09-21-2018 04:46 PM
I need help solving an AnyConnect issue.
I have an ASA-5515 HA pair running 9.4(4)20
I have 2 Tunnel groups configured with different group-alias enabled - we will call the groups Group-A & Group-B
Group-A assigns an address 192.168.10.1-6
Group-B assigns an address 192.168.20.1-6
Group-A can access any 10.10.10.0/24 server & Internet via Split Tunnel
Group-B can access any 10.20.20.0/24 server & Internet via Split Tunnel
Group-A cannot get to 10.20.20.0/24
Group-B cannot get to 10.10.10.0/24
There is an .xml file for each - Group-A is CP-A.xml & Group-B is CP-B.xml
I have 3 users configured - we will call the users User-A, User-B, & User-C
Currently User-A, User-B, & User-C can connect to the firewall under Group-A or Group-B with no issue. This is the issue!
I want to restrict how each user can connect - I know I could do it with aaa-servers - I have done this on other firewalls - but on this firewall there is not one.
Restrict User-A to only be able to connect to Group-A
Restrict User-B to only be able to connect to Group-B
Allow User-C to be able to connect to Group-A or Group-B
I was thinking I could modify the .xml file but when I add the following to CP-A.xml it still allows all 3 to connect.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<User>User-A</User>
Help or direction would be greatly appreciated.
Thank you
09-22-2018 03:18 AM
You need to apply the GP group lock.
This locks a user to a tunnel group.
Martin
09-22-2018 07:56 AM
Here is the code I used and it works
username User-A attributes
group-lock value TG-A
exit
username User-B attributes
group-lock value TG-B
exit
User-C I left alone because this is the admin account that can log onto any tunnel group.
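A fuller version of the configuration the accepted answer describes, as an added example that is not from the thread or from Cisco's documentation: the tunnel-group, group-policy and alias names (TG-A, TG-B, GP-A, GP-B, Group-A, Group-B) and the password placeholders are assumptions, and the address pools, split-tunnel ACLs and interface bindings the original poster already has are left out.

```cisco
! Added example, not from the thread. Names and passwords are placeholders.
!
! Two remote-access tunnel groups, each exposed on the login page by its alias.
tunnel-group TG-A type remote-access
tunnel-group TG-A general-attributes
 default-group-policy GP-A
tunnel-group TG-A webvpn-attributes
 group-alias Group-A enable
!
tunnel-group TG-B type remote-access
tunnel-group TG-B general-attributes
 default-group-policy GP-B
tunnel-group TG-B webvpn-attributes
 group-alias Group-B enable
!
! Group policies. A group-lock here applies to everyone who lands on the policy;
! a group-lock under "username ... attributes" takes precedence over it.
group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-A
!
group-policy GP-B internal
group-policy GP-B attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-B
!
! Local users. Without a group-lock, any valid local user can pick either alias,
! which is the behaviour the original poster wants to stop.
username User-A password PLACEHOLDER-A
username User-A attributes
 vpn-group-policy GP-A
 group-lock value TG-A
!
username User-B password PLACEHOLDER-B
username User-B attributes
 vpn-group-policy GP-B
 group-lock value TG-B
!
! Admin account: "group-lock none" on the username overrides the lock that
! would otherwise be inherited from the tunnel group's default policy.
username User-C password PLACEHOLDER-C
username User-C attributes
 group-lock none
```

The first reply's vpn-group-policy on its own only chooses which policy a user receives; it does not stop the user from selecting the other alias, which is why group-lock is the control that actually enforces the restriction. After applying it, a connection attempt by User-A against the Group-B alias is rejected at login, and `show vpn-sessiondb anyconnect` lists the tunnel group and group policy of each active session so the mapping can be confirmed.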
09-21-2018 10:37 PM
Hi
You're referring to group-policy assignment to local users right?
If so, you can assign them this way:
username User-A attributes
vpn-group-policy Group-A
username User-B attributes
vpn-group-policy Group-A
username User-C attributes
vpn-group-policy Group-B