04-22-2013 03:06 AM - edited 02-21-2020 06:50 PM
Hi everyone who reads this,
Issue is as follows:
I have an ASA, configured for Clientless SSL VPN access, and as such, there is a name in the aliases part of the profile. So far so good.
Existing users connect to a https://, get a drop-down box, see the name of the alias, add username and password and connect.
NOTE - Authentication is via RADIUS.
So, I am now doing an AnyConnect installation, and we want to auth via IKEv2. Unfortunately, this access also needs to have SSL enabled as well.
So I add a new profile, add a new alias, and tick all the right (but wrong if you know what I mean as it's now working correctly) boxes.
When then running the AnyConnect client I get the sign-on box, and both profiles appear - that's OK for the new users as they need AnyConnect.
ISSUE is the existing users (and these are to only be given access via clientless method) can also see this new group - and as authenticated on the same server can then sign on and download the AnyConnect client - which I don't want.
Anyone with any ideas? Which will be gratefully received.
Stephen
04-22-2013 04:30 AM
Hi Stephen,
I think if you push a "group lock" attribute with the usernames, the existing users will fail to connect if they select a new group.
It's basically a feature with which you can restrict the users to select another group. I know how to use it with local authentication, but with RADIUS, maybe these forums can help you.
Regards,
~Harry
04-22-2013 05:04 AM
Harry,
Yes, that's what I read, that it can be done but via local sign on, but through the RADIUS side, it seems a bit more tricky.
Stephen