10-01-2009 09:13 AM
I am demoing the AnyConnect VPN client. I have (1) 5505 in-house and I need to provide access to 4 different groups: Company A with standard LDAP logins, Company A with LDAP and RSA tokens, Company B with standard LDAP logins, and Company B with LDAP and RSA tokens.
I want to use the same hostname, mainly because I don't want to buy multiple certificates and I don't want users to have to choose between profiles at login. I have no problem creating 4 custom clients.
What is the best way to do this? Is this an alias type thing? How do I build this into the client?
Thanks in advance,
Justin
10-02-2009 07:49 AM
Justin-
In the client you can specify a User Group, but the client takes the user group name along with the host address and creates a URL for that specific group.
For example, let's use departments. I configure SSLVPN for my company, acme.com. I have three departments: marketing, engineering and support. I first create the XML file for marketing-
The client now builds the customer URL and tries to connect to it. The URL is marketing.acme.com.
You would then continue with engineering and support. The problem you will have is that there is only one valid URL and you cannot specify the User Group. The only workaround I know of is to use a wildcard certificate on the ASA. Then you can configure as many client groups as you wish.
10-05-2009 11:49 AM
Justin,
You want to create unique IP Scopes, VPN Filters, Group-Policy, and Tunnel-groups for these companies.
i.e.:
Company A has
* a DHCP Scope of 10.1.1.10-250/24
* a VPN Filter that restricts their access to only one subnet inside your VPN
* a Group-Policy that specifies the dns-servers/vpn timeouts/split-tunneling policy/specific DHCP Pool to assign addresses from
* and a Tunnel-Group that tells the concentrator which authentication server(s) to use as well as tying it all together by linking the group with the policy created above.
You can dynamically assign tunnel-groups (so the user doesn't have to select from a dropdown) using SecureACS RADIUS option 25 (class) (set it to "ou=
Hope that helps. Rate if it does!
10-07-2009 04:35 AM
Thank you both for your replies. I've set it up so the URIs are unique,
i.e.
vpn.acme.com/company1
vpn.acme.com/company2
Then I edit the preferences.xml during a custom install to point to the appropriate URL. On the switch side, I've attached the URLs to the appropriate connection profiles.
I'm assuming this is an ok approach? It seems to work ok. Let me know if you see any problems with it.
Thanks again,
Justin
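The following ASA configuration is an added example, not the original poster's or any replier's configuration, that ties together the third reply (separate IP pool, VPN filter, group-policy and tunnel-group per company) and the fourth (one hostname and one certificate, with a distinct group-url per connection profile so the client lands in the right tunnel-group without a dropdown). All names, addresses and subnets are constructed placeholders; the RSA-token profiles use secondary authentication (available from ASA 8.2), which is an assumption about the software version, and the RADIUS class-attribute assignment mentioned in the third reply is not shown. The interface names and the AnyConnect package path are placeholders as well.

```cisco
! --- Address pools: one per company so assigned ranges never overlap (constructed ranges) ---
ip local pool COMPANY-A-POOL 10.1.1.10-10.1.1.250 mask 255.255.255.0
ip local pool COMPANY-B-POOL 10.1.2.10-10.1.2.250 mask 255.255.255.0

! --- VPN filters: each company may reach only its own internal subnet ---
! (applied per session by the group-policy; everything not permitted is dropped)
access-list COMPANY-A-FILTER extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list COMPANY-B-FILTER extended permit ip 10.1.2.0 255.255.255.0 192.168.20.0 255.255.255.0

! --- Split-tunnel lists: only the company subnet is sent through the tunnel ---
access-list COMPANY-A-SPLIT standard permit 192.168.10.0 255.255.255.0
access-list COMPANY-B-SPLIT standard permit 192.168.20.0 255.255.255.0

! --- Authentication servers (placeholder hosts and bind DNs) ---
aaa-server COMPANY-A-LDAP protocol ldap
aaa-server COMPANY-A-LDAP (inside) host 192.168.10.5
 ldap-base-dn dc=companya,dc=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=companya,dc=example
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft
aaa-server COMPANY-B-LDAP protocol ldap
aaa-server COMPANY-B-LDAP (inside) host 192.168.20.5
 ldap-base-dn dc=companyb,dc=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=companyb,dc=example
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft
! RSA SecurID (SDI) server shared by both token-based profiles
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.168.1.20

! --- Group policies: DNS, timeouts, split tunneling, filter and pool per company ---
group-policy COMPANY-A-GP internal
group-policy COMPANY-A-GP attributes
 dns-server value 192.168.10.5
 vpn-idle-timeout 30
 vpn-tunnel-protocol svc
 vpn-filter value COMPANY-A-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COMPANY-A-SPLIT
 address-pools value COMPANY-A-POOL
group-policy COMPANY-B-GP internal
group-policy COMPANY-B-GP attributes
 dns-server value 192.168.20.5
 vpn-idle-timeout 30
 vpn-tunnel-protocol svc
 vpn-filter value COMPANY-B-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COMPANY-B-SPLIT
 address-pools value COMPANY-B-POOL

! --- AnyConnect on the outside interface; one certificate for vpn.acme.com serves every profile ---
webvpn
 enable outside
 svc image disk0:/anyconnect-PLACEHOLDER.pkg 1
 svc enable

! --- Tunnel groups: four profiles, each selected by its own group-url path ---
! Company A, LDAP password only
tunnel-group COMPANY-A-LDAP type remote-access
tunnel-group COMPANY-A-LDAP general-attributes
 authentication-server-group COMPANY-A-LDAP
 default-group-policy COMPANY-A-GP
tunnel-group COMPANY-A-LDAP webvpn-attributes
 group-url https://vpn.acme.com/company1 enable
! Company A, RSA token first, then LDAP password (assumes ASA 8.2+ double authentication)
tunnel-group COMPANY-A-TOKEN type remote-access
tunnel-group COMPANY-A-TOKEN general-attributes
 authentication-server-group RSA-SDI
 secondary-authentication-server-group COMPANY-A-LDAP
 default-group-policy COMPANY-A-GP
tunnel-group COMPANY-A-TOKEN webvpn-attributes
 group-url https://vpn.acme.com/company1-token enable
! Company B, LDAP password only
tunnel-group COMPANY-B-LDAP type remote-access
tunnel-group COMPANY-B-LDAP general-attributes
 authentication-server-group COMPANY-B-LDAP
 default-group-policy COMPANY-B-GP
tunnel-group COMPANY-B-LDAP webvpn-attributes
 group-url https://vpn.acme.com/company2 enable
! Company B, RSA token first, then LDAP password
tunnel-group COMPANY-B-TOKEN type remote-access
tunnel-group COMPANY-B-TOKEN general-attributes
 authentication-server-group RSA-SDI
 secondary-authentication-server-group COMPANY-B-LDAP
 default-group-policy COMPANY-B-GP
tunnel-group COMPANY-B-TOKEN webvpn-attributes
 group-url https://vpn.acme.com/company2-token enable
```

With this layout the certificate only has to match the hostname vpn.acme.com; the path after it is matched by the ASA against the configured group-urls to pick the tunnel-group, which is why no dropdown or wildcard certificate is needed. Each custom client install then just needs its server entry pointed at the matching URL (for example vpn.acme.com/company1), as the fourth post describes. Two checks worth doing after deploying: log in with a Company A account and confirm with `show vpn-sessiondb svc` that the session shows the expected group-policy and an address from COMPANY-A-POOL, and then verify that traffic from that session to Company B's subnet is dropped by the vpn-filter rather than merely unrouted, since the filter is what keeps the two companies from reaching each other through the shared concentrator.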