cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12436
Views
10
Helpful
8
Replies

Anyconnect profile editor - server list and backup servers

kapydan88
Level 4
Level 4

Hello for everybody.

 

What is difference between server list and backup servers in anyconnect profile editor for windows.

 

2020-09-19_22-04-31.png

 

For example, in server list i can add ip address or A record of my anyconnect server.

2020-09-19_22-04-52.png

2020-09-19_22-06-30.png

 

If i understand correctlt, int his particular case vpn.contoso.com - A record or ip address, and backup servers - 192.168.0.1 and 10.10.10.1 - server addresses for authenticating users when connecting to this vpn. 

2020-09-19_22-06-48.png

 

If its true, what is difference between next tab?

2020-09-19_22-05-04.png

 

2020-09-19_22-07-30.png

1 Accepted Solution

Accepted Solutions

You would define multiple aaa ldap servers on the ASA you connect to. You do not need to configure anything in the AnyConnect Profile Editor for backup domain controllers. The Backup server list in your screenshot above is for backup ASA/FTD headend devices, for when the primary is unavailable - it's these devices that would need configuring for authentication.

 

View solution in original post

8 Replies 8

Hi @kapydan88 

The "Backup Servers" defines global backup servers, applicable to all profiles. The backup servers defined under the "Server List" are unique to that profile only. You can have multiple profiles, so you could have different backup servers per profile - or use the global backup servers.

 

Reference:-

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000026c

 

HTH

Thanks for answer.

But, maybe i formulated question not exactly...

 

Lets describe next screen.

 

vpn.contoso.com - name of vpn server

For this connection we use ldap authentication - in other words, user can connect to vpn.contoso.com and get access depending on the membership in a particular active directory group.

For example, there are two domain controllers in contoso.com 192.168.0.1 and 10.10.10.1, and both should be used for user authentication. It turns out that in this particular case, users will send for authentication first to 192.168.0.1, and if it is unavailable to 10.10.10.1.

2020-09-19_22-06-30.png

 

Where you have defined vpn.contoso.com, it is only the display name within anyconnect, you also need to put vpn.contoso.com under”FQDN or IP address” field.

 

The backup server ip addresses or FQDN relates to the ASA or FTD, it has nothing to do with the authentication method. This section is purely used to identify which protocols to use and which VPN headend to connect to. The VPN headend device will be configured for authentication method.

 

If you use IP address, ensure the configured certificate has the IP address defined, otherwise you will receive an error. Usually you’d define the FQDN which is also defined in the certificate.

Thank you for answer.

 

Then how is the backup domain controller configured for user authentication? As i wrote earlier,users must send for authentication on 10.10.10.1 in case of unavailability 192.168.0.1. Is this set up somewhere else?

You would define multiple aaa ldap servers on the ASA you connect to. You do not need to configure anything in the AnyConnect Profile Editor for backup domain controllers. The Backup server list in your screenshot above is for backup ASA/FTD headend devices, for when the primary is unavailable - it's these devices that would need configuring for authentication.

 

Thank you for answer.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/aaa_ldap.html#23262

 

Like in this article for ASDM - "Configuring LDAP Server Groups"

Yes, that's correct.

Is there a similar method for firepower management center and firepower devices? There I found only creating radius server group groups (for Firepower Management Center Configuration Guide, Version 6.2.3).