Hi, I am running ASA 8.4 + AnyConnect 3.0 in the following scenario.

I have:
- Legacy Cisco VPN clients with local group-policies and tunnel-groups
- WebVPN URLs for customers/partners with bookmark resources
- AnyConnect access for different customers/partners with local group-policies and tunnel-groups

The goal:
- Configure a new AnyConnect URL for a new customer
- Local tunnel-group attributes (address pool, AAA server, whatever I have for the legacy stuff, too)
- The URL is accessible if the Dynamic Access Policy is compliant (for example, a .txt file is found on the computer)
- If the user does not meet the DAP, the connection is terminated with an explanation

What seems to be the challenge:

The default DAP is what I have now in the "legacy" setup, as it always exists and is checked. I would need to implement some kind of specific DAP before the default DAP to state "For this specific customer (= group-url) the connection is terminated if a certain assessment is not met". The problem is that I don't know a way to match the group-url/tunnel-group the user is trying to access. As DAPs apply to all URLs/tunnel-groups, all other customer access would be terminated as they don't have the .txt file.

I could build up all the legacy stuff based on DAP with some kind of methodology so that all legacy clients would be recognized. Then I could change the default DAP to terminate, and the guy without the .txt file would be terminated by the default DAP as the session doesn't match any other customer's recognition pattern. This kind of solution is unacceptable unless the recognition is based on tunnel-groups/group-url. I have no control over some tunnel-groups regarding what kind of endpoints some partners are connecting with.

The question: How do I achieve the goal without touching other locally defined group-policies and tunnel-group attributes?

Regards,
//Lauri

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

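The tunnel-group matching the post asks about, shown here as an added editorial illustration that is not part of the original message: an ASA DAP record can select on the AAA attribute `aaa.cisco.tunnelgroup` in addition to the endpoint file check, so the record only ever matches sessions that arrived through the one tunnel-group the new group-url maps to. The record name `Customer-X-NoFile`, the tunnel-group name `Customer-X`, the `user-message` text and the Host Scan file-check label `1` are all placeholders assumed for this example; the DAP record in the CLI carries only the action, priority and message, while the selection criteria are stored in dap.xml on flash and are edited through ASDM (the Lua expression below goes in the record's Advanced tab).

```text
! ASA CLI (assumed names): the DAP record itself holds only action, priority, message.
dynamic-access-policy-record Customer-X-NoFile
 priority 10
 action terminate
 user-message "Your endpoint failed the Customer-X posture check; please contact support."

-- Selection criteria are NOT in the CLI; they live in dap.xml and are set in ASDM.
-- Lua logical expression for the record above (ASDM > DAP record > Advanced):
-- match only when the session came in through tunnel-group Customer-X AND the
-- Host Scan file check labelled "1" (assumed label) reports the file as absent.
(EVAL(aaa.cisco.tunnelgroup, "EQ", "Customer-X", "string") and
 EVAL(endpoint.file["1"].exists, "EQ", "false", "string"))
```

Because the record is keyed on the tunnel-group, sessions through every other tunnel-group never match it and keep whatever DAP result they had before, and DfltAccessPolicy is left untouched. The ASA evaluates all records whose criteria match a session and aggregates them; if any matched record has `action terminate`, the session is terminated and the `user-message` is shown, which is the behaviour the post asks for. Two checks before relying on this: the `endpoint.file` attributes are only populated when Host Scan runs on the client, and the group-url is a property of the tunnel-group, so selecting on `aaa.cisco.tunnelgroup` is equivalent to selecting on the URL.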