mapping group-policy to users

Jan 15th, 2010

I'm trying to map VPN group-policy to users in the local database on an ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is a remote access VPN. Is it possible to have one tunnel-group for all remote VPN users and to map different group-policies to different users, so that when a user is authenticated, his group policy is applied to him (address pool, filter list, etc.)? All my users are getting the policy from the group-policy which is defined as the default policy under my tunnel-group (!?):

ASA# sh run tunnel-group
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
  default-group-policy POLICY3
tunnel-group GROUP1 ipsec-attributes
  pre-shared-key *

ASA# sh run group-policy
group-policy POLICY2 internal
group-policy POLICY2 attributes
  vpn-idle-timeout 60
  vpn-filter value
  vpn-tunnel-protocol IPSec
  address-pools value POOL2
group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec webvpn
group-policy POLICY3 internal
group-policy POLICY3 attributes
  vpn-idle-timeout 30
  vpn-tunnel-protocol IPSec
  password-storage enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value NONAT
  user-authentication enable
  address-pools value POOL3
group-policy POLICY1 internal
group-policy POLICY1 attributes
  vpn-simultaneous-logins 7
  vpn-idle-timeout 60
  vpn-filter value FILTER1
  vpn-tunnel-protocol IPSec
  password-storage enable
  address-pools value POOL1

ASA# sh run username
username USER2 password g9O3SBOu.Lds9mV4 encrypted
username USER2 attributes
  vpn-group-policy POLICY2
  service-type remote-access
username test password 274Y4GRAbNElaCoV encrypted
username test attributes
  vpn-group-policy POLICY2
  service-type remote-access
username USER3 password cNH.ND6XX2p2UgNJ encrypted privilege 15
username USER3 attributes
  vpn-group-policy POLICY3
username USER1 password jcSAXHlsFLpnIf2H encrypted
username USER1 attributes
  vpn-group-policy POLICY1
  service-type remote-access

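As an added check (example code written for this thread, not from the original post or from Cisco): a small Python script that parses the configuration above and reports which group-policy each local user should receive, applying the precedence the questioner expects on the ASA (a per-user vpn-group-policy overrides the tunnel-group's default-group-policy, and attributes a policy leaves unset are inherited from DfltGrpPolicy). The embedded sample config is a constructed, trimmed copy of the one above; the parser assumes the block layout shown there.

```python
import re

# Constructed sample, trimmed from the questioner's config above (added example).
SAMPLE_CONFIG = """
tunnel-group GROUP1 general-attributes
 default-group-policy POLICY3
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy POLICY3 attributes
 address-pools value POOL3
group-policy POLICY1 attributes
 vpn-idle-timeout 60
 vpn-filter value FILTER1
 address-pools value POOL1
username USER1 attributes
 vpn-group-policy POLICY1
username test attributes
 service-type remote-access
"""

HEADER = re.compile(r"^(tunnel-group|group-policy|username) (\S+) (general-attributes|attributes)$")

def parse(text):
    """Return {section: {name: {attribute: value}}} for the three block types."""
    sections = {"tunnel-group": {}, "group-policy": {}, "username": {}}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            block = sections[m.group(1)].setdefault(m.group(2), {})
        elif line.split()[0] in sections:   # e.g. 'username X password ...'
            block = None
        elif block is not None:
            key, _, value = line.partition(" ")
            block[key] = value.replace("value ", "", 1)  # 'address-pools value X'
    return sections

def effective_policy(cfg, user, tunnel):
    """Policy name a user should get and its merged attributes. Precedence:
    per-user vpn-group-policy > tunnel-group default-group-policy > DfltGrpPolicy."""
    pol = cfg["group-policy"]
    name = (cfg["username"].get(user, {}).get("vpn-group-policy")
            or cfg["tunnel-group"].get(tunnel, {}).get("default-group-policy")
            or "DfltGrpPolicy")
    attrs = dict(pol.get("DfltGrpPolicy", {}))   # inherited defaults first
    attrs.update(pol.get(name, {}))              # then the selected policy
    return name, attrs
```

Running `effective_policy(parse(SAMPLE_CONFIG), "test", "GROUP1")` shows the fallback the questioner observed for every user: a user without a vpn-group-policy gets POLICY3 from the tunnel-group, while USER1 should get POLICY1 with FILTER1 and POOL1.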
gammatel1 Fri, 01/15/2010 - 01:13

This can be done in a different way - hopefully achieving what you want.

Basically you define tunnel-groups for each of your different VPN client groups. So let's assume you have 3 client groups and each group has access to different internal resources; the tunnel-groups you create can apply a different IP pool, thus allowing you to define different access policies in your group-policy configuration. In essence, you will have 3 tunnel-group configurations and 3 group-policy configurations, i.e.:

ip local pool client1-vpn mask
ip local pool client2-vpn mask
ip local pool client3-vpn mask

tunnel-group client1-vpn type ipsec-ra
tunnel-group client1-vpn general-attributes
  address-pool client1-vpn
  default-group-policy client1-vpn
tunnel-group client1-vpn ipsec-attributes
  pre-shared-key *

tunnel-group client2-vpn type ipsec-ra
tunnel-group client2-vpn general-attributes
  address-pool client2-vpn
  default-group-policy client2-vpn
tunnel-group client2-vpn ipsec-attributes
  pre-shared-key *

tunnel-group client3-vpn type ipsec-ra
tunnel-group client3-vpn general-attributes
  address-pool client3-vpn
  default-group-policy client3-vpn
tunnel-group client3-vpn ipsec-attributes
  pre-shared-key *

group-policy client1-vpn internal
group-policy client1-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client1-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client1-vpn
  default-domain value

group-policy client2-vpn internal
group-policy client2-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client2-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client2-vpn
  default-domain value

group-policy client3-vpn internal
group-policy client3-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client3-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client3-vpn
  default-domain value

Obviously you don't need to use split-tunneling, but this is just an example of how it can be done.

ivanbarkic Fri, 01/15/2010 - 03:54

Well, what is the purpose of group-policy if any tunnel-group must have ONLY one group-policy applied? So, I cannot have one tunnel group for all users and a couple of group-policies which I will apply to users? If I have to create a new tunnel group for every group of users, then I can configure the address pool and similar stuff under the tunnel attributes... Why is there an option to apply a group-policy for each user when it cannot be used when all users connect with the same tunnel group?

ivanbarkic Sun, 01/17/2010 - 13:59

Bug in software 8.0.4(12).

After upgrading to 8.0.5 it's working with no problem.
