View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0125 - SSL VPN AnyConnect Client External Group Policy

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0125 - Video Download $7.00
Purchase SEC0125 - Video Download $7.00
The video helps you centralize your Cisco ASA AnyConnect VPN client group-policy configuration to your RADIUS server in case you would like to maintain configuration consistency on multiple ASA VPN devices. We will convert the group-policy configured in the previous lab into RADIUS attributes and, in addition, push out a Downloadable ACL (DACL). We will also demonstrate how per-user authorization still overwrites the configuration received from the group-policy. 
  • Group-Policy (External)
  • Cisco VPN RADIUS Attributes
    • Banner1[15]
    • Simultaneous-Logins[2]
    • Tunneling-Protocols[11]
    • Address-Pools[217]
    • IPSec-Split-Tunneling-Policy[55]
    • IPSec-Split-Tunnel-List[27]
    • IPSec-Split-DNS-Names [29]
  • Per-User Authorization

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


has anyone tried to implement external group-policies on ISE with the external group policy being applied on posture compliant status? Basically every user starts with a tunnel-all group-policy during posture unknown then gets an updated group-policy (split-tunnel in my case) when they are compliant. i see the radius attributes being sent to the ASA after the CoA but the group-policy is not being applied to the user session.

Our expience shows that you cannot switch group-policy once VPN session is up. You can however try to have ISE send an updated RADIUS attribute, such as DACL, to the existing group-policy and make it behave the way you want for that session, although we are not sure if split-tunnel attribute is supported. Give it a try and let us know

thanks, my results seem to be the same as yours. Cannot send split-tunnel after the session is established. dACL however does work, so i've been able to work around the limitation and still meet the customers requirement. thank you for your response.

Lab Minutes Classifieds