11-20-2013 03:24 AM - edited 02-21-2020 07:20 PM
I need to assign different profiles to AnyConnect users. This is done easily with IPSec, with the group policy configured in the client. With AnyConnect I have two options:
- Allow the user to select the connection profile: The problem here is the user can select any profile and connect with the rules and permissions configured in this profile. I do not know how to force one specific profile for each user.
- Use the DefaultWebVPNGroup as connection profile for everybody combined with DAP. This is what I am doing now. Everybody connects with the default AnyConnect profile and I use DAP to assign each user the network ACLs, bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or user authentication method.
I have seen some answers about this point but none of them is clear enough. I am using ASA 5540 with 8.4(6) and Windows IAS RADIUS.
Thanks.
11-20-2013 04:49 PM
You can configure your IAS to send the group-policy name in attribute 25 (Class), and have the user connect to the default. That way the ASA will force them to use the proper group policy and all of its advantages.
11-25-2013 03:15 AM
Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from RADIUS attribute 25 and applies it.
Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy but the bookmarks from that policy are not applied. Any idea?
08-27-2014 11:53 AM
I am looking to do the same thing. Do you have a link to documentation on what you did to set it up?
Thanks
09-10-2014 03:00 AM
I don't have any documentation. You just have to go to the IAS server, in your Remote Access Policy, Edit Profile, Advanced Options and add the attribute 25 called Class. In the value field you have to put the name of the ASA policy you want for this connection.
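To check what the RADIUS server actually returns for a user, the sketch below (an added example, not part of the original posts) parses a raw Access-Accept and lists the group-policy names carried in Class (25) attributes. Stripping an `OU=name;` wrapper and the policy name `SALES_GP` are assumptions; the sample packet is constructed and its authenticator is not verified.

```python
import struct

CLASS = 25          # IETF RADIUS attribute 25 (Class), RFC 2865
ACCESS_ACCEPT = 2   # RADIUS packet code for Access-Accept
HEADER_LEN = 20     # code, identifier, length, 16-byte authenticator


def radius_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def class_policies(packet: bytes):
    """Group-policy names found in Class attributes of an Access-Accept."""
    code, attrs = radius_attributes(packet)
    if code != ACCESS_ACCEPT:
        return []
    names = []
    for atype, value in attrs:
        if atype != CLASS:
            continue
        try:
            text = value.decode("ascii").strip()
        except UnicodeDecodeError:
            continue  # opaque binary Class value, not a policy name
        if text.upper().startswith("OU="):  # assumed optional wrapper
            text = text[3:]
        text = text.rstrip(";")
        if text and text.isprintable():
            names.append(text)
    return names


def build_sample(class_values, code=ACCESS_ACCEPT):
    """Constructed test packet: zeroed authenticator, Class attributes only."""
    body = b"".join(bytes([CLASS, len(v) + 2]) + v for v in class_values)
    return struct.pack("!BBH", code, 1, HEADER_LEN + len(body)) + bytes(16) + body
```

An empty result for a user who should be restricted means the Class value is missing from the reply, so that user would not get the intended group policy from RADIUS.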
12-14-2020 07:31 AM
Can we do the same with SafeNet token authentication?