
Multiple WEBVPN policy groups using local AAA server (C1900 IOS 15.4(3)M2)

Herman Skubic
Level 1

Hi,

I would like to configure and map a local user to a specific webvpn policy group, but without success.

Here is the current config:

aaa new-model
!
!
aaa authentication login SSL-VPN local
!
aaa attribute list vpn_policy_group
 attribute type user-vpn-group "SSLVPN_POLICY"

username vpn-local password 0 test123
username vpn-local aaa attribute list vpn_policy_group
!

webvpn gateway WEBSSL-GATEWAY
 ip interface GigabitEthernet0/0 port 8443
 ssl trustpoint star_company_com
 inservice
!
webvpn context SSLVPN-ctx1
 login-message "SSL VPN Service"
 virtual-template 3
 aaa authentication list SSL-VPN
 gateway WEBSSL-GATEWAY
 max-users 10
 logging enable
!
 ssl authenticate verify all
 inservice
!
 policy group SSLVPN_POLICY
  functions svc-enabled
  svc address-pool "vpn_pool" netmask 255.255.255.0
  svc rekey method new-tunnel
  svc dns-server primary 192.168.222.217
  mask-urls
!
 policy group VPN_CLOUD1_POLICY
  functions svc-enabled
  filter tunnel ACL_VPN_CLOUD1
  svc address-pool "vpn_pool" netmask 255.255.255.0
  svc rekey method new-tunnel
  svc split include acl VPN_LAN_SPLIT
  svc dns-server primary 192.168.222.217
  mask-urls
!
 policy group VPN_CLOUD2_POLICY
  functions svc-enabled
  filter tunnel ACL_VPN_CLOUD2
  svc address-pool "vpn_pool" netmask 255.255.255.0
  svc rekey method new-tunnel
  svc split include acl VPN_LAN_SPLIT
  svc dns-server primary 192.168.222.217
  mask-urls
 default-group-policy VPN_CLOUD1_POLICY
!

As you can see I was trying to achieve this by applying the user-vpn-group attribute, but it has no effect.

Every time the default group policy is applied.

Does anybody have experience with how to apply different group policies to local users in general?

Thank you!

Regards,

Herman
