Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
493
Views
3
Helpful
5
Replies

Anyconnect

Go to solution
Raimund Schimanovits
Level 1
Level 1

‎01-16-2024 05:42 AM

Hi

How can i assign a policy group to a user in a router?  

So i will assign a policy to a group of members and an other group to other members. There are differesnt acl for different services.

 

br

 

webvpn context SSL_Context
gateway SSLVPN_GATEWAY
!
ssl authenticate verify all
inservice
!
policy group SSL_Policy
functions svc-enabled
timeout idle 300
svc address-pool "SDM_POOL_1" netmask 255.255.255.0
svc split include acl 1
default-group-policy SSL_Policy

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
tvotna
Spotlight
Spotlight

‎01-16-2024 06:44 AM

Should be

aaa authorization network WebVPN local

aaa attribute list AssignPolicy1
 attribute type user-vpn-group "SSL_Policy1"

aaa attribute list AssignPolicy2
 attribute type user-vpn-group "SSL_Policy2"

username user1 password 0 cisco
username user1 aaa attribute list AssignPolicy1

username user2 password 0 cisco
username user2 aaa attribute list AssignPolicy2

webvpn context SSL_Context
 aaa authorization list WebVPN
 ...
 policy group SSL_Policy1
  ...
 policy group SSL_Policy2
  ...

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎01-16-2024 05:48 AM

@Raimund Schimanovits what authentication method are you using? The best way to achieve this is using RADIUS where you can send the specific settings (ACL, address pool) based on the user's group membership.

0 Helpful

Go to solution
Raimund Schimanovits
Level 1
Level 1
In response to Rob Ingram

‎01-16-2024 06:03 AM

i have only 3 members so i use local authentication. 

br

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Raimund Schimanovits

‎01-16-2024 06:27 AM

Check group-lock option 

We use it for asa ssl ra vpn and I think it also available in router IOS.

MHM

Go to solution
tvotna
Spotlight
Spotlight

‎01-16-2024 06:44 AM

Should be

aaa authorization network WebVPN local

aaa attribute list AssignPolicy1
 attribute type user-vpn-group "SSL_Policy1"

aaa attribute list AssignPolicy2
 attribute type user-vpn-group "SSL_Policy2"

username user1 password 0 cisco
username user1 aaa attribute list AssignPolicy1

username user2 password 0 cisco
username user2 aaa attribute list AssignPolicy2

webvpn context SSL_Context
 aaa authorization list WebVPN
 ...
 policy group SSL_Policy1
  ...
 policy group SSL_Policy2
  ...
Customers Also Viewed These Support Documents