Anyconnect - How does an SSL VPN user choose their group

Here is the background...
Users in several different administrative groups need to use the SSL VPN (i.e., Finance, Engineering, etc.).
When a user logs on, how do they choose the group that they should belong to?
I need to allocate specific IP ranges based upon their group assignment, etc.
Also, we're using RADIUS (ACS), which back-ends the authentication to Microsoft AD.

This was easy to do with Cisco VPN Client/IPSec because of the Group password and mapping it to the ASA and/or ACS, but how is this done with the SSL VPN Client (AnyConnect)? I see ways to configure tunnel groups, group policies, etc., but how does the ASA know which group the user SHOULD belong to?


RE: Anyconnect - How does an SSL VPN user choose their group

1) Group URLs
2) Using RADIUS to pass values back to the ASA when the user authenticates. For example, you can set up groups in AD that correspond to your VPN profiles. Add users to their respective group. I use MS IAS, so I create a new RADIUS policy for each AD group that I have created, use Windows-Groups as the criteria, and specify the group that should be matched. In the attributes section I choose the Class attribute and place the string OU=accounting_vpn_policy, OU=engineering_vpn_policy, etc. Within the ASA, create a new group-policy matching the value that you placed in the Class attribute (group-policy engineering_vpn_policy internal, group-policy accounting_vpn_policy internal, etc.). Go into the ASDM and create a new Dynamic Access Policy specifying that those users who match this DAP should have RADIUS value 25 (Class) equal to OU=engineering_vpn_policy, OU=accounting_vpn_policy, etc.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
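
An added example, not posted by anyone in this thread, sketching the ASA CLI side of both options from the reply above for one group. The group-policy name is the one from the reply; the pool range, the hostname vpn.example.com, the tunnel-group name ENGINEERING and the server-group name ACS_RADIUS are assumed placeholders.

```text
! Constructed example. ACS_RADIUS is assumed to be an existing RADIUS
! server group (defined with "aaa-server ACS_RADIUS protocol radius").

! Address range handed out to this group only
ip local pool ENG_POOL 10.10.20.10-10.10.20.250 mask 255.255.255.0

! Option 2: group policy named to match the Class (25) value that the
! RADIUS policy returns for the AD group: OU=engineering_vpn_policy
! group-lock refuses the session unless it arrived through the
! ENGINEERING tunnel group.
group-policy engineering_vpn_policy internal
group-policy engineering_vpn_policy attributes
 address-pools value ENG_POOL
 group-lock value ENGINEERING

! Option 1: a group URL lands the user on a specific tunnel group
! without a drop-down choice at login.
tunnel-group ENGINEERING type remote-access
tunnel-group ENGINEERING general-attributes
 authentication-server-group ACS_RADIUS
tunnel-group ENGINEERING webvpn-attributes
 group-url https://vpn.example.com/engineering enable
```

A group URL is chosen by the user, so on its own it does not restrict who can reach a tunnel group; the policy returned by RADIUS for the user's AD group, combined with group-lock, is what ties a user to the right pool.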
