07-06-2013 01:57 AM
I created the LDAP attribute-map below and applied it to the AD server used for authentication. Then I created a time-range and applied it to the group policy.
In the AD server, for users that should have access to the VPN only during office hours, I have put the value "OfficeHours" in the Office field. However, for users that should have access to the VPN 24 hours, I have left this field blank.
Now only users with the value "OfficeHours" in the Office field are getting connected in the specified time range. However, other users never get connected. How can I fix this issue?
ldap attribute-map AccessHours_LDAPMAP
 map-name msNPAllowDialin Tunneling-Protocols
 map-value msNPAllowDialin FALSE 1
 map-value msNPAllowDialin TRUE 20
 map-name physicalDeliveryOfficeName Access-Hours
time-range OfficeHours
 periodic Monday Tuesday Wednesday Thursday Saturday Sunday 8:30 to 18:00
group-policy GroupPolicy_employees.domain.com attributes
 wins-server none
 dns-server value 4.2.2.2
 vpn-access-hours value OfficeHours
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain none
 webvpn
  anyconnect profiles value domain.com_client_profile type user
07-06-2013 02:59 AM
Resolved:
Create another time-range "AllHours" allowing access for 24 hours and put this value in the "physicalDeliveryOfficeName" field in the AD server. This time-range is only bound to the users in the AD server and not to the group-policy. In the group-policy, "vpn-access-hours value OfficeHours" stays the same.
time-range AllHours
 periodic daily 0:00 to 23:59
07-06-2013 11:06 PM
Thanks Karishma,
The solution you suggested is working.
Thanks for taking the time to resolve this.
Regards
Harvinder
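Added example, not part of the thread and not Cisco code: a small audit that compares each user's Office (physicalDeliveryOfficeName) value against the time-range names defined on the ASA, so blank or mistyped values are found before users are locked out. The config fragment and user list are constructed sample data, and exact, case-sensitive name matching is an assumption.

```python
import re

# Constructed ASA configuration fragment, using the time-range names from the thread.
ASA_CONFIG = """\
time-range OfficeHours
 periodic Monday Tuesday Wednesday Thursday Saturday Sunday 8:30 to 18:00
time-range AllHours
 periodic daily 0:00 to 23:59
"""

# Constructed directory export: (sAMAccountName, physicalDeliveryOfficeName).
USERS = [
    ("alice", "OfficeHours"),
    ("bob", "AllHours"),
    ("carol", ""),             # blank Office field, the case reported in the thread
    ("dave", "Officehours"),   # typo in letter case
    ("erin", None),            # attribute absent from the directory entry
]

def defined_time_ranges(config):
    """Return the set of time-range names declared in an ASA config."""
    return set(re.findall(r"^time-range\s+(\S+)\s*$", config, flags=re.MULTILINE))

def audit_access_hours(users, config):
    """Return {user: reason} for each user whose Office value names no time-range."""
    ranges = defined_time_ranges(config)
    by_lower = {name.lower(): name for name in ranges}
    findings = {}
    for user, office in users:
        value = (office or "").strip()
        if not value:
            findings[user] = "blank: no Access-Hours value to map"
        elif value not in ranges:  # assumption: names must match exactly
            hint = by_lower.get(value.lower())
            suffix = f" (closest defined name: '{hint}')" if hint else ""
            findings[user] = f"'{value}' is not a defined time-range{suffix}"
    return findings

if __name__ == "__main__":
    for user, reason in sorted(audit_access_hours(USERS, ASA_CONFIG).items()):
        print(f"{user}: {reason}")
```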