AnyConnect VPN per user restrictions

Edrissa
Level 1

We are running FTD firewalls connected to FMC and have AnyConnect fully configured and set up. We are using Active Directory to authenticate users for VPN login.

Our office network consists of multiple VLANs that are restricted with ACL rules. All the VLANs of interest are included in the AnyConnect setup. I need to find a way to restrict access per user. For example, when I as the IT admin log in to the VPN, I should have full, unrestricted access to all the subnets, but when one of our contractors logs in, I want to lock it down to only one specific subnet or even only one or a few IP addresses. Is there any way to do this?

Accepted Solution

@Edrissa If using AD, change the server to use LDAP; you can then use the LDAP attribute map to assign different policy settings to members of different AD groups. For example, give IT admins a different IP address pool, and have the Access Control rule give users from that IP address pool full, unrestricted access. Where a contractor is a member of a different AD group, which is assigned a different IP address pool, the Access Control rules for the contractors' IP pool restrict access.

Example of LDAP attribute map - https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

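The mapping the accepted solution describes, written out as an added example (not from the original post or from Cisco's documentation) in the ASA-style CLI that FTD renders for an LDAP realm with an attribute map, two group policies with their own address pools, and pool-based access rules. Every name, DN, server address, pool and subnet below is a placeholder chosen for illustration; substitute your own realm, groups and networks. On FMC the realm, attribute map and group policies are built in the GUI and the per-pool rules live in the Access Control Policy, so treat this as the resulting configuration rather than something you type into FTD directly.

```text
! --- AD group membership selects the group-policy (all DNs are placeholders) ---
ldap attribute-map AD-GROUP-TO-POLICY
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-IT-Admins,OU=Groups,DC=example,DC=com"   GP-IT-ADMIN
 map-value memberOf "CN=VPN-Contractors,OU=Groups,DC=example,DC=com" GP-CONTRACTOR

! --- AD queried over LDAP (server address and bind account are placeholders) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-POLICY

! --- One pool per class of user, so the source address identifies the class ---
ip local pool POOL-IT-ADMIN   10.200.1.1-10.200.1.50 mask 255.255.255.0
ip local pool POOL-CONTRACTOR 10.200.2.1-10.200.2.50 mask 255.255.255.0

group-policy GP-IT-ADMIN internal
group-policy GP-IT-ADMIN attributes
 address-pools value POOL-IT-ADMIN

group-policy GP-CONTRACTOR internal
group-policy GP-CONTRACTOR attributes
 address-pools value POOL-CONTRACTOR

! --- Fallback for AD users in neither group: 0 simultaneous logins = no access ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS

! --- Equivalent of the FMC Access Control rules, as an extended ACL for clarity ---
! IT admin pool: everything
access-list VPN-IN extended permit ip 10.200.1.0 255.255.255.0 any
! Contractor pool: only RDP to one host (10.10.30.25 is a placeholder), then deny
access-list VPN-IN extended permit tcp 10.200.2.0 255.255.255.0 host 10.10.30.25 eq 3389
access-list VPN-IN extended deny ip 10.200.2.0 255.255.255.0 any
```

Two checks worth doing before relying on this. First, the pool-based rules only take effect if VPN traffic is actually evaluated by the Access Control Policy: in the FMC Remote Access VPN policy, the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option must be left disabled, otherwise decrypted AnyConnect traffic skips the rules entirely. Second, the default group policy matters: a user who authenticates to AD but is in neither mapped group falls to the tunnel group's default policy, so give that default no access (as above) rather than a permissive policy, or every valid AD account becomes a VPN account.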

2 Replies


Awesome! This worked perfectly. Thank you very much!
