Frequent Contributor

Anyconnect Profiles / Group Policies

Hello All,

I'm reading through all the Anyconnect documentation I can find online and feel like I'm missing the fundamentals still.

I'm following through the configs and managing to get a "half" working remote access setup. I'm really just following the examples without much understanding behind what is being done.

Regarding Anyconnect Client Profiles / Connection / Group Policies etc. What is each for, how do these tie together with each other to give the desired end result of a successful working VPN solution? I'm just being shown how to configure each, but I'm trying to understand what each is and why it's needed.

Could someone who has a bit of experience with the ASA explain in an easy to follow manner? Routing and Switching I can handle, but the ASA / Anyconnect is just something I'm learning as I go along.

Thank You

Cisco Employee

Hi Grant

To add to the confusion, the CLI and ASDM sometimes use different terminology.

But in short, the basics are as follows:

1) a tunnel-group (connection profile in ASDM) is what a user connects to and which defines how AAA is done.

User-to-TG mapping depends on what type of VPN is used and can range from trivial (everyone connects to the default TG) to rather complex (users with certificates can get mapped to a TG based on a field in the cert, users can select a TG, etc.)

2) a group-policy is basically a set of policy attributes that is applied to a connection. Includes attributes that get pushed to the client (ip address, dns server etc.) and things like what time of day a user is allowed to connect, for how long, etc.

By default, the TG config specifies which GP is applied.

In a more advanced setup, user-specific config or external AAA (e.g. Radius or LDAP) can override which GP is used, or can override specific attributes in the GP.

3) a client profile (aka XML profile) is a set of client configuration settings that is pushed down from the ASA, i.e. the ASA admin can use this to e.g. configure the client to auto-connect on startup, or to block all network traffic when disconnected, etc.

The group-policy defines which client profile is pushed down (if any).

This is just a very basic and incomplete description with very limited examples but I hope this gives you a starting point.
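As an added example (not code from the thread or from Cisco), the short Python checker below walks the three objects the reply describes in the order the ASA resolves them, tunnel-group to default-group-policy to client profile, over a constructed ASA config with hypothetical names, and raises on a dangling reference between them, which is one thing worth checking when a setup only half works.

```python
# Added example, not code from the thread or from Cisco: follow the chain the reply
# describes (tunnel-group -> default-group-policy -> AnyConnect client profile) through
# a constructed ASA config and raise on a dangling reference. Names are hypothetical,
# and only one indent level is modelled (the nested webvpn is flattened into its GP).
ASA_CONFIG = """
webvpn
 anyconnect profiles corp-profile disk0:/corp-profile.xml
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
 vpn-idle-timeout 30
 webvpn
  anyconnect profiles value corp-profile type user
tunnel-group TG-RA type remote-access
tunnel-group TG-RA general-attributes
 authentication-server-group RADIUS-SRV LOCAL
 default-group-policy GP-RA
tunnel-group TG-BROKEN general-attributes
 default-group-policy GP-MISSING
"""

def parse_blocks(config):
    """Map each unindented line (a section header) to the stripped lines under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif line.strip():
            current.append(line.strip())
    return blocks

def first(lines, prefix, default):
    """Tokens of the first line under a section that starts with prefix."""
    return next((l.split() for l in lines if l.startswith(prefix)), default)

def resolve(config, tg):
    """What a user landing on tunnel-group tg gets; KeyError if a link is broken."""
    blocks = parse_blocks(config)
    tg_attrs = blocks.get(f"tunnel-group {tg} general-attributes", [])
    gp = first(tg_attrs, "default-group-policy ", ["", "DfltGrpPolicy"])[1]
    gp_attrs = blocks.get(f"group-policy {gp} attributes")
    if gp_attrs is None:
        raise KeyError(f"tunnel-group {tg} points at undefined group-policy {gp}")
    # Profiles are declared once under the global webvpn section; the GP names one.
    declared = {t[2]: t[3] for t in map(str.split, blocks.get("webvpn", []))
                if t[:2] == ["anyconnect", "profiles"]}
    prof = first(gp_attrs, "anyconnect profiles value ", [None] * 4)[3]
    if prof and prof not in declared:
        raise KeyError(f"group-policy {gp} pushes undeclared profile {prof}")
    return {"group_policy": gp, "profile": prof, "profile_path": declared.get(prof),
            "aaa": first(tg_attrs, "authentication-server-group ", ["", "LOCAL"])[1:],
            "idle_timeout_min": int(first(gp_attrs, "vpn-idle-timeout ", ["", "0"])[1])}
```

Running `resolve(ASA_CONFIG, "TG-RA")` returns the resolved policy, while `resolve(ASA_CONFIG, "TG-BROKEN")` raises because its default-group-policy does not exist.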
