[c-nsp] ASA 8.4 + AnyConnect 3.0 posture scenario

Lauri Turunen lauri.turunen at iki.fi
Sun Sep 25 11:40:23 EDT 2011


Hi,

I am running ASA 8.4 + AnyConnect 3.0 in the following scenario.

I have:

- Legacy Cisco VPN clients with local group-policies and tunnel-groups
- WebVPN URLs for customers/partners with bookmark resources
- AnyConnect access for different customers/partners with local
group-policies and tunnel-groups

The goal:

- Configure a new AnyConnect URL for a new customer
- Local tunnel-group attributes (addr pool, AAA-server, whatever I have
for legacy stuff, too)
- URL is accessible if Dynamic Access Policy is compliant (for example a
.txt file is found on the computer)
- If user does not meet the DAP, connection would be terminated with
explanation

What seems to be the challenge:

Default DAP is what I have now in the "legacy" setup, as it always exists
and is checked. I would need to implement some kind of specific DAP
before the default DAP to state "For this specific customer (=group-url)
the connection is terminated if a certain assessment is not met". The
problem is that I don't know a way to match the group-url/tunnel-group
the user is trying to access.

As DAPs apply to all URLs/tunnel-groups, all other customer access would
be terminated as they don't have the .txt file. I could build up all
legacy stuff based on DAP with some kind of methodology so that all
legacy clients would be recognized. Then I could change the default DAP
to terminate, and the guy without the .txt file would be terminated per
the default DAP, as the session doesn't match any other customer's
recognition pattern. This kind of solution is unacceptable unless the
recognition is based on tunnel-groups/group-url. I have no control over
some tunnel-groups regarding what kind of endpoints some partners are
connecting with.

The question:

How to achieve the goal without touching other locally defined
group-policies and tunnel-group attributes?

Regards,
//Lauri
