Cisco Anyconnect SSL VPN

nikzad_beh
Level 1

Hi guys

I configured Cisco AnyConnect SSL VPN with an external authentication server (LDAP). Now I want to restrict any user connecting to the VPN to a single session and no more than one. What can I do?

6 Replies

Michael Muenz
Level 5

What exactly do you mean by session? You can configure that simultaneous logins are denied.

Michael Please rate all helpful posts

Thanks for your answer.

I want each user to connect to my network using one session.

For example, USER_A with PC1 connects to my network via SSL VPN with session ID 1001; now USER_A should be unable to connect to my network with another PC unless session ID 1001 is torn down.

I know I can use simultaneous-logins in an LDAP attribute, but how can I do it? Do I need to change the user profile in Active Directory? And what are the changes?

Just set "vpn-simultaneous-logins 1" under the specific group policy.

Michael Please rate all helpful posts

I checked it and it doesn't work correctly, because that command specifies the number of accounts accepted from the group policy for connecting to my network.

No, it specifies how many connections with the same user-id to this policy are allowed.

https://www.experts-exchange.com/questions/23979626/What-is-simultaneous-login-on-an-ASA-vpn-group-policy.html

Michael Please rate all helpful posts

nikzad_beh
Level 1

Hi Michael Muenz,

I can do it. I have done these settings in this order:

  1. I use an LDAP attribute map to get the IP address from the Dial-in tab in the user profile (before that, I set the IP address in the Dial-in tab).
  2. I don't change "vpn-simultaneous-logins" under the group policy (left at the default).
  3. I omit "Client Address Pool" under the tunnel group (AnyConnect Connection Profile).

Under these settings, USER_A can connect to my network only once at the same time and cannot connect from anywhere else.

If I do just item 2 (just set "vpn-simultaneous-logins 1" under the specific group policy), USER_A with PC1 connects to my network via SSL VPN with session ID 1001 and the DHCP pool assigns it IP address 192.168.1.2; now if USER_A with PC2 connects to my network, USER_A on PC2 forces out USER_A on PC1, so this is a very bad situation. I want the ASA to refuse USER_A's login from elsewhere in that situation.

I apologize for my poor English.

Good luck to you.
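The three steps in the post above, written out as an ASA configuration fragment. This is an added example, not configuration from the original thread; the server name LDAP_SRV, the address 192.0.2.10, the base DN, the bind account and the policy and tunnel-group names are placeholders. The attribute map uses the AD attribute msRADIUSFramedIPAddress, which is where the Dial-in tab's static IP address is stored.

```cisco
! Placeholders assumed for this example: LDAP_SRV, 192.0.2.10, DC=example,DC=com
!
! Step 1: map the Dial-in static IP from the user's AD object to the
! Cisco attribute the ASA uses as the client address.
ldap attribute-map DIALIN_IP
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
!
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map DIALIN_IP
!
! Step 2: no vpn-simultaneous-logins line in the group policy, i.e. the
! default stays in place. The post reports that setting it to 1 makes a
! second login from another PC take over the first session instead of
! being refused.
group-policy GP_SSLVPN internal
group-policy GP_SSLVPN attributes
 vpn-tunnel-protocol ssl-client
!
! Step 3: no "address-pool" under the tunnel group. The only address a
! user can receive is the one carried by the attribute map, so while
! that address is in use by the first session a further login of the
! same user gets no address and is refused.
tunnel-group TG_SSLVPN type remote-access
tunnel-group TG_SSLVPN general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_SSLVPN
tunnel-group TG_SSLVPN webvpn-attributes
 group-alias SSLVPN enable
```

After applying this, `show vpn-sessiondb anyconnect` lists the active session per user, which is the quickest way to confirm that a second login from elsewhere was refused rather than replacing the first.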