Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13944
Views
0
Helpful
11
Replies

Cisco VPN Anyconnect Group Password

Go to solution
avilt
Level 3
Level 3

‎08-16-2013 06:00 PM - edited ‎02-21-2020 07:06 PM

In earlier verions of Cisco VPN client (with VPN concentrator) we had the option to define Group password.

With anyconnect (SSL or IPSec, not browser based) there is no provision for that. How can I compensate this in

anyconnect since only the username and passwords are being used for establishing the vpn?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to avilt

‎08-21-2013 05:19 AM

I believe that the issue with this approach is how to prevent a user who should be in one group from logging in and choosing a different group on the login screen. The usual way to deal with this is with the group lock parameter. Group lock works if the users are authenticated using the ASA local user database. I got it to work when users are authenticated via Radius. I did not see a way to get TACACS to pass the group ID to the ASA and so am not sure that group lock will work when authenticating via TACACS.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎08-16-2013 08:43 PM

If I understand your question correctly you are looking for a way with the AnyConnect client to configure (or enforce) a group password that is shared with everyone in the group. A customer that I work with had this same question a while back. We came to the understanding that AnyConnect does not have the same concept of a group password that is shared by everyone in the group and that there is no way to have this functionality with AnyConnect client.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
avilt
Level 3
Level 3
In response to Richard Burts

‎08-17-2013 12:07 AM

So what is the best way with Anyconnect to distribute a unique profile to each group. I have a unique ACL's per VPN group.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to avilt

‎08-17-2013 12:54 PM

You can associate the client XML profile with a group policy which in turn is associated with a connection profile and it will be downloaded to the client upon connecting.

Have a look at this link:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1086782

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
avilt
Level 3
Level 3
In response to Marius Gunnerud

‎08-17-2013 09:57 PM

"it will be downloaded to the client upon connecting."

a) How can I force particular department to download only the specific profile and not what they wish? Let's say SALES department should be able to download only the SALES profile and IT DEPT the IT profile.

b) As an admin I would like to have all the profiles listed on my PC. How can I achieve this?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to avilt

‎08-18-2013 02:07 AM

I think I may have misunderstood you in the begining.  Are we talking about the XML client profiles or the connection profiles?  It now sounds like you mean the connection profiles.

A).  You can map the connection profile to the user thus only enabling them to use that connection profile.  If they choose a different profile they will not be granted access.

username cisco attributes

group-lock value

B). If you want all the profiles to show up so you can select them when you connect you would need to allow users to select connection profile.  This will be enabled for everyone eventhough they will only be able to connect to one specific profile.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Marius Gunnerud

‎08-18-2013 04:34 AM

How are your unique ACLs being assigned now? Are they coded and assigned in the ASA as part of the connection profile? Are they assigned by the authentication server? You probably can assign them the same way in AnyConnect.

The real issue with AnyConnect is the opportunity for a user to see other groups and to attempt to login as a member of the other group (and get access privileges of the other group). And the group-lock feature is how you would control which group the user is allowed to login to.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Richard Burts

‎08-18-2013 08:11 AM

You can also  issue identity certificates to the users and based on the content of the certificate, the user can be mapped to a specific profile.  This does get a bit more complicated, but it is an option.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
avilt
Level 3
Level 3
In response to Richard Burts

‎08-21-2013 03:23 AM

My current profile is on VPN concentrator nothing is defined thru AAA server. The login is integratd with TACACS/Active Directory.

I have a small setup, to make it simple, I will create client profile for each group using the profile editor. Place the XML profile file in the profile directory and run the anyconnect client installation manually. Am I following the right method?

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to avilt

‎08-21-2013 05:19 AM

I believe that the issue with this approach is how to prevent a user who should be in one group from logging in and choosing a different group on the login screen. The usual way to deal with this is with the group lock parameter. Group lock works if the users are authenticated using the ASA local user database. I got it to work when users are authenticated via Radius. I did not see a way to get TACACS to pass the group ID to the ASA and so am not sure that group lock will work when authenticating via TACACS.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
avilt
Level 3
Level 3
In response to Richard Burts

‎08-23-2013 01:07 AM

Thank You,

Is it possible to deploy GINA package (SBL) thru web deployment on the client?

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to avilt

‎08-23-2013 06:44 AM

Yes it is possible to deploy thru web deployment the GINA/SBL package. I have a customer who is doing this and it works pretty well.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents