Setup Group on VPN Client

Answered Question
May 25th, 2010

We are running IOS 8.2(2). We set up VPN groups to authenticate locally to the ASA.  We have about 10 different groups (marketing, engineering, accounting, tech support, etc.) that I need to set up, which is no problem.  My problem is I need to set up 10 different groups on the VPN client based on their user name.  Is there a way to set up a generic group such as Everyone on the VPN client so that the users will only have access to the internal resources based on their user name when they log in to the VPN client?

Please let me know if you have any questions or need additional information.

Thanks.

Laura

Correct Answer
Federico Coto F... Tue, 05/25/2010 - 09:22

Hi Laura,

You can have all the users connecting to the same group.

Then, individually on each user, create a VPN filter...

username test attributes

     vpn-filter ....

Federico.

laurabolda Tue, 05/25/2010 - 13:27

Thanks Federico,

This is what the config looks like.  Is it possible for me to set up all the users with ONE group name "Accounting" in the Cisco VPN client?  Then it does not matter if JDoe or ASmith logs in to the Cisco VPN client with the group name "Accounting".   If JDoe logs in, he can only access the network resources in the Accounting department.  If ASmith logs in, he can only access network resources in the Marketing department.  Is this what you are suggesting?

I don't want to set up the Accounting group name in the Cisco VPN client for JDoe, the Marketing group name for ASmith, etc.  Please let me know if you have any questions.  Thanks.

group-policy accounting internal
group-policy accounting attributes
 dns-server value 192.168.100.10 4.2.2.2
 vpn-filter value accounting
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value accounting1
 split-dns value lacoe.edu
 address-pools value vpnpool

group-policy marketing internal
group-policy marketing attributes
 dns-server value 192.168.100.10 4.2.2.2
 vpn-filter value marketing
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value marketing1
 default-domain value lacoe.edu
 address-pools value vpnpool

group-policy support internal
group-policy support attributes
 dns-server value 192.168.100.10 4.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 default-domain value lacoe.edu
 address-pools value vpnpool

username jdoe password ccekn7owDmHC783a encrypted
username jdoe attributes
 vpn-group-policy accounting
 vpn-filter value accounting
 vpn-tunnel-protocol IPSec
 service-type remote-access

username asmith password Xed6edyxbP4e7d5t0v encrypted
username asmith attributes
 vpn-group-policy marketing
 vpn-filter value marketing
 vpn-tunnel-protocol IPSec
 service-type remote-access

username lbolda password EzNhGeU6zIhI93e encrypted
username lbolda attributes
 vpn-group-policy support
 vpn-filter none
 vpn-tunnel-protocol IPSec
 service-type remote-access

Correct Answer
Federico Coto F... Tue, 05/25/2010 - 13:31

Laura,

I don't have an ASA here to test it, but it should work.

You should be able to assign a different policy based on the user and then all users are part of the same tunnel-group.

So, you're going to have a single VPN group that all users will use.

Then, depending on the user credentials, the user will match a specific group-policy.

I don't see why it would not work.

Federico.

Correct Answer
Jennifer Halim Tue, 05/25/2010 - 15:24

Hi Laura,

Federico is right.

Every user can log in to the same tunnel-group (this is the group name when you connect via the IPSec VPN), and depending on which user authenticates via xauth (ASA local user), I saw that you already configured user attributes to be assigned to a specific group-policy (eg: vpn-group-policy accounting).

If you would like to check if the user is connected to the correct group-policy, after user is connected, you can issue the following on the ASA:

show vpn-sessiondb remote filter name

Hope that helps confirm it.

laurabolda Tue, 05/25/2010 - 18:17

Thanks Federico and Halijenn.  I appreciate both of you taking time to respond to my questions promptly. So, I am going to set up one tunnel-group called "everyone", set up this "everyone" group on the Cisco VPN client, and have every user log in under the "everyone" group.  It is a big help since I do not have to customize 10 different profiles for the Cisco VPN client for 10 different departments.  Again, thanks very much.

tunnel-group everyone type remote-access
tunnel-group everyone general-attributes
 authentication-server-group (Inside) LOCAL
 default-group-policy everyone
 strip-group
tunnel-group everyone ipsec-attributes
 pre-shared-key *****

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 02:54

Yes, looks perfect. The user attribute group-policy will take precedence over the tunnel-group default group-policy "everyone", and you can check using the "show vpn-sessiondb remote filter name " to make sure that that particular user is assigned the correct group-policy.
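Editor's added example, not part of the thread and not Laura's running config. It fills in the two pieces the posts above refer to but never show: the access-lists that Federico's "vpn-filter" suggestion relies on (Laura's config names them "accounting" and "marketing" but the ACLs themselves are not posted), and a deliberately locked-down "everyone" group-policy, since the tunnel-group's default-group-policy is exactly what any local user without a "vpn-group-policy" line ends up in when the per-user override Jennifer describes is missing. The address pool 10.10.10.0/24, the department subnets 192.168.20.0/24 (accounting) and 192.168.30.0/24 (marketing), and the DNS server 192.168.100.10 are assumptions for illustration; the crypto map and isakmp configuration are assumed to already exist, as in Laura's case.

```cisco
! Added example (editor's, not from the thread). Assumed addresses:
!   vpnpool       10.10.10.1-10.10.10.100
!   accounting    192.168.20.0/24
!   marketing     192.168.30.0/24
!   internal DNS  192.168.100.10

ip local pool vpnpool 10.10.10.1-10.10.10.100 mask 255.255.255.0

! vpn-filter ACLs are always evaluated with the VPN client's address as the
! source (the ASA applies them to both directions of the session), so write
! them client -> resource. Permit DNS to the internal server explicitly,
! otherwise the split-dns / default-domain settings in the group-policies
! are useless because the lookups are dropped by the filter.
access-list accounting extended permit udp 10.10.10.0 255.255.255.0 host 192.168.100.10 eq domain
access-list accounting extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list marketing extended permit udp 10.10.10.0 255.255.255.0 host 192.168.100.10 eq domain
access-list marketing extended permit ip 10.10.10.0 255.255.255.0 192.168.30.0 255.255.255.0

! Filter for anyone who lands in the default group-policy.
access-list noaccess extended deny ip any any

! The shared tunnel-group's default-group-policy is what a user gets when
! no "username ... attributes / vpn-group-policy" overrides it. Make that
! the least-privilege case: refuse the session outright (0 simultaneous
! logins) and, should someone later raise that number, deny all traffic.
group-policy everyone internal
group-policy everyone attributes
 vpn-tunnel-protocol IPSec
 vpn-simultaneous-logins 0
 vpn-filter value noaccess

! One tunnel-group, so the VPN client profile only needs the group name
! "everyone" and its pre-shared key.
tunnel-group everyone type remote-access
tunnel-group everyone general-attributes
 authentication-server-group LOCAL
 default-group-policy everyone
tunnel-group everyone ipsec-attributes
 pre-shared-key <long-random-key>

! Per-user override: the username attributes take precedence over the
! tunnel-group's default-group-policy, so jdoe and asmith get their
! department policy (and its vpn-filter) no matter which group they
! typed into the client.
username jdoe attributes
 vpn-group-policy accounting
username asmith attributes
 vpn-group-policy marketing
```

Two points worth checking once this is in place. First, the interface ACLs do not protect the inside network from VPN users: "sysopt connection permit-vpn" is on by default and lets decrypted VPN traffic bypass them, so the vpn-filter is the only thing limiting jdoe to 192.168.20.0/24. Second, "accounting" does not inherit anything from "everyone"; a group-policy selected through the user attributes inherits its unset attributes from DfltGrpPolicy, which is why the restrictive settings on "everyone" do not affect the mapped users. After jdoe connects, "show vpn-sessiondb remote filter name jdoe" should list Group Policy : accounting and Tunnel Group : everyone, and the "detail" form of the same command shows the Filter Name the session is actually running under.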
