How to restrict use of Anyconnect Connection Profile to traffic from one interface?

cisco
Level 1

Hi,

A couple of questions about Anyconnect Connection Profiles and Dynamic Access Policies:

  • I have configured several AnyConnect Connection Profiles with different characteristics. I want one of the profiles to be usable/visible only when the AnyConnect client connects via a specific interface (not the Outside interface). How can this be configured? As it is now, all the profiles are visible via all VPN-enabled interfaces.
  • About DAP: When Dynamic Access Policies are configured, will these be global, or is it possible to bind a policy to one specific connection profile? I would like to configure the DAP so that it is effective only when using a specific connection profile. Is this a correct way of thinking? What I want is: when an AnyConnect user chooses a specific connection profile, it should connect using a DAP that requires membership of an AD group and that a local file exists.

Best regards,

Thor-Egil

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
  • Unfortunately you can't restrict which interfaces the AnyConnect Connection Profile gets assigned to. AnyConnect Connection Profiles are global settings, not interface-specific settings; hence, it will be available no matter which interface the AnyConnect is connected to.
  • DAP policies work like an access-list. It inspects them from the lowest priority to the highest priority and it will stop on the first match. So you can create a number of policies on what you would like to match on. You cannot, however, force the user to authenticate against AD when they choose a specific tunnel group. DAP is used to enforce that only users who meet the policy are allowed access. E.g.: if the user belongs to a specific AD group and also has a specific file, the user will be allowed access to use the AnyConnect. So it's enforcing that the user connects from a company laptop where you have specified the policy, i.e. exists in AD and has a specific file on his laptop. This is to ensure that people who are trying to connect from a non-company laptop or internet kiosk don't have access to the VPN, as they might not be protected and might infect your company network if they are allowed access.

Hope that makes sense.
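To make the evaluation order described in the reply concrete, here is an added toy model (not ASA code, and not from the original thread) of DAP record selection: records are walked in ascending priority and the first one whose conditions all hold on the endpoint is applied. The policy set models the scenario from the question: a user who picks the corporate connection profile must both belong to an AD group and have a marker file present, and anyone else choosing that profile is terminated. Tunnel-group names, the AD group DN, the file path and the default-record behaviour are all constructed assumptions.

```python
"""Toy model of Dynamic Access Policy (DAP) record selection.

Constructed illustration, not Cisco ASA code: records are sorted by priority
and the first record whose conditions all hold on the endpoint is applied,
following the evaluation order the reply describes. All names are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Endpoint:
    """What the ASA learns about a connecting client (AAA plus posture data)."""
    tunnel_group: str          # connection profile the user picked
    ad_groups: Set[str]        # memberOf values returned by the LDAP lookup
    files_present: Set[str]    # paths the endpoint assessment reported as present


@dataclass
class DapRecord:
    name: str
    priority: int
    action: str                                           # "continue" (allow) or "terminate" (deny)
    tunnel_groups: Set[str] = field(default_factory=set)  # empty set = any profile
    required_ad_group: Optional[str] = None
    required_file: Optional[str] = None

    def matches(self, ep: Endpoint) -> bool:
        """Every configured condition must hold; unset conditions are wildcards."""
        if self.tunnel_groups and ep.tunnel_group not in self.tunnel_groups:
            return False
        if self.required_ad_group and self.required_ad_group not in ep.ad_groups:
            return False
        if self.required_file and self.required_file not in ep.files_present:
            return False
        return True


# Assumed fallback when nothing matches (a constructed stand-in, not a claim
# about the ASA's real DfltAccessPolicy semantics).
DEFAULT_RECORD = DapRecord(name="DfltAccessPolicy", priority=0, action="continue")


def select_dap(records: List[DapRecord], ep: Endpoint) -> DapRecord:
    """Return the first matching record in ascending priority order."""
    for rec in sorted(records, key=lambda r: r.priority):
        if rec.matches(ep):
            return rec
    return DEFAULT_RECORD


# Constructed policy set for the question's scenario: users of "corp-profile"
# must be in the VPN AD group AND carry a marker file; any other client that
# picks that profile hits the catch-all terminate record; other profiles fall
# through to the default.
VPN_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=com"   # assumed DN
MARKER_FILE = "C:\\corp\\marker.txt"                    # assumed path

POLICIES = [
    DapRecord("CorpLaptop", priority=10, action="continue",
              tunnel_groups={"corp-profile"},
              required_ad_group=VPN_GROUP, required_file=MARKER_FILE),
    DapRecord("CorpDeny", priority=20, action="terminate",
              tunnel_groups={"corp-profile"}),
]


def decide(ep: Endpoint) -> str:
    """Name of the record applied to this endpoint and its action, as 'name:action'."""
    rec = select_dap(POLICIES, ep)
    return f"{rec.name}:{rec.action}"


if __name__ == "__main__":
    cases = {
        "company laptop on corp-profile": Endpoint("corp-profile", {VPN_GROUP}, {MARKER_FILE}),
        "AD user without marker file":    Endpoint("corp-profile", {VPN_GROUP}, set()),
        "kiosk on corp-profile":          Endpoint("corp-profile", set(), set()),
        "anyone on guest-profile":        Endpoint("guest-profile", set(), set()),
    }
    for label, ep in cases.items():
        print(f"{label:32} -> {decide(ep)}")
```

Because both conditions live in one record, removing the marker file or the group membership drops the client to the next record in priority order, which is the terminate catch-all; that ordering is what lets the catch-all enforce "this profile is for company laptops only" without touching the other profiles.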
