Anyconnect tunnel-group and group-policy from LDAP

Fabian L
Level 1

Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.

To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.

It is my understanding that the authentication method is provided by the tunnel-group.

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD

This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.

Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.

When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.

To summarize, is it possible to let LDAP decide which tunnel-group is used, or is there another way to have different group policies without users being able to choose?


2 Replies

Marcin Latosiewicz
Cisco Employee

Fabian, 

Your connection lands on a tunnel group and picks a group policy. 

A typical way to overcome the problem you're indicating is by using group-url. 

A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.

vide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

M.
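As an added example (not the thread author's configuration and not taken from the Cisco document linked above), the following ASA configuration shows how the pieces discussed in this thread fit together: an LDAP attribute map that turns an AD group membership into the IETF-Radius-Class value the ASA uses to pick a group-policy, a dedicated tunnel-group that carries the secondary authentication server group and is reachable through a group-url, and a group-lock on the group-policy so that a user whose policy is assigned by LDAP cannot complete a connection on any other tunnel-group (for example DefaultWEBVPNGroup). All names, the AD DN, the IP address, the hostname and the OTP_RADIUS server group are assumed placeholders.

```cisco
! --- LDAP attribute map: AD group -> group-policy name (assumed names) ---
ldap attribute-map LDAP_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP_ADMINS

! --- LDAP server group used for primary authentication (assumed host/DN) ---
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map LDAP_MAP

! --- Group-policy selected by the IETF-Radius-Class value above ---
! group-lock rejects the session if the user lands on any other tunnel-group,
! so a user who simply uses the default URL cannot bypass the second factor.
group-policy GP_ADMINS internal
group-policy GP_ADMINS attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_ADMINS

! --- Tunnel-group with two-factor authentication, bound to its own URL ---
! OTP_RADIUS is an assumed, separately defined aaa-server group for the
! second factor.
tunnel-group TG_ADMINS type remote-access
tunnel-group TG_ADMINS general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group OTP_RADIUS
 default-group-policy GP_ADMINS
tunnel-group TG_ADMINS webvpn-attributes
 group-url https://vpn.example.com/admins enable
```

With this in place, "show vpn-sessiondb anyconnect" should report both Group Policy GP_ADMINS and Tunnel Group TG_ADMINS for a user who connected through the group-url; a user with the same AD group who connects through the default URL is refused by the group-lock rather than silently landing on DefaultWEBVPNGroup with only a single factor.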

Thanks for the suggestion, but just like enabling tunnel-group-list, group-url provides a 'variable' to a user which allows the user to change the tunnel-group. I'm aware it's possible to deny certain users certain tunnel-groups, but providing the tunnel-group option might cause confusion.

I'd like users to only remember a username/password and let LDAP do the rest.
