Hi Ryan,
It help me a lot. My scenario is one ASA5540 with the next license:
ASA5540# sh ver | i AnyConnect
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
ASA5540#
And I have a test ASA5505 with the next license:
ASA-AnyConnect# sh ver | i AnyConnect
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
ASA-AnyConnect#
Not sure yet which are the differences between these two, I am just reading
the docs.
I also have a Cisco Secure ASA 5.1 where users get authenticated. What I am
trying to do is to move from regular Remote IPSec VPN to AnyConnect or Scan
Safe. AnyConnect can give me web security using the WSA. Scan Safe can give
me web security on the cloud. So I am trying to see if AnyConnect will have
all the features we had with the old remote VPN IPSec. It seems that yes,
but I will need to test it and even make things better.
AnyConnect V3.0 supports also Scan Safe, so my first step is to try out
AnyConnect 2.5, then move to V3.0. I want to have the group-policy is tied
to ACS 5.1 rather than tied to LDAP or RADIUS, but this is the last step.
My approach is that at the end roaming users should have web security,
latest AV updates and latest OS patches, I am starting first of all with web
security.
Thanks Man !.,
Regards.
-----Original Message-----
From: Ryan West
Sent: Thursday, January 20, 2011 4:01 PM
To: Edouard Zorrilla ; ccielab_at_groupstudy.com ; security_at_groupstudy.com
Subject: RE: Anyconnect profiles
The group-policy is tied either to the user locally on the ASA or is
determined via LDAP or RADIUS. The profiles are defined under the
group-policy.
After re-reading your first email, we may be talking about two different
things.. If you're talking about the group authentication name with the
classic IPSec VPN client, you have the option of creating a
tunnel-group-list and alias that allows for a drop down on the webvpn
authentication page. You can also use a host header option (group-url) that
Tyson brought up a couple of months back. If you're feeling fancy, you can
enable both.
If you're trying to get things like start before logon working, then you'll
need to create the profiles that I mentioned earlier.
Can you explain your scenario a bit better?
Thanks,
-ryan
-----Original Message-----
From: Edouard Zorrilla [mailto:ezorrilla_at_tsf.com.pe]
Sent: Thursday, January 20, 2011 6:50 PM
To: Ryan West; ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: Anyconnect profiles
Thanks Ryan,
If I allow the user choose his profile, it would mean then that an user can
choose a wrong profile and connect to the network. Is that all right ?. I
will read all the document and hopefully I can find there where can I tie
the user and its profile.
Regards !.,
-----Original Message-----
From: Ryan West
Sent: Thursday, January 20, 2011 2:44 PM
To: Edouard Zorrilla ; ccielab_at_groupstudy.com ; security_at_groupstudy.com
Subject: RE: Anyconnect profiles
Check here:
This mentions using it via ASDM, but you can download the profile editor
standalone too. Then you create the xml profile, upload it to the ASA, and
reference it under the webvpn global section. Then you can call to it from
your group-policies.
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Thursday, January 20, 2011 5:38 PM
To: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Anyconnect profiles