Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2677
Views
0
Helpful
2
Replies

Multiple profiles ASA

Go to solution
garystephens1
Level 1
Level 1

‎07-11-2016 05:53 AM

So 1 ASA 5525

Scenario:-

Currently user authenticate using their AD credential in the pop up box as the anyconnect tunnel comes up, I now need to add access via mobile devices dial on demand. Obviously using certificates for these devices is the answer so what I want to know is can I use a certificate for mobiles and a different authentication system for other devices. I know this should be possible but cannot find the answer outside of running 2 asa's one for authentication mobiles and the 2nd for laptop mobile warriors, realising I could user multiple contexts but this is a virtual solution of the 2 box solution, Ideally I would want a profile that if authentication a fails then it moves onto test 2 if that fails final is fail

any thoughts?

Presently no ISE but we do have a radius

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mdussana
Level 1
Level 1

‎07-11-2016 02:03 PM

Hi Gary,

Certificates for your mobile devices is a good way to go. Then you will need two different tunnel groups/connection profiles. You are able to define custom URLs for different tunnel groups, for instance, your PCs will use https://vpn.yourvpn.com/primary and Mobile will use https://vpn.yourvpn.com/mobile. Of course, you should disable the List feature in order to have an effective solution.

Now, to avoid your mobile users to access https://vpn.yourvpn.com/primary I will configure DAP rules (Dynamic Access Policy) to block mobile devices when they try to connect to the wrong tunnel group. Please refer to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t4.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
mdussana
Level 1
Level 1

‎07-11-2016 02:03 PM

Hi Gary,

Certificates for your mobile devices is a good way to go. Then you will need two different tunnel groups/connection profiles. You are able to define custom URLs for different tunnel groups, for instance, your PCs will use https://vpn.yourvpn.com/primary and Mobile will use https://vpn.yourvpn.com/mobile. Of course, you should disable the List feature in order to have an effective solution.

Now, to avoid your mobile users to access https://vpn.yourvpn.com/primary I will configure DAP rules (Dynamic Access Policy) to block mobile devices when they try to connect to the wrong tunnel group. Please refer to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t4.

0 Helpful

Go to solution
garystephens1
Level 1
Level 1

‎07-11-2016 10:44 PM

Thanks for the pointer, not sure how I missed that section in the manual, I seem to have been back through it on more than one occasion!!

Br

G

0 Helpful
Customers Also Viewed These Support Documents