AnyConnect - 3 local users / 2 profiles

ssherrill (Level 1)

I need help solving an AnyConnect issue.

I have an ASA-5515 HA pair running 9.4(4)20

I have 2 Tunnel groups configured with different group-alias enabled - we will call the groups Group-A & Group-B

Group-A assigns an address 192.168.10.1-6

Group-B assigns an address 192.168.20.1-6

Group-A can access any 10.10.10.0/24 server & Internet via Split Tunnel

Group-B can access any 10.20.20.0/24 server & Internet via Split Tunnel

Group-A cannot get to 10.20.20.0/24

Group-B cannot get to 10.10.10.0/24

There is an .xml file for each - Group-A is CP-A.xml & Group-B is CP-B.xml

I have 3 users configured - we will call the users User-A, User-B, & User-C

Currently User-A, User-B, & User-C can connect to the firewall under Group-A or Group-B with no issue. This is the issue!

I want to restrict how each user can connect - I know I could do it with aaa-servers - I have done this on other firewalls - but on this firewall there is not one.  

Restrict User-A to only be able to connect to Group-A 

Restrict User-B to only be able to connect to Group-B

Allow User-C to be able to connect to Group-A or Group-B

I was thinking I could modify the .xml file but when I add the following to CP-A.xml it still allows all 3 to connect.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <User>User-A</User>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Help or direction would be greatly appreciated. 

Thank you

2 Accepted Solutions

Martin Carr (Level 4)

You need to apply the GP group lock.

This locks a user to a tunnel group.

Martin

Here is the code I used, and it works:

username User-A attributes
 group-lock value TG-A
 exit
username User-B attributes
 group-lock value TG-B
 exit

User-C I left alone because this is the admin account that can log onto any tunnel group.
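As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python audit that parses an ASA running-config excerpt and reports which tunnel groups each local user can still log in to. The point it makes visible is the one the thread turns on: a username with no group-lock under its attributes can pick any tunnel group that a group-alias exposes, while `group-lock value <tunnel-group>` pins the user to exactly one. The config excerpt embedded below is constructed to mirror the setup above (tunnel groups TG-A and TG-B with aliases Group-A and Group-B, users User-A, User-B and User-C); the `allowed_any` list is a hypothetical parameter for accounts such as the admin user that are deliberately left unlocked. It is assumed, as in the accepted solution, that the lock value names the tunnel group rather than its alias, and that the AnyConnect client profile XML cannot enforce this at all, since that file is pushed to and read by the client rather than evaluated by the ASA.

```python
"""Audit ASA local-user group-lock coverage (constructed example).

Parses a running-config excerpt and reports, per local user, the tunnel
groups that user can log in to under LOCAL authentication:
  - no 'group-lock' under 'username X attributes'  -> any tunnel group
  - 'group-lock value TG'                           -> only TG
  - 'group-lock none'                               -> any tunnel group
"""
import re

# Constructed config excerpt modelled on the thread's setup; not a real device dump.
SAMPLE_CONFIG = """\
tunnel-group TG-A type remote-access
tunnel-group TG-A general-attributes
 default-group-policy Group-A
tunnel-group TG-A webvpn-attributes
 group-alias Group-A enable
tunnel-group TG-B type remote-access
tunnel-group TG-B general-attributes
 default-group-policy Group-B
tunnel-group TG-B webvpn-attributes
 group-alias Group-B enable
username User-A password ***** encrypted
username User-A attributes
 group-lock value TG-A
username User-B password ***** encrypted
username User-B attributes
 group-lock value TG-B
username User-C password ***** encrypted
"""


def parse_config(text):
    """Return (tunnel_groups, users); users maps name -> locked tunnel group or None."""
    tunnel_groups = []
    users = {}
    current_user = None  # username whose 'attributes' block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^tunnel-group (\S+) type remote-access$", line)
        if m:
            if m.group(1) not in tunnel_groups:
                tunnel_groups.append(m.group(1))
            current_user = None
            continue
        m = re.match(r"^username (\S+) password ", line)
        if m:
            users.setdefault(m.group(1), None)  # user exists, no lock yet
            current_user = None
            continue
        m = re.match(r"^username (\S+) attributes$", line)
        if m:
            current_user = m.group(1)
            users.setdefault(current_user, None)
            continue
        if line.startswith(" ") and current_user is not None:
            m = re.match(r"^ group-lock (?:value (\S+)|none)$", line)
            if m:
                users[current_user] = m.group(1)  # None for 'group-lock none'
            continue
        if not line.startswith(" "):
            current_user = None  # any other top-level line ends the attributes block
    return tunnel_groups, users


def allowed_tunnel_groups(tunnel_groups, users):
    """Map each user to the tunnel groups that user can log in to."""
    result = {}
    for user, lock in users.items():
        if lock is None:
            result[user] = list(tunnel_groups)  # unlocked: any tunnel group
        else:
            result[user] = [lock] if lock in tunnel_groups else []  # dangling lock -> nothing
    return result


def unlocked_users(users, allowed_any=()):
    """Users with no group-lock that are not on the explicit allow list."""
    return sorted(u for u, lock in users.items() if lock is None and u not in allowed_any)


def audit(text, allowed_any=()):
    """Run the full check and return a report dict."""
    tgs, users = parse_config(text)
    return {
        "allowed": allowed_tunnel_groups(tgs, users),
        "unlocked": unlocked_users(users, allowed_any),
        "dangling": sorted(u for u, lock in users.items() if lock and lock not in tgs),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, allowed_any={"User-C"})  # User-C is the intended exception
    for user, groups in report["allowed"].items():
        print(f"{user}: {', '.join(groups) or 'NONE (lock names a missing tunnel group)'}")
    print("unlocked users needing a group-lock:", report["unlocked"] or "none")
    print("locks pointing at missing tunnel groups:", report["dangling"] or "none")
```

Running the block against the constructed excerpt lists User-A as TG-A only, User-B as TG-B only, and User-C as both; drop User-C from `allowed_any` and it is reported as unlocked, which is the state all three users were in before the fix. The "dangling" list catches the related mistake of locking a user to an alias name such as Group-A instead of the tunnel-group name TG-A, which would leave that user unable to log in anywhere.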

3 Replies

Francesco Molino (VIP Alumni)

Hi

You're referring to group-policy assignment to local users, right?

If so, you can assign them this way:

username User-A attributes
 vpn-group-policy Group-A
username User-B attributes
 vpn-group-policy Group-A
username User-C attributes
 vpn-group-policy Group-B

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.
