10-28-2021 02:31 PM
Hello,
We're looking to set up a VPN where instead of having users in a group and giving that group access to a subnet, we would like to have the VPN only have 1 IP address to the user's machine, which the user can then RDP to for the necessary network access. I'm trying to figure out how that could work within the ASA config. I understand that each user would need their own tunnel-group and ACL for split-tunnel, but I'm trying to determine the mechanism that would tie an LDAP user to a particular tunnel group.
If there's any documentation or examples out there that could shed some light on this, it would be appreciated.
Cheers,
10-29-2021 01:45 AM
@joeldoetsch you don't need a unique tunnel-group per user. As you are using LDAP authentication, use LDAP attribute maps. Map the user's LDAP/AD group to an ASA group policy, which is referencing a split tunnel ACL.
More information:
10-28-2021 02:50 PM
Personally, this is a large task and more manual work is required here for each user (what kind of user base are we looking at here?).
Never tried this option: if you have ISE, look below, it may be helpful (apologies if this is not suited to your needs).
10-29-2021 06:53 AM
Hi Rob,
Thanks for the documentation. I looked through it and I still have a few questions. My intent isn't to have a group, it's to have the individual users set the policy. AKA if I'm John Doe and my workstation is 10.1.2.3, when I login via AnyConnect, I should _only_ have access to 10.1.2.3. If I'm Jane Doe and my workstation is 10.1.2.4, when I login I should only be able to access 10.1.2.4.
So if I take a look at example 2 in the above documentation, I would create an LDAP map to the username, and then create a group policy for that username, correct? Rinse and repeat for each individual user? I'm also confused how this can be done without individual tunnel groups. Doesn't the tunnel group set the anyconnect URL and reference the group policy? If I have a generic tunnel-group, how do I then get from there to the individualized group policies?
Thanks for engaging
- Joel
10-29-2021 07:10 AM
@joeldoetsch yes correct, create an LDAP map entry for each user which maps to a unique Group Policy.
The users connect to the same tunnel-group; it's the LDAP attribute map which determines which group policy is applied - this overrides the group policy assigned to the tunnel group.