Issues with Anyconnect SSL access - need to restrict access.

Stephen Carter
Level 1

Hi everyone who reads this,

Issue is as follows :-

I have an ASA, configured for Clientless SSL VPN access, and as such, there is a name in the aliases part of the profile. So far so good.

Existing users connect to a https://, get a drop-down box, see the name of the alias, add a username and password, and connect.

NOTE - Authentication is via RADIUS.

So, I am now doing an AnyConnect installation, and we want to auth via IKEv2. Unfortunately, this access also needs to have SSL enabled as well.

So I add a new profile, add a new alias, and tick all the right (but wrong, if you know what I mean, as it's now working correctly) boxes.

When then running the AnyConnect client I get the sign-on box, and both profiles appear - that's OK for the new users as they need AnyConnect.

ISSUE is the existing users (and these are to only be given access via the clientless method) can also see this new group - and, as they are authenticated on the same server, can then sign on and download the AnyConnect client - which I don't want.

Anyone with any ideas? Which will be gratefully received.

Stephen

2 Replies

harshisi_2
Level 1

Hi Stephen,

I think if you push a "group lock" attribute with the usernames, the existing users will fail to connect if they select a new group.

It's basically a feature with which you can restrict the users to select another group. I know how to use it with local authentication, but with RADIUS, maybe these forums can help you.

Regards,

~Harry

Harry,

Yes, that's what I read, that it can be done but via local sign on, but through the RADIUS side, it seems a bit more tricky.

Stephen