Friday, August 27, 2021

Cisco AnyConnect Dynamic Split Tunneling

I’m looking to disable the “allow user to select connection profile on the login page” option for our Cisco AnyConnect environment and apply settings dynamically based on a user’s LDAP group membership. I’m able to dynamically apply an ACL to a specific user group via Dynamic Access Policies. However, I’d like to also dynamically apply split tunneling settings, including whether or not split tunneling is enabled, based on user group membership, and there does not appear to be a way to set this using Dynamic Access Policies.

I attempted to make this work using an LDAP Attribute Map that maps a user group to a Group Policy, since the split tunnel settings are present in Group Policies. But the Dynamic Access Policies seem to override any LDAP Attribute Map that I create. For instance, if there is no matching Dynamic Access Policy for the user group that I’m testing with, the DfltAccessPolicy gets applied before the LDAP Attribute Map and terminates the VPN client session at logon.

Am I trying to do something impossible here? Will I have to keep allowing users to select a connection profile in order to only enable split tunneling for some users?


