Restrict local user from IPsec VPN

Joe Conklin
Level 1

Below is the config I wrote up. Basically, I have an admin user previously defined with priv level 15, and a new user as defined below. I want the new user to be able to VPN in using the IPsec tunnel, but I do not want the admin to VPN in. How would I enable the user to be tied to a IPsec group like the one I defined, and if you're not a member of the a group you can't login. Normally I would do this through RADIUS, but the site in which I am deploying this VPN does not have a server running RADIUS right now. That may change.

aaa authentication login VPNauthentication1 local
aaa authorization network VPNauthorization1 local

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit udp any any eq isakmp
access-list 100 permit esp any any
access-list 100 permit ahp any any
access-list 100 deny ip any any
access-list 100 deny tcp any any
access-list 100 deny udp any any

ip local pool VPNPOOL1 192.168.50.100 192.168.50.200

crypto isakmp profile IKEprofile1
isakmp authorization list VPNauthorization1
client authentication list VPNauthentication1
match identity group VPNusers
client configuration address respond
exit

crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit

crypto ipsec profile IPsecProfile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile IKEprofile1
exit

interface Virtual-Template1 type tunnel
exit

default interface Virtual-Template1
interface Virtual-Template1 type tunnel
no shutdown
ip unnumbered GigabitEthernet0/0
tunnel protection ipsec profile IPsecProfile1
tunnel mode ipsec ipv4
exit

crypto isakmp profile IKEprofile1
virtual-template 1
exit

crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit

crypto isakmp client configuration group VPNusers
key 0 ********************
pool VPNPOOL1
acl 101
include-local-lan
pfs
max-users 1
netmask 255.255.255.0
exit

username VPNUSER privilege 0 secret 0 ********************

1 Accepted Solution

Joe,

I think this can be done.

Facts:

If local authentication is used, then the Group-Lock attribute is the only option to accomplish this task. The username in the local database must be of the following format:

username/group, username\group, username@group, or username%group

Please use the configuration that is in BOLD letters.

crypto isakmp client configuration group VPNusers

group-lock

Now the user who should have access to VPN needs to be defined as:

username VPNUSER@VPNusers password

where:

VPNUSER is the username

VPNusers is the vpn group name

The admin user will not be able to connect as it doesn't have the vpn group name as a suffix.

you may also look at this example.

http://ltlnetworker.wordpress.com/2010/05/07/k-local-user-group-lock-in-ios-easy-vpn/

hope this helps.

Jatin Katyal


- Do rate helpful posts -

~Jatin
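To make the group-lock decision from the accepted answer concrete, here is an added Python model (not Cisco code, not part of the original thread) that parses the username/group, username\group, username@group and username%group forms and decides whether a local user can complete XAUTH into a given ISAKMP client group. It assumes the group is whatever follows the last delimiter and that the client presents the full suffixed string as its XAUTH username; the local user database below is constructed to mirror the thread (an admin with no suffix, VPNUSER@VPNusers).

```python
# Delimiters the answer lists between user and group in a local username.
GROUP_DELIMITERS = "/\\@%"

# Constructed local database mirroring the thread: the admin has no group
# suffix, the VPN user is defined as VPNUSER@VPNusers per the accepted answer.
LOCAL_USERS = {"admin": 15, "VPNUSER@VPNusers": 0}


def split_group_suffix(username):
    """Return (user, group) for a suffixed name, else (username, None).

    Assumption: the group is the text after the LAST delimiter, so a user
    part may itself contain one of the delimiter characters.  An empty
    user or group part (e.g. 'admin@') is treated as no suffix at all.
    """
    for i in range(len(username) - 1, -1, -1):
        if username[i] in GROUP_DELIMITERS:
            user, group = username[:i], username[i + 1:]
            if user and group:
                return user, group
            return username, None
    return username, None


def xauth_allowed(local_username, isakmp_group, group_lock):
    """Model of the group-lock check.

    With 'group-lock' configured under the ISAKMP client group, only a
    local user whose suffix names that exact group passes XAUTH; a user
    without a suffix (the privilege-15 admin here) is rejected.  Without
    group-lock, any valid local user can authenticate into any group.
    """
    _, group = split_group_suffix(local_username)
    if not group_lock:
        return True
    return group == isakmp_group


def who_can_connect(isakmp_group, group_lock):
    """List the local users that would pass XAUTH for the given group."""
    return sorted(u for u in LOCAL_USERS
                  if xauth_allowed(u, isakmp_group, group_lock))


if __name__ == "__main__":
    # Without group-lock the admin can still VPN in; with it, only VPNUSER.
    print("no group-lock:", who_can_connect("VPNusers", group_lock=False))
    print("group-lock   :", who_can_connect("VPNusers", group_lock=True))
```

Note that the model also shows the remaining gap group-lock does not close: the suffixed user is still a valid local login, so its privilege level (0 in the original config) is what keeps it off the CLI.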


7 Replies

Jatin Katyal
Cisco Employee

We can try to accomplish this by using the group-lock attribute under the username attribute. For example:

!

!

username admin password admin

username admin attribute

group-lock value remote-1

Creating a tunnel-group with group-policy set to no-access.

!

!

hostname(config)# tunnel-group remote-1 type ipsec-ra

hostname(config)# tunnel-group remote-1 general-attributes

hostname(config)# default group-policy NOACCESS

You can create a NOACCESS group-policy in order to deny the VPN connection when the user should not have access to any VPN tunnel-group. This configuration snippet is shown for your reference:

!

!

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec webvpn

Let me know how it goes. Afterwards we will work on your secondary question.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Hello Guys,

Jatin what you provided is for ASA only. Joe, you may wanna look at the local aaa server feature:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_loc_aaa_srvr.html#wp1054586

HTH

Thank you for the link Gustavo. I read a large portion of that in the past few moments, but I'm running short on time. I also reviewed the available commands for a period of time last night and I couldn't see a way to do what I'm asking. I actually also deploy ASA devices and their group policy settings seem to exceed what is available in terms of IPsec configurations. In ASA I would just create a new group policy and assign it to the VPN, and disable IPsec on the default policy which is applied to the admin account by default.

As you said above the commands would work if I were using an ASA. However, I am not. I will review the rest of the page you provided but can anyone say for certain it is possible to do what I'm asking without using RADIUS on the IOS device? I believe the answer is currently no. I want to be sure before I ask for a RADIUS server to be deployed.


Yup, I agree Gustavo. I didn't realise it's IOS. Thanks. I will post the required config for IOS.

Jatin Katyal


- Do rate helpful posts -

~Jatin

I forgot all about group lock! I guess two heads are better than one! Thanks for all your help!

I agree. Have a good day.

~Jatin