Force Anyconnect to use specified group

Is it possible to force the AnyConnect client to always select a specific group?

We have several different devices to support (laptops, iPhones, Android, Windows Phone, etc.), and the client seems to work differently with each.

Users can select a group if I enable the pop-up on the ASA, but it would be simpler (especially if we enable the client before login) to auto-select the group based on the device/client that the request comes from, perhaps from a config file.

It may also be possible to do this through a customised cert, but I can't find any relevant information on this.

URL/Alias works with some devices but not others.

Any ideas/suggestions?

4 Replies

Marvin Rhoads
Hall of Fame

You can restrict your clients to a specific connection profile (AKA tunnel-group). You do this as part of an authorization policy.

You make the default "no access", require authorization and then check a username attribute (when authentication and authorization is local to the ASA) or group membership (when using an external source such as AD, LDAP or RADIUS server).

Here's some additional information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
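An ASA configuration sketch of the approach described above (default "no access", authorization against AD group membership, and group-lock pinning each group policy to its connection profile). This is an added example, not configuration from the linked Cisco document or from the original posters; the server address, DN values, group names and tunnel-group names are assumed placeholders.

```cisco
! --- Added example: restrict users to a connection profile via authorization (assumed names) ---

! LDAP attribute map: translate AD memberOf into an ASA group-policy.
! Assumed AD groups: VPN-SSL-Users and VPN-IPSEC-Users (placeholders).
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-SSL-Users,OU=Groups,DC=example,DC=com" GP_SSL
 map-value memberOf "CN=VPN-IPSEC-Users,OU=Groups,DC=example,DC=com" GP_IPSEC

! AAA server used for authentication and authorization (address and bind DN assumed).
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_MAP

! Default policy is "no access": anyone not mapped to an explicit group-policy
! inherits this and cannot log in.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! SSL users: only this tunnel-group is allowed (group-lock).
group-policy GP_SSL internal
group-policy GP_SSL attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 group-lock value TG_SSL

! IPsec (IKEv2) users: locked to their own tunnel-group.
group-policy GP_IPSEC internal
group-policy GP_IPSEC attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev2
 group-lock value TG_IPSEC

! Connection profiles. Each one authenticates against AD and starts from NOACCESS;
! the LDAP attribute map upgrades the user to GP_SSL or GP_IPSEC, and group-lock
! then rejects a login that arrives on the wrong profile.
tunnel-group TG_SSL type remote-access
tunnel-group TG_SSL general-attributes
 authentication-server-group AD
 default-group-policy GP_NOACCESS
tunnel-group TG_SSL webvpn-attributes
 group-alias ssl enable

tunnel-group TG_IPSEC type remote-access
tunnel-group TG_IPSEC general-attributes
 authentication-server-group AD
 default-group-policy GP_NOACCESS
```

Note that, as the thread goes on to observe, this decides access per user (AD group membership), not per device: a user in both AD groups can still land on either profile from any device.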

That would associate the profile with a user ID. I need to associate it with a device.

Some of our users have access to multiple devices, some of which can only do SSL VPN, others that can only do IPsec, and still others that can do both.

I'm currently looking at doing this with custom user certs and matching on the SAN. That has its own potential issues: if the profile name changes, then I'll need to create hundreds of replacement certs.

I'll let you know how it goes, but if anyone has any other suggestions...

If you want to restrict / direct a device to a connection profile, the most flexible method is via ISE as your back-end AAA server. ISE can match authorization policy based on any number of attributes, including endpoint OS. If you have an MDM system, you can even query it via ISE for device compliance status (e.g., is it registered, jailbroken, etc.).

As you noted, you could potentially use certificate attributes but that would require some pretty imaginative certificate provisioning.

Shakti Kumar
Cisco Employee

Hi

I think a certificate map fits your requirement: you can build a customized cert and land the connection on a specified tunnel-group.

Please refer to the link below.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc16

Let me know if that helps.

Thanks

Shakti
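A worked ASA configuration for the certificate-map approach suggested above, which addresses the per-device requirement raised earlier in the thread. This is an added example and not configuration from the linked Cisco document or from either poster. It assumes the device-certificate CA puts a device class in the subject OU (assumed values VPN-SSL and VPN-IPSEC); the map, trustpoint and tunnel-group names are placeholders.

```cisco
! --- Added example: steer connections to a tunnel-group from the device certificate (assumed names) ---

! Trustpoint for the CA that issues the device certificates (enrollment details omitted).
crypto ca trustpoint CORP_DEVICE_CA
 enrollment terminal
 crl configure

! One certificate-map rule per device class. The rule matches on a subject
! attribute that the CA stamps into every device certificate, so the cert
! never needs to contain the tunnel-group name itself.
crypto ca certificate map DEVICE_CLASS 10
 subject-name attr ou eq VPN-SSL
 issuer-name attr cn eq CORP_DEVICE_CA
crypto ca certificate map DEVICE_CLASS 20
 subject-name attr ou eq VPN-IPSEC
 issuer-name attr cn eq CORP_DEVICE_CA

! SSL (AnyConnect over TLS): rule 10 lands the session on TG_DEVICE_SSL
! before the user sees any group drop-down.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map DEVICE_CLASS 10 TG_DEVICE_SSL

! IKEv2/IPsec: the same map is consulted via the global tunnel-group-map.
tunnel-group-map enable rules
tunnel-group-map DEVICE_CLASS 20 TG_DEVICE_IPSEC

! Connection profiles that require the device certificate.
group-policy GP_DEVICE_SSL internal
group-policy GP_DEVICE_SSL attributes
 vpn-tunnel-protocol ssl-client
group-policy GP_DEVICE_IPSEC internal
group-policy GP_DEVICE_IPSEC attributes
 vpn-tunnel-protocol ikev2

tunnel-group TG_DEVICE_SSL type remote-access
tunnel-group TG_DEVICE_SSL general-attributes
 default-group-policy GP_DEVICE_SSL
tunnel-group TG_DEVICE_SSL webvpn-attributes
 authentication certificate

tunnel-group TG_DEVICE_IPSEC type remote-access
tunnel-group TG_DEVICE_IPSEC general-attributes
 default-group-policy GP_DEVICE_IPSEC
tunnel-group TG_DEVICE_IPSEC ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CORP_DEVICE_CA
```

Keying the map on a device-class attribute rather than the profile name addresses the re-issuance concern raised earlier: renaming a tunnel-group means editing the `certificate-group-map` or `tunnel-group-map` line on the ASA, not re-provisioning certificates. `authentication certificate` can be changed to `authentication aaa certificate` if the user must also log in once the device has been placed in its profile.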