Select Tunnel-Group based on device's OS

DOMJAHN DAVID
Level 1

Hi there,

Having an ASA5512x, is it possible to have AnyConnect dial-in PC users asked for their login credentials AND also a one-time password,

whereas smartphone users only need to provide their login and a password, without the need to manually choose the profile?

I set up two tunnel-groups:

1) is asking a LDAP server for authentication

2) is contacting a RADIUS server running One Time Password software.

Is there a way to have the ASA assign smartphone users (based on their OS) automatically to the first profile (which has limited access to intranet resources) and have AnyConnect PC users pinned to the second tunnel-group? Dynamic Access Policies seem to be able to differentiate only "within" a tunnel-group.

 

Thank you very much!

Regards,

David


3 Replies

I never tried it that way, but if it doesn't work (which I suspect) there is a workaround:

  1. Point your clients to the two different tunnel-groups with the help of tunnel-group-urls.
  2. Later in the DAP enforce that the client doesn't use the wrong tunnel-group.

Thanks a lot for this info!

Since PC and smartphone users have the AnyConnect (mobile) client, the DNS name of the security gateway is the same for both :-/

That doesn't matter, each tunnel-group can have a unique url:

tunnel-group TG1 webvpn-attributes
  group-alias TG1 enable
  group-url https://vpn.example.net/tg1 enable
!
tunnel-group TG2 webvpn-attributes
  group-alias TG2 enable
  group-url https://vpn.example.net/tg2 enable
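Putting the two answers together, here is an added example (not from the thread) of what the two tunnel-groups could look like end to end, each bound to its own AAA server group and group-policy and reached through its own group-url. Server names, host addresses, the split-tunnel ACL name and the group-policy names are assumed.

```cisco
! AAA server groups: LDAP for password-only logins, RADIUS for the OTP backend
! (names and addresses are assumed)
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=net
 ldap-login-password <bind-password>
 server-type microsoft
!
aaa-server OTP_RADIUS protocol radius
aaa-server OTP_RADIUS (inside) host 10.0.0.20
 key <radius-shared-secret>
!
! Group-policy for smartphones: limited intranet reach via a split-tunnel ACL
group-policy GP_MOBILE internal
group-policy GP_MOBILE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTRANET_LIMITED
!
! Group-policy for PCs: full access after LDAP password + OTP
group-policy GP_PC internal
group-policy GP_PC attributes
 vpn-tunnel-protocol ssl-client
!
! TG1: smartphones, LDAP password only, reached via /tg1
tunnel-group TG1 type remote-access
tunnel-group TG1 general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_MOBILE
tunnel-group TG1 webvpn-attributes
 group-url https://vpn.example.net/tg1 enable
!
! TG2: PCs, RADIUS/OTP, reached via /tg2
tunnel-group TG2 type remote-access
tunnel-group TG2 general-attributes
 authentication-server-group OTP_RADIUS
 default-group-policy GP_PC
tunnel-group TG2 webvpn-attributes
 group-url https://vpn.example.net/tg2 enable
```

The AnyConnect client profile pushed to each device type can carry the path in its host entry (vpn.example.net/tg2 for the PC profile, vpn.example.net/tg1 for the mobile profile), so no user picks a group by hand; the DAP step from the first reply then covers a client that connects to the wrong URL anyway.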
