Anyconnect tunnel-group and group-policy from LDAP

Fabian L
Level 1

Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.

To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.

It is my understanding that the authentication method is provided by the tunnel-group.

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_AD

This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.

Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.

When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.

To summarize, is it possible to let LDAP decide which tunnel-group is used, or is there another way to have different group policies without users being able to choose?

2 Replies

Marcin Latosiewicz
Cisco Employee

Fabian, 

Your connection lands on a tunnel group and picks a group policy. 

A typical way to overcome the problem you're indicating is by using group-url. 

A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.

vide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

M.
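As an added example (not configuration from either post), here is an ASA sketch of the group-url approach Marcin describes, extended with group-lock so that the group-policy LDAP returns via IETF-Radius-Class also enforces which tunnel-group the user is allowed to have landed on; this goes one step beyond the reply, since group-url alone only steers the user, while group-lock rejects a mismatch. The names TG_STANDARD, TG_ADMIN_2FA, GP_STANDARD, GP_ADMIN_2FA, OTP_RADIUS, the URLs and the address are assumptions; LDAP_AD is the server group from the original post.

```cisco
! Assumed secondary factor: an external OTP/RADIUS server (placeholder address).
aaa-server OTP_RADIUS protocol radius
aaa-server OTP_RADIUS (inside) host 10.0.0.20
 key REPLACE_WITH_SHARED_SECRET

! Group policies. group-lock ties each policy to the tunnel-group it may be used
! from: if LDAP returns GP_ADMIN_2FA but the user connected via TG_STANDARD (skipping
! the second factor), or returns GP_STANDARD for someone using the admin URL, the ASA
! denies the session instead of silently applying the policy.
group-policy GP_STANDARD internal
group-policy GP_STANDARD attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_STANDARD

group-policy GP_ADMIN_2FA internal
group-policy GP_ADMIN_2FA attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_ADMIN_2FA

! Standard tunnel-group: LDAP only, reached via its own group-url.
tunnel-group TG_STANDARD type remote-access
tunnel-group TG_STANDARD general-attributes
 authentication-server-group LDAP_AD
 default-group-policy GP_STANDARD
tunnel-group TG_STANDARD webvpn-attributes
 group-url https://vpn.example.com/standard enable

! 2FA tunnel-group: LDAP as primary, OTP_RADIUS as secondary, own group-url.
tunnel-group TG_ADMIN_2FA type remote-access
tunnel-group TG_ADMIN_2FA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group OTP_RADIUS
 default-group-policy GP_ADMIN_2FA
tunnel-group TG_ADMIN_2FA webvpn-attributes
 group-url https://vpn.example.com/admin enable

! Keep the tunnel-group drop-down hidden; the URL, not the user, selects the group.
webvpn
 enable outside
 anyconnect enable
 no tunnel-group-list enable
```

The LDAP side stays as in the original post: the IETF-Radius-Class value returned for the user must equal one of the group-policy names above, and group-lock then makes a wrong URL fail authorization rather than succeed with the wrong authentication strength.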

Thanks for the suggestion, but just like enabling tunnel-group-list, group-url provides a 'variable' to a user which allows the user to change the tunnel-group. I'm aware it's possible to deny certain users to certain tunnel-groups, but providing the tunnel-group option might cause confusion.

I'd like users to only remember a username/password and let LDAP do the rest.