07-12-2013 05:28 PM
Hi all
I need help with Cisco VPN Client. The customer is asking me to configure a message (banner) for users who are not allowed access to the VPN.
My customer uses auth from LDAP. I just tried including a banner in the Group-Policy, but it will not work once vpn-simultaneous-logins is 0. Below is my sample config:
ASA 8.2
VPN Client
=================================================
ldap attribute-map AccessRestrict
 map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
 map-value msNPAllowDialin TRUE AllowVPN
 map-value msNPAllowDialin FALSE NoVPN
group-policy AllowVPN internal
group-policy AllowVPN attributes
 banner value *** Welcome to My Virtual Private Network ***
 dns-server value 172.16.0.10
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value myvpn.com
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
=================================================
Is there any way to show users that aren't permitted access to the VPN a message to contact the administrator?
Any suggestion will be helpful
Cheers
Bruno Rangel
"If you want someone to trust, trust yourself. Those who believe always achieve"
Renato Russo
07-13-2013 02:26 AM
I guess the banner actually appears when a group-policy is applied, with a message once the user successfully authenticates.
This is
Disconnect Continue
See here:
Since in the case of the NoVPN group-policy the user never reaches that point, it didn't show the banner.
This is what I guess, someone may have a better answer.
~BR
Jatin Katyal
**Do rate helpful posts**
07-13-2013 06:49 AM
I believe Jatin is correct. With the legacy IPSec VPN client you cannot send a banner to non-authenticated clients.
If you were to migrate to SSL VPN and use AnyConnect, you could customize your portal to display a page of your own creation (text, images etc.). Detailed instructions for that are here.
07-15-2013 07:38 AM
Hey Guys
Thanks for the help!!! +5 for both
Cheers
Bruno Rangel
08-01-2013 09:13 PM
Hi
Just to keep you guys in touch... I did a workaround on it. And it is working like a charm!
Basically I configured an ACL to deny all traffic and a timeout on the session :-)
group-policy NoVPN attributes
 vpn-simultaneous-logins 1
 banner value ***You aren't permitted to access this system ***
 vpn-filter value novpnaccess
 vpn-session-timeout 1
access-list novpnaccess extended deny ip any any
I hope this helps someone else.
08-02-2013 06:09 AM
That's innovative. I'll put that one in my toolbox.
+5 for following up with the solution.
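The workaround in this thread replaces a refused login with an authenticated session that is filtered and timed out, so the block now depends on the vpn-filter ACL and the session timeout both being in place. The check below is an added example, not code from any poster: it reads a saved ASA configuration and reports problems for every group-policy that the LDAP map assigns to msNPAllowDialin FALSE. The function names parse and audit are hypothetical, and the sample configuration is constructed from the lines posted above.

```python
import re

# Constructed sample, modeled on the configuration posted in this thread.
SAMPLE = """\
ldap attribute-map AccessRestrict
 map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
 map-value msNPAllowDialin TRUE AllowVPN
 map-value msNPAllowDialin FALSE NoVPN
group-policy NoVPN attributes
 vpn-simultaneous-logins 1
 banner value ***You aren't permitted to access this system ***
 vpn-filter value novpnaccess
 vpn-session-timeout 1
access-list novpnaccess extended deny ip any any
"""

SUBCMD = re.compile(r"(vpn-simultaneous-logins|vpn-filter|vpn-session-timeout"
                    r"|banner value)\s+(?:value\s+)?(.+)")

def parse(config):
    """Collect denied policy names, group-policy attributes and ACL entries."""
    denied, policies, acls, current = set(), {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"map-value msNPAllowDialin FALSE (\S+)", line):
            denied.add(m[1])
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = policies.setdefault(m[1], {})
        elif current is not None and (m := SUBCMD.match(line)):
            current[m[1].split()[0]] = m[2]
    return denied, policies, acls

def audit(config):
    """Return findings for every policy that LDAP maps to msNPAllowDialin FALSE."""
    denied, policies, acls = parse(config)
    findings = []
    for name in sorted(denied):
        p = policies.get(name, {})
        if p.get("vpn-simultaneous-logins") == "0":
            if "banner" in p:
                findings.append(f"{name}: banner is never shown with logins 0")
            continue  # hard deny: no session is built, nothing else to verify
        aces = acls.get(p.get("vpn-filter"), [])
        if not aces or any(a != ["deny", "ip", "any", "any"] for a in aces):
            findings.append(f"{name}: vpn-filter is not a pure 'deny ip any any'")
        if p.get("vpn-session-timeout", "none") == "none":
            findings.append(f"{name}: no vpn-session-timeout set")
    return findings
```

Calling audit(SAMPLE) returns an empty list; a denied policy whose ACL is missing, narrower than "deny ip any any", or not paired with a timeout is reported by name.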