
Anyconnect only matches the DltGrpPolicy

clark.d
Level 1

I used the SSL VPN wizard to create an SSL VPN with a new group policy called sslvvpnpolicy. This worked fine, but while testing, it wouldn't connect unless ClientSSL is enabled on the dftgrppolicy. Even if I enable clientSSL on the new group policy, it does work, it will only connect if it is enabled on the defaultgrppolicy. I don't want the defaultgrppolicy to control this; what am I missing?

Auth=LDAP

ASA IOS = 8.2

ASDM = 6.49

Thanks

5 Replies

The user has to choose the right tunnel-group during connection setup. For that you have to assign aliases to the tunnel-group or add a URL to the tunnel-group that is used by the user.

If the user doesn't choose the Tunnel-group, then always the Default-GP is used for that connection.

If you don't want to let the user choose, you can assign the group-policy from the user settings (local or also from a remote server like RADIUS).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Good day Clark,

I do agree with Karsten.

In addition, I want to share this link with you:

ASA SSL VPN Tunnel Group Group-URL and Group-Alias selection methods

Please make sure your connection profiles are properly defined.

On the other hand, are you trying to assign a group-policy via RADIUS attribute 25?

If so, could you please run the following commands and collect the output of the AAA test?

1- debug aaa common 255

2- debug radius all

3- test aaa authentication MY_RADIUS_SERVER host SERVER_IP username myuser password mypassword

Thanks.

Portu.

juaherre
Level 1

Probably the alias is disabled. Here is a template of how the AnyConnect client configuration should look from the CLI (this is a basic setup with tunnelall and alias; NAT exemption not included):

webvpn
 enable outside
 svc image disk0:/anyconnect-no-dart-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable

ip local pool TEST 10.0.0.2-10.0.0.3 mask 255.255.255.0

group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol svc

tunnel-group TEST1 type remote-access
tunnel-group TEST1 general-attributes
 address-pool TEST
 default-group-policy TEST
tunnel-group TEST1 webvpn-attributes
 group-alias TEST enable
 group-url https://10.198.16.148/TEST enable
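
An added example, not part of any post in this thread: a small Python check that reads an ASA running-config and lists remote-access tunnel-groups with no enabled group-alias or group-url, the condition discussed above. The sample config, the tunnel-group name SSLVPN and the address 192.0.2.1 are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): SSLVPN has no group-alias or
# group-url; TEST1 follows the shape of the template posted above.
SAMPLE_CONFIG = """\
webvpn
 tunnel-group-list enable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 default-group-policy sslvvpnpolicy
tunnel-group TEST1 type remote-access
tunnel-group TEST1 general-attributes
 default-group-policy TEST
tunnel-group TEST1 webvpn-attributes
 group-alias TEST enable
 group-url https://192.0.2.1/TEST enable
"""

def audit_profiles(config):
    """Return {tunnel-group: [finding]} for remote-access profiles users cannot select."""
    profiles, current, list_enabled = {}, None, False
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"tunnel-group (\S+) (type \S+|\S+-attributes)$", line)
        if m:  # a tunnel-group line opens (or re-enters) that profile's context
            current = profiles.setdefault(
                m.group(1), {"type": None, "policy": None, "alias": 0, "url": 0})
            if m.group(2).startswith("type "):
                current["type"] = m.group(2)[5:]
        elif line == "tunnel-group-list enable":
            list_enabled = True
        elif current is not None:
            words = line.split()
            if words[:1] == ["default-group-policy"] and len(words) > 1:
                current["policy"] = words[1]
            elif words[:1] in (["group-alias"], ["group-url"]) and words[-1] != "disable":
                current[words[0][6:]] += 1  # "group-alias" -> "alias", "group-url" -> "url"
    findings = {}
    for name, p in profiles.items():
        if p["type"] != "remote-access":
            continue
        if not p["alias"] and not p["url"]:
            findings[name] = [f"no enabled group-alias or group-url; users cannot select it (default-group-policy {p['policy']})"]
        elif p["alias"] and not p["url"] and not list_enabled:
            findings[name] = ["group-alias set but 'tunnel-group-list enable' is missing"]
    return findings

if __name__ == "__main__":
    for name, notes in audit_profiles(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(notes))
```

The parser ignores indentation, so it also accepts a config pasted with the leading spaces lost.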

Hi Clark,

As mentioned before, please make sure there is an ALIAS or Group-URL defined for the specific connection profile.

Keep us posted.

Thanks.

Portu.

clark.d
Level 1

Thanks guys....that was it. Alias was not set.
