SEC0125 - SSL VPN AnyConnect Client External Group Policy

Rating: 5 (average 5, 1 vote)
Difficulty Level: 0
The video shows how to centralize your Cisco ASA AnyConnect VPN client group-policy configuration on your RADIUS server, so that the configuration stays consistent across multiple ASA VPN devices. We will convert the group-policy configured in the previous lab into RADIUS attributes and, in addition, push out a Downloadable ACL (DACL). We will also demonstrate that per-user authorization still overrides the configuration received from the group-policy.
 
Topic:
  • Group-Policy (External)
  • Cisco VPN RADIUS Attributes
    • Banner1[15]
    • Simultaneous-Logins[2]
    • Tunneling-Protocols[11]
    • Address-Pools[217]
    • IPSec-Split-Tunneling-Policy[55]
    • IPSec-Split-Tunnel-List[27]
    • IPSec-Split-DNS-Names[29]
  • Per-User Authorization
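The attribute IDs in the list above only become a group-policy once the RADIUS server wraps them in Vendor-Specific Attributes (RFC 2865, type 26) and the ASA unwraps them. The following Python is an added example, not code from the lab or from labminutes.com: it encodes a constructed group-policy plus a DACL into raw RADIUS attribute bytes, decodes them back, and shows the per-user override the video describes. It assumes the listed attributes live under the Cisco VPN 3000 / Altiga vendor ID 3076, that the DACL travels as Cisco AV-Pair strings (vendor 9, type 1) of the form `ip:inacl#N=...`, and that the integer values for Tunneling-Protocols and Split-Tunneling-Policy follow the ASA attribute table (verify against your ASA version's documentation). The pool, ACL and banner names are made up.

```python
"""Encode/decode Cisco ASA VPN group-policy settings as RADIUS VSAs.

Added example (not from the lab). Wire format per RFC 2865 section 5.26:
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | data
"""
import struct

RADIUS_VSA_TYPE = 26

# Assumption: the attributes from the topic list sit under vendor ID 3076
# (Altiga / Cisco VPN 3000, also used by the ASA). IDs are from the page.
VENDOR_CISCO_VPN3000 = 3076
CISCO_VPN_ATTR = {
    "Banner1": 15,
    "Simultaneous-Logins": 2,
    "Tunneling-Protocols": 11,
    "Address-Pools": 217,
    "IPSec-Split-Tunneling-Policy": 55,
    "IPSec-Split-Tunnel-List": 27,
    "IPSec-Split-DNS-Names": 29,
}
# These three carry a 4-byte big-endian integer; the rest carry strings.
INTEGER_ATTRS = {"Simultaneous-Logins", "Tunneling-Protocols",
                 "IPSec-Split-Tunneling-Policy"}

# Assumption: a DACL is delivered as Cisco AV-Pair (vendor 9, type 1)
# strings "ip:inacl#N=<ace>", one attribute per ACE.
VENDOR_CISCO = 9
CISCO_AVPAIR = 1

# 255-byte attribute cap minus attr header (2), vendor-id (4), vendor hdr (2).
MAX_VENDOR_DATA = 255 - 2 - 4 - 2


def encode_vsa(vendor_id, vendor_type, data):
    """Wrap one vendor sub-attribute in a RADIUS type-26 attribute."""
    if len(data) > MAX_VENDOR_DATA:
        raise ValueError("VSA payload too long; split across attributes")
    body = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body


def decode_vsas(blob):
    """Walk a run of RADIUS attributes; return (vendor, type, data) per VSA.

    Assumes one vendor sub-attribute per VSA (how Cisco sends them) and
    rejects inconsistent lengths instead of reading past the buffer.
    """
    out, pos = [], 0
    while pos < len(blob):
        attr_type, attr_len = struct.unpack_from("!BB", blob, pos)
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("malformed attribute length")
        if attr_type == RADIUS_VSA_TYPE:
            vendor_id, vtype, vlen = struct.unpack_from("!IBB", blob, pos + 2)
            if vlen < 2 or vlen != attr_len - 6:
                raise ValueError("malformed vendor length")
            out.append((vendor_id, vtype, blob[pos + 8:pos + 8 + vlen - 2]))
        pos += attr_len
    return out


def encode_group_policy(policy, dacl=()):
    """Turn a {attribute-name: value} group-policy (+ DACL ACEs) into bytes."""
    attrs = []
    for name, value in policy.items():
        data = (struct.pack("!I", value) if name in INTEGER_ATTRS
                else value.encode("utf-8"))
        attrs.append(encode_vsa(VENDOR_CISCO_VPN3000, CISCO_VPN_ATTR[name], data))
    for n, ace in enumerate(dacl, 1):
        attrs.append(encode_vsa(VENDOR_CISCO, CISCO_AVPAIR,
                                f"ip:inacl#{n}={ace}".encode("utf-8")))
    return b"".join(attrs)


def decode_group_policy(blob):
    """Inverse of encode_group_policy: returns (policy dict, list of ACEs)."""
    by_id = {v: k for k, v in CISCO_VPN_ATTR.items()}
    policy, dacl = {}, []
    for vendor, vtype, data in decode_vsas(blob):
        if vendor == VENDOR_CISCO_VPN3000 and vtype in by_id:
            name = by_id[vtype]
            policy[name] = (struct.unpack("!I", data)[0]
                            if name in INTEGER_ATTRS else data.decode("utf-8"))
        elif vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
            text = data.decode("utf-8")
            if text.startswith("ip:inacl#"):
                dacl.append(text.split("=", 1)[1])
    return policy, dacl


def effective_policy(group, user):
    """Per-user attributes win over the same attribute from the group-policy."""
    merged = dict(group)
    merged.update(user)
    return merged


# Constructed sample group-policy; names and values are made up.
GROUP_POLICY = {
    "Banner1": "Authorized use only",
    "Simultaneous-Logins": 2,
    "Tunneling-Protocols": 48,   # assumption: 16 (WebVPN) + 32 (SVC/AnyConnect)
    "Address-Pools": "ANYCONNECT-POOL",
    "IPSec-Split-Tunneling-Policy": 1,   # assumption: 1 = split tunneling
    "IPSec-Split-Tunnel-List": "SPLIT-ACL",
    "IPSec-Split-DNS-Names": "corp.example",
}
DACL = ["permit ip any 10.10.0.0 255.255.0.0", "deny ip any any"]

if __name__ == "__main__":
    wire = encode_group_policy(GROUP_POLICY, DACL)
    print(f"{len(wire)} bytes of RADIUS attributes")
    print(decode_group_policy(wire))
    print(effective_policy(GROUP_POLICY, {"Simultaneous-Logins": 1}))
```

Running the file round-trips the sample policy and prints the merged result in which the per-user Simultaneous-Logins value replaces the group value, mirroring the precedence the video demonstrates. The decoder's length checks matter in practice: a RADIUS parser that trusts the Vendor-Length field without comparing it against the outer Length is a classic source of out-of-bounds reads.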

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

3 comments

Has anyone tried to implement external group-policies on ISE with the external group policy being applied on posture compliant status? Basically every user starts with a tunnel-all group-policy during posture unknown, then gets an updated group-policy (split-tunnel in my case) when they are compliant. I see the RADIUS attributes being sent to the ASA after the CoA, but the group-policy is not being applied to the user session.

Our experience shows that you cannot switch group-policy once the VPN session is up. You can however try to have ISE send an updated RADIUS attribute, such as DACL, to the existing group-policy and make it behave the way you want for that session, although we are not sure if the split-tunnel attribute is supported. Give it a try and let us know.

Thanks, my results seem to be the same as yours. Cannot send split-tunnel after the session is established. dACL however does work, so I've been able to work around the limitation and still meet the customer's requirement. Thank you for your response.