
Info message in AnyConnect when connecting to a specific tunnel-group

akhon0001
Level 1

Informational message in Cisco AnyConnect when connecting to a specific tunnel-group

Hi all!
Please help solve the problem.
In our organization, to subdue VPN clients, we use several different tunnel groups with different URLs.
We need to make an informational message when connecting through a specific URL.
I searched for information, but I just found that you can apply GUI Text and Messages, but this applies to all connections. Or you can apply the banner only to a specific group policy. But that doesn't work for us.

The bottom line is that when connecting to a certain URL through Cisco AnyConnect, a message should be displayed, the user reads it, clicks OK, and then enters the credentials.

Help with information please.

11 Replies

MaxShantar
Cisco Employee

To configure a warning banner for a tunnel group in  you can use the "banner" command in the tunnel group config mode.

banner warning "This VPN is for authorized users only."

! Configuration for tunnel group "example_tunnel_banner"
tunnel-group mytunnelgroup type ipsec-ra
tunnel-group mytunnelgroup general-attributes
  banner warning "This VPN is for authorized users only."
  default-group-policy mytunnelpolicy
tunnel-group mytunnelgroup ipsec-attributes
  ikev1 pre-shared-key mypre-sharedkey
  ikev2 remote-authentication pre-shared-key mypre-sharedkey
  ikev2 local-authentication pre-shared-key mypre-sharedkey

 

akhon0001
Level 1

Hello,
I apologize for not immediately specifying that our tunnel group has the type remote-access.
And when we go into the tunnel group configuration settings, there is simply no banner command.

tunnel-group VPN-RA type remote-access
tunnel-group VPN-RA general-attributes
authentication-server-group RADIUS
default-group-policy DEFAULT-RAVPN-GR
password-management
authorization-required
tunnel-group VPN-RA webvpn-attributes
group-url https://URLxxx.xx/enable

That's all there is


ASA(config-tunnel-general)# ?

tunnel-group configuration commands:
accounting-server-group
address-pool
annotation
authenticated-session-username
authentication-attr-from-server
authentication-server-group
authorization-required
authorization-server-group
default-group-policy
dhcp-server
exit
help
ipv6-address-pool
nat-assigned-to-public-ip
no
password-management
scep-enrollment
secondary-authentication-server-group
secondary-username-from-certificate
secondary-username-from-certificate-choice
strip-group
strip-realm
username-from-certificate
username-from-certificate-choice

tunnel-group VPN-RA general-attributes 
?  <<- banner appears here under the tunnel-group general attributes

akhon0001
Level 1

Hello
I managed to enter this command.
But after I pressed Enter, I was thrown into configuration mode, and when checking show run, there is no banner there.

I tried to connect via AnyConnect, but no message came up. I just successfully connected.

ASA# conf t
ASA(config)# tunnel-group VPN-RA general-attributes
ASA(config-tunnel-general)# ban
ASA(config-tunnel-general)# banner ?

configure mode commands/options:
asdm Display a post login banner (ASDM only)
exec Display a banner whenever an EXEC process in initiated
login Display a banner before the username and password login prompts
motd Display a message-of-the-day banner
ASA(config-tunnel-general)# banner log
ASA(config-tunnel-general)# banner login ?

configure mode commands/options:
LINE A line of message to be displayed, it will be added to the end of an existing banner. The token $(domain) and $(hostname) will be replaced with the domain name and host
name
<cr>
ASA(config-tunnel-general)# banner login HELLOW!
ASA(config)#
ASA(config)#

Yes, I checked in my FW lab and see it under
group-policy x.x.x.x attributes 
banner 

akhon0001
Level 1

Oh yes, I found it, it is located in the main ASA configuration.
It appears when I ssh into the ASA itself, but this is not what I need)
I want to have a message appear in AnyConnect
As in the screenshot. This picture is just taken from the internet.

Screenshot_3.jpg

 

Sorry, see my corrected comment.

akhon0001
Level 1

Yes, thank you!
I know about the banner settings in policies. I pointed this out in the text of my main problem.

The fact is that we have several different URLs that are used by different groups of people, for example, different companies. Each company connects with its own URL, but they use the same policies.

That's why I was interested in the question: is it possible to set up an informational message for tunnel groups, in which the URL itself is specified, separately?

For example, COMPANY1 connects to the URL vpn.company.com/com1, and an information window appears in AnyConnect: "Welcome, you are connecting to Company1. Your job description is such and such"

COMPANY2 connects by the URL vpn.company.com/com2.
The message may already be different. For example, "Your organization is subject to strict quality control, do your work carefully."

These are all examples, but the bottom line is that I need to do it this way. I looked through the documentation and didn't find any options.

Is there such a possibility at all?

Got it, I will check and update you.

akhon0001
Level 1

Good afternoon.
Please tell me, if I add a banner in the group policy, can I insert a link to some resource here, for example:

conf t
group-policy %PolicyName% attributes
banner value https://mycompany.com/knowledgebase/usermanuals/docs/


Will it work as a link?

As for using http://, I am not so sure, but you can try and see.
For your original post, I did some research and found that
you can add a new group-policy and then inherit its values from the other group-policy
via
group-policy MHM1 internal from MHM2
then configure a different banner under each group-policy.

Please review this and check it twice before applying it.
Thanks
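
The approach from the last reply, written out as an added example that is not part of the original thread: one cloned group policy per company, each with its own banner, bound to the tunnel group that owns that company's URL. The names GP-COM1, GP-COM2, COM1 and COM2 are assumptions; DEFAULT-RAVPN-GR, RADIUS and the vpn.company.com URLs are taken from the posts above.

```cisco
! Added example, not from the thread. GP-COM1/GP-COM2 and COM1/COM2 are assumed names.

! 1. Clone the shared policy once per company. "from" copies the attributes
!    when the policy is created; later changes to DEFAULT-RAVPN-GR do not
!    follow automatically, so keep the clones in sync when the base changes.
group-policy GP-COM1 internal from DEFAULT-RAVPN-GR
group-policy GP-COM2 internal from DEFAULT-RAVPN-GR

! 2. Give each clone its own banner. Inside a group policy the keyword is
!    "banner value"; "banner login" is the global device banner and drops
!    the CLI back to config mode, as the transcript above shows.
group-policy GP-COM1 attributes
 banner value Welcome, you are connecting to Company1.
group-policy GP-COM2 attributes
 banner value Your organization is subject to strict quality control, do your work carefully.

! 3. One tunnel group per URL, each pointing at its own policy.
tunnel-group COM1 type remote-access
tunnel-group COM1 general-attributes
 authentication-server-group RADIUS
 default-group-policy GP-COM1
tunnel-group COM1 webvpn-attributes
 group-url https://vpn.company.com/com1 enable

tunnel-group COM2 type remote-access
tunnel-group COM2 general-attributes
 authentication-server-group RADIUS
 default-group-policy GP-COM2
tunnel-group COM2 webvpn-attributes
 group-url https://vpn.company.com/com2 enable

! 4. Check the result from privileged EXEC mode:
!      show running-config group-policy GP-COM1
!      show vpn-sessiondb detail anyconnect
!    The session detail lists the tunnel group and group policy in effect.
```

The group-policy banner is shown after authentication succeeds, not before the credential prompt. If the RADIUS server returns a Class attribute that names a group policy, that policy takes precedence over `default-group-policy`, so confirm the policy actually applied in the session detail.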