06-25-2013 07:48 PM - edited 02-21-2020 06:59 PM
I am currently using Cisco VPN client 5.x on Windows to connect to a Cisco VPN concentrator. First I connect with the VPN client and then log in to the Windows domain using the domain login features.
Now I am looking at the new replacement client "AnyConnect" and evaluating the software "AnyConnect Secure Mobility Client".
This software looks like a pure SSL VPN client, I could find the option to create a profile for specifying domain, group etc.
What software do I need to get in order to support my requirements?
Thanks
06-26-2013 06:55 AM
Are you talking about the old Cisco VPN concentrator? It doesn't support AnyConnect.
Michael
Please rate all helpful posts
06-26-2013 03:20 PM
I am not trying to use it with the Cisco VPN concentrator. I am just exploring the new AnyConnect client features. In "AnyConnect Secure Mobility Client", where can I configure the profiles, group name, Windows domain login options etc.?
06-26-2013 11:23 PM
This is configured centrally on the ASA. Choosing groups can be done via dropdown list on the client, specifying group within the connect link, or via certificate attributes.
Michael
Please rate all helpful posts
06-27-2013 02:52 AM
I am using the "AnyConnect Secure Mobility Client". I don't find the option to specify group name/password/domain authentication etc. At one place I only have the option to specify the VPN server.
When I press ALT+CTL+DEL on my Windows PC, the VPN client should pop up, connect to the VPN ASA and then log in to the domain. How can I set this up with the "AnyConnect Secure Mobility Client"?
06-27-2013 03:20 AM
I guess you should use the start-before-login module/feature of the AnyConnect client for the PC to be able to connect to the VPN first and then register with the AD. Which modules will be downloaded to the client from the server is controlled in the Group-policy/Advanced/Anyconnect Client/Optional client modules to download. There you should choose Anyconnect SBL (the image with all the modules should be in the ASA's flash). Plus, in the AnyConnect client profile, you should check the box "Use start before login".
For the part regarding authentication, if you're looking for where to specify group/password, it's not applicable to the SSL VPN, because there's no such thing as group authentication. That was only applicable for IKE. Group selection is done as ciscomax said, "via dropdown list on the client, specifying group within the connect link, or via certificate attributes". So, if you configured a group-url like https://serverIP/webvpngroup1 (settings done in the connection-profile tab if using ASDM), you should specify exactly this URL when connecting from the client PC. The server will know that if you're using this link, it should associate the client with the tunnel group for which this group-url was specified.
06-30-2013 07:30 PM
That means the "Start Before Login" can only be enabled from the ASA side?
In such a case, whoever wants to use the VPN client for the first time is required to log in to the domain (maybe using cached credentials), connect to the VPN server and then use this "Start Before Login" feature for future logins.
In the above case, let's assume the PC is at the remote location and the user has never logged into the PC (domain) even once. How can we address this issue?
06-30-2013 10:23 PM
You may predeploy AnyConnect with any module (including SBL), using the MSI package (for Windows). Those packages include the AnyConnect VPN client itself, plus all the modules available. When you install it, you may enable it (SBL) from the client PC directly, or using an AnyConnect profile (.xml file) downloaded from the ASA, where it was configured properly.
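Added example, not part of the thread and not Cisco tooling: a Python check that a predeployed AnyConnect profile (.xml) actually enables Start Before Logon and ties each server entry to a group-url, as the replies above describe. The element names (`UseStartBeforeLogon`, `HostEntry`, `HostAddress`, `UserGroup`) and the namespace are taken from the AnyConnect profile schema as an assumption; the host and group values are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace assumed from the AnyConnect profile schema.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile; host name and group name are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>webvpngroup1</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Backup VPN</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def audit_profile(xml_text):
    """Return (summary, findings) for one AnyConnect client profile."""
    root = ET.fromstring(xml_text)
    findings = []
    sbl = root.find("ac:ClientInitialization/ac:UseStartBeforeLogon", NS)
    enabled = sbl is not None and (sbl.text or "").strip().lower() == "true"
    if not enabled:
        findings.append("SBL is not enabled in the profile")
    elif sbl.get("UserControllable", "false").lower() == "true":
        # The user can switch SBL off on the PC, so it is not enforced.
        findings.append("SBL is enabled but user-controllable")
    urls = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        addr = entry.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        group = entry.findtext("ac:UserGroup", default="", namespaces=NS).strip()
        if group:
            # Address plus UserGroup forms the group-url the ASA matches on.
            urls.append(f"https://{addr}/{group}")
        else:
            urls.append(f"https://{addr}")
            findings.append(f"{addr}: no UserGroup, group is chosen at login")
    return {"sbl_enabled": enabled, "urls": urls}, findings


if __name__ == "__main__":
    summary, findings = audit_profile(SAMPLE_PROFILE)
    print(summary)
    for f in findings:
        print("finding:", f)
```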
08-12-2013 12:30 AM
a) When we set up AnyConnect VPN, how do clients get the AnyConnect image? What needs to be enabled in order to get the image from the ASA to the client? Is it both IPSec & SSL? Why is a device certificate a must for IPSec?
b) Are the ACLs for the AnyConnect group stateful?
08-12-2013 12:46 AM
a) If you don't predeploy the image, you have to set up the WebVPN portal page where users log in via browser and install the image. AnyConnect supports "only" IKEv2, which depends on a certificate, so this is a must.
b) Sure!
Michael
Please rate all helpful posts