09-04-2016 04:02 AM - edited 02-21-2020 08:57 PM
Is it possible to force the AnyConnect client to always select a specific group?
We have several different devices to support (laptops, iPhones, Android, Windows phones, etc.) and the client seems to work differently with each.
Users can select a group if I enable the pop-up on the ASA, but it would be simpler (especially if we enable the client before login) to auto-select the group based on the device/client that the request comes from, perhaps from a config file.
It may also be possible to do this through a customised cert, but I can't find any relevant information on this.
URL/Alias works with some devices but not others.
Any ideas/suggestions?
09-04-2016 05:09 PM
You can restrict your clients to a specific connection profile (AKA tunnel-group). You do this as part of an authorization policy.
You make the default "no access", require authorization and then check a username attribute (when authentication and authorization is local to the ASA) or group membership (when using an external source such as AD, LDAP or RADIUS server).
Here's some additional information:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
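The authorization approach described in this reply, as an added ASA configuration example (not from the reply, the linked document or Cisco): every authenticated user lands in a "no access" group-policy unless an LDAP attribute map translates their AD group membership into a group-policy that is locked to one connection profile. All names (AD-LDAP, AD-GROUP-MAP, GP-NOACCESS, GP-LAPTOP, GP-PHONE, TG-LAPTOP, TG-PHONE, the AD group DNs and the 10.0.0.10 server address) are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed names throughout.
! Default "no access": allowing zero simultaneous logins rejects anyone the
! LDAP map does not explicitly place in a real group-policy.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! One group-policy per device class, each locked to a single tunnel-group
group-policy GP-LAPTOP internal
group-policy GP-LAPTOP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-LAPTOP
group-policy GP-PHONE internal
group-policy GP-PHONE attributes
 vpn-tunnel-protocol ssl-client ikev2
 group-lock value TG-PHONE

! Translate the AD memberOf attribute into the ASA Group-Policy attribute
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Laptops,OU=Groups,DC=example,DC=local" GP-LAPTOP
 map-value memberOf "CN=VPN-Phones,OU=Groups,DC=example,DC=local" GP-PHONE

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Both profiles authenticate against AD and fall back to GP-NOACCESS
tunnel-group TG-LAPTOP type remote-access
tunnel-group TG-LAPTOP general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group TG-PHONE type remote-access
tunnel-group TG-PHONE general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

With `group-lock`, a user who picks the wrong profile from the drop-down is refused even though their credentials are valid, and `show vpn-sessiondb anyconnect` shows the group-policy that was actually applied, which is the first thing to check when a mapping does not fire.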
09-05-2016 05:37 AM
That would associate the profile with a user ID. I need to associate this with a device.
Some of our users have access to multiple devices, some of which can only do SSL VPN, others that can only do IPsec, and yet still others that can do both.
I'm currently looking at doing this with custom user certs and matching on SAN. That has its own potential issues. If the profile name changes, then I'll need to create hundreds of replacement certs.
I'll let you know how it goes, but if anyone has any other suggestions . . .
09-05-2016 06:06 PM
If you want to restrict / direct a device to a connection profile, the most flexible method is via ISE as your back-end AAA server. ISE can match authorization policy based on any number of attributes, including endpoint OS. If you have an MDM system, you can even query it via ISE for device compliance status (i.e. is it registered, jailbroken, etc.).
As you noted, you could potentially use certificate attributes, but that would require some pretty imaginative certificate provisioning.
09-06-2016 11:17 PM
Hi sthmbc_netsupport,
I think certificate-map fits your requirement. You can build a customized cert and land the connection on a specified tunnel-group.
Please refer to the below link.
Let me know if that helps.
Thanks,
Shakti
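The certificate-map approach from this reply, and the SAN matching the original poster was trying, as an added ASA configuration example (not from the thread or Cisco). It keys on a device-class value carried in the client certificate rather than on the tunnel-group name, which addresses the poster's concern that renaming a profile would mean re-issuing hundreds of certs: the rename only touches the map lines on the ASA. All names (CERTMAP-DEVICE, TG-SSL-ONLY, TG-IPSEC-ONLY, TG-BOTH, the OU values and the SAN suffix) are assumed placeholders, and the exact `alt-subject-name` operators should be checked against the ASA release in use.

```cisco
! Added example, not from the thread. Assumed names throughout.
! Each map entry matches one device class encoded in the issued certificate.
crypto ca certificate map CERTMAP-DEVICE 10
 subject-name attr ou eq vpn-ssl-only
crypto ca certificate map CERTMAP-DEVICE 20
 subject-name attr ou eq vpn-ipsec-only
crypto ca certificate map CERTMAP-DEVICE 30
 subject-name attr ou eq vpn-both

! Alternative entry matching on the SAN instead of the subject OU
! (assumed SAN suffix; "co" = contains)
crypto ca certificate map CERTMAP-DEVICE 40
 alt-subject-name co .ssl-only.vpn.example.internal

! SSL / AnyConnect: send matching certificates to the right connection profile
webvpn
 enable outside
 certificate-group-map CERTMAP-DEVICE 10 TG-SSL-ONLY
 certificate-group-map CERTMAP-DEVICE 30 TG-BOTH
 certificate-group-map CERTMAP-DEVICE 40 TG-SSL-ONLY

! IPsec: the same map, selected through tunnel-group-map rules
tunnel-group-map enable rules
tunnel-group-map CERTMAP-DEVICE 20 TG-IPSEC-ONLY
tunnel-group-map CERTMAP-DEVICE 30 TG-BOTH

! The profiles must require the client certificate so the map is consulted
tunnel-group TG-SSL-ONLY type remote-access
tunnel-group TG-SSL-ONLY webvpn-attributes
 authentication aaa certificate
tunnel-group TG-BOTH type remote-access
tunnel-group TG-BOTH webvpn-attributes
 authentication aaa certificate
```

Because the mapping decision is taken from the certificate before any username is seen, a device whose certificate matches no entry falls through to the default profile, so that default should be one that grants nothing. Keep the device-class values in a single trust chain issued by your own CA; a certificate-map only inspects fields, it does not by itself restrict which issuer is accepted.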