Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
3
Replies

Allow AnyConnect user just to 2 servers?

Gonzo1
Beginner
Beginner

‎02-18-2018 08:29 AM - edited ‎03-12-2019 05:02 AM

Hello,

 

We use the AnyConnect VPN for our Corperate users which have access to most servers on various ports on a /24 subnet.  I have been asked to allow an external company to 2 of our internal servers on file share ports (usual TCP/UDP 135-139, TCP 445).  How can I achieve this without have to create a new subnet, do all the routing and create the new VPN profile, is there an easier way where I can use our existing AnyConnect profile and lock down a single IP for this user as they only need 1 user to connect?

 

Thanks

Labels:
0 Helpful
3 Replies 3

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor

‎02-18-2018 08:58 AM

If your anyocnnect use AD authentication then its easy. Use AD attributes
such as company name to select specific group
-policy/tunnelgroup. This group-policy should have split tunnel ACL to
allow access to these servers only from any IP in the local pool. You can
have a vpn-filter ACL as well under the group-policy

In this case, no matter what IP they get then won't connect to anything
outside the split ACL and vpn-filter. You can also use group-lock to make
sure that their accounts can connect to this group-policy only and nothing
else from the dropdown (in case you have group select enabled).
0 Helpful

Gonzo1
Beginner
Beginner
In response to Mohammed al Baqari

‎02-18-2018 12:14 PM

Hi,

 

Yes we use AD authentication.  All VPN users currently use 1 AD group to get access.  We use an AD Radius server (NPS - Network Policy Server).

 

For example would I need to create a new AD group and put this user into it, then Add a new policy to the NPS server to allow access?

 

I then use this new AD group for the group-policy?  This group-policy would then have split tunnel ACL to allow access to these 2 servers only?

 

0 Helpful

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
In response to Gonzo1

‎02-18-2018 09:16 PM

That is another way of doing it which will work as well. Then you can
download your crypto ACLs using radius attributes. What I was referring to
is to use same AD group but different AD attribute (such as company or
position).
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents