Showing results for 
Search instead for 
Did you mean: 

User authentication and restricting to specific profile

Satisha k


Could you please explain me about the how can i restrict users to allow to connect only specific connection profiles in Anyconnect VPN.

I will be using RSA and digital certificate for the authentication type.

3 Replies 3

Hi Satisha,

If each user certificate has a specific attribute like the OU, you could create a certificate map and map the users to the specific profile.

Certificate mapping to anyconnect tunnel-group

If you are using a SDI over Radius you could use attribute 25 to define specific group-policies:

Configure ACS to Assign a Group Policy at Login using RADIUS

* It says ACS, but the configuration on the ASA is the same regardless of the RADIUS server.



Please rate any helpful posts.



What are you attempting to achieve by limiting on the Anyconnect profile and is it the best method?

The profiles allow you to verify the method of authentication and the potential grouping. If you can provide details of what you hope to achieve then I'm sure the responses will be better inline with your needs.

Best Regards


Sent from Cisco Technical Support iPad App

Hi All,

Thanks for your valuable time to respond.

Bascially i am tring to achive,my remote vpn users should be authenticated only with allowed profiles in the drop down list. Once the user  connect to Anyconnect VPN gateway, gateway will list all the profiles users will have to choose the right profile to authenticate. if the user tri with the other profile the user should not be able to login. i would like to go with the multiple profiles based on roles.  Users with one profile should not be able to connect the other profiles in the drop down list.

Here with Ex:

users  : user1,user2,user3  user1 will be sales profile, user2 will be Engineering and user3 will be server proiles.

when the user1 connect remote Anyconnect VPN after the posture modules and pre login checks he shouled be able to connect only sales profile and the other profiles should be denied to login. similar to other users tool

hope this example make sense.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers