Default Anyconnect Profile for Always On users

abhijith891 · ‎01-08-2019

Hi All,

We have 3 Anyconnect profiles X,Y,Z for three locations A, B, C. I want the users from location A to be connected to profile X by default, and fallback to Y & Z. Similarly, I want users from location B to be connected to profile Y by default, and fallback to X & Z and so on. So can someone please suggest how we can go about doing this? I saw something about modifying group-url and group-alias in the tunnel-group policies but I am not sure if it will work for Always-On VPN.

Mohammed al Baqari · ‎01-08-2019

If you have ISE then you can create general tunnel group as well as X,Y,Z
tunnel groups each with its profile.

All users connect to same tunnel group which is general and according to
their OUs, for example in case of AD authentication, ISE redirect the user
to corresponding tunnel group which provides the required profile.

This is the easiest way but if you don't have ISE or ACS then you can use
same concept with different URLs per location and combine it with group-url
feature to replace ISE

stsargen · ‎01-08-2019

If you deploy an AlwaysOn profile all other VPN profiles will be removed. You might want to look into doing this in a single profile with multiple server entries, or backup servers.