Anyconnect Tunnel Group hiding

somerset-cc
Level 1

Using Anyconnect 2.5 ASA 8.3

I have 2 organisations connecting to this ASA using anyconnect. Each one has 2 tunnel groups.

I would like to hide the tunnel groups from the other organisations as this is a requirement from the customer.

I can see how to do this using the group-url feature under the tunnel group, but this will only work if the organisation wants one drop-down alias/tunnel group.

I can not use ldap mapping also because some users will use more than one tunnel group.

Does anyone know how this is possible without configuring 4 different aliases and them being visible to everyone?

Many Thanks

Sam

3 Replies

Marcin Latosiewicz
Cisco Employee

Sam,

Think more - how can ASA know that particular user/machine should land on a particular tunnel-group?

I've seen a solution where users would have different certificates on their machine and would provide anyconnect (via the option to choose certificate on windows) particular certificate depending on which group they wanted to connect (on ASA they had tunnel-group-map to land on particular tunnel-group).

If you cannot identify ANYTHING that is particular to none of the user groups... well, it will be hard for ASA to know beforehand ;-)

I know this does not answer your question... I would investigate if CSD in pre-login policy can identify what you might need.

Hope I'm making sense - it's midnight here ;-)

Marcin

I thought it was going to be difficult.

I was thinking that if I create 2 tunnel groups and they both use the group-url feature it might work?

If I create group URLs as follows:

1. ras.remote.co.uk/tunnel1

2. ras.remote.co.uk/tunnel2

Then the user at organisation 1 that may want to use tunnel 1 or tunnel 2 could use these URLs to connect to the ASA. I can't think how I can make shortcuts or run the connect of the AnyConnect client using these URLs though.

Hope this makes sense!

The only option if this doesn't work would be to have 4 aliases and each organisation would have visibility over all 4.

Unless CSD can stop these being shown if certain criteria are met?

Many Thanks

Sam

Sam,

For AnyConnect you can send the group you want to use within the AnyConnect user profile (it's called UserGroup).

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac09xml.html

Problem might be clientless ;-)

Indeed there is no way to make everyone use particular group-url (except for using group-lock)

CSD pre-login can make a decision based on certificate/file/registry entry .... OR IP address; maybe you could identify them based on IP? :-)

You can identify policy later on in DAP.

Marcin
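As an added illustration of the UserGroup approach from the reply above (this is example content, not a profile from the thread or from Cisco's documentation), below is a client profile for organisation 1 only. The hostname ras.remote.co.uk and the paths tunnel1/tunnel2 are the ones Sam proposed; the display names, the ClientInitialization settings and the assumption that each organisation is handed its own profile are mine. Each HostEntry pairs a HostAddress with a UserGroup whose value must match the path of the group-url configured on the corresponding tunnel-group, so the client lands on that tunnel-group without the user picking an alias.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnect client profile for organisation 1 (constructed, not from the thread).
     Organisation 2 would receive a separate profile listing only its own two entries,
     so neither organisation sees the other's tunnel groups in the server drop-down. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Minimal client settings; values here are assumptions for the example. -->
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <!-- Entry 1: maps to the tunnel-group whose group-url is https://ras.remote.co.uk/tunnel1 -->
    <HostEntry>
      <HostName>Org1 - Tunnel 1</HostName>
      <HostAddress>ras.remote.co.uk</HostAddress>
      <UserGroup>tunnel1</UserGroup>
    </HostEntry>
    <!-- Entry 2: maps to the tunnel-group whose group-url is https://ras.remote.co.uk/tunnel2 -->
    <HostEntry>
      <HostName>Org1 - Tunnel 2</HostName>
      <HostAddress>ras.remote.co.uk</HostAddress>
      <UserGroup>tunnel2</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two caveats worth keeping in mind when using this. First, the profile only hides and pre-selects; a user who knows another organisation's group-url can still type it into the client or a browser, so if the requirement is enforcement rather than just visibility, the group-lock option Marcin mentions (set in the group-policy the user is assigned to) is what actually prevents a user from authenticating against a tunnel-group that is not theirs. Second, a profile downloaded from the ASA is pushed on every connection, so the profile assignment itself has to be per group-policy, otherwise the last profile downloaded overwrites the organisation-specific one.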