11-15-2012 09:22 PM - edited 02-21-2020 06:29 PM
Hi All,
Appreciate helps from the expert here.
I am currently using Cisco ASA Firewall with Legacy Cisco VPN client.
Inside firewall configuration, I can configure pre-shared key under IPSec (IKev1) Connection Profile. I also set local pool for fixed IP address assignment, associated with the Connection Profile. User authentication is via LDAP Server. Every user have a fixed Connection Profile, with its fixed IP Address, and fixed Group Policies.
In this case, I have 2 authentication, one with pre-shared key in Connection Profile, and another one based on username in LDAP server.
When I configured AnyConnect connection profile, I can't set any preshared key. I can see list of Connection profiles that I configured in Cisco ASA Firewall. Using AnyConnect VPN Client, I can use another person's Connection profile and login with my name. In this case, I am able to use another persons assigned IP Address.
Using AnyConnect VPN Client, I only have one authentication, ie username authentication via LDAP server.
Is there a way for me to use Cisco AnyConnect VPN client and allow me to assign fix IP address using ip local pool for every individual user?
Thanks for any help given....
Best Regards
Lay Hin
11-16-2012 06:02 AM
You can actually use LDAP attribute map, to map the user to a specific group-policy. In this case, you only need 1 tunnel-group (connection profiles) and LDAP attribute map will automatically map it to the specific group policy.
And no, AnyConnect is SSL VPN and it doesn't have the concept of preshared key like IPsec VPN.
here is a configuration guide on how to configure ldap attribute map if you are interested:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
11-20-2012 02:18 AM
Thanks Jennifer.
I did manage to configure LDAP attribute map to the specific group policy.
Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
Example: let say my username is LLH.
Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
Only me know the preshared key and only me can login with my Connection Profile.
Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
Example:
AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
I hope above description can paint the scenario clearer.
Thanks in advance for all the help and comment given.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide