Restrict Connection Profile Selection for a User Group
When you want to enforce a single connection profile on a user or user group, you can disable connection profile selection so that the group aliases or alias URLs are not offered to users when they connect with the AnyConnect VPN client.
For example, if your organization wants to use specific configurations for different VPN user groups such as mobile users, corporate-issued laptop users, or personal laptop users, you can configure a connection profile specific to each of these user groups and apply the appropriate connection profile when the user connects to the VPN.
The AnyConnect client, by default, shows a list of the connection profiles (by connection profile name, alias, or alias URL) configured in Cisco Defense Orchestrator and deployed on Firepower Threat Defense. If custom connection profiles are not configured, AnyConnect shows the DefaultWEBVPNGroup connection profile. Use the following procedure to enforce a single connection profile for a user group.
Before you begin
- On your Cisco Defense Orchestrator web interface, configure remote access VPN using the remote access VPN policy wizard with Authentication Method set to 'Client Certificate Only' or 'Client Certificate + AAA'. Choose the username fields from the certificate.
- Configure an ISE or RADIUS server for authorization and associate the group policy with the authorization server.
Procedure
Step 1: On your Cisco Defense Orchestrator web interface, choose Devices > VPN > Remote Access.
Step 2: Select a remote access policy and click Edit.
Step 3: Select Access Interfaces and disable Allow users to select connection profile while logging in.
Step 4: Click Advanced > Certificate Maps.
Step 5: Select Use the configured rules to match a certificate to a Connection Profile.
Step 6: Select the Certificate Map Name or click the Add icon to add a certificate rule.
Step 7: Select the Connection Profile, and click Ok.
With this configuration, when a user connects from the AnyConnect client, the user is assigned the mapped connection profile and is authenticated to use the VPN.
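To confirm what the steps above actually deployed, the ASA-style configuration on the Firepower Threat Defense device should have the shape shown below. This fragment is an added illustration, not taken from the page or generated by Cisco Defense Orchestrator, and the certificate map names, OU values and connection profile names are assumed placeholders; the exact lines FTD emits may differ, so compare against `show running-config webvpn` and `show running-config crypto ca certificate map` on the device.

```text
! Assumed placeholder names; substitute the ones you configured in CDO.
crypto ca certificate map CORP-LAPTOP-MAP 10
 subject-name attr ou eq Corporate-Laptops
crypto ca certificate map MOBILE-MAP 20
 subject-name attr ou eq Mobile-Users
!
webvpn
 enable outside
 ! Step 3: profile drop-down hidden from the AnyConnect client
 no tunnel-group-list enable
 ! Step 5: rule-based mapping of certificates to connection profiles
 tunnel-group-map enable rules
 ! Steps 6-7: each certificate map bound to one connection profile
 certificate-group-map CORP-LAPTOP-MAP 10 CorpLaptop-Profile
 certificate-group-map MOBILE-MAP 20 Mobile-Profile
```

If `tunnel-group-list enable` is still present, or a certificate map has no `certificate-group-map` line, users can still land in DefaultWEBVPNGroup, which is the condition this procedure is meant to prevent.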