AnyConnect FMC limit access to devices a connection profile

WanWhipserer · ‎01-04-2024

In FMC I have a local Relm with users in it.

I have a RA VPN Configuration set to use the Local realm and inside I have 3 connection profiles. One with the Authentication set for SSO the other two are set for LOCAL. Each connection profile with a user logging in the local realm has a different Group of policiy to restrict access to some IPs.

Right now a user logging into the LOCAL realm can select to connect to one of the two connection profiles. Remember each profile has its own Group policy with different restrictions.

The way I have it set up is not working because they can just choose to log in under a different connection profile.

What is the best way to restrict some users to some IP addresses over an AnyConnect VPN

Ruben Cocheno · ‎01-04-2024

@WanWhipserer

If using AD change the server to use LDAP you can then use the LDAP attribute map to assign different policy settings to members of different AD groups. For example give IT admin a different IP address pool, the Access Control rule give the users from that IP address pool full unrestricted access. Where a contractor is a member of a different AD group, which is assigned a different IP address pool, the Access Control rules for the Contractors IP pool restricts access.

Example of LDAP attribute map - https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/