AnyConnect users authenticating via NPS RADIUS Server. Issue with multiple Group Policies

Hello,

We have managed to set up authentication via NPS RADIUS server for our AnyConnect VPN users as per the below document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

This works fine, however, we have two policies on the NPS server, one that matches certain users to a GroupPolicy1 on the ASA and the other that matches GroupPolicy2 on the ASA.

The issue is that when editing the anyconnect connection profile I am only able to enter one GroupPolicy under the "Default Group Policy" section.

I do not want to create multiple AnyConnect connection profiles if possible. I did see that we can create a group policy called NOACCESS or the like and set this as the policy of the connection profile, but I cannot see much info on this.

Any help in getting this working would be great.

Thanks

Nick

4 Replies

Rahul Govindan
VIP Alumni

What you have done so far looks right. Group-policies that get assigned via AAA attributes take preference over the locally defined GP. So when a user receives GroupPolicy1 from NPS, it will override the settings of the default group-policy for that connection profile. Ideally, the default group-policy is set to one that has "simultaneous logins" as 0, thus denying access to anyone who does not belong to GroupPolicy 1 or 2.

Another thing to note is that AAA assignment of group-policy does not mean that all the settings of the default-group-policy are ignored. I still need to define Simultaneous-login as 3 in group-policy 1 and 2 to override the setting from the default group-policy.

Many thanks Rahul,

I have configured a policy called "NOACCESS" as below:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 wins-server none
 dns-server value 10.50.20.9 8.8.8.8
 vpn-tunnel-protocol ssl-client
 password-storage disable
 split-tunnel-all-dns disable

And assigned it to the AnyConnect connection profile. So from what I understand, and please correct me if I am wrong, when a user logs into his AnyConnect connection with his AD credentials, the ASA will check the NPS and see that the NPS is configured to match GroupPolicy1 on the ASA; this then overrides the NOACCESS policy and the user gets the correct split tunneling that is assigned to GroupPolicy1. The same applies for users that the NPS matches against GroupPolicy2 (NOACCESS will be overridden and GroupPolicy2 will be applied).

So when you mention "simultaneous logins", can you let me know where I can set the values for this? Is there an option to do this via ASDM or do I need to do it via the command line?

Thanks a lot

Nick

Ah... just found the option. I have set it to 0 and will test. If this fails I will try and set it to 2.

Thanks

Nick

Yes, set this value to 0 for NOACCESS and 3 for GroupPolicy1 and GroupPolicy2.
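The following ASA CLI configuration is an added example illustrating the design agreed in this thread (it is not the poster's configuration or text from the linked Cisco document): a deny-by-default group-policy with vpn-simultaneous-logins 0 bound to the single AnyConnect connection profile, and two RADIUS-assignable group-policies that explicitly set vpn-simultaneous-logins 3 so they override the default. The server name NPS, the addresses 10.0.0.5 and 10.50.20.9/8.8.8.8, the tunnel-group name ANYCONNECT, the ACL names and the pool are assumed values for illustration only; replace them with your own.

```cisco
! --- RADIUS server used for AnyConnect authentication (assumed name/address) ---
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! --- Default deny policy: bound to the connection profile, never returned by NPS ---
! vpn-simultaneous-logins 0 means a user who is authenticated but not mapped
! to GroupPolicy1/GroupPolicy2 by an NPS network policy is refused a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
 dns-server value 10.50.20.9 8.8.8.8

! --- Policies assigned by NPS (RADIUS attribute 25, Class = "OU=GroupPolicy1;") ---
! vpn-simultaneous-logins must be set explicitly here (3 per the accepted answer),
! otherwise the value 0 inherited from the default policy still applies.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_GP1
 address-pools value POOL_GP1

group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_GP2
 address-pools value POOL_GP2

! --- One connection profile for all users; NPS decides the effective policy ---
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group NPS
 default-group-policy NOACCESS
tunnel-group ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable

! --- Verification from the ASA CLI ---
! Confirm reachability and the returned attributes before users test:
!   test aaa-server authentication NPS host 10.0.0.5 username <user> password <pw>
! After a login, the "Group Policy" column should show GroupPolicy1 or GroupPolicy2,
! never NOACCESS (a NOACCESS user is rejected with the simultaneous-logins limit):
!   show vpn-sessiondb anyconnect
```

With this layout a misconfigured or missing NPS network policy fails closed: the user authenticates, lands in NOACCESS, and is rejected because zero concurrent sessions are permitted. Keep the explicit vpn-simultaneous-logins line in every RADIUS-assigned policy, since an attribute left unset in GroupPolicy1/GroupPolicy2 falls back to the value in the default policy, which in this design is the deny value.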