03-29-2017 10:52 PM - edited 02-21-2020 09:13 PM
Hello,
I was wondering if it is possible to assign a different group policy based on the AnyConnect user agent? I did take a look at the dynamic access policy but I don't see any options to assign the group policy.
What we are trying to achieve is, if the user connected using a mobile client, we would like to assign them a different address pool / different group policy.
Thanks,
03-30-2017 06:34 AM
Yes, DAP cannot assign Group-policy to a user (including IP address pools). For your scenario, you would have to create different Tunnel-Groups for mobile and non-mobile devices and have group-urls associated with each, so that they directly hit that TG and group-policy. You can then restrict the usage so that only mobile devices can access their group and vice versa using DAP rules.
04-04-2017 12:19 AM
Hi Rahul,
Thank you for your response. I have considered creating a separate URL and associated group for mobile and non-mobile users.
Say I have created 2 URLs and groups, the question is how to apply a DAP for the mobile URL and a DAP for the non-mobile user URL? I checked on my ASA, and I can only configure one DAP, which I assume is shared among group-policies.
Thanks,
04-04-2017 04:51 AM
You would have to create 2 DAP rules, each with a condition matching the Tunnel-Group/Connection Profile. This way Mobile and non-Mobile users will hit different DAP rules. You can create more than one DAP rule, but make sure to keep mutually exclusive conditions as a user can match multiple DAP rules.
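The layout described in the replies above, sketched as ASA CLI. This is an added example and not part of the original thread; the pool ranges, object names and `vpn.example.com` are constructed placeholders, and it assumes AnyConnect is already enabled on the outside interface.

```cisco
! Constructed sample values: pool ranges, object names, vpn.example.com
ip local pool POOL-DESKTOP 10.10.10.10-10.10.10.250 mask 255.255.255.0
ip local pool POOL-MOBILE 10.10.20.10-10.10.20.250 mask 255.255.255.0
!
! One group-policy per client class, each with its own address pool
group-policy GP-DESKTOP internal
group-policy GP-DESKTOP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-DESKTOP
group-policy GP-MOBILE internal
group-policy GP-MOBILE attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-MOBILE
!
! One tunnel-group (connection profile) per class, selected by group-url
tunnel-group TG-DESKTOP type remote-access
tunnel-group TG-DESKTOP general-attributes
 default-group-policy GP-DESKTOP
tunnel-group TG-DESKTOP webvpn-attributes
 group-url https://vpn.example.com/desktop enable
tunnel-group TG-MOBILE type remote-access
tunnel-group TG-MOBILE general-attributes
 default-group-policy GP-MOBILE
tunnel-group TG-MOBILE webvpn-attributes
 group-url https://vpn.example.com/mobile enable
!
! DAP records. Selection criteria are set in ASDM and stored in dap.xml,
! so they do not appear here. Intended criteria for each record:
!   BLOCK-DESKTOP-ON-MOBILE-TG: AAA attribute Cisco > Connection Profile = TG-MOBILE
!                               AND endpoint AnyConnect > Platform is not a mobile OS
!   BLOCK-MOBILE-ON-DESKTOP-TG: AAA attribute Cisco > Connection Profile = TG-DESKTOP
!                               AND endpoint AnyConnect > Platform is a mobile OS
! The two records match different connection profiles, so no session hits both.
dynamic-access-policy-record BLOCK-DESKTOP-ON-MOBILE-TG
 user-message "This URL is for mobile clients only"
 action terminate
 priority 20
dynamic-access-policy-record BLOCK-MOBILE-ON-DESKTOP-TG
 user-message "Mobile clients must use the mobile URL"
 action terminate
 priority 20
```

Sessions that match neither record fall through to `DfltAccessPolicy`, so that record has to stay at its continue action for this layout to admit anyone.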