Re: AnyConnect VPN's AD group restriction.

tinhnho123 · ‎03-01-2021

Hi Guys,

I have FTD/FMC setup for AnyConnect. The ISE is for authentication. In our AD's IT_Group_VPN which currently has almost 300 users for AnyConnect VPN. As setup today, everyone who is in this AD group 'IT_Group_VPN' would have access to AnyConnect VPN. We have about 20 peoples (helpdesk, server, architect, network teams) who has permission and can add user to IT_Group_VPN, recently I've found there are a lot of users whom have been added to this AD group for VPN access without informed network team. For security and licensing purposes, is there a way to prevent new user to connect to AnyConnect VPN from FTD or ISE even they're in this AD group 'IT_Group_VPN' ?

Thanks.

Rob Ingram · ‎03-01-2021

@tinhnho123

You could issue a certificate to the computers that are allowed to connect to the VPN, then change authentication to be "aaa + certificate". So any user that is member of "IT_Group_VPN" group could not connect without a certificate.

You should really get this sorted out with the AD team really, get the users that should not be in that group removed.

tinhnho123 · ‎03-01-2021

I'm using the certificate today for AnyConnect VPN. All our joined domain laptops (500 plus laptops) have certificates.

The 300 members of this IT_Group_VPN carry our joined domain laptops that have certificates.

we hate to see that 500 users access AnyConnect VPN some days. Beside to work with AD team, is there any other way to restrict the access?

Rob Ingram · ‎03-01-2021

Well you need to authenticate the users with something unique to differentiate them.

Add the users you want to access the VPN to another AD group and authorise in ISE using the new group.

Or change user authentication to the ISE internal user database and create a user account for each user.