Anyconnect Profiles

Kudetauk77
Level 1

Hi All

I am hoping someone can tell me a simple way to do this.

Scenario

My network has approx 1000 schools. Currently for remote access we use the VPN client; the users authenticate against a RADIUS server which talks to a modem which sends out a new password every time they log in. Currently we send them the pcf profile, they then import it into the client and away they go. This avoids them knowing any of the other groups we have, as there is no way of locking the group to the user, so if they know of another group their credentials will allow them in.

I am now building an AnyConnect platform but cannot find a way of simply importing a profile into the client. I need to find a way to do this without allowing them to see other groups that are configured on the ASA, only their own.


Ideally I would like to be able to import the profile directly into the AnyConnect client and disable the option to show a dropdown list, or link the login name to the profile so they can auto-download the group profile (the RADIUS server is FreeRADIUS).

Does anyone have a simple solution or any suggestions on how I can approach this to keep it secure and easy for the user to install?

Any help would be greatly appreciated.

The only way I currently see is:

1. User downloads the client and I send them the profile, but they would then need to put the profile in the correct registry location on a Windows box.

2. I somehow link the FreeRADIUS user to the ASA to lock down the group to the user; the caveat is that the modem sending the texts is where the user is configured, and I am terrible with Linux and AD, which are used.

6 Replies

You are trying to apply what you have done with the legacy VPN client to AnyConnect, but AC works completely differently. Here is the way to go:

  1. You configure the ASA for AnyConnect. If all users authenticate through your FreeRADIUS, then you only need one connection-profile. This could also be the default connection-profile.
  2. On the ASA you disable the drop-down menu where the users can choose the connection-profile. Your connection-profile is configured with the URL that should be used.
  3. You configure as many group-policies as you need with your preferred settings of VPN-pool, vpn-filter, split-tunneling and so on.
  4. You configure one AnyConnect-profile and assign it to your groups.
  5. The users initially connect to the configured URL, FreeRADIUS authenticates the user and assigns the right group-policy (RADIUS attribute 25, "Class"). The ASA now knows that for this user a profile is available and sends it to the client, where it gets installed.
  6. The next time, your user finds an entry in the drop-down menu of the AnyConnect client.
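The steps above make FreeRADIUS, not the user, decide which group-policy applies, so the configuration that matters is the pairing of each FreeRADIUS `users` entry with a group-policy that really exists on the ASA. The following is an added example (my own code, not from this thread or from Cisco) of a small audit that cross-checks a FreeRADIUS `users` file against a saved ASA configuration: it reports users with no Class reply (they silently land in the default group-policy), users whose Class names a group-policy the ASA does not define (same effect), and whether the tunnel-group drop-down has been disabled. It assumes the ASA expects the Class value in the form `OU=<group-policy-name>;`, and all of the sample data, user names and policy names are constructed for the example.

```python
"""Audit FreeRADIUS Class (attribute 25) replies against ASA group-policies.

Added example, not code from the thread. Assumptions (mine):
  * the ASA reads the group-policy name from a Class value "OU=<name>;"
  * the default group-policy is named by "default-group-policy" under the
    tunnel-group, else the built-in DfltGrpPolicy applies
All configuration text below is constructed sample data.
"""
import re

# Constructed excerpt of a FreeRADIUS "users" file: check items on the first
# line of an entry, reply items on the indented continuation lines.
USERS_FILE = """\
# school A staff -> pinned to GP_SCHOOL_A
craig   Cleartext-Password := "example-only"
        Class = "OU=GP_SCHOOL_A;"

# school B staff, with an extra reply attribute on the same entry
alice   Cleartext-Password := "example-only"
        Class = "OU=GP_SCHOOL_B;",
        Framed-MTU = 1400

# typo in the group-policy name -> falls back to the default group-policy
bob     Cleartext-Password := "example-only"
        Class = "OU=GP_SCHOL_B;"

# no Class reply at all -> falls back to the default group-policy
dave    Cleartext-Password := "example-only"
"""

# Constructed excerpt of the relevant parts of a saved ASA configuration.
ASA_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy GP_SCHOOL_A internal
group-policy GP_SCHOOL_A attributes
 vpn-tunnel-protocol ssl-client
group-policy GP_SCHOOL_B internal
webvpn
 no tunnel-group-list enable
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group FREERADIUS
 default-group-policy DfltGrpPolicy
"""

CLASS_RE = re.compile(r"^OU=([^;]+);?$")


def parse_users_file(text):
    """Return {username: {reply_attribute: value}} for each entry."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # new entry: username starts the line
            current = line.split()[0]
            users[current] = {}
            continue
        if current is None:
            continue
        # Reply items use "=", are comma separated, last one has no comma.
        for item in line.strip().rstrip(",").split(","):
            item = item.strip()
            if " = " in item:              # skips ":=" and "==" check items
                name, value = item.split(" = ", 1)
                users[current][name.strip()] = value.strip().strip('"')
    return users


def parse_asa_group_policies(text):
    """Return (set of group-policy names, default policy, dropdown_disabled)."""
    policies = set(re.findall(r"^group-policy (\S+) internal", text, re.M))
    policies.add("DfltGrpPolicy")          # always present on an ASA
    m = re.search(r"^\s*default-group-policy (\S+)", text, re.M)
    default = m.group(1) if m else "DfltGrpPolicy"
    dropdown_disabled = bool(
        re.search(r"^\s*no tunnel-group-list enable", text, re.M))
    return policies, default, dropdown_disabled


def audit(users_text, asa_text):
    """Classify every RADIUS user by the group-policy the ASA will apply."""
    users = parse_users_file(users_text)
    policies, default, dropdown_disabled = parse_asa_group_policies(asa_text)
    result = {"pinned": {}, "no_class": [], "unknown_policy": {},
              "default_policy": default, "dropdown_disabled": dropdown_disabled}
    for user, attrs in users.items():
        cls = attrs.get("Class")
        if cls is None:
            result["no_class"].append(user)
            continue
        m = CLASS_RE.match(cls)
        name = m.group(1) if m else cls
        if name in policies:
            result["pinned"][user] = name
        else:
            result["unknown_policy"][user] = name
    return result


if __name__ == "__main__":
    r = audit(USERS_FILE, ASA_CONFIG)
    print("drop-down disabled:", r["dropdown_disabled"])
    for u, p in r["pinned"].items():
        print(f"OK       {u:8} -> {p}")
    for u in r["no_class"]:
        print(f"NO CLASS {u:8} -> {r['default_policy']} (default)")
    for u, p in r["unknown_policy"].items():
        print(f"UNKNOWN  {u:8} -> {p!r} not on ASA, gets {r['default_policy']}")
```

Both failure cases end up in the default group-policy, which is why the sample ASA config sets `vpn-simultaneous-logins 0` on DfltGrpPolicy: a user who is not explicitly pinned should be refused rather than quietly given whatever the default allows. Run the script against a real `users` file and `show running-config` output by replacing the two constructed strings.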

Hi Karsten,

Thanks for the detailed info. I'll take a look at the RADIUS server and try and figure it out. I'll let you know how I get on.

Thanks again

Craig

Hi Karsten 

Do you know if there is a way I can deploy/send a predeployed client with a profile to a user?

I am trying to achieve this with it being as simple as possible for the user.

Regards

Craig 

Download the AnyConnect client and extract the archive. There you find a profile folder where you can place your profile. Distribute that to the user and the profile gets automatically installed with the client. More on this topic is found in the Admin Guide:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/deploy-anyconnect.html#d32472e1458a1635

Hi Karsten,

Only just had a chance to look at this. All of the info is great and looks fine until I get to the FreeRADIUS attribute 25. Would you know where this is located and how to configure it?

Thanks

Craig

I can't tell you where to configure that in FreeRADIUS, but it's a standard IETF RADIUS attribute.