05-03-2013 07:59 PM - edited 02-21-2020 06:52 PM
Below is the config I wrote up. Basically, I have an admin user previously defined with priv level 15, and a new user as defined below. I want the new user to be able to VPN in using the IPsec tunnel, but I do not want the admin to VPN in. How would I enable the user to be tied to an IPsec group like the one I defined, so that if you're not a member of the group you can't log in? Normally I would do this through RADIUS, but the site in which I am deploying this VPN does not have a server running RADIUS right now. That may change.
aaa authentication login VPNauthentication1 local
aaa authorization network VPNauthorization1 local
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq isakmp
access-list 100 permit esp any any
access-list 100 permit ahp any any
access-list 100 deny ip any any
access-list 100 deny tcp any any
access-list 100 deny udp any any
ip local pool VPNPOOL1 192.168.50.100 192.168.50.200
crypto isakmp profile IKEprofile1
isakmp authorization list VPNauthorization1
client authentication list VPNauthentication1
match identity group VPNusers
client configuration address respond
exit
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
crypto ipsec profile IPsecProfile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile IKEprofile1
exit
interface Virtual-Template1 type tunnel
exit
default interface Virtual-Template1
interface Virtual-Template1 type tunnel
no shutdown
ip unnumbered GigabitEthernet0/0
tunnel protection ipsec profile IPsecProfile1
tunnel mode ipsec ipv4
exit
crypto isakmp profile IKEprofile1
virtual-template 1
exit
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp client configuration group VPNusers
key 0 ********************
pool VPNPOOL1
acl 101
include-local-lan
pfs
max-users 1
netmask 255.255.255.0
exit
username VPNUSER privilege 0 secret 0 ********************
05-04-2013 01:03 PM
Joe,
I think this can be done.
Facts:
If local authentication is used, then the Group-Lock attribute is the only option to accomplish this task. The username in the local database must be of the following format:
username/group, username\group, username@group, or username%group
Please use the configuration that is in BOLD letters.
crypto isakmp client configuration group VPNusers
group-lock
Now the user who should have access to the VPN needs to be defined as:
username VPNUSER@VPNusers password
where:
VPNUSER is the username
VPNusers is the vpn group name
The admin user will not be able to connect as it doesn't have the VPN group name as a suffix.
you may also look at this example.
http://ltlnetworker.wordpress.com/2010/05/07/k-local-user-group-lock-in-ios-easy-vpn/
hope this helps.
Jatin Katyal
- Do rate helpful posts -
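Added example, not part of the thread or of Cisco's code: a small Python model of the decision the answer above describes, so you can sanity-check a running-config before you deploy it. It parses the `crypto isakmp client configuration group` blocks and the local `username` lines, and then answers "can this local user pass XAUTH into this group?" the way the answer says IOS does: a group without `group-lock` accepts any local user (the situation the question started from), a group with `group-lock` accepts only a username whose `/`, `\`, `@` or `%` suffix equals the group name. The config text is constructed for the example (the thread's `VPNusers` group with the fix applied, plus a second, unlocked group), the hashes are placeholders, and treating the rightmost delimiter as the group separator when several appear is an assumption, not documented IOS behaviour.

```python
import re

# Constructed sample running-config for this example (not taken from a device):
# the thread's VPNusers group with group-lock added, a second group that still
# lacks group-lock, and a local user database with placeholder hashes.
SAMPLE_CONFIG = """\
aaa authentication login VPNauthentication1 local
crypto isakmp client configuration group VPNusers
 key 0 SampleSharedSecret
 pool VPNPOOL1
 acl 101
 group-lock
crypto isakmp client configuration group Contractors
 key 0 AnotherSampleSecret
 pool VPNPOOL1
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username VPNUSER@VPNusers privilege 0 secret 5 $1$efgh$placeholderhash
username bob/Contractors secret 5 $1$ijkl$placeholderhash
"""

# IOS group-lock accepts user/group, user\group, user@group and user%group.
# Assumption: if more than one delimiter appears, the rightmost one separates
# the group name.
_SUFFIX_RE = re.compile(r"^(.*)([/\\@%])([^/\\@%]+)$")


def parse_config(text):
    """Return ({group_name: has_group_lock}, {local usernames})."""
    groups, users, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp client configuration group (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = False
            continue
        if line.startswith(" ") and current is not None:
            # Indented line: a sub-command of the group we are inside.
            if line.strip() == "group-lock":
                groups[current] = True
            continue
        current = None  # any top-level command ends the group block
        m = re.match(r"^username (\S+)\s", line)
        if m:
            users.add(m.group(1))
    return groups, users


def split_user(username):
    """Split 'user@group' into ('user', 'group'); no suffix gives (user, None)."""
    m = _SUFFIX_RE.match(username)
    if not m:
        return username, None
    return m.group(1), m.group(3)


def xauth_allowed(groups, users, username, isakmp_group):
    """Model of the local-auth XAUTH decision; returns (allowed, reason)."""
    if isakmp_group not in groups:
        return False, "no such ISAKMP client group"
    if username not in users:
        return False, "unknown local user"
    if not groups[isakmp_group]:
        # Without group-lock the username is checked against the whole local
        # database, so the privilege-15 admin gets in too.
        return True, "group has no group-lock: any local user passes"
    base, suffix = split_user(username)
    if suffix is None:
        return False, "group-lock: username carries no group suffix"
    if suffix != isakmp_group:
        return False, "group-lock: suffix %r != group %r" % (suffix, isakmp_group)
    return True, "group-lock: suffix matches group"


def audit(text):
    """For each group: (has_group_lock, sorted local users that could log in)."""
    groups, users = parse_config(text)
    return {
        g: (locked, sorted(u for u in users if xauth_allowed(groups, users, u, g)[0]))
        for g, locked in groups.items()
    }


if __name__ == "__main__":
    for group, (locked, allowed) in audit(SAMPLE_CONFIG).items():
        flag = "" if locked else "  <-- no group-lock, every local user can connect"
        print("%-12s group-lock=%-5s users=%s%s" % (group, locked, allowed, flag))
```

Run it against a saved `show running-config` and any group reported without `group-lock` is one the admin account can still VPN into; that is exactly the gap the thread is closing.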
05-04-2013 04:56 AM
We can try to accomplish this by using the group-lock attribute under the username attributes. For example:
!
!
username admin password admin
username admin attribute
group-lock value remote-1
Creating a tunnel-group with group-policy set to no-access.
!
!
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-tunnel-general)# default-group-policy NOACCESS
You can create a NOACCESS group-policy in order to deny the VPN connection when the user should not have access to any VPN tunnel-group. This configuration snippet is shown for your reference:
!
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn
Let me know how it goes. Afterwards we will work on your secondary question.
Jatin Katyal
- Do rate helpful posts -
05-04-2013 08:55 AM
Hello Guys,
Jatin what you provided is for ASA only. Joe, you may wanna look at the local aaa server feature:
HTH
05-04-2013 12:19 PM
Thank you for the link Gustavo. I read a large portion of that in the past few moments, but I'm running short on time. I also reviewed the available commands for a period of time last night and I couldn't see a way to do what I'm asking. I actually also deploy ASA devices and their group policy settings seem to exceed what is available in terms of IPsec configurations. In ASA I would just create a new group policy and assign it to the VPN, and disable IPsec on the default policy which is applied to the admin account by default.
As you said above the commands would work if I were using an ASA. However, I am not. I will review the rest of the page you provided but can anyone say for certain it is possible to do what I'm asking without using RADIUS on the IOS device? I believe the answer is currently no. I want to be sure before I ask for a RADIUS server to be deployed.
05-04-2013 12:55 PM
Yup, I agree Gustavo. I didn't realise it's IOS. Thanks. I will post the required config for IOS.
Jatin Katyal
- Do rate helpful posts -
05-04-2013 06:13 PM
I forgot all about group lock! I guess two heads are better than one! Thanks for all your help!
05-04-2013 11:58 PM
I agree. have a good day.