Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7808
Views
0
Helpful
6
Replies

Setup Group on VPN Client

Go to solution
laurabolda
Level 1
Level 1

‎05-25-2010 08:21 AM

We are running IOS 8.2(2). We setup VPN groups to authenticate locally to the ASA.  We have about 10 different groups (marketing, engineering, accounting, tech support, etc.) that I need to setup which is no problem.  My problem is I need to setup 10 different groups on the VPN client based on their user name.  Is there a way to setup a generic group such as Everyone on the VPN client and the users will only have access to the internal resources based on their user name when they login to VPN client?

Please let me know if you have any questions or need additional information.

Thanks.

Laura

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-25-2010 09:22 AM

Hi Laura,

You can have all the users connecting to the same group.

Then, individually on each user, create a VPN filter...

username test attributes

     vpn-filter ....

Federico.

View solution in original post

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to laurabolda

‎05-25-2010 01:31 PM

Laura,

I don't have an ASA here to test it, but it should work.

You should be able to assign a different policy based on the user and then all users are part of the same tunnel-group.

So, you're going to have a single VPN group that all users will use.

Then, depending on the user credentials, will match a specific group-policy.

I don't see why it would not work.

Federico.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to laurabolda

‎05-25-2010 03:24 PM

Hi Laura,

Federico is right.

Every user can log in to the same tunnel-group (this is the group name when you connect via the IPSec VPN), and depending on which user authenticates via xauth (ASA local user), I saw that you already configure user attributes to be assigned to specific group-policy (eg: vpn-group-policy accounting).

If you would like to check if the user is connected to the correct group-policy, after user is connected, you can issue the following on the ASA:

show vpn-sessiondb remote filter name

Hope that helps confirmed it.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to laurabolda

‎05-26-2010 02:54 AM

Yes, looks perfect. The user attribute group-policy will take precedence over the tunnel-group default group-policy "everyone", and you can check using the "show vpn-sessiondb remote filter name " to make sure that that particular user is assigned the correct group-policy.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-25-2010 09:22 AM

Hi Laura,

You can have all the users connecting to the same group.

Then, individually on each user, create a VPN filter...

username test attributes

     vpn-filter ....

Federico.

0 Helpful

Go to solution
laurabolda
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-25-2010 01:27 PM

Thanks Federico,

This is what config looks like.  Is it possible for me to setup  all the users with ONE group name "Accounting" in Cisco VPN client?  Then, it does not matter if JDoe or ASmith logins to Cisco VPN client with the group name "Accounting".   If JDoe logins, he can only access the network resources in Accounting department.  If ASmith logins, he can only access network resources in Marketing department.  Is this what you are suggesting?

I don't want to setup the Accounting group name in Cisco VPN client for JDoe, Marketing group name for ASmith, etc.  Please let me know if you have any questions.  Thanks.

group-policy accounting internal
group-policy accounting attributes
dns-server value 192.168.100.10 4.2.2.2
vpn-filter value accounting
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value accounting1
split-dns value lacoe.edu
address-pools value vpnpool

group-policy marketing internal
group-policy marketing attributes
dns-server value 192.168.100.10 4.2.2.2
vpn-filter value marketing
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value marketing1
default-domain value lacoe.edu
address-pools value vpnpool

group-policy support internal
group-policy support attributes
dns-server value 192.168.100.10 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
default-domain value lacoe.edu
address-pools value vpnpool

username jdoe password ccekn7owDmHC783a encrypted
username jdoe attributes
vpn-group-policy accounting
vpn-filter value accounting
vpn-tunnel-protocol IPSec
service-type remote-access

username asmith password Xed6edyxbP4e7d5t0v encrypted
username asmith attributes
vpn-group-policy marketing
vpn-filter value marketing
vpn-tunnel-protocol IPSec
service-type remote-access

username lbolda password EzNhGeU6zIhI93e encrypted
username lbolda attributes
vpn-group-policy support
vpn-filter none
vpn-tunnel-protocol IPSec
service-type remote-access

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to laurabolda

‎05-25-2010 01:31 PM

Laura,

I don't have an ASA here to test it, but it should work.

You should be able to assign a different policy based on the user and then all users are part of the same tunnel-group.

So, you're going to have a single VPN group that all users will use.

Then, depending on the user credentials, will match a specific group-policy.

I don't see why it would not work.

Federico.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to laurabolda

‎05-25-2010 03:24 PM

Hi Laura,

Federico is right.

Every user can log in to the same tunnel-group (this is the group name when you connect via the IPSec VPN), and depending on which user authenticates via xauth (ASA local user), I saw that you already configure user attributes to be assigned to specific group-policy (eg: vpn-group-policy accounting).

If you would like to check if the user is connected to the correct group-policy, after user is connected, you can issue the following on the ASA:

show vpn-sessiondb remote filter name

Hope that helps confirmed it.

0 Helpful

Go to solution
laurabolda
Level 1
Level 1
In response to Jennifer Halim

‎05-25-2010 06:17 PM

Thanks Federico and Halijenn.  I appreciate both of you taking time to respond to my questions promptly. So, I am going to setup one tunnel-group called "everyone" and setup this "everyone" group on the Cisco VPN client and have every user logins under "everyone" group.  It is a big help since I do not have to customize 10 different profiles for Cisco VPN client for 10 different departments.  Again, thanks very much.

tunnel-group everyone type remote-access
tunnel-group everyone general-attributes
authentication-server-group (Inside) LOCAL
default-group-policy everyone
strip-group
tunnel-group everyone ipsec-attributes
pre-shared-key *****

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to laurabolda

‎05-26-2010 02:54 AM

Yes, looks perfect. The user attribute group-policy will take precedence over the tunnel-group default group-policy "everyone", and you can check using the "show vpn-sessiondb remote filter name " to make sure that that particular user is assigned the correct group-policy.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents