IOS AnyConnect VPN group lock and user restriction

umairali.khan
Level 1

Dear Experts,

I have the following two questions regarding Cisco IOS VPN on an ISR G2:

1. Is it possible to group-lock a user in IOS AnyConnect VPN like we can do on the ASA? If yes, can anyone share the steps for it?

2. A customer wants to restrict AnyConnect user login such that he can enable/disable the user's login on demand, i.e. whenever the user wants to connect via VPN he has to ask the admin to enable his login. Can we do that without deleting the username and creating it again?

The second one can be on ASA or IOS.

1 Accepted Solution

Marvin Rhoads
Hall of Fame

Please see this guide:

http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html#anc11

As it notes, "For the Cisco IOS group-lock and the ipsec:user-vpn-group, it works only for IPSec (easy VPN server). In order to group-lock specific users in specific WebVPN contexts (and attached group-policies), authentication domains should be used."

If you lock a user to a policy that authenticates but provides no real access authorization (say, an ACL that blocks all traffic to the private network), then you've essentially made their login ability non-functional.

If you're using an external AAA server (e.g. RADIUS or LDAP), then you can move them in and out of the group that is authorized for VPN access without disabling/deleting their account altogether.

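The two techniques in the answer above, laid out as one IOS SSL VPN configuration. This is an added example and is not configuration from the thread, from the linked Cisco document, or from the asker's router. It assumes local AAA (as the asker later says they use), an ISR G2 running IOS SSL VPN with AnyConnect, and every name in it (the gateway, contexts, policy groups, pools, interface, addresses and users) is invented for illustration. Group lock uses the authentication-domain approach the Cisco document refers to: each WebVPN context appends its own domain suffix to the login name before the AAA lookup, so a user only authenticates in the context whose suffix matches their local username. Login restriction uses a second "parked" context whose policy group hands out addresses from a pool that an ordinary interface ACL blocks from the private network; the ACL is an assumption standing in for whatever "no real access" policy fits the site.

```cisco
! Added example (not from the thread or the linked Cisco document). Everything
! named here (interfaces, addresses, pools, contexts, policy groups, users)
! is an assumption chosen for illustration.
!
aaa new-model
aaa authentication login VPN-LOCAL local
!
! Local users. A context appends its own domain to the name the client types
! before the AAA lookup, so "alice" typed into the SALES context is looked up
! as "alice@sales". Only usernames carrying that suffix can log in there.
username alice@sales secret <alice-secret>
username bob@sales   secret <bob-secret>
!
! carol is "parked": she still authenticates, but only in the PARKED context,
! whose policy group gives her an address the inside ACL below drops.
username carol@parked secret <carol-secret>
!
ip local pool POOL-SALES  10.10.10.1 10.10.10.50
ip local pool POOL-PARKED 10.10.99.1 10.10.99.50
!
! Drop everything sourced from the parked pool toward the private network.
! Assumes GigabitEthernet0/1 is the inside interface and 192.168.0.0/16 is
! the LAN; repeat the deny on any other interface that leads inside.
ip access-list extended DENY-PARKED-TO-LAN
 deny   ip 10.10.99.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group DENY-PARKED-TO-LAN out
!
webvpn gateway GW-SSL
 ip address 203.0.113.10 port 443
 ssl trustpoint TP-SSL
 inservice
!
! Working context, reached at https://203.0.113.10/sales
webvpn context CTX-SALES
 aaa authentication list VPN-LOCAL
 aaa authentication domain @sales
 gateway GW-SSL domain sales
 policy group PG-SALES
  functions svc-enabled
  svc address-pool "POOL-SALES" netmask 255.255.255.0
  svc split include 192.168.0.0 255.255.0.0
 default-group-policy PG-SALES
 inservice
!
! Parked context, reached at https://203.0.113.10/parked: the login succeeds
! and the tunnel comes up, but the ACL above blocks all traffic to the LAN.
webvpn context CTX-PARKED
 aaa authentication list VPN-LOCAL
 aaa authentication domain @parked
 gateway GW-SSL domain parked
 policy group PG-PARKED
  functions svc-enabled
  svc address-pool "POOL-PARKED" netmask 255.255.255.0
  svc split include 192.168.0.0 255.255.0.0
 default-group-policy PG-PARKED
 inservice
```

With this layout, "disabling" a user means moving their local entry from the @sales suffix to the @parked suffix (and back to re-enable); the account keeps existing, but because IOS stores only the hashed secret, the secret has to be re-entered when the username line is rewritten, which is the limitation of the local database that the answer above avoids by pointing at RADIUS/LDAP group membership. If a tunnel that comes up but carries nothing is not wanted, omit `functions svc-enabled` from PG-PARKED so the AnyConnect client cannot establish a session at all. To confirm which context a user actually landed in, check `show webvpn session context CTX-SALES` (and the same for CTX-PARKED) on the router.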

3 Replies


Thank you, Marvin, for your reply. I will test your suggestions and share whether it works or not.

I have also found another solution and will test that too.

Also, I'm not using any external AAA server. I need to do it with local AAA on the router.

Hi Marvin,

I have tested the solution in the link below and it works fine for group-locking a user in WebVPN.

http://resources.intenseschool.com/using-the-cisco-routers-local-database-to-apply-different-policies-for-cisco-ios-anyconnect-users-2/

Your solution also works.

For login restriction I'm thinking of using a default group policy with no access, as you suggested. Thank you.
