
User authentication and restricting to specific profile

Satisha k
Level 1

Hi

Could you please explain to me how I can restrict users so that they are allowed to connect only to specific connection profiles in AnyConnect VPN?

I will be using RSA and digital certificate for the authentication type.


Hi Satisha,

If each user certificate has a specific attribute like the OU, you could create a certificate map and map the users to the specific profile.

Certificate mapping to anyconnect tunnel-group

If you are using SDI over RADIUS, you could use attribute 25 to define specific group-policies:

Configure ACS to Assign a Group Policy at Login using RADIUS

* It says ACS, but the configuration on the ASA is the same regardless of the RADIUS server.

HTH.

Portu.

Please rate any helpful posts.
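The two approaches from the reply above, sketched as an ASA configuration fragment. This is an added example, not part of the original post or of the linked Cisco documents. All names (CERT-MAP, SALES-TG, ENG-TG, SALES-GP, ENG-GP) and the OU values are constructed, and the `group-lock` lines are an addition the reply does not mention: they are what makes the ASA reject a user who picks a connection profile other than the one tied to the group policy RADIUS assigned.

```cisco
! Constructed names throughout; the tunnel-groups (connection profiles)
! SALES-TG and ENG-TG are assumed to exist already.
!
! 1) Certificate map: select the connection profile from the OU in the
!    user certificate's subject.
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq Sales
crypto ca certificate map CERT-MAP 20
 subject-name attr ou eq Engineering
!
webvpn
 certificate-group-map CERT-MAP 10 SALES-TG
 certificate-group-map CERT-MAP 20 ENG-TG
!
! 2) RADIUS attribute 25 (Class): the RADIUS server returns, per user,
!    a value of the form  OU=SALES-GP;  and the ASA applies the group
!    policy of that name at login.
group-policy SALES-GP internal
group-policy SALES-GP attributes
 ! Added here, not in the reply: deny the session unless the user
 ! came in through the SALES-TG connection profile.
 group-lock value SALES-TG
!
group-policy ENG-GP internal
group-policy ENG-GP attributes
 group-lock value ENG-TG
```

With this in place, a user whose RADIUS record returns `OU=SALES-GP;` and who selects ENG-TG from the drop-down list authenticates but is refused the session, which shows up as a failed login in the ASA syslog.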

ju_mobile
Level 1

Satisha,

What are you attempting to achieve by limiting on the AnyConnect profile, and is it the best method?

The profiles allow you to verify the method of authentication and the potential grouping. If you can provide details of what you hope to achieve then I'm sure the responses will be better in line with your needs.

Best Regards

Julian

Sent from Cisco Technical Support iPad App

Hi All,

Thanks for your valuable time to respond.

Basically, what I am trying to achieve is that my remote VPN users should be authenticated only with allowed profiles in the drop-down list. Once the user connects to the AnyConnect VPN gateway, the gateway will list all the profiles, and users will have to choose the right profile to authenticate. If the user tries with another profile, the user should not be able to log in. I would like to go with multiple profiles based on roles. Users with one profile should not be able to connect to the other profiles in the drop-down list.

Here is an example:

Users: user1, user2, user3. user1 will be the sales profile, user2 will be Engineering and user3 will be the server profile.

When user1 connects to the remote AnyConnect VPN, after the posture modules and pre-login checks he should be able to connect only to the sales profile, and the other profiles should be denied login. Similarly for the other users too.

Hope this example makes sense.