SSL VPN Group Policy

David Grimm
Level 1

Hello,

I am running an ASA 5510 v8.32. I have a perfectly working SSL VPN for my internal users. I need to create a second connection profile, security policy, etc. for a group of contractor accounts. With that policy, I want to assign each contractor a static IP address so I can control their access via ACLs. No matter what I do, the account will continue to authenticate to the DfltGrpPolicy rather than the new policy I created. Is this possible, and if so, how do I have particular user accounts pick up the new profile/policy?

Any help would be great!

Thanks

1 Reply

Marcin Latosiewicz
Cisco Employee

David,

Under tunnel-group you can specify your default group policy for this tunnel, if you have a separate tunnel-group for your contractors and depending on settings like "tunnel-group-list" under webvpn global config.

bsns-asa5520-10(config)# tunnel-group TEST general-attributes
bsns-asa5520-10(config-tunnel-general)# %ASA-5-111008: User 'enable_15' executed the 'tunnel-group TEST general-attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'tunnel-group TEST general-attributes'
defa
bsns-asa5520-10(config-tunnel-general)# default-group-policy ?

tunnel-group-general mode commands/options:
  WORD < 65 char  Name of the default group policy

You can also group-lock a group-policy to tunnel groups:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/gh.html#wp1777576

or do it per user:

bsns-asa5520-10(config)# username cisco attributes
%ASA-5-111008: User 'enable_15' executed the 'username cisco attributes' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'username cisco attributes'
bsns-asa5520-10(config-username)# group-lock ?

username mode commands/options:
  none   Specify that there is no group-lock restriction
  value  Specify the name of an existing tunnel-group that the user is required
         to connect with

Hope this helps :-)

Marcin
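As an added example (not part of the reply above), here is how the pieces Marcin names fit together on an 8.3-era ASA: a contractor tunnel-group with its own default group policy, the user locked to that tunnel-group, and a per-user static address so an ACL can be keyed to it. The names CONTRACTORS, contractor1, the addresses and the ACL are constructed for illustration, and the password is a placeholder.

```cisco
! Constructed example: contractor SSL VPN profile on ASA 8.3 (not from the original post)

! Access policy written with the contractor's assigned VPN address as the source
access-list CONTRACTOR_ACL extended permit tcp host 10.20.30.5 host 10.1.1.10 eq 443
access-list CONTRACTOR_ACL extended deny ip any any

! Group policy for contractors: AnyConnect/SVC only, filtered by the ACL above,
! and locked so it can only be used through the CONTRACTORS tunnel-group
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol svc
 vpn-filter value CONTRACTOR_ACL
 group-lock value CONTRACTORS

! Tunnel-group (connection profile) whose default-group-policy is CONTRACTORS,
! so users landing here no longer fall back to DfltGrpPolicy
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias contractors enable

! tunnel-group-list must be enabled globally for the alias to be selectable
webvpn
 enable outside
 tunnel-group-list enable

! Per-user settings: pin the policy, pin the tunnel-group, and assign the static
! address that CONTRACTOR_ACL matches on (placeholder password, replace it)
username contractor1 password REPLACE_ME
username contractor1 attributes
 vpn-group-policy CONTRACTORS
 group-lock value CONTRACTORS
 vpn-framed-ip-address 10.20.30.5 255.255.255.0
```

The static vpn-framed-ip-address only applies to AnyConnect/SVC sessions; clientless (portal) sessions get no client address, so an ACL keyed to it will not match them.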