ssl group map

alexbak79
Level 1

Hello ppl!

ssl webvpn client on ios routers question:

I'm trying to map users to different group policies. For example:

user a with password aaa should fall on 192.168.1.0 subnet

user b with password bbb should fall on 192.168.2.0  subnet

so far no luck :/

i tried also different webvpn context for each user but i cannot bind users to group maps. i suspect this has to do with aaa but i have no idea how to achieve this. Any ideas are welcome

2 Replies

Herbert Baerten
Cisco Employee
Hi Alex,

I haven't tried this myself yet (so no guarantees :)), but I believe you should be able to do something like this:

     ip local pool poolA 192.168.1.1 192.168.1.254

     aaa attribute list listA
         attribute type addr-pool poolA

     username a password p4$$w0rd
     username a aaa attribute list listA

     aaa authorization network localauthor local

     webvpn gateway yourGW

     webvpn context yourCTX
         aaa authorization list localauthor

In the attribute list you can then also specify other attributes (do "attribute type ?" for a long list) if needed.

I'm assuming you want to configure everything locally. Alternatively you can use Radius or LDAP authentication/authorization.

hth

Herbert

Hello Herbert

I tried this and yes, it partially solved the problem, assigning different IP addresses from local pool lists to different users this way. However, the main problem from my first post remains, even though protected networks are specified on policy groups. Using the attribute type command (that sure is the biggest list I've seen on a Cisco router), I tried many commands like svc, split, policy, webvpn, etc. Still nothing.

Here's a partial config:

     !
     interface Virtual-Template2
     exit
     default interface Virtual-Template2
     !
     !
     !
     aaa authentication login default local
     aaa authorization exec default local
     aaa authorization network default local
     !
     !
     aaa attribute list USER_ATR1
        attribute type addr-pool VCL1
     !
     aaa attribute list USER2_ATR2
        attribute type addr-pool VCL2
     !
     !
     username USER1 aaa attribute list USER_ATR1
     !
     username USER2 aaa attribute list USER_ATR1
     !
     !
     !
     ip local pool CLIENT1 192.168.10.1
     ip local pool CLIENT2 192.168.20.1
     !
     !
     !
     webvpn gateway GATEWAY
        ip interface Dialer0 port 443
        inservice
     !
     !
     webvpn install svc flash:sslclient-win-1.1.4.176.pkg sequence 1
     !
     !
     webvpn context ALXVSL
        secondary-color white
        title-color #FF9900
        text-color black
        ssl authenticate verify all
        !
        !
        policy group POLICY_1
           functions svc-enabled
           svc address-pool "CLIENT1"
           svc split include 192.168.1.0 255.255.255.240

        policy group POLICY_2
           functions svc-enabled
           svc address-pool "CLIENT2"
           svc split include 192.168.2.0 255.255.255.240
        virtual-template 2
        default-group-policy POLICY_1
        aaa authentication list default
        aaa authorization list default
        gateway GATEWAY
        inservice

Thank you once again for your help
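Added example, not part of the original thread: a Python audit that cross-checks the names in a config like the partial one posted above (pools, attribute lists, policy groups) and reports any that are referenced but not defined, or defined but not referenced. `SAMPLE` is a constructed copy of the name-bearing lines from that post; the function name `audit` and the finding labels are assumptions made for this example, and "unreferenced-policy-group" only means the group is not named by `default-group-policy` in the text being checked.

```python
import re

# Constructed input: the name-bearing lines of the partial config posted above.
SAMPLE = """\
aaa attribute list USER_ATR1
 attribute type addr-pool VCL1
aaa attribute list USER2_ATR2
 attribute type addr-pool VCL2
username USER1 aaa attribute list USER_ATR1
username USER2 aaa attribute list USER_ATR1
ip local pool CLIENT1 192.168.10.1
ip local pool CLIENT2 192.168.20.1
policy group POLICY_1
 svc address-pool "CLIENT1"
policy group POLICY_2
 svc address-pool "CLIENT2"
default-group-policy POLICY_1
"""

def audit(config):
    """Return sorted (finding, name) pairs for dangling or unused names."""
    pools, groups, used_lists, defaults = set(), set(), set(), set()
    list_pool, group_pool = {}, {}  # attribute list -> pool, policy group -> pool
    block = (None, None)            # (kind, name) of the block being read
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip local pool (\S+)", line):
            pools.add(m[1])
        elif m := re.match(r"aaa attribute list (\S+)", line):
            block = ("list", m[1]); list_pool.setdefault(m[1], None)
        elif m := re.match(r"policy group (\S+)", line):
            block = ("group", m[1]); groups.add(m[1])
        elif m := re.match(r"username \S+ aaa attribute list (\S+)", line):
            used_lists.add(m[1])
        elif m := re.match(r"default-group-policy (\S+)", line):
            defaults.add(m[1])
        elif (m := re.match(r"attribute type addr-pool (\S+)", line)) and block[0] == "list":
            list_pool[block[1]] = m[1]
        elif (m := re.match(r'svc address-pool "?([^"\s]+)', line)) and block[0] == "group":
            group_pool[block[1]] = m[1]
    findings = [("undefined-pool", f"{n}->{p}")
                for n, p in [*list_pool.items(), *group_pool.items()] if p and p not in pools]
    findings += [("unused-attribute-list", n) for n in list_pool if n not in used_lists]
    findings += [("undefined-attribute-list", n) for n in used_lists if n not in list_pool]
    findings += [("unreferenced-policy-group", g) for g in groups if g not in defaults]
    return sorted(findings)

if __name__ == "__main__":
    for finding, name in audit(SAMPLE):
        print(f"{finding}: {name}")
```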
