SEC0125 - SSL VPN AnyConnect Client External Group Policy
Category:
Security
This video shows how to centralize your Cisco ASA AnyConnect VPN client group-policy configuration on your RADIUS server, so that the configuration stays consistent across multiple ASA VPN devices. We will convert the group-policy configured in the previous lab into RADIUS attributes and, in addition, push out a Downloadable ACL (DACL). We will also demonstrate how per-user authorization still overrides the configuration received from the group-policy.
Topic:
- Group-Policy (External)
- Cisco VPN RADIUS Attributes
  - Banner1 [15]
  - Simultaneous-Logins [2]
  - Tunneling-Protocols [11]
  - Address-Pools [217]
  - IPSec-Split-Tunneling-Policy [55]
  - IPSec-Split-Tunnel-List [27]
  - IPSec-Split-DNS-Names [29]
- Per-User Authorization
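As an added example (not code from the lab or from Cisco), the following Python builds the Cisco vendor-specific attributes named in the topic list from a set of group-policy values, parses them back the way an ASA would read them out of a RADIUS Access-Accept, and applies the per-user override rule. The vendor ID 3076, the RFC 2865 VSA layout and the integer values for Tunneling-Protocols and the split-tunnel policy are assumptions taken from public Cisco attribute tables rather than from this page; the pool, ACL and DNS names are constructed.

```python
import struct

VENDOR_ID = 3076  # Cisco VPN3000/ASA RADIUS vendor ID (assumed, not stated on the page)
# Attribute numbers as listed in the lab topics; the kind decides the wire encoding.
ATTRS = {
    "Banner1": (15, "string"),
    "Simultaneous-Logins": (2, "integer"),
    "Tunneling-Protocols": (11, "integer"),
    "Address-Pools": (217, "string"),
    "IPSec-Split-Tunneling-Policy": (55, "integer"),
    "IPSec-Split-Tunnel-List": (27, "string"),
    "IPSec-Split-DNS-Names": (29, "string"),
}
NUM_TO_NAME = {num: (name, kind) for name, (num, kind) in ATTRS.items()}
SVC = 32  # Tunneling-Protocols bit for the SSL VPN client (AnyConnect); assumed value

def encode_vsa(name, value):
    """RFC 2865 VSA: type 26, length, vendor-id, then vendor-type, vendor-length, data."""
    num, kind = ATTRS[name]
    data = value.encode() if kind == "string" else struct.pack("!I", value)
    body = struct.pack("!BB", num, len(data) + 2) + data
    return struct.pack("!BBI", 26, len(body) + 6, VENDOR_ID) + body

def decode_vsas(attrs):
    """Walk a run of RADIUS attributes and return the Cisco VSAs as {name: value}."""
    out, pos = {}, 0
    while pos < len(attrs):
        atype, alen = struct.unpack_from("!BB", attrs, pos)
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")  # never loop on a bad length
        if atype == 26 and alen >= 8:
            vendor, vtype, vlen = struct.unpack_from("!IBB", attrs, pos + 2)
            if vendor == VENDOR_ID and vtype in NUM_TO_NAME and vlen - 2 <= alen - 8:
                data = attrs[pos + 8 : pos + 6 + vlen]
                name, kind = NUM_TO_NAME[vtype]
                out[name] = data.decode() if kind == "string" else struct.unpack("!I", data)[0]
        pos += alen  # non-Cisco attributes (User-Name, Class, ...) are skipped
    return out

def effective_policy(group_policy, per_user):
    return {**group_policy, **per_user}  # per-user attributes win over group-policy ones

if __name__ == "__main__":
    # Constructed group-policy values in the spirit of the lab (names are made up).
    group = {"Banner1": "Authorized use only", "Simultaneous-Logins": 3, "Tunneling-Protocols": SVC,
             "Address-Pools": "ANYCONNECT-POOL", "IPSec-Split-Tunneling-Policy": 1,  # 1 = split (assumed)
             "IPSec-Split-Tunnel-List": "SPLIT-TUNNEL-ACL", "IPSec-Split-DNS-Names": "lab.example"}
    wire = b"".join(encode_vsa(k, v) for k, v in group.items())
    print(effective_policy(decode_vsas(wire), {"Simultaneous-Logins": 1}))
```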
3 comments
External Group Policy + Posture
Has anyone tried to implement external group-policies on ISE with the external group policy being applied on posture compliant status? Basically every user starts with a tunnel-all group-policy during posture unknown, then gets an updated group-policy (split-tunnel in my case) when they are compliant. I see the RADIUS attributes being sent to the ASA after the CoA, but the group-policy is not being applied to the user session.
External Group Policy + Posture
Our experience shows that you cannot switch group-policy once the VPN session is up. You can, however, try to have ISE send an updated RADIUS attribute, such as a DACL, to the existing group-policy and make it behave the way you want for that session, although we are not sure if the split-tunnel attribute is supported. Give it a try and let us know.
thanks, my results seem to be
Thanks, my results seem to be the same as yours. Cannot send split-tunnel after the session is established. DACL, however, does work, so I've been able to work around the limitation and still meet the customer's requirement. Thank you for your response.