
mapping group-policy to users

ivanbarkic
Level 1

Hi,

I'm trying to map VPN group-policy to users in the local database on an ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is a remote access VPN. Is it possible to have one tunnel-group for all remote VPN users and to map different group-policies to different users, so that when a user is authenticated, his group-policy is applied to him (address pool, filter list, etc.)? All my users are getting the policy from the group-policy which is defined as the default policy under my tunnel-group (!?):

ASA# sh run tunnel-group
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
  default-group-policy POLICY3
tunnel-group GROUP1 ipsec-attributes
  pre-shared-key *

ASA# sh run group-policy
group-policy POLICY2 internal
group-policy POLICY2 attributes
  vpn-idle-timeout 60
  vpn-filter value
  vpn-tunnel-protocol IPSec
  address-pools value POOL2
group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec webvpn
group-policy POLICY3 internal
group-policy POLICY3 attributes
  vpn-idle-timeout 30
  vpn-tunnel-protocol IPSec
  password-storage enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value NONAT
  user-authentication enable
  address-pools value POOL3
group-policy POLICY1 internal
group-policy POLICY1 attributes
  vpn-simultaneous-logins 7
  vpn-idle-timeout 60
  vpn-filter value FILTER1
  vpn-tunnel-protocol IPSec
  password-storage enable
  address-pools value POOL1

ASA# sh run username
username USER2 password g9O3SBOu.Lds9mV4 encrypted
username USER2 attributes
  vpn-group-policy POLICY2
  service-type remote-access
username test password 274Y4GRAbNElaCoV encrypted
username test attributes
  vpn-group-policy POLICY2
  service-type remote-access
username USER3 password cNH.ND6XX2p2UgNJ encrypted privilege 15
username USER3 attributes
  vpn-group-policy POLICY3
username USER1 password jcSAXHlsFLpnIf2H encrypted
username USER1 attributes
  vpn-group-policy POLICY1
  service-type remote-access
3 Replies

gammatel1
Level 1

This can be done in a different way - hopefully achieving what you want.

Basically you define tunnel-groups for each of your different VPN client groups. So let's assume you have 3 client groups and each group has access to different internal resources; the tunnel-groups you create can apply a different IP pool, thus allowing you to define different access policies in your group-policy configuration. In essence, you will have 3 tunnel-group configurations and 3 group-policy configurations, i.e.:


ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool client2-vpn 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224

tunnel-group client1-vpn type ipsec-ra
tunnel-group client1-vpn general-attributes
  address-pool client1-vpn
  default-group-policy client1-vpn
tunnel-group client1-vpn ipsec-attributes
  pre-shared-key *

tunnel-group client2-vpn type ipsec-ra
tunnel-group client2-vpn general-attributes
  address-pool client2-vpn
  default-group-policy client2-vpn
tunnel-group client2-vpn ipsec-attributes
  pre-shared-key *

tunnel-group client3-vpn type ipsec-ra
tunnel-group client3-vpn general-attributes
  address-pool client3-vpn
  default-group-policy client3-vpn
tunnel-group client3-vpn ipsec-attributes
  pre-shared-key *

group-policy client1-vpn internal
group-policy client1-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client1-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client1-vpn
  default-domain value somewhere.com

group-policy client2-vpn internal
group-policy client2-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client2-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client2-vpn
  default-domain value somewhere.com

group-policy client3-vpn internal
group-policy client3-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client3-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client3-vpn
  default-domain value somewhere.com

Obviously you don't need to use split-tunneling, but this is just an example of how it can be done.
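Added example, not from the thread or from Cisco: a small parser for ASA `show run` text that resolves which group-policy and address pool each local user would receive under the precedence the ASA documents (username attributes, then the tunnel-group's default-group-policy, then DfltGrpPolicy, with unset attributes inherited down that chain), and audits the result for dangling references and overlapping pools. The sample configuration is constructed from the names in the question (secrets replaced, the empty `vpn-filter value` line dropped), with one deliberately broken user, USER4, mapped to an undefined POLICY9. Running this over a real `show run` output tells you whether the effective policy differs from what the config says, which is the kind of check that separates a misconfiguration from the software bug the thread ends on.

```python
"""Resolve effective VPN group-policy and address pool per local ASA user."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the configuration pasted in the question.
SAMPLE_CONFIG = """
ip local pool POOL1 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool POOL2 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool POOL3 10.0.24.128-10.0.24.159 mask 255.255.255.224
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
  default-group-policy POLICY3
group-policy POLICY2 internal
group-policy POLICY2 attributes
  vpn-idle-timeout 60
  vpn-tunnel-protocol IPSec
  address-pools value POOL2
group-policy POLICY3 internal
group-policy POLICY3 attributes
  vpn-idle-timeout 30
  address-pools value POOL3
group-policy POLICY1 internal
group-policy POLICY1 attributes
  vpn-filter value FILTER1
  address-pools value POOL1
username USER2 password <removed> encrypted
username USER2 attributes
  vpn-group-policy POLICY2
  service-type remote-access
username USER3 password <removed> encrypted privilege 15
username USER3 attributes
  vpn-group-policy POLICY3
username USER1 password <removed> encrypted
username USER1 attributes
  vpn-group-policy POLICY1
  service-type remote-access
username noattr password <removed> encrypted
username USER4 password <removed> encrypted
username USER4 attributes
  vpn-group-policy POLICY9
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


@dataclass
class AsaConfig:
    pools: Dict[str, Tuple[IPv4Address, IPv4Address]] = field(default_factory=dict)
    group_policies: Dict[str, Dict[str, str]] = field(default_factory=dict)  # name -> "attr value X" pairs
    tunnel_defaults: Dict[str, Optional[str]] = field(default_factory=dict)  # tunnel-group -> default-group-policy
    user_policies: Dict[str, Optional[str]] = field(default_factory=dict)    # username -> vpn-group-policy


def parse_asa_config(text: str) -> AsaConfig:
    """Section-aware parse keyed on leading keywords, so it survives lost indentation."""
    cfg = AsaConfig()
    section: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POOL_RE.match(line)
        if m:
            cfg.pools[m.group(1)] = (IPv4Address(m.group(2)), IPv4Address(m.group(3)))
            section = None
            continue
        words = line.split()
        sub = words[2] if len(words) > 2 else ""
        if words[0] == "tunnel-group":
            cfg.tunnel_defaults.setdefault(words[1], None)
            section = ("tunnel", words[1]) if sub == "general-attributes" else None
        elif words[0] == "group-policy":
            cfg.group_policies.setdefault(words[1], {})
            section = ("policy", words[1]) if sub == "attributes" else None
        elif words[0] == "username":
            cfg.user_policies.setdefault(words[1], None)
            section = ("user", words[1]) if sub == "attributes" else None
        elif section is not None:
            kind, name = section
            if kind == "tunnel" and words[0] == "default-group-policy":
                cfg.tunnel_defaults[name] = words[1]
            elif kind == "user" and words[0] == "vpn-group-policy":
                cfg.user_policies[name] = words[1]
            elif kind == "policy" and len(words) >= 3 and words[1] == "value":
                cfg.group_policies[name][words[0]] = words[2]
    return cfg


def policy_chain(cfg: AsaConfig, user: str, tunnel_group: str) -> List[str]:
    """Most specific first: user's policy, tunnel-group default, then DfltGrpPolicy."""
    chain = [p for p in (cfg.user_policies.get(user), cfg.tunnel_defaults.get(tunnel_group)) if p]
    return chain + ["DfltGrpPolicy"]


def effective_attribute(cfg: AsaConfig, user: str, tunnel_group: str, attr: str) -> Optional[Tuple[str, str]]:
    """First policy in the chain that sets `attr` wins; returns (value, policy) or None."""
    for pol in policy_chain(cfg, user, tunnel_group):
        val = cfg.group_policies.get(pol, {}).get(attr)
        if val:
            return val, pol
    return None


def audit(cfg: AsaConfig, tunnel_group: str) -> List[str]:
    """Report undefined policies/pools per user and any overlapping local pools."""
    findings = []
    for user, pol in cfg.user_policies.items():
        if pol and pol not in cfg.group_policies:
            findings.append(f"{user}: vpn-group-policy {pol} is not defined")
        got = effective_attribute(cfg, user, tunnel_group, "address-pools")
        if got is None:
            findings.append(f"{user}: no address pool reachable through any group-policy")
        elif got[0] not in cfg.pools:
            findings.append(f"{user}: address pool {got[0]} (from {got[1]}) is not defined")
    names = sorted(cfg.pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a0, a1), (b0, b1) = cfg.pools[a], cfg.pools[b]
            if a0 <= b1 and b0 <= a1:
                findings.append(f"pools {a} and {b} overlap")
    return findings


CONFIG = parse_asa_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for user in CONFIG.user_policies:
        print(user, effective_attribute(CONFIG, user, "GROUP1", "address-pools"))
    print("\n".join(audit(CONFIG, "GROUP1")) or "no findings")
```

For the sample, USER1 resolves to POOL1 via POLICY1, USER3 to POOL3 via POLICY3, and the user with no attributes falls through to the tunnel-group's POLICY3; the only finding is USER4's reference to the undefined POLICY9 (the ASA itself will normally refuse that reference at configuration time, but pasted or templated configs do not always get that check).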

Well, what is the purpose of group-policy if any tunnel-group must have ONLY one group-policy applied? So, I cannot have one tunnel-group for all users and a couple of group-policies which I will apply to users? If I have to make a new tunnel-group for every group of users, then I can configure the address pool and similar stuff under the tunnel attributes... Why is there an option to apply a group-policy for each user when it cannot be used when all users connect with the same tunnel-group?

Bug in software 8.0.4(12).

After upgrade to 8.0.5 it's working with no problem.
