01-06-2011 02:05 PM - edited 02-21-2020 05:04 PM
Using Anyconnect 2.5 ASA 8.3
I have 2 organisations connecting to this ASA using AnyConnect. Each one has 2 tunnel groups.
I would like to hide the tunnel groups from the other organisation, as this is a requirement from the customer.
I can see how to do this using the group-url feature under the tunnel group, but this will only work if the organisation wants one drop-down alias/tunnel group.
I also cannot use LDAP mapping, because some users will use more than one tunnel group.
Does anyone know how this is possible without configuring 4 different aliases and them being visible to everyone?
Many Thanks
Sam
01-06-2011 02:54 PM
Sam,
Think more: how can the ASA know that a particular user/machine should land on a particular tunnel-group?
I've seen a solution where users would have different certificates on their machine and would provide AnyConnect (via the option to choose a certificate on Windows) a particular certificate depending on which group they wanted to connect to (on the ASA they had tunnel-group-map to land on a particular tunnel-group).
If you cannot identify ANYTHING that is particular to any of the user groups... well, it will be hard for the ASA to know beforehand ;-)
I know this does not answer your question... I would investigate whether CSD in pre-login policy can identify what you might need.
Hope I'm making sense - it's midnight here ;-)
Marcin
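The certificate-based landing that Marcin describes, written out as an ASA configuration fragment. This is an added example, not configuration from the thread: the map names ORG1_T1 and ORG1_T2, the tunnel-group names TG_ORG1_T1 and TG_ORG1_T2, and the use of the certificate OU field to tell the two client certificates apart are all assumptions. For AnyConnect over SSL the mapping keyword under `webvpn` is `certificate-group-map`; the `tunnel-group-map` form Marcin mentions is the IPsec/IKE equivalent.

```text
! Added example (not from the thread). Names and the OU values are assumed.
! Each user holds two client certificates from the same CA, differing only in OU;
! picking a certificate in the AnyConnect client selects the tunnel-group.
crypto ca certificate map ORG1_T1 10
 subject-name attr ou eq tunnel1
crypto ca certificate map ORG1_T2 10
 subject-name attr ou eq tunnel2
!
webvpn
 enable outside
 svc enable
 certificate-group-map ORG1_T1 10 TG_ORG1_T1
 certificate-group-map ORG1_T2 10 TG_ORG1_T2
!
! Both tunnel-groups authenticate by certificate and carry no group-alias,
! so neither appears in the login drop-down seen by the other organisation.
tunnel-group TG_ORG1_T1 type remote-access
tunnel-group TG_ORG1_T1 webvpn-attributes
 authentication certificate
tunnel-group TG_ORG1_T2 type remote-access
tunnel-group TG_ORG1_T2 webvpn-attributes
 authentication certificate
```

Two checks worth doing before relying on this: the rule sequence number (10 here) is evaluated in order, so a broad rule placed before a specific one captures every certificate; and a certificate that matches no map falls back to the default tunnel-group (DefaultWEBVPNGroup), which should therefore be left with no usable group-policy.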
01-07-2011 06:26 AM
I thought it was going to be difficult.
I was thinking that if I create 2 tunnel groups and they both use the group-url feature it might work?
If I create group URLs as follows:
1. ras.remote.co.uk/tunnel1
2. ras.remote.co.uk/tunnel2
Then the user at organisation 1 that may want to use tunnel 1 or tunnel 2 could use these URLs to connect to the ASA. I can't think how I can make shortcuts, or make the AnyConnect client connect using these URLs, though.
Hope this makes sense!
The only option if this doesn't work would be to have 4 aliases and each organisation would have visibility over all 4.
Unless CSD can stop these being shown if certain criteria are met?
Many Thanks
Sam
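Sam's two group-url proposal, written out as an ASA 8.3 configuration fragment. This is an added example rather than configuration posted in the thread; the tunnel-group names TG_ORG1_T1 and TG_ORG1_T2, the group-policy name GP_ORG1 and the `svc` keyword spelling (the 8.3 form, renamed `anyconnect` in 8.4) are assumptions, while the URLs are the ones Sam gives.

```text
! Added example (not from the thread). Names are assumed; URLs are Sam's.
webvpn
 enable outside
 svc enable
!
group-policy GP_ORG1 internal
group-policy GP_ORG1 attributes
 vpn-tunnel-protocol svc
!
! A tunnel-group reached only by group-url, with no group-alias, never appears
! in the login drop-down; users reach it solely by the URL path.
tunnel-group TG_ORG1_T1 type remote-access
tunnel-group TG_ORG1_T1 general-attributes
 default-group-policy GP_ORG1
tunnel-group TG_ORG1_T1 webvpn-attributes
 group-url https://ras.remote.co.uk/tunnel1 enable
!
tunnel-group TG_ORG1_T2 type remote-access
tunnel-group TG_ORG1_T2 general-attributes
 default-group-policy GP_ORG1
tunnel-group TG_ORG1_T2 webvpn-attributes
 group-url https://ras.remote.co.uk/tunnel2 enable
```

The hiding depends entirely on not adding a `group-alias` to these tunnel-groups: as soon as one is added (and `tunnel-group-list enable` is set under `webvpn`), the name is listed for every client that reaches the portal. Hiding by group-url is also not access control; anyone who learns the path can present it, so authentication and any DAP or group-lock restrictions still have to be enforced on the tunnel-group itself.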
01-07-2011 08:46 AM
Sam,
For AnyConnect you can send the group you want to use within the AnyConnect user profile (it's called UserGroup).
The problem might be clientless ;-)
Indeed there is no way to make everyone use a particular group-url (except for using group-lock).
CSD pre-login can make a decision based on certificate/file/registry entry .... OR IP address; maybe you could identify them based on IP? :-)
You can identify policy later on in DAP.
Marcin
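The UserGroup profile setting Marcin refers to, as an added example of an AnyConnect client profile (not a profile from the thread). The profile name org1.xml, the display names and the pairing of UserGroup values with the group-url paths from Sam's post are assumptions. UserGroup is the path the client appends to HostAddress, so `tunnel1` here makes the client connect to https://ras.remote.co.uk/tunnel1 without the user typing the URL, and the host list becomes the "shortcut" Sam asked about.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). org1.xml is pushed only to organisation 1,
     so organisation 2 never sees these two entries in its client. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's connection list (assumed). -->
      <HostName>Org1 - Tunnel 1</HostName>
      <HostAddress>ras.remote.co.uk</HostAddress>
      <!-- Appended to HostAddress: the group-url path for the first tunnel-group. -->
      <UserGroup>tunnel1</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Org1 - Tunnel 2</HostName>
      <HostAddress>ras.remote.co.uk</HostAddress>
      <UserGroup>tunnel2</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

On ASA 8.3 the profile is registered under `webvpn` with `svc profiles ORG1_PROFILE disk0:/org1.xml` and attached per organisation under the group-policy's `webvpn` section with `svc profiles value ORG1_PROFILE` (the keyword became `anyconnect profiles` in 8.4; the profile and policy names are assumed). Because the profile is delivered by the group-policy the user first lands on, each organisation only ever receives its own host list, and adding `group-lock value` on that group-policy stops a user who learns the other organisation's URL from connecting through it. Clientless (browser) users get none of this, which is the gap Marcin points out.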