Prevent RADIUS user from connecting to Cisco AnyConnect profile

Posted on 2011-10-12
Last Modified: 2012-05-12

How can I prevent RADIUS-authenticated users from connecting to a Cisco AnyConnect connection profile? I have 2 profiles; can I restrict access to those with AD groups?
Question by:kimhed
    LVL 24

    Expert Comment

    by:Ken Boone CCIE #4649
    Yes, it is much easier IMHO to do this with LDAP instead. With LDAP you can set up an AD group and put the users in that group. Then you can set up your AnyConnect profile to authenticate the user against the AD server via LDAP. In addition it checks to see whether the user is a member of the group you created, and if so it will assign the appropriate policy after authentication.

    Here is a link you can look at:

    Also, here is another way of doing it based on the Dial-in allowed field:

    Hope this helps.

    Author Comment


    Maybe I wasn't clear enough, my fault :-)). I want to create 2 AD groups; if you are a member of one group, you can connect to one of the connection profiles but not the other.

    LVL 24

    Expert Comment

    by:Ken Boone CCIE #4649
    Well, that is what you can do. So you do not set a default policy on the tunnel group in the ASA. You have a policy configured. When the AD lookup occurs, if they are in 1 specific AD group then you map it to that policy; if they are in a different AD group you do not map to that policy, and therefore they don't match a policy in the ASA and they don't get in.

    Author Comment

    They don't need to be auto-mapped to a connection profile; it is OK if they can see both profiles when they log on, but if they choose, let's say, "VPNprofileAdmin" instead of "VPNprofileClient", they get a denied or something. I just want the same thing as you can do with local users (bind them to a specific connection profile).

    LVL 24

    Expert Comment

    by:Ken Boone CCIE #4649
    That is how I bind them to a specific profile. If they are a member of AD group A I bind them to VPNProfileAdmin - they have no choices, I automatically bind them. If they are a member of AD group B I bind them to VPNProfileClient - again they have no choices. This prevents them from selecting Admin instead of Client.

    Author Comment

    OK, can you specify how you do it? I'm not sure I fully understand it. Do you use DAP?

    LVL 24

    Accepted Solution

    So it's like this:

    First we set up a VPN group called Admin-VPN in AD and make the admin VPN users members of that group in AD. Then we create an LDAP attribute map which says IF the user is a member of Admin-VPN then we will map that user to the VPN profile of VPNprofileAdmin:

    ! Map the AD memberOf attribute onto the ASA's group-policy selector.
    ! The map-value target must match the group-policy name exactly, case included.
    ldap attribute-map group_policy_map
      map-name  memberOf IETF-Radius-Class
      map-value memberOf CN=Admin-VPN,OU=Groups,DC=companyname,DC=com VPNprofileAdmin

    Then we set up our LDAP stuff, which will define our LDAP server as well as an admin account that will be used when making the LDAP queries. We also attach the LDAP attribute map we defined above:

    ! LDAP server definition; the host IP was left out of the post.
    aaa-server LDAP-Server protocol ldap
    aaa-server LDAP-Server (inside) host
     ldap-base-dn dc=companyname, dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ! Bind account used for the group lookups; password masked in the post.
     ldap-login-password ******
     ldap-login-dn CN=Administrator,CN=Users,DC=companyname,DC=com
     server-type microsoft
     ldap-attribute-map group_policy_map

    Then we build the VPNprofileAdmin:

    ! Group policy that the attribute map selects; the dns-server and
    ! default-domain values were left out of the post.
    group-policy VPNprofileAdmin internal
    group-policy VPNprofileAdmin attributes
     dns-server value
     vpn-tunnel-protocol svc
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split-Tunnel
     default-domain value
     address-pools value SSLVPN-Pool
     webvpn
      ! The svc commands belong under the webvpn sub-mode of the group policy.
      svc keep-installer installed
      svc ask enable default svc

    Then we set up the tunnel-group:

    ! No default-group-policy line here, on purpose (see below).
    tunnel-group Customer-SSLVPN type remote-access
    tunnel-group Customer-SSLVPN general-attributes
     authentication-server-group LDAP-Server
    tunnel-group Customer-SSLVPN webvpn-attributes
     group-alias Customer-SSLVPN enable

    The key thing is that you do not specify a default group policy on the tunnel group. So with what I just showed you, the user must be in the AD group in order to connect to the VPN with the policy of VPNprofileAdmin. If the user is not in the appropriate AD group, there will be no matching policy to map them to, and there is no default policy, so it will fail the user.

    You can also set up another AD group which would be for client VPN users; you can add another entry in the LDAP attribute map to map those users to the VPNprofileClient group policy that you can set up.

    Now a user has to be in either one or the other of those groups to get access, and they will only be able to use the profile that is associated with that group.

    Hope that helps.
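
The selection logic the accepted solution relies on, as an added example that is not part of the thread: it parses an attribute map written in the same form as the one above (the second Client-VPN map-value is a constructed addition), resolves each user's memberOf values to a group-policy, and flags two things an admin should check before trusting the setup: users that match no mapped group (denied, because the tunnel group has no default policy) and users that sit in more than one mapped group. The first-match-wins rule and the sample users are assumptions of this model, not ASA behaviour stated on the page.

```python
"""Model ASA ldap attribute-map group-policy selection for an access audit."""
import re

# Constructed attribute-map text; the Client-VPN line is hypothetical and
# models the "two AD groups, two profiles" requirement from the question.
ATTRIBUTE_MAP_CONFIG = """
ldap attribute-map group_policy_map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=Admin-VPN,OU=Groups,DC=companyname,DC=com VPNprofileAdmin
  map-value memberOf CN=Client-VPN,OU=Groups,DC=companyname,DC=com VPNprofileClient
"""

def parse_attribute_map(config):
    """Return {memberOf DN (lower-cased): group-policy} from map-value lines."""
    mapping = {}
    for line in config.splitlines():
        m = re.match(r"\s*map-value\s+memberOf\s+(.+?)\s+(\S+)\s*$", line)
        if m:
            mapping[m.group(1).lower()] = m.group(2)  # DNs compare case-insensitively
    return mapping

def select_group_policy(member_of, mapping, default_policy=None):
    """Resolve a user's memberOf values to one group-policy.
    Assumption: the first memberOf value (in AD's order) that matches wins.
    default_policy stays None because the tunnel group above sets none."""
    for dn in member_of:
        policy = mapping.get(dn.lower())
        if policy:
            return policy
    return default_policy

def audit(users, mapping):
    """Per user: the resulting policy (or DENIED) and whether membership in
    more than one mapped group makes the outcome depend on AD ordering."""
    report = {}
    for user, member_of in users.items():
        matched = {mapping[dn.lower()] for dn in member_of if dn.lower() in mapping}
        policy = select_group_policy(member_of, mapping)
        report[user] = {"policy": policy or "DENIED (no matching group, no default policy)",
                        "ambiguous": len(matched) > 1}
    return report

# Constructed sample users and their AD group memberships
USERS = {
    "alice": ["CN=Admin-VPN,OU=Groups,DC=companyname,DC=com"],
    "bob":   ["CN=Client-VPN,OU=Groups,DC=companyname,DC=com", "CN=Staff,OU=Groups,DC=companyname,DC=com"],
    "carol": ["CN=Staff,OU=Groups,DC=companyname,DC=com"],
    "dave":  ["CN=Client-VPN,OU=Groups,DC=companyname,DC=com", "CN=Admin-VPN,OU=Groups,DC=companyname,DC=com"],
}

if __name__ == "__main__":
    for user, r in audit(USERS, parse_attribute_map(ATTRIBUTE_MAP_CONFIG)).items():
        print(f"{user:6} -> {r['policy']}" + ("  [in both groups: review]" if r["ambiguous"] else ""))
```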

    Author Closing Comment

    It's working, thx.
