Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5058
Views
0
Helpful
5
Replies

How to restrict a VPN user with a specific anyconnect profile?

srivero
Level 1
Level 1

‎11-20-2013 03:24 AM - edited ‎02-21-2020 07:20 PM

I need to assign to anyconnect users different profiles. This is done easily with IPSec, with the group policy configured in the client. With anyconnect I have two options:

- Allow the user to select the connect profile: The problem here is the user can select any profile and connect with the rules and permissions configured in this profile. I do not how to force one specific profile for each user.

- Use  the DefaultWebVPNGroup as connection profile for everybody combined with DAP. This what I am doing now. Everybody connect with the default anyconnect profile and I use DAP to assign each user the network ACL's, Bookmarks, etc. The problem here is that I can not use other options that are included in the profiles or in the policies, like split tunneling or user authentication method.

I have seen some answers about this point but none of them is clear enough. I am using ASA 5540 with 8.4(6) and Windows IAS radius.

Thanks.

Labels:
0 Helpful
5 Replies 5

elialope
Level 1
Level 1

‎11-20-2013 04:49 PM

You can configure you IAS to send the group-policy name on the attribute 25 (class), and have the user connect to the default. That way the ASA will force them to use the proper group policy and all of its advantages.

0 Helpful

srivero
Level 1
Level 1
In response to elialope

‎11-25-2013 03:15 AM

Thanks Elias. This works. Easy to configure. When I connect using the client it takes de group policy from the radius attribute 25 and apply it.

Just one little problem. This doesn't work with bookmarks when the user connect with WebVPN. In the logs I can see the connection taking the correct group policy but the bookmarks from that policy are not applied. Any idea?

0 Helpful

ivanpztorres
Level 1
Level 1
In response to srivero

‎08-27-2014 11:53 AM

I am looking to do the same thing. Do you have a link to documentation on what you did to set it up?

 

Thanks

0 Helpful

srivero
Level 1
Level 1
In response to ivanpztorres

‎09-10-2014 03:00 AM

I don't have any documentation. You just have to go to the IAS server, in your Remote Access Policy, Edit Profile, Advanced Options and add the attribute 25 called Class. In the value field you have to put the name of the ASA policy you want for this connection.

0 Helpful

suresh.mogalapu
Level 1
Level 1
In response to srivero

‎12-14-2020 07:31 AM

can we do same with Safenet tokens authentication ? 

0 Helpful
Customers Also Viewed These Support Documents