Solved: Re: How to restrict a VPN user with a specific anyconnect profile?

suresh.mogalapu · ‎12-14-2020

we have multiple VPN profiles - for a Specific profile, users should not get option to select any other profile. as well as we need to use same 2FA server for all Profile users. can this be achieved ?

ASA5516 - 9.8(4)22

Mohammed al Baqari · ‎12-14-2020

Sorry , forgot to paste URL.

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html

***** please remember to rate useful posts

View solution in original post

Mohammed al Baqari · ‎12-14-2020

Hi,

There are many ways to do this. You can use group-alias with group-lock
feature to make sure that certain users can use certain profiles only. They
won't be able to login with other profiles (even with valid creds). But you
need to make sure that you have a unique parameter for the same group of
users such as memberOf

Another way of doing this using certificate-maps if you use cert
authentication to match parameters from the client cert and automatically
assign the designated profile. This way users don't get the option to
select a profile.

Sharing the same 2FA will not have an impact.

Here are some examples of group-lock with local auth but the same can be
applied to AD login with ldap-attribute map.

**** please remember to rate useful posts

suresh.mogalapu · ‎12-14-2020

Thank you for your reply Mohammed - you haven't posted any examples.

Mohammed al Baqari · ‎12-14-2020

Sorry , forgot to paste URL.

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html

***** please remember to rate useful posts

Peter Koltl · ‎12-19-2020

Do you use local authentication or RADIUS server? ISE?