01-06-2012 10:07 AM
Hello ppl!
SSL WebVPN client on IOS routers question:
I'm trying to map users to different group policies. For example:
user a with password aaa should fall on the 192.168.1.0 subnet
user b with password bbb should fall on the 192.168.2.0 subnet
so far no luck :/
I also tried a different webvpn context for each user, but I cannot bind users to group maps. I suspect this has to do with AAA, but I have no idea how to achieve this. Any ideas are welcome.
01-10-2012 01:48 AM
Hi Alex, I haven't tried this myself yet (so no guarantees :)), but I believe you should be able to do something like this:
ip local pool poolA 192.168.1.1 192.168.1.254
aaa attribute list listA
 attribute type addr-pool poolA
username a password p4$$w0rd
username a aaa attribute list listA
aaa authorization network localauthor local
webvpn gateway yourGW
webvpn context yourCTX
 aaa authorization list localauthor
In the attribute list you can then also specify other attributes (do "attribute type ?" for a long list) if needed.
I'm assuming you want to configure everything locally. Alternatively you can use Radius or LDAP authentication/authorization.
hth
Herbert
01-10-2012 12:04 PM
Hello Herbert
I tried this and yes, it partially solved the problem: this way, different users get different IP addresses from the local pool lists. However, the main problem from my first post remains, even though protected networks are specified on the policy groups. Using the attribute type command (that sure is the biggest list I've seen on a Cisco router), I tried many commands like svc, split, policy, webvpn etc. Still nothing.
Here's a partial config:
!
interface Virtual-Template2
exit
default interface Virtual-Template2
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa attribute list USER_ATR1
 attribute type addr-pool VCL1
!
aaa attribute list USER2_ATR2
 attribute type addr-pool VCL2
!
username USER1 aaa attribute list USER_ATR1
!
username USER2 aaa attribute list USER_ATR1
!
ip local pool CLIENT1 192.168.10.1
ip local pool CLIENT2 192.168.20.1
!
webvpn gateway GATEWAY
 ip interface Dialer0 port 443
 inservice
!
webvpn install svc flash:sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn context ALXVSL
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 policy group POLICY_1
  functions svc-enabled
  svc address-pool "CLIENT1"
  svc split include 192.168.1.0 255.255.255.240
 policy group POLICY_2
  functions svc-enabled
  svc address-pool "CLIENT2"
  svc split include 192.168.2.0 255.255.255.240
 virtual-template 2
 default-group-policy POLICY_1
 aaa authentication list default
 aaa authorization list default
 gateway GATEWAY
 inservice
Thank you once again for your help
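Herbert's reply and the partial config above both revolve around binding a local user to its own pool and policy group, so here is an added example (not posted by either participant) that ties the two together using the names from the follow-up config. Two things in it are assumptions to verify on the router: that `user-vpn-group` is the attribute type that selects the policy group (check with `attribute type ?` as Herbert suggests), and the constructed pool ranges and secrets.

```cisco
! Added example: local AAA binding each user to its own address pool and policy group.
! Pool names in the attribute lists must match the "ip local pool" names exactly;
! the posted config lists VCL1/VCL2 in the attribute lists but defines CLIENT1/CLIENT2,
! and both users point at USER_ATR1, so both users can only ever land in POLICY_1.
ip local pool CLIENT1 192.168.10.1 192.168.10.14
ip local pool CLIENT2 192.168.20.1 192.168.20.14
!
aaa new-model
aaa authentication login default local
aaa authorization network default local
!
! One attribute list per user. "user-vpn-group" is assumed to be the attribute
! that picks the policy group; confirm it appears in "attribute type ?".
aaa attribute list USER1_ATR
 attribute type addr-pool "CLIENT1"
 attribute type user-vpn-group "POLICY_1"
aaa attribute list USER2_ATR
 attribute type addr-pool "CLIENT2"
 attribute type user-vpn-group "POLICY_2"
!
! Placeholder secrets: replace before use.
username USER1 secret CHANGE_ME_USER1
username USER1 aaa attribute list USER1_ATR
username USER2 secret CHANGE_ME_USER2
username USER2 aaa attribute list USER2_ATR
!
webvpn context ALXVSL
 ! Each policy group carries the split-include for its own protected subnet;
 ! the per-user attribute list overrides the group's pool if both are set.
 policy group POLICY_1
  functions svc-enabled
  svc address-pool "CLIENT1"
  svc split include 192.168.1.0 255.255.255.240
 policy group POLICY_2
  functions svc-enabled
  svc address-pool "CLIENT2"
  svc split include 192.168.2.0 255.255.255.240
 virtual-template 2
 default-group-policy POLICY_1
 aaa authentication list default
 ! Without this line the attribute lists are never consulted for the context.
 aaa authorization list default
 gateway GATEWAY
 inservice
```

After a user connects, `show webvpn session context ALXVSL` should show which group and assigned address each session received, which is the quickest way to confirm the attribute list was actually applied.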