Anyconnect with SAML+ISE authz (auto connecting)

tokis · ‎01-25-2024

Anyone had the same scenario if you have SAML+ISE authz for your anyconnect SSL VPN wherein after connecting to the FQDN of your SSL VPN it automatically connects to the tunnel group where SAML+ISE is configured?

We have (2) tunnel groups which is configured for ISE Auth only and another one which is SAML+ISE.

Is it normal that its auto connecting to the tunnel group wherein SAML+ISE is configured? We want to actually choose between the tunnel group options first.

Rob Ingram · ‎01-25-2024

@tokis do you have Trusted Network Detection (TND) configured so the client automatically establishes a tunnel to the preferred server configured in the anyconnect profile?

tokis · ‎01-25-2024

Hi @Rob Ingram On this newly configured tunnel group having SAML and ISE, I removed the xml file/vpn profile as part of the tunnel group/group policy configuration.

So probably we don't have that configured.

Rob Ingram · ‎01-25-2024

@tokis is AutoConnectOnStart configured? this would automatically connect to the last connected gateway

tokis · ‎01-25-2024

@Rob Ingram let me check that on asdm side, i do not see that on cli config

Rob Ingram · ‎01-25-2024

@tokis that setting is client side in the anyconnect XML profile, which can be deployed via the ASA.

tokis · ‎01-25-2024

@Rob Ingram actually, i forgot to mention, so the tunnel group with SAML do not have the xml profile assigned to it. But for the other tunnel group via ISE has this AutoConnectOnStart disabled.
I also opened a case, it could be the normal scenario if you are using SAML as it pops up a big window hiding the tunnel group drop down list.

Wherein its cached the last tunnel group you connected, will automatically connect you if you try to connect again to VPN