cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
147
Views
0
Helpful
2
Replies
Highlighted
Beginner

Anyconnect tunnel-group and group-policy from LDAP

Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.

To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.

It is my understanding that the authentication method is provided by the tunnel-group.

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD

This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.

Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.

When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.

To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

 

Everyone's tags (1)
2 REPLIES 2
Highlighted
Cisco Employee

Fabian, Your connection lands

Fabian, 

Your connection lands on a tunnel group and picks a group policy. 

A typical way to overcome the problem you're indicating is by using group-url. 

a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 

vide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

M.

Highlighted
Beginner

Thanks for the suggestion,

Thanks for the suggestion, but just like enabling tunnel-group-list  group-url provides a 'variable' to a user which allows the user to change the tunnel-group. I'm aware it's possible to deny certain users to certain tunnel-groups but providing the tunnel-group option might cause confusion.

I'd like users to only remeber a username/password and let LDAP do the rest.