Showing results for 
Search instead for 
Did you mean: 

Anyconnect SSL VPN best practices


Currently we are authenticating user by below 2 methods, please advise that is this sufficient security/ best practice or do you recommend extra security.

1) Corporate User ONLY: Anyconnect User Authenticate against AAA(Radius), then in ACS we have configured dACL in user groups to restrict the user access.

2) Non-Corporate Users ONLY: About 200 Non-Corporate users authenticate to Anyconnect vpn via SecureID, then in ACS we have configured dACL in user groups to restrict their access. in Anyconnect client user just enter its username and then enter RSA SecureID autogenerated keys then they are authorized.


1) Do you think that for Corporate/ Non-Corporate User, this is enough security, if not then please suggest a better solution

2)  RSA SecureID key maintenance and its postage to clients is a lenghty procedure, do you recommend if we finish RSA SecureID procedure and instead create Non-Corporate users in AAA and also authenticate them like Corporate users, obviously create a group for them and apply the dACL with restricted subnets for this group. OR please suggest a better solution.


Everyone's tags (4)
Hall of Fame Guru

Anyconnect SSL VPN best practices

Only you can answer the "is this enough security" question based on your company's individual risk assessment. Generally speaking two-factor authentication is considered a best practice. One thing to consider is that the administrative burden of maintaining separate systems and lists of users for different access levels may negate the additional security obtained thus. For that reason, among others, one very sustainable standard is your AAA server proxying back to your AD / LDAP identity store which is itself configured to require two-factor authentication. All users would use this method and, based on their individual identity and group membership, would be granted to necessary access levels. Using that scheme, revocation or change of any user is always done at the same administrative control point.

As far as the overhead of mailing out SecureID fobs or cards, have you considered using the SecureID smartphone application?