Edouard,
I think most of your answers are here:
To summarize: your licensing looks fine for ScanSafe, but you'll need to run AnyConnect 3.0 in order for it to work. Although the licensing page is confusing, I think Table 2 covers it.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html
-ryan
-----Original Message-----
From: Edouard Zorrilla [mailto:ezorrilla_at_tsf.com.pe]
Sent: Thursday, January 20, 2011 8:07 PM
To: Ryan West; ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: Anyconnect profiles
(Disregard the last one, read this please)
Hi Ryan,
It helps me a lot. My scenario is one ASA5540 with the next license:
ASA5540# sh ver | i AnyConnect
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
ASA5540#
And I have a test ASA5505 with the next license:
ASA-AnyConnect# sh ver | i AnyConnect
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
ASA-AnyConnect#
Not sure yet which are the differences between these two, I am just reading the docs.
I also have a Cisco Secure ASA 5.1 where users get authenticated. What I am trying to do is to move from regular Remote IPSec VPN to AnyConnect or Scan Safe. AnyConnect can give me web security using the WSA. Scan Safe can give me web security on the cloud. So I am trying to see if AnyConnect will have all the features we had with the old remote VPN IPSec. It seems that yes, but I will need to test it and even make things better.
AnyConnect V3.0 also supports Scan Safe, so my first step is to try out AnyConnect 2.5, then move to V3.0. I want to have the user tied to ACS 5.1 rather than tied to LDAP or RADIUS as there are no groups on my AD, but this is the last step.
My approach is that at the end roaming users should have web security, latest AV updates and latest OS patches, I am starting first of all with web security.
Thanks, man!
Regards.
-----Original Message-----
From: Ryan West
Sent: Thursday, January 20, 2011 4:01 PM
To: Edouard Zorrilla ; ccielab_at_groupstudy.com ; security_at_groupstudy.com
Subject: RE: Anyconnect profiles
The group-policy is tied either to the user locally on the ASA or is determined via LDAP or RADIUS. The profiles are defined under the group-policy.
After re-reading your first email, we may be talking about two different things. If you're talking about the group authentication name with the classic IPSec VPN client, you have the option of creating a tunnel-group-list and alias that allows for a drop down on the webvpn authentication page. You can also use a host header option (group-url) that Tyson brought up a couple of months back. If you're feeling fancy, you can enable both.
If you're trying to get things like start before logon working, then you'll need to create the profiles that I mentioned earlier.
Can you explain your scenario a bit better?
Thanks,
-ryan
-----Original Message-----
From: Edouard Zorrilla [mailto:ezorrilla_at_tsf.com.pe]
Sent: Thursday, January 20, 2011 6:50 PM
To: Ryan West; ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Re: Anyconnect profiles
Thanks Ryan,
If I allow the user to choose his profile, it would mean then that a user can choose a wrong profile and connect to the network. Is that all right? I will read all the document and hopefully I can find there where I can tie the user and its profile.
Regards!
-----Original Message-----
From: Ryan West
Sent: Thursday, January 20, 2011 2:44 PM
To: Edouard Zorrilla ; ccielab_at_groupstudy.com ; security_at_groupstudy.com
Subject: RE: Anyconnect profiles
Check here:
This mentions using it via ASDM, but you can download the profile editor standalone too. Then you create the xml profile, upload it to the ASA, and reference it under the webvpn global section. Then you can call to it from your group-policies.
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Edouard Zorrilla
Sent: Thursday, January 20, 2011 5:38 PM
To: ccielab_at_groupstudy.com; security_at_groupstudy.com
Subject: Anyconnect profiles
I have been going through the AnyConnect profiles and I haven't seen so far how AnyConnect version 2.5 or version 3 can manage profiles.
When I used to have remote IPSec VPN, I created the profiles under group-policy and tunnel-group options, but it seems to me that AnyConnect does not support these options anymore. Could you please confirm that?
Thanks a lot.
Regards.
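
The configuration pieces discussed in this thread, as an added example that is not part of any of the original messages: an XML profile referenced under the global webvpn section and called from a group-policy, the group-policy tied to a local user, and a tunnel-group offered through both the drop-down alias and a group-url. It assumes the pre-8.4 ASA syntax (the `svc` keywords were renamed to `anyconnect` in later releases); CORP_PROFILE, GP_STAFF, TG_STAFF, alice, the interface name, the file names and vpn.example.com are all hypothetical.

```cisco
! Added example; all names, files and URLs below are hypothetical.
! Assumes pre-8.4 ASA syntax ("svc"); later releases use "anyconnect".
webvpn
 enable outside
 svc image disk0:/anyconnect-win-<version>-k9.pkg 1
 ! XML profile built with the profile editor and uploaded to flash
 svc profiles CORP_PROFILE disk0:/corp_profile.xml
 svc enable
 ! Show the group drop-down on the webvpn login page
 tunnel-group-list enable
!
group-policy GP_STAFF internal
group-policy GP_STAFF attributes
 vpn-tunnel-protocol svc
 webvpn
  ! Call the profile defined in the global webvpn section
  svc profiles value CORP_PROFILE
!
tunnel-group TG_STAFF type remote-access
tunnel-group TG_STAFF general-attributes
 default-group-policy GP_STAFF
tunnel-group TG_STAFF webvpn-attributes
 ! Name shown in the drop-down
 group-alias Staff enable
 ! Direct URL that selects this tunnel-group without the drop-down
 group-url https://vpn.example.com/staff enable
!
! Tie the group-policy to a user defined locally on the ASA
username alice attributes
 vpn-group-policy GP_STAFF
```

`show run webvpn` and `show run group-policy GP_STAFF` confirm that the profile name referenced in the group-policy matches the one defined globally.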
Received on Fri Jan 21 2011 - 03:04:22 ART