09-19-2020 12:20 PM
Hello, everybody.
What is the difference between the server list and backup servers in the AnyConnect profile editor for Windows?
For example, in the server list I can add an IP address or A record of my AnyConnect server.
If I understand correctly, in this particular case vpn.contoso.com is the A record or IP address, and the backup servers, 192.168.0.1 and 10.10.10.1, are the server addresses for authenticating users when connecting to this VPN.
If that's true, what is the difference from the next tab?
09-19-2020 01:53 PM
Hi @kapydan88
The "Backup Servers" defines global backup servers, applicable to all profiles. The backup servers defined under the "Server List" are unique to that profile only. You can have multiple profiles, so you could have different backup servers per profile - or use the global backup servers.
Reference:
HTH
09-19-2020 02:35 PM
Thanks for the answer.
But maybe I didn't formulate the question exactly...
Let's describe the next screen.
vpn.contoso.com - name of the VPN server
For this connection we use LDAP authentication; in other words, a user can connect to vpn.contoso.com and get access depending on membership in a particular Active Directory group.
For example, there are two domain controllers in contoso.com, 192.168.0.1 and 10.10.10.1, and both should be used for user authentication. It turns out that in this particular case, users will be sent for authentication first to 192.168.0.1, and if it is unavailable, to 10.10.10.1.
09-19-2020 02:53 PM
Where you have defined vpn.contoso.com, it is only the display name within AnyConnect; you also need to put vpn.contoso.com under the "FQDN or IP address" field.
The backup server IP addresses or FQDNs relate to the ASA or FTD; they have nothing to do with the authentication method. This section is purely used to identify which protocols to use and which VPN headend to connect to. The VPN headend device will be configured for the authentication method.
If you use IP address, ensure the configured certificate has the IP address defined, otherwise you will receive an error. Usually you’d define the FQDN which is also defined in the certificate.
09-20-2020 12:30 AM
Thank you for the answer.
Then how is the backup domain controller configured for user authentication? As I wrote earlier, users must be sent for authentication to 10.10.10.1 in case 192.168.0.1 is unavailable. Is this set up somewhere else?
09-20-2020 12:57 AM
You would define multiple aaa ldap servers on the ASA you connect to. You do not need to configure anything in the AnyConnect Profile Editor for backup domain controllers. The Backup server list in your screenshot above is for backup ASA/FTD headend devices, for when the primary is unavailable - it's these devices that would need configuring for authentication.
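The configuration the answer above refers to, as an added example that is not part of the original thread and not the author's own config: an ASA AAA server group holding both domain controllers from the question (192.168.0.1 first, then 10.10.10.1 as fallback), an LDAP attribute map that grants a group policy only to members of a specific AD group, and a tunnel group that uses that server group. The group name CONTOSO-LDAP, the interface name inside, the bind account, the AD group DN, and the group-policy names are assumptions chosen for illustration.

```text
! Server group: hosts are tried in the order they are defined.
! After max-failed-attempts failures a host is marked dead and the
! next host in the group is used; depletion mode keeps trying the
! remaining hosts until all are dead, then waits deadtime minutes.
aaa-server CONTOSO-LDAP protocol ldap
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3

! Primary domain controller (first host = tried first)
aaa-server CONTOSO-LDAP (inside) host 192.168.0.1
 ldap-base-dn DC=contoso,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=contoso,DC=com
 ldap-login-password <bind-password-placeholder>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Backup domain controller (used when 192.168.0.1 is marked dead)
aaa-server CONTOSO-LDAP (inside) host 10.10.10.1
 ldap-base-dn DC=contoso,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=contoso,DC=com
 ldap-login-password <bind-password-placeholder>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Map AD group membership to a group policy; anyone not matched
! falls through to the tunnel group's default policy below.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=contoso,DC=com" GP-VPN-USERS

! Policy granted to members of CN=VPN-Users
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

! Default policy: authenticated but not in the allowed group -> no login
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! The tunnel group points at the server group, not at a single host.
tunnel-group CONTOSO-VPN type remote-access
tunnel-group CONTOSO-VPN general-attributes
 authentication-server-group CONTOSO-LDAP
 default-group-policy GP-NOACCESS
tunnel-group CONTOSO-VPN webvpn-attributes
 group-alias contoso enable
```

With this in place the AnyConnect profile only needs the headend entry (vpn.contoso.com) and, optionally, backup headends; the client never talks to the domain controllers directly. Use `test aaa-server authentication CONTOSO-LDAP host 10.10.10.1 username <user>` on the ASA to confirm the backup controller answers before relying on the failover, and `show aaa-server CONTOSO-LDAP` to see which host is currently marked dead.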
09-20-2020 01:13 AM
Thank you for the answer.
Like in this article for ASDM - "Configuring LDAP Server Groups"
09-20-2020 01:16 AM
Yes, that's correct.
09-20-2020 01:39 AM
Is there a similar method for Firepower Management Center and Firepower devices? There I found only creating RADIUS server groups (in the Firepower Management Center Configuration Guide, Version 6.2.3).