Group for Clientless VPN Only

Matthew Martin
Level 5

Hello All,

ASA 5525-X

I created a new Group Policy and new Tunnel Group that we want to only be accessible for Clientless VPN access only.

In the Group Policy, under Tunneling Protocols, I only enabled the checkbox (*on ASDM) for Clientless SSL VPN.

However, the Group is still being made available when connecting through the AnyConnect client. Is there any way to hide this group for those logging in via AnyConnect and have it only display on Clientless logins?

 

Thanks in Advance,
Matt

3 Replies

Mike.Cifelli
VIP Alumni

So for webvpn there are the following methods to select which tunnel group: group url, group-alias, cert maps. I think what you are looking for based on description is to disable the group-alias selection. I would navigate in ASDM to: Configuration->RAVPN->Clientless SSL VPN Access->Connection Profiles. On this page there should be a setting stating something along the lines of: Allow user to select connection via alias. Disable this and test again. Note that in doing this your clientless webvpn users will need the group url to browse to. Example: <https://xxxx/group1>

HTH!

 

Hey Mike, thanks for the reply.

 

So it sounds like in order to remove the option of being able to select this Group from the AnyConnect VPN login's group selection drop-down box, it needs to be removed from both Client and Clientless Group selections..?

Then, in order to login using this group with WebVPN, those users would have a separate URL to login with. Does that sound accurate?

 

Thanks Again,

Matt

Mike.Cifelli
VIP Alumni

So it sounds like in order to remove the option of being able to select this Group from the AnyConnect VPN login's group selection drop-down box, it needs to be removed from both Client and Clientless Group selections..?

- When you disable it under 'Connection Profiles' in ASDM it automatically disables it in both clientless and client. You can do it in either location.

Then, in order to login using this group with WebVPN, those users would have a separate URL to login with. Does that sound accurate?

- Yes. In ASDM navigate to: Configuration->RAVPN->Clientless SSL VPN Access->Connection Profiles, then select the profile in question. Once selected, click edit, go to advanced, Clientless SSL VPN settings and refer to "Group URLs" section and configure accordingly. Then dish out that URL to users, which will directly map them to their respective tunnel group via that URL you just configured under the respective connection profile.
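
The ASDM steps discussed in this thread correspond to the following ASA CLI configuration. This is an added example, not part of the original posts; the names CLIENTLESS-GP and CLIENTLESS-TG and the URL https://vpn.example.com/group1 are placeholders, not values from the thread.

```text
! Group policy restricted to clientless SSL VPN only
! (the "Tunneling Protocols" checkbox in ASDM). Placeholder names.
group-policy CLIENTLESS-GP internal
group-policy CLIENTLESS-GP attributes
 vpn-tunnel-protocol ssl-clientless
!
! Connection profile (tunnel group) bound to that group policy
tunnel-group CLIENTLESS-TG type remote-access
tunnel-group CLIENTLESS-TG general-attributes
 default-group-policy CLIENTLESS-GP
!
! Group URL: browsing to this URL maps the user straight to this
! connection profile, so no alias selection is required.
tunnel-group CLIENTLESS-TG webvpn-attributes
 group-url https://vpn.example.com/group1 enable
!
! Disable "Allow user to select connection profile ... by its alias".
! This is a global webvpn setting, so the drop-down disappears for
! both the clientless portal and the AnyConnect client.
webvpn
 no tunnel-group-list enable
!
! Verify what is actually configured
show running-config webvpn
show running-config tunnel-group CLIENTLESS-TG
show running-config group-policy CLIENTLESS-GP
```

Because the alias list is disabled globally, every other connection profile that users previously picked from the drop-down also needs its own group URL (or certificate map) before this change is deployed.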