05-03-2014 08:40 AM
Hi there,
With an ASA5512x, is it possible to have AnyConnect dial-in PC users asked for their login credentials AND also a one-time password,
whereas smartphone users only need to provide their login and a password, without the need to manually choose the profile?
I set up two tunnel-groups:
1) is asking an LDAP server for authentication
2) is contacting a RADIUS server running One Time Password software.
Is there a way to have the ASA assign smartphone users (based on their OS) to automatically use the first profile (which has limited access to intranet resources) and have AnyConnect PC users pinned to the second tunnel group? Dynamic Access Policies seem to be able to differentiate only "within" a tunnel-group.
Thank you very much!
Regards,
David
05-03-2014 09:03 AM
I never tried it that way, but if it doesn't work (which I suspect) there is a workaround:
05-03-2014 09:07 AM
Thanks a lot for this info!
Since PC and smartphone users have the AnyConnect (mobile) client, the DNS name of the security gateway is the same for both :-/
05-03-2014 09:18 AM
That doesn't matter, each tunnel-group can have a unique url:
tunnel-group TG1 webvpn-attributes
 group-alias TG1 enable
 group-url https://vpn.example.net/tg1 enable
!
tunnel-group TG2 webvpn-attributes
 group-alias TG2 enable
 group-url https://vpn.example.net/tg2 enable
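
For reference, an added example (not part of the original posts) of how the two group-urls from the reply above can tie each client type to its own authentication backend on the ASA. The server-group names LDAP_SRV and OTP_RADIUS, the group-policy names, the ACL and its addresses are assumptions for illustration, and both aaa-server groups are assumed to be defined already.

```text
! Added example; every name and address below is hypothetical.
! ACL applied as a VPN filter to limit what the smartphone group can reach.
! 10.99.1.0/24 stands in for the mobile address pool, 192.0.2.10 for an intranet host.
access-list ACL_MOBILE extended permit tcp 10.99.1.0 255.255.255.0 host 192.0.2.10 eq 443
!
group-policy GP_MOBILE internal
group-policy GP_MOBILE attributes
 vpn-filter value ACL_MOBILE
!
group-policy GP_PC internal
!
! TG1: smartphones, login and password checked against LDAP only.
tunnel-group TG1 type remote-access
tunnel-group TG1 general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_MOBILE
tunnel-group TG1 webvpn-attributes
 group-alias TG1 enable
 group-url https://vpn.example.net/tg1 enable
!
! TG2: PCs, authenticated by the RADIUS server running the OTP software.
tunnel-group TG2 type remote-access
tunnel-group TG2 general-attributes
 authentication-server-group OTP_RADIUS
 default-group-policy GP_PC
tunnel-group TG2 webvpn-attributes
 group-alias TG2 enable
 group-url https://vpn.example.net/tg2 enable
!
! Clients then use the full URL as the server address, so no profile has to be picked by hand:
!   smartphones -> vpn.example.net/tg1
!   PCs         -> vpn.example.net/tg2
```

The group-url only selects the tunnel-group and does not verify what kind of device is connecting, so the limits on TG1 have to be enforced by its group-policy or by a Dynamic Access Policy within that tunnel-group.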