I. Requirement:
How to use AnyConnect so that a given account can reach only a specific server, e.g. user1 may access only server1 and user2 may access only server2.
II. Two solutions:
1/ Add a vpn-filter under the group-policy general attributes, combined with DAP
2/ Add a vpn-filter under the username attributes
III. Baseline configuration shared by both solutions:
---------------------
1. webvpn config
---------------------
webvpn
enable inside
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
---------------------
2. ip local pool
---------------------
ip local pool VPN-POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
---------------------
3. SSL-ACL config:
---------------------
access-list SSL-ACL1 extended permit ip any host 10.1.1.1 // user1 may reach only server1
access-list SSL-ACL2 extended permit ip any host 10.1.1.2 // user2 may reach only server2
---------------------
4. group-policy
---------------------
group-policy SSL-POLICY1 internal
group-policy SSL-POLICY1 attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value VPN-POOL
-----------------------------------------------------
group-policy SSL-POLICY2 internal
group-policy SSL-POLICY2 attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value VPN-POOL
---------------------
5. tunnel-group
---------------------
tunnel-group SSL-TUNNEL1 type remote-access
tunnel-group SSL-TUNNEL1 general-attributes
default-group-policy SSL-POLICY1
tunnel-group SSL-TUNNEL1 webvpn-attributes
group-alias SSLVPN1 enable
-----------------------------------------------------
tunnel-group SSL-TUNNEL2 type remote-access
tunnel-group SSL-TUNNEL2 general-attributes
default-group-policy SSL-POLICY2
tunnel-group SSL-TUNNEL2 webvpn-attributes
group-alias SSLVPN2 enable
---------------------
6. user attributes
---------------------
username user1 password cisco
username user1 attributes
service-type remote-access
-----------------------------------------------------
username user2 password cisco
username user2 attributes
service-type remote-access
IV. The two solutions in detail
Solution 1:
1/ Add the vpn-filter under the group-policy
group-policy SSL-POLICY1 attributes
vpn-filter value SSL-ACL1
group-policy SSL-POLICY2 attributes
vpn-filter value SSL-ACL2
2/ In DAP, add the AAA attributes for each user, as shown in the figures below:
1. Add a DAP policy (see Figure 1-1)
2. Configure the DAP policy, mainly adding the two selection criteria "Group Policy" and "Username" (see Figure 1-2)
Solution 2:
1/ Add the vpn-filter under the username attributes
username user1 attributes
vpn-filter value SSL-ACL1
username user2 attributes
vpn-filter value SSL-ACL2
V. Points to note:
1/ With the second solution, a user can log in no matter which entry is chosen in the group-alias drop-down list (because username attributes have no tunnel-group webvpn-attributes/group-alias option); the user's actual access is still governed by the vpn-filter value under that username;
2/ With the second solution, if the group-alias drop-down list must be strictly enforced (i.e. only user1 may log in through group-alias1), use the first solution instead.