Cisco Anyconnect VPN Group Policy and Connection profiles

Craddockc
Level 3

Community,

 

I have a question regarding the group policies in the ASA for AnyConnect clients. How does the ASA decide which connection profile it will use for a certain VPN connection being established? For instance, if I have two connection profiles set up, and a user connects with AnyConnect (or any other VPN supplicant), how does the ASA decide which connection profile to use, and subsequent Group Policies to use?

 

Thanks.

Accepted Solutions

Rahul Govindan
VIP Alumni
If you do not have any special config on the ASA, the AnyConnect connection will always fall into the DefaultWebvpnGroup, even if you have multiple other groups defined.
You can have the user fall into another tunnel-group (connection profile) using the following mechanisms:
1) Create a group-url for a new tunnel-group and have the user go directly to that URL.
2) Enable tunnel-group-list so that the user can choose between multiple groups (an alias needs to be defined for it to show up in the list).
3) Use some sort of certificate to tunnel-group mapping for cert auth connection profiles.

This list may not be exhaustive, just the ones that I could recall.
For group-policy, you can use AAA or local user attributes to assign a group-policy to the user. If those don't exist, the default-group-policy setting from the matched tunnel-group is chosen.

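The three selection mechanisms and the group-policy fallback described in the accepted answer, as an added ASA configuration example that is not part of the original post. All names (EMPLOYEES, CONTRACTORS, the GP-* policies, CERT-MAP, vpn.example.com, alice) are hypothetical, and it assumes the local user alice already exists and AnyConnect is already enabled on the interface.

```cisco
! Constructed example: every name below is hypothetical.

! Group policies referenced by the connection profiles
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-tunnel-protocol ssl-client

! Connection profile reachable through mechanisms 1 and 2
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 default-group-policy GP-EMPLOYEES
tunnel-group EMPLOYEES webvpn-attributes
! 1) group-url: a client pointed at this URL lands in EMPLOYEES
 group-url https://vpn.example.com/employees enable
! 2) alias shown in the client drop-down once tunnel-group-list is enabled
 group-alias Employees enable

! Connection profile reachable through mechanism 3 (certificate auth)
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy GP-CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 authentication certificate

! 3) Certificate rule: subject OU equal to "contractors"
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq contractors

webvpn
! Needed for the aliases from mechanism 2 to be offered to the user
 tunnel-group-list enable
! Binds certificate rule 10 to the CONTRACTORS connection profile
 certificate-group-map CERT-MAP 10 CONTRACTORS

! Group-policy assignment by local user attribute; per the answer above,
! default-group-policy applies only when no AAA or user attribute sets one
username alice attributes
 vpn-group-policy GP-ADMINS
```

A connection that matches none of these still falls into DefaultWebvpnGroup, so review that profile's settings as well; `show vpn-sessiondb anyconnect` lists the tunnel group and group policy each session actually received.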

2 Replies

Rahul,

 

Thank you! This was very helpful. I was able to create a new tunnel group and alias it with an intuitive name. The options are then presented before login by the AnyConnect client!

 

Thanks!