Configuring AnyConnect to allow different users to have access to different network using RADIUS

rmanapat · ‎07-21-2010

Hi, I am new to AnyConnect so please bear with me. Anyway, I am trying to setup AnyConnect and right now, I got it to work. One question that I have is, I would have multiple vendors wanting to dial-in and different Vendors need to access different segment of our network which is being separated by the ASA's VLAN configuration.

I was able to accomplish the separation of our vendors access using the traditional VPN Client but am wondering if this is possible with AnyConnect. I have the running configuration for AnyConnect and would love to get everybody's suggestion and input as to how to accomplish this.

access-list Split_Tunnel_List standard permit 192.168.234.0 255.255.0.0
access-list nonat_outside extended permit ip 192.168.234.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat_outside extended permit ip 192.168.235.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list nonat_outside extended permit ip 192.168.236.0 255.255.255.0 192.168.253.0 255.255.255.0

ip local pool SSLClientPool1 192.168.251.1-192.168.251.50 mask 255.255.255.0
ip local pool SSLClientPool2 192.168.252.1-192.168.252.50 mask 255.255.255.0
ip local pool SSLClientPool3 192.168.253.1-192.168.253.50 mask 255.255.255.0

nat (outside) 0 access-list nonat_outside

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.234.105
key ***********

webvpn
enable outside tls-only
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.234.105
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value domain.local
address-pools value SSLClientPool1
webvpn
svc keep-installer none
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 10

sysopt connection permit-vpn

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group partnerauth
default-group-policy SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient1 enable

Please let me know if you need to clarify something from me or if you have your input.

Thank you,

Russsell

Todd Pula · ‎08-03-2010

There are a few different wasy to approach this. First, you can configure a static VPN filter under the respective group policy. The filter will tie to an extended ACL in which you define the access parameters. You can also enable this functionality dynamically using RADIUS. With RADIUS, you have a few different options including the IETF-Filter-11 authorization attribute as well as DACLs and Cisco AV Pair attributes.

tprendergast · ‎08-04-2010

You can use VPN Filters for this.

Example:

access-list Offshore_VPN_Filter extended permit ip 10.10.10.0 255.255.255.0 10.11.0.0 255.255.0.0

This filter keeps OffShore contractors isolated to accessing 10.11.0.0/16 (offshore contractors get IPs from a pool 10.10.10.0/24)

group-policy OffshoreContractorPolicy internal
group-policy OffshoreContractorPolicy attributes
vpn-filter value Offshore_VPN_Filter

This applies the VPN filter to the group-policy that offshore contractors get assigned to. You can use RADIUS to assign users to groups based on their credentials, and send back the attribute 25 as ou=; to dynamically allocate people to groups.

I use this to keep our phone vendors on the phone systems only, etc. It works quite well.

Cheers,

Tim