AD user connects to multiple VPN profiles

kostasthedelegate · ‎01-20-2020

Hello,

I have an ASA accessed by ASDM, used for Anyconnect VPN purposes.

I have a profile A and the users connect to it via AAA(Active Directory).

I have a need for a second profile B that will give another access.

Some users will be able to connect to both profiles.

The problem I have is that if such a user tries to connect he gets an IP from the A pool.

Another thing is that the ASA finds hin in Group GroupPolicy_B but gives him the group policy of GroupPolicy_A.

In the logs I see the following:

6|Dec 24 2019|10:52:30|734001|||||DAP: User xxxx, Addr x.x.x.x, Connection AnyConnect: The following DAP records were selected for this connection: B, C, D, E, F
6|Dec 24 2019|10:52:30|113008|||||AAA transaction status ACCEPT : user = xxxx
6|Dec 24 2019|10:52:30|113009|||||AAA retrieved default group policy (GroupPolicy_B) for user = xxxx
6|Dec 24 2019|10:52:30|113011|||||AAA retrieved user specific group policy (GroupPolicy_A) for user = xxxx
6|Dec 24 2019|10:52:30|113003|||||AAA group policy for user xxxx is being set to GroupPolicy_A
6|Dec 24 2019|10:52:30|113004|||||AAA user authorization Successful : server = x.x.x.x : user = xxxx
6|Dec 24 2019|10:52:30|113011|||||AAA retrieved user specific group policy (GroupPolicy_A) for user = xxxx
6|Dec 24 2019|10:52:30|113003|||||AAA group policy for user xxxx is being set to GroupPolicy_A

I connect through a URL (like this sthing.com and sthing.com/b for each profile), but the behavior is the same whichever URL I connect to.

How could I instruct the ASA to connect to a specific profile?

Thanks and regards,

Konstantinos

harmesh88 · ‎01-21-2020

Hi,

Please use below mentioned document as i know it will fulfilled your requirement .

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

You can use lDAP Attribute which will give specific access which is belogs to specific group