ssl group map

Unanswered Question
Jan 6th, 2012
Hello ppl!

SSL WebVPN client on IOS routers question:

I'm trying to map users to different group policies. For example:

user a with password aaa should fall on the 192.168.1.0 subnet
user b with password bbb should fall on the 192.168.2.0 subnet

So far no luck :/

I also tried a different webvpn context for each user, but I cannot bind users to group maps. I suspect this has to do with AAA, but I have no idea how to achieve this. Any ideas are welcome.

Herbert Baerten (Cisco Employee) Tue, 01/10/2012 - 01:48
Hi Alex,

I haven't tried this myself yet (so no guarantees :)), but I believe you should be able to do something like this:

     ip local pool poolA 192.168.1.1 192.168.1.254

     ! attribute list carrying the per-user settings
     aaa attribute list listA
         attribute type addr-pool poolA

     username a password p4$$w0rd
     username a aaa attribute list listA

     ! named network authorization method list, backed by the local database
     aaa authorization network localauthor local

     webvpn gateway yourGW

     ! webvpn context is a top-level block that references the gateway;
     ! the authorization list is what pulls in the user's attribute list
     webvpn context yourCTX
         gateway yourGW
         aaa authorization list localauthor


In the attribute list you can then also specify other attributes (do "attribute type ?" for a long list) if needed.


I'm assuming you want to configure everything locally. Alternatively you can use RADIUS or LDAP authentication/authorization.


hth

Herbert

alexbak79 Tue, 01/10/2012 - 12:04
Hello Herbert


I tried this and yes, it partially solved the problem: different users now get IP addresses from different local pools this way. However the main problem from my first post remains, even though protected networks are specified on the policy groups. Using the attribute type command (that sure is the biggest list I've seen on a Cisco router), I tried many commands like svc, split, policy, webvpn etc. Still nothing.

Here's a partial config:

!
interface Virtual-Template2
exit
default interface Virtual-Template2
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa attribute list USER_ATR1
 attribute type addr-pool VCL1
!
aaa attribute list USER2_ATR2
 attribute type addr-pool VCL2
!
! as posted: both users are bound to USER_ATR1, and the addr-pool
! attributes name pools VCL1/VCL2 that do not appear in this excerpt
username USER1 aaa attribute list USER_ATR1
username USER2 aaa attribute list USER_ATR1
!
ip local pool CLIENT1 192.168.10.1
ip local pool CLIENT2 192.168.20.1
!
webvpn gateway GATEWAY
 ip interface Dialer0 port 443
 inservice
!
webvpn install svc flash:sslclient-win-1.1.4.176.pkg sequence 1
!
webvpn context ALXVSL
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 policy group POLICY_1
   functions svc-enabled
   svc address-pool "CLIENT1"
   svc split include 192.168.1.0 255.255.255.240
 policy group POLICY_2
   functions svc-enabled
   svc address-pool "CLIENT2"
   svc split include 192.168.2.0 255.255.255.240
 !
 ! default-group-policy is the only thing selecting a group here; nothing
 ! in the attribute lists names a policy group
 virtual-template 2
 default-group-policy POLICY_1
 aaa authentication list default
 aaa authorization list default
 gateway GATEWAY
 inservice


Thank you once again for your help
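The attribute-list mechanism Herbert describes, carried through to the per-user group selection the original question asks for, as an added configuration example that is not from either post in this thread. It assumes the router's IOS release offers the `user-vpn-group` attribute type inside `aaa attribute list` (confirm with `attribute type ?`, as Herbert suggests); every name, address and password placeholder below is hypothetical.

```cisco
! Added example (not from the thread): two local users, two WebVPN policy
! groups, selected per user through AAA attribute lists. POOL_A/POOL_B,
! GRP_A/GRP_B, LIST_A/LIST_B, GW, CTX, the usernames, the gateway address
! and the <password-*> placeholders are all assumed names.
aaa new-model
aaa authentication login SSLVPN_AUTHEN local
aaa authorization network SSLVPN_AUTHOR local
!
! One address pool per group, so the assigned client IP alone tells you
! which policy a session landed in.
ip local pool POOL_A 192.168.1.10 192.168.1.20
ip local pool POOL_B 192.168.2.10 192.168.2.20
!
! Per-user attribute lists. user-vpn-group selects the policy group
! (assumed attribute type, check "attribute type ?"); addr-pool is the
! attribute Herbert used and overrides the group's own pool if set.
aaa attribute list LIST_A
 attribute type user-vpn-group "GRP_A"
 attribute type addr-pool "POOL_A"
aaa attribute list LIST_B
 attribute type user-vpn-group "GRP_B"
 attribute type addr-pool "POOL_B"
!
username a secret <password-a>
username a aaa attribute list LIST_A
username b secret <password-b>
username b aaa attribute list LIST_B
!
webvpn gateway GW
 ip address 203.0.113.1 port 443
 inservice
!
webvpn context CTX
 ssl authenticate verify all
 ! network authorization is what applies the user's attribute list
 aaa authentication list SSLVPN_AUTHEN
 aaa authorization list SSLVPN_AUTHOR
 gateway GW
 !
 policy group GRP_A
  functions svc-enabled
  svc address-pool "POOL_A"
  svc split include 192.168.1.0 255.255.255.0
 policy group GRP_B
  functions svc-enabled
  svc address-pool "POOL_B"
  svc split include 192.168.2.0 255.255.255.0
 !
 ! Fallback only for a user whose attribute list names no group.
 default-group-policy GRP_A
 inservice
```

After user a connects, `show webvpn session context CTX` should list the session under GRP_A with an address from POOL_A, and `debug aaa authorization` shows the attribute list being applied at login. The point of the `user-vpn-group` attribute is that `default-group-policy` stops deciding: each user's policy group, and with it the split-include networks, follows the username rather than the context. The same attribute names are what a RADIUS server would return as Cisco AV pairs (for example `webvpn:user-vpn-group=GRP_A`), which is the path Herbert's "alternatively" points at.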
