Always On VPN

zedmoackel
Level 1

The small company that I am working for has run into a couple of end users who are raising cybersecurity concerns, and we now need to force an always-on VPN to mitigate this.

This is where the caveat comes in: there are two users that we cannot force to have an always-on VPN, for numerous reasons, the first being that they own the company and often vacation in an area without any sort of internet access.

That being said, of our three-person IT team, none of us are too familiar with Cisco’s ASA and could really use some help.

Our setup: Cisco ASA with Firepower module, ASA version 9.14(2)15 and ASDM version 7.15(1)150.

VPN is configured already through AnyConnect and is functional; however, it does not force an always-on VPN. No AD/LDAP integration.

We currently have Active Directory on a Windows Server (2022).

Question: How do I go about forcing on a VPN for all users except 2?


Pavan Gundu
Cisco Employee

Here is the Cisco document for the same. Link

And yes, you can exempt users from Always ON, see Step #3 in Section "Configure Always ON".

tvotna
Spotlight

For example, you can configure a single connection profile in ASDM (tunnel-group in ASA CLI), but have two group-policies with different sets of parameters. I assume you use LOCAL authentication (i.e. all VPN users are configured locally on the ASA). So, you can assign group-policy DfltGrpPolicy (or some named policy you created) to all of them except the two users you mentioned:

group-policy pol1 attributes
 ... <standard stuff>
!
group-policy pol2 attributes
 webvpn
  always-on-vpn disable
!
tunnel-group <name> general-attributes
 default-group-policy pol1
!
username <name> attributes
 vpn-group-policy pol2

Per-user parameters set in the corresponding user group-policy override tunnel-group parameters set by the group-policy assigned by the "default-group-policy" command. Parameters not overridden are inherited. There is also DfltGrpPolicy which may not be assigned anywhere, but its parameters are still applied if they are not overridden per user or per tunnel-group.
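As an added example (not from the replies above), here is the pattern spelled out as a complete ASA CLI fragment with a placeholder profile name: the default group-policy tells AnyConnect to honor the Always-On setting from the client profile, and the two owner accounts get an exempt group-policy. All names (ALWAYSON_PROFILE, GP_ALWAYSON, GP_EXEMPT, CORP_VPN, owner1, owner2) and the profile path are assumed.

```cisco
! Register the AnyConnect client profile (built in the ASDM profile editor with
! Always-On enabled); the file path and profile name here are placeholders.
webvpn
 enable outside
 anyconnect profiles ALWAYSON_PROFILE disk0:/alwayson_profile.xml
 anyconnect enable
!
! Default policy for everyone: push the profile and enforce its Always-On setting.
group-policy GP_ALWAYSON internal
group-policy GP_ALWAYSON attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value ALWAYSON_PROFILE type user
  always-on-vpn profile-setting
!
! Exempt policy: identical except that Always-On is explicitly disabled.
! Everything not set here is inherited from DfltGrpPolicy.
group-policy GP_EXEMPT internal
group-policy GP_EXEMPT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  always-on-vpn disable
!
! One connection profile; its default group-policy applies unless a user overrides it.
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 default-group-policy GP_ALWAYSON
!
! Per-user override for the two owners (LOCAL authentication assumed).
username owner1 attributes
 vpn-group-policy GP_EXEMPT
username owner2 attributes
 vpn-group-policy GP_EXEMPT
!
! Checks: confirm the exempt policy really carries "always-on-vpn disable"
! and, after the owner connects, that the session shows GP_EXEMPT.
!   show running-config all group-policy GP_EXEMPT
!   show vpn-sessiondb anyconnect filter name owner1
```

Because only the two named accounts point at GP_EXEMPT, any new local user you add later automatically falls under the enforced policy.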