
Control SSL VPN profile user access.

nsiddiqui
Level 1

I have two SSL VPN profiles. Can I restrict users to access only one SSL VPN profile when they get the SSL VPN service page? For each profile I create a different type of access, and they will get different client IP addresses.


Gustavo Medina
Cisco Employee

Hi,

Yes, in many different ways; one of them is by using group-lock, which is a simple check to validate whether the Tunnel Group (or Connection Profile, as you called it) you connect with matches what you have defined under the group-policy. If the Tunnel-Group-Lock value matches (true condition), the VPN remote access session is allowed to set up; otherwise the session is not allowed to establish.

The tunnel-group-lock feature can be set in the following ways:

  • via group-policy setting locally on ASA
  • via LDAP attribute
  • via Radius attribute

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1134870

***Step 4

Regards,

Thanks. I created local users in ASA; I am not using an LDAP or RADIUS server. Am I still able to use the group-lock command?

Yes, absolutely.

Hi,

You can do that.

e.g.

username cisco password cisco
username cisco attributes
     group-lock value <tunnel-group-name>

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

With your help I am able to find the answer.



username cisco password cisco

username cisco attributes
      service-type remote-access
      group-policy VPN_Inside attributes
      group-lock value VPN_Inside

Thank you all.

Hi,

That is nice.. Please mark this thread as answered so that others can benefit from your post.

Regards,

Anisha

Right, remember to rate the posts that help you and mark your questions as resolved if you don't need further help.
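
The group-lock approach discussed in this thread, laid out for the two-profile case in the original question. This is an added example, not configuration posted by anyone in the thread: VPN_Inside is the name used above, while VPN_Partner, the pool names, address ranges, group-policy names, aliases, usernames and passwords are constructed placeholders.

```cisco
! Constructed example: every name except VPN_Inside is a placeholder.
! One address pool per connection profile, so each profile hands out
! a different client IP range.
ip local pool POOL_INSIDE 10.10.10.1-10.10.10.50 mask 255.255.255.0
ip local pool POOL_PARTNER 10.10.20.1-10.10.20.50 mask 255.255.255.0
!
! Each group-policy is locked to the one tunnel-group it belongs to.
group-policy GP_INSIDE internal
group-policy GP_INSIDE attributes
 group-lock value VPN_Inside
group-policy GP_PARTNER internal
group-policy GP_PARTNER attributes
 group-lock value VPN_Partner
!
tunnel-group VPN_Inside type remote-access
tunnel-group VPN_Inside general-attributes
 address-pool POOL_INSIDE
 default-group-policy GP_INSIDE
tunnel-group VPN_Inside webvpn-attributes
 group-alias Inside enable
!
tunnel-group VPN_Partner type remote-access
tunnel-group VPN_Partner general-attributes
 address-pool POOL_PARTNER
 default-group-policy GP_PARTNER
tunnel-group VPN_Partner webvpn-attributes
 group-alias Partner enable
!
! Both aliases appear in the drop-down on the SSL VPN login page;
! group-lock is what rejects a user who picks the wrong one.
webvpn
 tunnel-group-list enable
!
! Variant 1: the user inherits the lock from an assigned group-policy.
! alice picking "Partner" still gets GP_INSIDE, whose lock (VPN_Inside)
! does not match the tunnel-group in use, so the session is refused.
username alice password <password-placeholder>
username alice attributes
 service-type remote-access
 vpn-group-policy GP_INSIDE
!
! Variant 2: the lock is set directly on the local user.
username bob password <password-placeholder>
username bob attributes
 service-type remote-access
 group-lock value VPN_Partner
```

A user with neither an assigned group-policy nor a user-level group-lock inherits the default-group-policy of whichever profile they select, whose lock always matches that profile, so every local VPN user needs one of the two variants for the restriction to hold.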