Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

SSL VPN Group Policy

Hello,

I am running an ASA 5510 v8.32. I have a perfectly working SSL VPN for my internal users. I need to create a second connection profile, security policy, etc for a group of contractor accounts. With that policy, I want to assign each Contractor a static IP address so I can control their access via ACLs. No matter what I do, the account will continue to authenticate to the DfltGrpPolicy rather than the new policy I created. Is this possible, and if so, how do I have particular user accounts pick up the new profile/policy?

Any help would be great!

Thanks

1 REPLY
Cisco Employee

Re: SSL VPN Group Policy

David,

Under tunnel-group you can specify your default group policy for this tunnel, if you have a separate tunnel-group for your contractors and depending on settings like "tunnel-group-list" under webvpn global config.

bsns-asa5520-10(config)# tunnel-group TEST general-attributes
bsns-asa5520-10(config-tunnel-general)# %ASA-5-111008: User 'enable_15' executed the 'tunnel-group TEST general-attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'tunnel-group TEST general-attributes'
defa
bsns-asa5520-10(config-tunnel-general)# default-group-policy ?

tunnel-group-general mode commands/options:
  WORD < 65 char  Name of the default group policy

You can also group-lock a group-policy to tunnel groups:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1777576

or do it per user:

bsns-asa5520-10(config)# username cisco attributes
%ASA-5-111008: User 'enable_15' executed the 'username cisco attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'username cisco attributes'
bsns-asa5520-10(config-username)# group-lock ?

username mode commands/options:
  none   Specify that there is no group-lock restriction
  value  Specify the name of an existing tunnel-group that the user is required
         to connect with

Hope this helps :-)

Marcin

468
Views
0
Helpful
1
Replies
CreatePlease to create content