[c-nsp] ASA VPN groups... pointer/howto/cookbook?

Scott Granados scott at granados-llc.net
Wed Sep 28 14:22:32 EDT 2011


Sounds like what you want is the AnyConnect client.  You can have your users 
browse to a URL and install the clients that way instead of having to push 
out pcf files.  In fact I believe this is the preferred method.  You can also 
control group access or have groups available from a pulldown.  Clients are 
available for most platforms including Linux and Android so it might be 
something to look at.

Thanks
Scott




-----Original Message----- 
From: Jeff Kell
Sent: Wednesday, September 28, 2011 2:05 PM
To: cisco-nsp
Subject: [c-nsp] ASA VPN groups... pointer/howto/cookbook?

I have been running standard VPN client profiles for VPN access for quite a 
few years, on PIX and now on ASA.  I'm working on our next generation 
prototype now, and the number of VPN groups is growing a bit out of hand.

Up to this point we have been distributing groups/roles by providing a 
suitable .pcf connection profile with the VPN client to each user.  The .pcf 
contains the group name and preshared key (yes, admittedly not that secure).

The current scheme is working fine, just getting a bit out of hand with the 
growing number of groups and the necessity of distributing the .pcf files.

It would be "nicer" if the client simply connected to the VPN server, 
authenticated (we are using TACACS+, but I also have a working Active 
Directory profile for a more general-purpose group), and had the appropriate 
group supplied by TACACS+ (or AD).

It would be even nicer still if the client could connect either split-tunnel 
(from home or a secure location) or full-tunnel (to encrypt everything, if on 
a hotspot or WiFi for example).  Currently this is done with two .pcf files 
(and two corresponding groups on the ASA).

There are a dizzying number of possibilities and methods outlined in the 
documentation, but I was hoping for a more direct approach to accomplishing 
this goal.

Pointers?  References?  Suggestions?  (I would RTFM if it weren't so F'ing 
huge :) )

Thanks in advance,

Jeff
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 
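As an added illustration (not from either poster), the ASA configuration pattern that does what Jeff asks for with the AnyConnect client Scott suggests: the user authenticates against AD over LDAP, the ASA maps the user's AD group (memberOf) to a group policy, and the split-tunnel versus full-tunnel choice lives in the group policy instead of in two .pcf files. The group-policy name has to come back as an attribute from the AAA server, which is why the AD/LDAP server is used here rather than TACACS+. All names, DNs, addresses and the access-list contents are assumed placeholders.

```cisco
! --- Assumed placeholders throughout: example.com, 10.0.0.0/8, 10.0.0.5 ---

! Map the AD group membership attribute to an ASA group policy.
ldap attribute-map AD-GROUP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN-Split,OU=Groups,DC=example,DC=com" GP-SPLIT
  map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com"  GP-FULL

! AD over LDAP as the authentication (and authorization) server.
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.5
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
  ldap-login-password <PLACEHOLDER-SERVICE-ACCOUNT-PASSWORD>
  server-type microsoft
  ldap-attribute-map AD-GROUP-MAP

! Only these destinations go through the tunnel for split-tunnel users.
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0

! Split-tunnel policy: home / trusted network.
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-NETS

! Full-tunnel policy: hotspot / untrusted WiFi, everything encrypted.
group-policy GP-FULL internal
group-policy GP-FULL attributes
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelall

! Fallback for users who authenticate but are in no mapped AD group:
! zero simultaneous logins means they are refused, not silently admitted.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
  vpn-simultaneous-logins 0

! One connection profile; the group policy is chosen by the LDAP map,
! so no per-group preshared key and no .pcf distribution.
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
  authentication-server-group AD
  default-group-policy GP-NOACCESS
```

A user in both AD groups gets whichever policy the map resolves first, so keep the two groups mutually exclusive, or give each its own tunnel-group alias if users need to pick split versus full at connect time.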
