01-11-2011 08:53 AM
Hi,
Just wondering if someone could assist... I have a single 1801 ISR router and have 3 VLANs. Say we name them 1, 2 and 3.
If I create a VPN connection, obviously I can define which VLAN I want the router to pass traffic to. However is it possible at all to have say:
User A > VLAN 1
User B > VLAN 2
So in other words, different users have access to different VLANs when connecting via VPN?
01-11-2011 11:20 AM
Hi,
If you're talking about a small number of users and want to do the configuration locally, you can create a separate VPN group per user.
So, the ISR will have say 5 groups (one group = one user).
You can then define each group access separately.
In this way, the users will connect to each corresponding group and each group will have access to the VLANs/IPs you define.
Obviously this will not scale.
There are other solutions when the amount of users is considerable.
Hope it helps.
01-11-2011 11:49 AM
Hi Federico,
Yes, there will only be 3 or 4 users. However, I would be interested in reading about the other options (I'm no VPN expert, yet) if you could point me in the right direction.
Do you have a basic configuration for the group/vlan > user linkage?
01-11-2011 12:36 PM
Gareth,
For example you can have:
! one Easy VPN client group per user; the group name and key go in that user's PCF
crypto isakmp client configuration group ONE
 key KEY1
 acl 1
 pool POOL1
crypto isakmp client configuration group TWO
 key KEY2
 acl 2
 pool POOL2
! "acl" is the split-tunnel network list pushed to the client, "pool" the address pool it gets
If this is a small scenario where you have full control, you can provide the users access to each group individually.
Each group will have its own access determined by the ACL 1, 2, etc.
A better alternative might be using a RADIUS server (for example ACS) that can inject per-user downloadable ACLs.
Federico.
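As an added worked example (not Federico's configuration and not from the original thread), here is how those two client groups fit into a complete IOS Easy VPN server configuration with XAUTH users held locally, plus the piece the group config alone does not give you: the `acl` under a client group is only the split-tunnel list pushed to the client, so the router itself has to filter by pool address if VLAN 2 is really to be reachable only by group TWO. Interface names (FastEthernet0 as the WAN port of the 1801), subnets, pool ranges, ACL names and numbers, usernames and the key values are all assumed for illustration.

```cisco
! --- local user database and the lists the crypto map will reference (assumed names)
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username usera secret USERA-PASS
username userb secret USERB-PASS

! --- phase 1 policy for the VPN Client
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2

! --- one client group per user; the group key lives in that user's PCF
crypto isakmp client configuration group ONE
 key KEY1
 pool POOL1
 acl 101
crypto isakmp client configuration group TWO
 key KEY2
 pool POOL2
 acl 102

! --- separate address pools so each group is identifiable by source address (assumed ranges)
ip local pool POOL1 10.1.1.100 10.1.1.110
ip local pool POOL2 10.1.2.100 10.1.2.110

! --- split-tunnel lists: which LAN subnet the client sends into the tunnel (assumed subnets)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any

! --- phase 2 and the dynamic crypto map
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route

crypto map CLIENTMAP client authentication list VPN-XAUTH
crypto map CLIENTMAP isakmp authorization list VPN-GROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
 crypto map CLIENTMAP

! --- enforcement: the split-tunnel ACL is advisory to the client, so guard each VLAN
! --- by pool address. Only POOL2 clients may enter VLAN 2; POOL1 clients are dropped.
ip access-list extended VLAN2-GUARD
 remark assumed example: allow group TWO, block group ONE, leave other traffic alone
 permit ip 10.1.2.0 0.0.0.255 any
 deny   ip 10.1.1.0 0.0.0.255 any
 permit ip any any

interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN2-GUARD out
```

The same pattern applies in reverse on Vlan1 (permit POOL1, deny POOL2). Note that this ties access to the group key in the PCF, not to the XAUTH username: anyone holding the PCF for group TWO and any valid local username reaches VLAN 2, which is the limitation Federico describes and the reason per-user attributes from RADIUS are the scalable answer.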
01-11-2011 01:23 PM
That makes sense. Thank you.
Just a quick one, how is group applied to a specific local authenticated user?
01-11-2011 01:36 PM
I don't recall there being an option to map a local user to a VPN group in IOS.
I was suggesting basically a separate PCF for each client, so that a user can connect to a separate group and have separate access.
This won't work if you provide the same PCF for all users, because all users can connect to the same group then...
Again... maybe not the best solution but it will accomplish giving different access to different users based on the group they connect to.
Federico.