cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
426
Views
0
Helpful
1
Replies

AD user connects to multiple VPN profiles

Hello, 

 

I have an ASA accessed by ASDM, used for Anyconnect VPN purposes. 

I have a profile A and the users connect to it via AAA(Active Directory).

I have a need for a second profile B that will give another access. 

Some users will be able to connect to both profiles. 

The problem I have is that if such a user tries to connect he gets an IP from the A pool. 

Another thing is that the ASA finds hin in Group GroupPolicy_B but gives him the group policy of GroupPolicy_A. 

 

In the logs I see the following:

 

6|Dec 24 2019|10:52:30|734001|||||DAP: User xxxx, Addr x.x.x.x, Connection AnyConnect: The following DAP records were selected for this connection: B, C, D, E, F
6|Dec 24 2019|10:52:30|113008|||||AAA transaction status ACCEPT : user = xxxx
6|Dec 24 2019|10:52:30|113009|||||AAA retrieved default group policy (GroupPolicy_B) for user = xxxx
6|Dec 24 2019|10:52:30|113011|||||AAA retrieved user specific group policy (GroupPolicy_A) for user = xxxx
6|Dec 24 2019|10:52:30|113003|||||AAA group policy for user xxxx is being set to GroupPolicy_A
6|Dec 24 2019|10:52:30|113004|||||AAA user authorization Successful : server = x.x.x.x : user = xxxx
6|Dec 24 2019|10:52:30|113011|||||AAA retrieved user specific group policy (GroupPolicy_A) for user = xxxx
6|Dec 24 2019|10:52:30|113003|||||AAA group policy for user xxxx is being set to GroupPolicy_A

 

I connect through a URL (like this sthing.com and sthing.com/b for each profile), but the behavior is the same whichever URL I connect to. 

How could I instruct the ASA to connect to a specific profile?

 

Thanks and regards, 

Konstantinos

1 Reply 1

harmesh88
Level 1
Level 1

Hi,

 

Please use below mentioned document as i know it will fulfilled your requirement .

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

You can use lDAP Attribute which will give specific access which is belogs to specific group