Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

mapping group-policy to users

Hi,

I'm trying to map VPN group-policy to users in local database on ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is Remote access VPN. Is it possible to have one tunnel-group for all remote vpn users and to map different group-policies to different user, so when user is authenticated, his group policy is applied to him (address pool, filter liste, etc)? All my users are getting policy from group-policy which id defined as default policy under my tunnel-group (!?):

ASA# sh run tunnel-group

tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes

default-group-policy POLICY3

tunnel-group GROUP1 ipsec-attributes

  pre-shared-key *

ASA# sh run group-policy


group-policy POLICY2 internal


group-policy POLICY2 attributes


vpn-idle-timeout 60
  vpn-filter value

vpn-tunnel-protocol IPSec

  address-pools value POOL2

group-policy DfltGrpPolicy attributes

  vpn-tunnel-protocol IPSec webvpn

group-policy POLICY3 internal

group-policy POLICY3 attributes

  vpn-idle-timeout 30

vpn-tunnel-protocol IPSec
  password-storage enable

split-tunnel-policy tunnelspecified

  split-tunnel-network-list value NONAT

  user-authentication enable

  address-pools value POOL3

group-policy POLICY1 internal

group-policy POLICY1 attributes
  vpn-simultaneous-logins 7
  vpn-idle-timeout 60
  vpn-filter value FILTER1
  vpn-tunnel-protocol IPSec
  password-storage enable

address-pools value POOL1


ASA# sh run username


username USER2 password g9O3SBOu.Lds9mV4 encrypted


username USER2 attributes


  vpn-group-policy POLICY2


  service-type remote-access


username test password 274Y4GRAbNElaCoV encrypted


username test attributes


  vpn-group-policy POLICY2


  service-type remote-access


username USER3 password cNH.ND6XX2p2UgNJ encrypted privilege 15


username USER3 attributes


  vpn-group-policy POLICY3


username USER1 password jcSAXHlsFLpnIf2H encrypted


username USER1 attributes

  vpn-group-policy POLICY1

  service-type remote-access

3 REPLIES
New Member

Re: mapping group-policy to users

This can be done in a different way - hopefully achieving what you want.

Basically you define tunnel-groups for each of your different VPN Client groups.  So lets assume you have 3 client groups and each group has access to different internal resources, the tunnel-groups you create can apply a different IP pool thus allowing you to define different access policies in your group-policy configuration.  In essence - you will have 3 tunnel-group configurations and 3 group-policy configurations ie:


ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192

ip local pool client2-vpn 10.0.20.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224

tunnel-group client1-vpn type ipsec-ra
tunnel-group client1-vpn general-attributes
address-pool client1-vpn
default-group-policy client1-vpn
tunnel-group client1-vpn ipsec-attributes
pre-shared-key *

tunnel-group client2-vpn type ipsec-ra
tunnel-group client2-vpn general-attributes
  address-pool client2-vpn
  default-group-policy client2-vpn
tunnel-group client2-vpn ipsec-attributes
  pre-shared-key *

tunnel-group client3-vpn type ipsec-ra
tunnel-group client3-vpn general-attributes
  address-pool client3-vpn
  default-group-policy client3-vpn
tunnel-group client3-vpn ipsec-attributes
  pre-shared-key *

group-policy client1-vpn internal
group-policy client1-vpn attributes
dns-server value x.x.x.x
vpn-filter value client1-vpn_filter
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value client1-vpn
default-domain value somewhere.com

group-policy client2-vpn internal
group-policy client2-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client2-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client2-vpn
  default-domain value somewhere.com

group-policy client3-vpn internal
group-policy client3-vpn attributes
  dns-server value x.x.x.x
  vpn-filter value client3-vpn_filter
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value client3-vpn
  default-domain value somewhere.com

Obviously you dont need to use split-tunneling - but this is just an example of how it can be done.

New Member

Re: mapping group-policy to users

Well, what is the purpose of group-policy if any tunnel-group must have ONLY one group-policy applied? So, I cannot have one tunnel group for all users and couple of group-policies which I will applied to users? If I have to do for every group of users new tunnel group, then I can configure address pool and similar stuff under tunnel attributes...Why there is an option to apply group-policy for each user when it cannot be in use when all users connect with the same tuunel group?

New Member

Re: mapping group-policy to users

bug in software 8.0.4(12).

after upgrade to 8.0.5 it's working with no problem.

297
Views
0
Helpful
3
Replies