IPsec client to Anyconnect migration....a few questions.

ROD FRANKLIN · ‎02-14-2013

Hello,

My current VPN setup consists of using ASA 5510's acting as VPN gateway's. Our users must download and install the cisco IPsec VPN client and then fill out a connection entry using the Group name and Group password that we supply them. After that, they must enter individual username and password to finish the VPN connection.

In this scenario we have many different VPN "groups" created on the ASA which utilize individual group policy on the IPsec profles on the ASA and ACL's to define what network resources each group has access to.

We are looking to migrate to the Cisco Anyconnect client now and I have done some prelimary testing and have a few questions. With the Any connect I have it so that users can connect to the ASA by using the https:xxx.xxx.xxx address of the ASA, which then downloads and installs the Anyconnect client.

Once the Anyconnect client is installed I see there are some options to have a a drop down box appear so the user can select different "groups" to connect to. These groups are the equivelant of the IPsec groups it seems...so that each group can have a different group policy on the ASA which will define what resources they have access too. There is no longer a need to have the user create a connection entry and fill out a "group name and password" like there is on the Ipsec client.

My concerns with this is that we have a lot of different groups and I would not like to have the users see all of them but only the ones they need access too, or none for that matter.

If I hide the group selection box..how do I specify which group the user will be connecting with? We run a mixed enviornment of ACS (radius) and Active Directory for user authentication, but all access rights are defined by the group policy's on the ASA VPN profiles. (split tunneling, and IP filters)

I am struggling a bit with this......the IPsec client was pretty straightforward, the users could only see the "groups" that we manually setup for them on the client but with Anyconnect it seems they either see all the groups, or none.

Can anyone shed some light on this or have any other suggestions for a migration from IPsec client to Anyconnect?

malshbou · ‎02-14-2013

Hi,

i think that the feature that is most suitable for you is "group-url" while disabling "tunnel-group-list".

you should go to webvpn configuration mode, and type "no tunnel-group-list enable", then under each tunnel-group webvpn-attributes, type "group-url" then the url you want for that group. after that you can tell the users about their group and ask them to connect to that url:

webvpn

no tunnel-group-list enable

tunnel-group TG webvpn-attributes

group-url https://asa-vpn1.companyA.com/Employees enable

------

Hope this helps

Mashal

------------------ Mashal Shboul

ROD FRANKLIN · ‎02-14-2013

Well that will work for the first time a user connects and needs to downoad the Anyconnect client.

After that however, when they start the Anyconnect client it breaks down. The reason why is that we use "tunnel-group lock" on our ACS/Radius server. This means the user must be trying to connect with VPN using ONLY the group they are assigned to.

In the above method when I log in using the any connect client (after going to web url and installing it) it tries to log in using the default webvpn group (I assume?) since the group selection box is now gone.....and this fails user authentication because our ACS box will only allow that user to connect if they are using the correct group.

This prevents users from using any group they wish and still passing..and enforces them only using the group they assigned to..thus getting the correct "Group Policy" rules from the ASA and limiting their resource access.

Any other ideas or suggestions?