[c-nsp] ASA VPN groups... pointer/howto/cookbook?

Ian Henderson ianh at ianh.net.au
Wed Sep 28 23:40:24 EDT 2011


On 29/09/2011, at 4:05 AM, Jeff Kell wrote:

> It would be even nicer still if the client could connect either split-tunnel (from home
> or a secure location) or full-tunnel (to encrypt everything, if on a hotspot or WiFi for
> example).  Currently this is done with two .pcf files (and two corresponding groups on
> the ASA).

I do this at the moment using multiple VPN groups and AnyConnect. 

When the user auths, RADIUS returns the group name they should use. If the source IP address is known, we send back one group; if the address isn't known, we send back a different group, with a different ACL and split tunnel list.

Not sure if you can specify a group via TACACS, though.
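
The selection step described in the reply above, sketched as an added example that is not part of the original post and is not code from any RADIUS server or from Cisco. Assumptions: the RADIUS server sees the client's source address as a string (for example from Calling-Station-Id), the group is returned in a Class attribute of the form `OU=<group>;`, known sources get the split-tunnel group as in the quoted use case, and the networks and group names are constructed.

```python
import ipaddress

# Constructed sample values: the "known" networks and both group names
# are hypothetical and do not come from the post.
KNOWN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")
]
GROUP_KNOWN = "VPN-SPLIT"    # known source: split tunnel list and its ACL
GROUP_UNKNOWN = "VPN-FULL"   # unknown source: tunnel everything, other ACL


def select_group(source_ip):
    """Return the group name for a client source address.

    A missing or unparseable address gets the unknown-source group, so a
    malformed attribute can never select the known-source profile.
    """
    try:
        addr = ipaddress.ip_address((source_ip or "").strip())
    except (ValueError, AttributeError):
        return GROUP_UNKNOWN
    # Compare an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as plain IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for net in KNOWN_NETWORKS:
        if addr.version == net.version and addr in net:
            return GROUP_KNOWN
    return GROUP_UNKNOWN


def build_reply(source_ip):
    """Reply attributes as a dict; the Class format is an assumption."""
    return {"Class": "OU=%s;" % select_group(source_ip)}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "::ffff:198.51.100.7", None):
        print(ip, build_reply(ip))
```

Defaulting to the unknown-source group on any parse failure keeps the decision fail-closed when the source address attribute is absent or spoofed into an odd form.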



