Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
512
Views
1
Helpful
7
Replies

Users cannot choose a profile when connecting to a VPN (AnyConnect)

Go to solution
andrycorry
Level 1
Level 1

‎02-15-2024 05:29 AM - edited ‎02-15-2024 05:33 AM

Hello!

I can't find a solution to my problem.

I have a cisco asa configured, it has several profiles with SSO authorization and everything works fine.

The problem is that users are not able to change the profiles because after clicking "Connect" they are immediately authorized through the MS account, which does not allow them to change the profile. The problem exists in both Windows and MacOS.

Could you please tell me how to configure ASA so that users can select a profile before automatic authorization?

If you need more information, I will share it

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
7 Replies 7

Go to solution
andrycorry
Level 1
Level 1

‎02-15-2024 05:30 AM - edited ‎02-15-2024 05:31 AM

n

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎02-15-2024 05:57 AM

If I understood correctly, you want the users to be able to select the tunnel group they want to connect to? if so, you need to enable group alias list under webvpn global config, and then you would need to create your aliases under each tunnel group similar to this:

webvpn
   tunnel-group-list enable

tunnel-group Group1 webvpn-attri
   group-alias Group1 enable
tunnel-group Group2 webvpn-attri
   group-alias Group2 enable
tunnel-group Group3 webvpn-attri
   group-alias Group3 enable

0 Helpful

Go to solution
andrycorry
Level 1
Level 1
In response to Aref Alsouqi

‎02-15-2024 07:16 AM

Thank you for your reply!

You may have misunderstood me, so I'll try to describe the configuration and the problem in more detail.

Cisco ASA is installed on local servers and I use Cisco ASDM to configure it.

I use the "Remote access VPN", on which I have several connection profiles configured with different group policies and addressing. SSO authorization via Microsoft Azure is configured on each profile.

When connecting to the VPN, a window appears with a microsoft login "2" and a window with a choice of a profile for connection "1", but due to the fact that authorization in Microsoft is automatic, I have no way to select a group in the window "1". Is it possible to configure so that users first select a group and then the Microsoft login window opens?

Screenshot 2024-02-15 at 15.37.08.png

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎02-15-2024 09:35 AM

Could you please share your ASA VPN sanitized configs for review?

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to andrycorry

‎02-19-2024 01:02 AM - edited ‎02-19-2024 01:03 AM

That was exactly what I referred to as the group alias enablement in my first post :-D. Glad to know the issue is fixed now.

0 Helpful

Go to solution
andrycorry
Level 1
Level 1
In response to Aref Alsouqi

‎02-19-2024 01:15 AM - edited ‎02-19-2024 01:15 AM

Sorry, I don't have enough experience to understand everything so easily :-D.

Thank you for your support

0 Helpful
Customers Also Viewed These Support Documents