We have an ASA 5510 running 9.1 and using ASDM 7.13 with 1 gig of memory and all the required licenses.
I need a sanity check on whether this is possible and if I am losing some functionality.
I have user1 with group policy a and connection profile a. This example uses the native IPSec client and works fine from Macs and PCs.
I also have user2 with group policy b and connection profile b. This example uses AnyConnect 3.0 and works fine from Macs, I-Phones, and a Kindle Fire.
I would like to know if user1 can login with the same credentials and group policy on both IPSec and AnyConnect.
Thank you in advance for your real world examples and explanations.
We do not have enough information to give you good answers. You tell us that there are 2 connection profiles and 2 policies. But do not tell us anything about what is in the policies. In particular we need to know how the 2 groups authenticate. And we also need to know if there are restrictive things in the 2 policies that might apply differently to the 2 users.
In general if both groups use the same authentication mechanisms then it is likely that user 1 might be able to login both groups.
Thanks for the fast reply. Everyone authenticates locally. The policies are the same and have identical restrictions, namely, these individuals can go anywhere. Just can't seem to configure them to login without designating them for a single group.
Thanks for the additional information. I am a bit puzzled about your environment. If I am understanding correctly both groups authenticate the same and have the same policy. So why are there two different groups?
Thinking about that question, it occurs to me that perhaps the difference is that one group is configured to use only tunnel type ipsec and ISAKMP v1 and the second group is configured to use only tunnel type webvpn (or whatever term is used in 9.1 to indicate only SSL VPN). If that is the case, and if user 1 uses only the IPSec client then they would be able to login only to group 1. And if user 2 uses only AnyConnect SSL then they would be able to login only to group 2. Is this the case?
Thanks for the reply.
We had an environemnt for years where group 1 users logged in via IPSec. We just recently added the memory, licenses, and operating system to allow for AnyConnect usage on a large scale.
To fully test Anyconnect without impacting production, I created test users and a test group. All works fine. I even was able to use a group one login with AnyConnect but I had to move the user into the newly created test group.
I am missing some bit of configuration in maybe the Connection Profile where an individual could be assigned allowed to use IPSec with the Native Client and AnyConnect.
Do I need the IPSec Native client and can I just rely upon AnyConnect to achieve all the functionality I require?
Thank you in advance.
I do not fully understand this response. But I believe that we have sufficient information to answer most of your questions. You have told us that to allow a user in group 1 to use AnyConnect that you had to move the user to group 2. So that says that whether it is some difference in authentication method or whether it is some difference in tunnel protocol (as I suggested in my recent post) that there are differences in the groups sufficient that a user from group 1 can not just freely use group 2. If you post the details of how both groups are configured we could possibly help you figure out what you need to do to allow a user to use either group, assuming that your goal is to have users be able to use either group.
I do wonder if there is really a need to have two groups. Assuming that your goal is to have users able to use either the IPSec client or the AnyConnect client it should be possible to have one group configured that allows users to use either client. I have customers who are doing this - having a single group of users and the user can use either of the clients.
I believe that it is pretty clear that going forward the choice is going to be to use AnyConnect. It is clear that the IPSec client is on its way out and that your strategic direction should be to move toward AnyConnect.
For most of us the type of protocol used (IPSec or SSL) in the client does not matter so much. Perhaps there are some cases where an organization prefers to use IPSec rather than SSL. For those organizations it is interesting to note that in recent versions of AnyConnect Cisco has added the capability of the AnyConnect client to use IPSec as the encrypting protocol rather than just SSL as has been the case. So we can no longer say that if you want IPSec support that you must use the traditional client because there now is support for IPSec in AnyConnect.
Many thanks once again. We removed the Tunnel Lock and now have what we want in terms of using Local Accounts with both AnyConnect and Cisco IPSec clients.
Thanks for posting back and letting us know that you now have it doing what you wanted in terms of using both AnyConnect and the traditional IPSec client. I am glad that my advice was helpful in this.