

Have I got the config correct? If so, what about the anyconnect image? How do I tell group-policy NEW-ISE to use a different anyconnect image than the one already configured under the global webvpn?

You're going to push the anyconnect using a GPO for example. If you modify it on your ASA, it's gonna update all your old-ise users.
I'm thinking and don't see any workaround to configure 2 images for 2 group policies.
I can check in my lab to see if there's a way.
Honestly I don't see any except by pushing it through ISE using the posture url redirect for example. The issue is that you're going to push the posture module even if we don't use it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
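
An offline check for the pattern worked out in this thread, added here as an example (it is not from any poster and is not a Cisco tool): profiles are defined under global webvpn and referenced from a group-policy with "anyconnect profiles value", while anyconnect image belongs to global webvpn only. The function name lint_anyconnect and the sample config are constructed for illustration, and the parser assumes the one-space-per-level indentation of "show running-config" output.

```python
import re

# Constructed sample modelled on the configs posted in this thread.
SAMPLE = """\
webvpn
 anyconnect image disk0:/anyconnect-win-4.0.pkg 1
 anyconnect profiles old.ise disk0:/anyconnect.old.ise.xml
group-policy OLD-ISE attributes
 webvpn
  anyconnect profiles value old.ise type user
group-policy NEW-ISE attributes
 webvpn
  anyconnect profiles value new.ise type user
group-policy TEST attributes
 webvpn
  anyconnect image disk0:/anyconnect-win-4.7.pkg
  anyconnect profiles anyconnect.test disk0:/anyconnect.test.xml
"""

def lint_anyconnect(config):
    """Return (profiles defined under global webvpn, list of findings)."""
    defined, refs, findings = set(), [], []
    policy, webvpn_indent = None, None   # current group-policy / webvpn depth
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                  # a top-level command resets the scope
            m = re.match(r"group-policy (\S+) attributes$", line)
            policy = m.group(1) if m else None
        if webvpn_indent is not None and indent <= webvpn_indent:
            webvpn_indent = None         # left the webvpn submode
        if line == "webvpn":
            webvpn_indent = indent
            continue
        if webvpn_indent is None:
            continue
        m = re.match(r"anyconnect profiles (value )?(\S+)", line)
        if m and policy is None and not m.group(1):
            defined.add(m.group(2))      # global definition: name + file
        elif m and policy and m.group(1):
            refs.append((policy, m.group(2)))
        elif m and policy:               # definition form used in a group-policy
            findings.append(f"{policy}: profile '{m.group(2)}' is defined under the group-policy")
        elif policy and line.startswith("anyconnect image "):
            findings.append(f"{policy}: anyconnect image set under the group-policy")
    findings += [f"{p}: undefined profile '{n}'" for p, n in refs if n not in defined]
    return defined, findings
```

On the sample, the TEST group-policy is flagged twice and NEW-ISE is flagged because new.ise was never defined under global webvpn, which would otherwise leave those users without the intended profile.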