cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
529
Views
3
Helpful
2
Replies

How to restrict certain users in a tunnel group with access hours

kraghupati
Level 1
Level 1

I created below ldap attribute-map and applied it to the AD server used for authentication. Then created time-range and applied to group policy.

In AD server, for users that should have access to VPN only during office hours, I have put value "OfficeHours" in Office field. However for users that should have access to vpn 24 hours, i have left this field blank.

Now only users with value "OfficeHours" in Office field are getting connected in the specified time range. However other users never get connected. How can i fix this issue?

ldap attribute-map AccessHours_LDAPMAP

  map-name  msNPAllowDialin Tunneling-Protocols

  map-value msNPAllowDialin FALSE 1

  map-value msNPAllowDialin TRUE 20

  map-name  physicalDeliveryOfficeName Access-Hours

time-range OfficeHours

periodic Monday Tuesday Wednesday Thursday Saturday Sunday 8:30 to 18:00

group-policy GroupPolicy_employees.domain.com attributes

wins-server none

dns-server value 4.2.2.2

vpn-access-hours value OfficeHours

vpn-tunnel-protocol ikev2 ssl-client

default-domain none

webvpn

  anyconnect profiles value domain.com_client_profile type user

1 Accepted Solution

Accepted Solutions

Thanks Karishma,

The soultion you suggested is working.

Thanks for taking time to resolve this.

Regards

Harvinder

View solution in original post

2 Replies 2

kraghupati
Level 1
Level 1

Resolved:

Create another time-range "AllHours" allowing access for 24 hours and put this value in the "physicalDeliveryOfficeName" field in the AD server. This time-range  is only binded to the users in AD server and not to group-policy. In group-policy still the "vpn-access-hours value OfficeHours" is same.

time-range AllHours

periodic daily 0:00 to 23:59

Thanks Karishma,

The soultion you suggested is working.

Thanks for taking time to resolve this.

Regards

Harvinder