[c-nsp] ASA VPN groups... pointer/howto/cookbook?

Bruce Pinsky bep at whack.org
Wed Sep 28 15:56:57 EDT 2011



Scott Granados wrote:
> Sounds like what you want is the anyconnect client.  You can have your
> users browse to a URL and install the clients that way instead of having to
> push out pcf files.  In fact I believe this is the preferred method.  You
> can also control group access or have groups available from a pulldown. 
> Clients are available for most platforms including Linux and Android so it
> might be something to look at.
> 

Agreed.  Plus you can define AnyConnect client profiles that can be pushed
down to the client upon login time in addition to the VPN connection
profiles and group policies that can be defined on the ASA itself.

The other nice thing is that the AnyConnect client can either be
pre-installed or downloaded at login time from a Web portal as mentioned
above.  The pre-install is nice in situations where users are not granted
admin privs on their systems.  When downloaded from the web portal, the
first install requires admin privs, however, if you choose to leave the
client installed on the system, subsequent logins to the web portal will
not require the client to be downloaded again.  Once installed, the user
has the option of connecting to the web portal or directly from the client
(if you so choose) on their system via a pre-defined host list in the
client or by typing in a hostname/ip addr.

By defining different connection and group policies, you can even set up
different VPN policies for connecting from someone's own laptop vs
connecting from a public location where you would want to remove the client
and sanitize the environment at logoff.

Contact me off-list if you have some more questions.

- -- 
=========
bep

