How to control what users can access over AnyConnect VPN

ronald.nutter
Level 1

I am in the process of setting up AnyConnect for my department. We will be providing access with another group as well. I want to be able to limit access to hosts/subnets based on what group they are in. One way I have handled this in the past was to do multiple vpn-groups using vpn-filter.

Since I will be using 8.2.5 and have an ACS 5.4 server in the mix, is there a better way to do it? I have thought about downloadable ACLs. Since I have control over AD as well, that may give me another option.

Also interested in a way where I can limit the users' access without them having to select the right group when they log in via AnyConnect.

Thanks,

Ron

3 Replies

Marvin Rhoads
Hall of Fame

Your use case is what the Identity Firewall features are designed for. It is an 8.4+ feature however.

Details here and here.

Ok. Will take a look at 8.4. Are downloadable ACLs still an option without going to 8.4? I remember seeing references to this in earlier versions of ACS. That would give me an option of controlling access via ACS and not having to get fancy with the ASA.

kssinha
Level 1

Hi Ronald,

From what I understand, what you want is that you have multiple users who connect using the AnyConnect client. Let us say you have users A, B and C. If user A connects to the tunnel group then he can only access the 192.168.1.0/24 subnet; if user B connects he can access the 192.168.2.0/24 subnet; if C connects he can access both the 192.168.1.0 and 192.168.2.0 networks.

If this is what you are trying to achieve and you are using an AAA server for authentication of the users, you can create different groups for the different users and then bind a different group policy to each group. In those different group policies you can specify different split tunnel ACLs as per your requirement, or define VPN filters, whatever your requirement is.

Below is an example for an ACS server with RADIUS assigning different group policies:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

If my understanding of your problem was incorrect, please correct me.

HTH
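As an added illustration of the approach described in this answer (a single AnyConnect tunnel-group, with the group policy selected by ACS over RADIUS and access restricted per group with vpn-filter), not configuration from the thread or from Cisco: all names, addresses, the ACS host and the pool are assumptions, and the syntax is the ASA 8.2 form the question mentions.

```cisco
! Constructed example. One tunnel-group, RADIUS picks the group policy,
! vpn-filter limits what each policy may reach. Addresses, names and the
! ACS host are assumptions; syntax is ASA 8.2 (vpn-tunnel-protocol svc).

ip local pool VPN_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>

! Per-group filters: source is the client's pool address, destination the
! inside network that group may reach. The trailing deny is implicit anyway.
access-list FILTER_GROUP_A extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list FILTER_GROUP_A extended deny ip any any
access-list FILTER_GROUP_B extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list FILTER_GROUP_B extended deny ip any any
access-list FILTER_GROUP_C extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list FILTER_GROUP_C extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list FILTER_GROUP_C extended deny ip any any

group-policy GP_GROUP_A internal
group-policy GP_GROUP_A attributes
 vpn-tunnel-protocol svc
 vpn-filter value FILTER_GROUP_A
group-policy GP_GROUP_B internal
group-policy GP_GROUP_B attributes
 vpn-tunnel-protocol svc
 vpn-filter value FILTER_GROUP_B
group-policy GP_GROUP_C internal
group-policy GP_GROUP_C attributes
 vpn-tunnel-protocol svc
 vpn-filter value FILTER_GROUP_C

! Default policy: a user ACS authenticates but does not map to a group gets
! no session at all, so a missing RADIUS attribute fails closed.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN_POOL
 authentication-server-group ACS
 default-group-policy GP_NOACCESS

! On ACS: for each AD/ACS group, return RADIUS IETF attribute 25 (Class)
! with value "OU=GP_GROUP_A;" (or GP_GROUP_B, GP_GROUP_C). The ASA applies
! that group policy, so users never have to choose a group in AnyConnect.
```

Because the policy is chosen server-side, the ACS group mapping, not the tunnel-group the client selects, decides what a user can reach; `show vpn-sessiondb svc` will list the group policy and filter actually applied to a session.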
