How to restrict a VPN user with a specific anyconnect profile?

srivero
Level 1

I need to assign to anyconnect users different profiles. This is done easily with IPSec, with the group policy configured in the client. With anyconnect I have two options:

- Allow the user to select the connection profile: The problem here is that the user can select any profile and connect with the rules and permissions configured in that profile. I do not know how to force one specific profile for each user.

- Use the DefaultWebVPNGroup as the connection profile for everybody, combined with DAP. This is what I am doing now. Everybody connects with the default anyconnect profile and I use DAP to assign each user the network ACLs, Bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or the user authentication method.

I have seen some answers about this point but none of them is clear enough. I am using ASA 5540 with 8.4(6) and Windows IAS radius.

Thanks.

5 Replies

elialope
Level 1

You can configure your IAS to send the group-policy name in attribute 25 (Class), and have the user connect to the default. That way the ASA will force them to use the proper group policy and all of its advantages.

Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from the radius attribute 25 and applies it.

Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy, but the bookmarks from that policy are not applied. Any idea?

I am looking to do the same thing. Do you have a link to documentation on what you did to set it up?


Thanks

I don't have any documentation. You just have to go to the IAS server, in your Remote Access Policy, Edit Profile, Advanced Options and add the attribute 25 called Class. In the value field you have to put the name of the ASA policy you want for this connection.
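An added example (not from the thread or from Cisco) of the ASA side of the setup described in these replies: every user lands in DefaultWebVPNGroup, IAS returns the group-policy name in the Class attribute, and the per-user policies carry the settings (split tunneling, tunnel protocol) that DAP alone could not set. Server address, shared-secret placeholder, policy names and ACL name are assumptions.

```text
! RADIUS server (Windows IAS) that returns the Class attribute
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.5
 key <radius-shared-secret>

! Everybody connects through the default connection profile,
! so there is no profile selection on the client side
tunnel-group DefaultWebVPNGroup general-attributes
 authentication-server-group IAS
 default-group-policy GP-DEFAULT

! Fallback policy used only when RADIUS returns no Class attribute.
! Kept most restrictive so a missing attribute never grants access.
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 vpn-simultaneous-logins 0

! Policies selected per user by the Class attribute value (assumed names)
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ENG-SPLIT-ACL

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall

! IAS remote access policy, Advanced attributes, attribute 25 (Class):
!   OU=GP-ENGINEERING;   returned for engineering users
!   OU=GP-FINANCE;       returned for finance users
! Cisco documents the OU=<group-policy-name>; form for the Class value;
! the reply above reports the bare policy name working on 8.4(6), so
! check which form your ASA version accepts.
```

With this in place, `show vpn-sessiondb anyconnect` lists the group policy actually applied to each session, which is the quickest check that the RADIUS attribute is being honored.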

Can we do the same with Safenet token authentication?