Rusty Gadberry
Level 1

I was needing two WEBVPN group policies, one for business users and the other for SCADA users. The business and SCADA servers are on separate networks. The goal was to set VPN split tunneling for its respective network.

Following are the steps I took to make this work.

  1. Created two Active Directory VPN group profiles.
  2. Created business VPN NPS network policy.
    • Under the Constraints tab I added the Authentication Method constraint specifying "Microsoft Encrypted Authentication version 2 (MS-CHAP)".
    • Under the Conditions tab I added a user group condition specifying the business VPN group file. I then added a Client Friendly Name condition specifying the friendly name I set up in the RADIUS client.
    • Under the Settings tab I created a vendor specific attribute. In the vendor drop down, I selected Cisco. I then selected the Cisco-AV-Pair attribute and clicked Add. For the attribute I entered: "webvpn:user-vpn-group=BUSINESS" without the quotes.
  3. Created SCADA VPN NPS network policy as in step 2 above specifying SCADA values. For the vendor specific attribute I specified "webvpn:user-vpn-group=SCADA" for its value.
  4. I then tested using Cisco AnyConnect and a business user logon username and password. In the AnyConnect advanced window route details tab it showed the business networks. I was able to ping servers in the business networks.
  5. I then tested using a SCADA user logon username and password. In the AnyConnect advanced window route details tab it showed the SCADA networks. I was able to ping servers in the SCADA networks.

Router WEBVPN configuration:

webvpn gateway WTP_SSL_VPN
 hostname wtp2901.companydomain.com
 ip address xxx.xxx.xxx.xxx port 8443
 ssl encryption rc4-md5
 ssl trustpoint GoDaddySecureCA
 inservice
 !
webvpn context WTP_SSL_VPN
 secondary-color white
 title-color #CCCC66
 text-color black
 aaa authentication list WTPVPN
 gateway WTP_SSL_VPN
 max-users 10
 !
 ssl authenticate verify all
 inservice
 !
 policy group BUSINESS
   functions svc-enabled
   svc address-pool "poolVPN" netmask 255.255.255.255
   svc keep-client-installed
   svc split dns "companydomain.com"
   svc split include 192.168.20.0 255.255.255.0
   svc split include 192.168.21.0 255.255.255.0
   svc dns-server primary 192.168.20.20
 !
 policy group SCADA
   functions svc-enabled
   svc address-pool "poolVPN" netmask 255.255.255.255
   svc keep-client-installed
   svc split dns "companydomain.com"
   svc split include 192.168.11.0 255.255.255.0
   svc split include 192.168.12.0 255.255.255.0
 !
 policy group default_policy
   functions svc-enabled
   svc address-pool "poolVPN" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 192.168.21.0 255.255.255.0
 default-group-policy default_policy
!
end
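To see what the NPS policy above actually hands the router, and what each policy group then exposes, here is an added example (not part of the post): it encodes and decodes the Cisco-AV-Pair as a RADIUS Vendor-Specific attribute (vendor-id 9, vendor-type 1), parses the split-include lines of the posted config, and resolves a user's group to the routes the client receives. The CONFIG string is a trimmed copy of the post's policy groups; the fallback to default-group-policy when no attribute is present is an assumption based on how the post describes the local admin login.

```python
# Added example (not from the post): decode NPS's Cisco-AV-Pair and resolve it against the webvpn policy groups.
import ipaddress
import struct

def encode_cisco_avpair(value: str) -> bytes:
    # RADIUS attr 26 (Vendor-Specific): vendor-id 9 (Cisco), vendor-type 1 (cisco-avpair)
    v = value.encode()
    return struct.pack("!BBIBB", 26, 8 + len(v), 9, 1, 2 + len(v)) + v

def decode_cisco_avpair(attr: bytes):
    # Return the AV-pair string, or None unless attr is a well-formed Cisco VSA
    if len(attr) >= 8 and attr[0] == 26:
        _, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
        if (vendor, vtype, alen, vlen) == (9, 1, len(attr), len(attr) - 6):
            return attr[8:].decode()
    return None

# Constructed: only the policy-group lines copied from the posted router config
CONFIG = """\
 policy group BUSINESS
   svc split include 192.168.20.0 255.255.255.0
   svc split include 192.168.21.0 255.255.255.0
 policy group SCADA
   svc split include 192.168.11.0 255.255.255.0
   svc split include 192.168.12.0 255.255.255.0
 policy group default_policy
   svc split include 192.168.21.0 255.255.255.0
 default-group-policy default_policy
"""
def parse_policy_groups(cfg: str):
    # Map each policy group to its split-include networks; also return the default group
    groups, default, cur = {}, None, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["policy", "group"]:
            cur, groups[t[2]] = t[2], []
        elif t[:3] == ["svc", "split", "include"] and cur:
            groups[cur].append(ipaddress.ip_network(f"{t[3]}/{t[4]}"))
        elif t[:1] == ["default-group-policy"]:
            default = t[1]
    return groups, default

def routes_for(avpair, groups: dict, default: str) -> list:
    # Use the group named by webvpn:user-vpn-group; with no attribute (assumed for the
    # local fallback login the post describes for when NPS is down) use default-group-policy
    ok = avpair is not None and avpair.startswith("webvpn:user-vpn-group=")
    return groups[avpair.split("=", 1)[1] if ok else default]

def tunneled(dst: str, nets: list) -> bool:
    # True if the client would send traffic for dst through the split tunnel
    return any(ipaddress.ip_address(dst) in n for n in nets)
```

Running `tunneled` for a destination in the other group's network is a quick way to confirm the isolation the post describes before trusting the AnyConnect route details tab.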

Comments
aldrabkin
Level 1

Hello Rusty!

Why didn't you configure default-group-policy for the webvpn context, like this:

webvpn context NAME
...
default-group-policy POLICY_NAME
...

I think this should be done to split users' accessible networks. Am I right?

Rusty Gadberry
Level 1

That may have been a better way of doing it but the way I did it does work.

When a business user logs into the VPN, all he/she has access to is the business networks, 192.168.20.0/24 and 192.168.21.0/24. When a SCADA engineer logs into the VPN, all he/she has access to is the SCADA networks, 192.168.11.0/24 and 192.168.12.0/24.

The default group policy is only used in the event the NPS service is not reachable. An administrator VPN login is enabled on the router and is only used when the NPS service is not available. This login only has access to the local business network, 192.168.21.0/24.

rmnr
Level 1

Hi Rusty,

Would you mind explaining how you configured the below? I know it is definitely not done using the terminal.

  1. Created business VPN NPS network policy.
    • Under the Constraints tab I added the Authentication Method constraint specifying "Microsoft Encrypted Authentication version 2 (MS-CHAP)".
    • Under the Conditions tab I added a user group condition specifying the business VPN group file. I then added a Client Friendly Name condition specifying the friendly name I setup in the RADIUS client.
    • Under the settings tab I created a vendor specific attribute. In the vendor drop down, I selected Cisco. I then selected the Cisco-AV-Pair attribute then click on Add. For the attribute I entered: "webvpn:user-vpn-group=BUSINESS" without the quotes.
  2. Created SCADA VPN NPS network policy as in step 2 above specifying SCADA values. For the vendor specific attribute I specified "webvpn:user-vpn-group=SCADA" for its value.

I am also trying to set up multiple profiles and I could not get it working. CLI configs for the above would be very helpful.

Thanks,

Rijath Mohammed
