We are running IOS 8.2(2). We set up VPN groups to authenticate locally to the ASA. We have about 10 different groups (marketing, engineering, accounting, tech support, etc.) that I need to set up, which is no problem. My problem is I need to set up 10 different groups on the VPN client based on their user name. Is there a way to set up a generic group such as Everyone on the VPN client and the users will only have access to the internal resources based on their user name when they log in to the VPN client?
Please let me know if you have any questions or need additional information.
Yes, looks perfect. The user attribute group-policy will take precedence over the tunnel-group default group-policy "everyone", and you can check using the "show vpn-sessiondb remote filter name" command to make sure that that particular user is assigned the correct group-policy.
Federico is right.
Every user can log in to the same tunnel-group (this is the group name when you connect via the IPSec VPN), and depending on which user authenticates via xauth (ASA local user), I saw that you already configured user attributes to be assigned to a specific group-policy (e.g. vpn-group-policy accounting).
If you would like to check if the user is connected to the correct group-policy, after user is connected, you can issue the following on the ASA:
show vpn-sessiondb remote filter name
Hope that helps confirm it.
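Added example (not part of any post in this thread): a Python check that parses saved `show vpn-sessiondb remote` output and flags users whose applied group-policy is not the intended one, for instance a user who ended up on the tunnel-group default "everyone". The sample output, user names, addresses and the EXPECTED mapping are constructed, and the two-column "Key : value" layout is an assumption about the output format.

```python
import re

# Constructed sample in the assumed two-column "Key : value" layout;
# user names, addresses and policy names are made up for illustration.
SAMPLE = """\
Session Type: IPsec

Username     : alice                  Index        : 12
Assigned IP  : 192.168.50.10          Public IP    : 203.0.113.5
Group Policy : accounting             Tunnel Group : everyone

Username     : bob                    Index        : 13
Assigned IP  : 192.168.50.11          Public IP    : 198.51.100.7
Group Policy : everyone               Tunnel Group : everyone
"""

# Hypothetical intended mapping, mirroring each user's vpn-group-policy attribute.
EXPECTED = {"alice": "accounting", "bob": "engineering"}

FIELD = re.compile(r"(Username|Group Policy|Tunnel Group)\s*:\s*(\S+)")

def parse_sessions(text):
    """Return one dict per session with username, group policy and tunnel group."""
    sessions = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "Username":
                sessions.append({"Username": value})  # a new session record starts here
            elif sessions:
                sessions[-1][key] = value
    return sessions

def audit(sessions, expected, default_policy="everyone"):
    """List (user, applied policy, reason) for sessions on an unexpected group-policy."""
    findings = []
    for s in sessions:
        user, applied = s["Username"], s.get("Group Policy")
        want = expected.get(user)
        if want is None:
            findings.append((user, applied, "no expected policy on record"))
        elif applied != want:
            why = "fell back to tunnel-group default" if applied == default_policy else "wrong policy"
            findings.append((user, applied, why))
    return findings

if __name__ == "__main__":
    for user, applied, why in audit(parse_sessions(SAMPLE), EXPECTED):
        print(f"{user}: applied={applied} ({why})")
```

A user with no vpn-group-policy attribute gets the tunnel-group's default group-policy, so that default should grant the least access of all the policies.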
I don't have an ASA here to test it, but it should work.
You should be able to assign a different policy based on the user and then all users are part of the same tunnel-group.
So, you're going to have a single VPN group that all users will use.
Then, depending on the user credentials, they will match a specific group-policy.
I don't see why it would not work.
You can have all the users connecting to the same group.
Then, individually on each user, create a VPN filter...
username test attributes