Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?

View 3 Replies


Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
So, How can i manag tunel-groups with user?

View 3 Replies View Related

Cisco VPN :: 5520 AnyConnect Can Auth A Machine And Then A User?

Aug 10, 2012

We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?

Jul 26, 2011

We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.

View 2 Replies View Related

Cisco VPN :: ASA 5520 / Define Specific IKE Proposal For Specific L2L Tunnel?

May 24, 2011

ASA 5520 running 8.0.4
ASDM v.6.1
Need assistance understanding how in ASDM/Configuration/Site-to-Site VPN/Connection Profiles/ "Any Entry" I can specify that I only want to offer an IKE Proposal of pre-share-aes-256-sha?
The IKE Proposal field has a number of possible options including: pre-share-aes-256-md5, pre-share-3des-md5, pre-share-aes-256-sha, pre-share-aes-192-sha, pre-share-3des-md5, pre-share-aes-sha and pre-share-3des-sha.
I am able to pick a specific IPSec Proposal w/o issue but when I attempt to do the same for the IKE Proposal, and click OK the choice does not "stick" but rather returns to the entire list as defined above.

View 2 Replies View Related

Cisco Firewall :: 5510 - Display User Message When User Connects Using AnyConnect Client?

Apr 20, 2009

We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy?  Can the message be displayed when the action is "Continue" rather than "Terminate"?  I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.

View 4 Replies View Related

Cisco Firewall :: Create Local User In ASA 5520 To Allow User To Use ASDM In Read-Only Mode?

Oct 10, 2011

I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.

View 1 Replies View Related

Cisco VPN :: ASA 8.2.2 Locking Down Anyconnect Authentication To AD Group

Nov 28, 2011

I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
I've found the documentation on how to prevent logins using the  msNPAllowDialin attribute, but not how to base it on group membership (memberOf) [code] I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?

View 2 Replies View Related

Cisco VPN :: ASA5505 And AnyConnect Client - Allow Specific URL's

Oct 4, 2011

when it comes to IOS based SSL VPN setup, so have run into an issue which I can't seem to find an answer for.
What i'm after is a way to restrict access to an AnyConnect authenticated and connected client, on a specific profile, to a list of specific websites (all on the Intranet). Everything else must be blocked.
On the IOS device, I had it fudged to pretty much retstrict access to a certain IP and port, and used a mod rewrite in Apache to re-write a URL from that IP to the host the site actually resided on. It's cludged together and working, but it's not ideal (and it's not going to allow for scaling up to what I need).
I can find plenty of references here and on the net to using regex to create block lists based on a global policy to disallow specific URLS, but I need the inverse of that, and, only applied to a specific policy group.
Is this possible on an ASA5505? Is it possible on *any* ASA?

View 11 Replies View Related

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510

View 12 Replies View Related

Cisco Firewall :: Internet Access Through ASA 5540 For Specific Network Object Group

May 2, 2011

I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an  object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?

View 5 Replies View Related

Cisco :: LMS 4.0 User Defined Group

Aug 3, 2011

I'am a novice with LMS 4.0.I create 4 device group in Group Management, I restarted my server and since this reboot, I haven't any device in my groups. I would like to use the archive synchronization but I can't see my device in my groups.

View 6 Replies View Related

Cisco VPN :: ASA5510 - AnyConnect Client Profile / Group-URL In Server-List With OGS?

Dec 2, 2012

Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.0(2)
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
#show webvpn anyconnect
1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
Hostscan Version 3.1.00495
Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly: When '' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example '' (instead of '')

View 2 Replies View Related

Cisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users

Feb 6, 2012

We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.

View 6 Replies View Related

Cisco VPN :: 5510 - Authenticate One User In Only 1 Group?

Oct 20, 2011

I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.

How can I authenticate one user in only one group?Now with local users I can loggin in both tunnel groups

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 User Group Mapping?

Sep 12, 2012

We are using ACS with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL] 
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database"  works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Delete Specific Log For User X

Jun 25, 2012

on the acs 5.2 , how to delete specific log for user X, ?

View 3 Replies View Related

Block Multimedia Stream Per User Group?

Oct 1, 2012

I need to block the multimedia streaming to a certain group of users accessing my wireless connection.I'm using squid as my proxy server and the users are registered on a LDAP database. A RADIUS server provides authentication.

View 1 Replies View Related

Cisco :: LMS 4.0.1 Authenticate User On Group Base And Assign Different Privilege?

Sep 7, 2011

having LMS 4.0.1 is it possible to authenticate user on a group base and assign different privilege to different groups?. The user's group are available in the LDAP server.Do I have to use a TACACS/RADIUS server between the Ciscoworks LMS and the LDAP repository?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.1- Shell Command Works Under User But Not Group

Jul 27, 2011

This question might actually belong under tacacs server but it's only happening with the ACE.  I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor.  If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin.  We're running ACS ver 4.1 and the ACE is A4(1.1)

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Security For One Specific User

Jan 18, 2013

We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.

View 1 Replies View Related

AAA/Identity/Nac :: ISE 1.0.4 Machine / User ActiveDirectory Group Retrieving

Mar 6, 2012

We are migrating our ACS 5.1 to ISE 1.0.4.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :

- AD logs show the second authentication doesn't engage a new group parsing from AD
- Shutting down the switch port when user is logged engage a new authentication a AD group are well updated.
- Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.

View 0 Replies View Related

Cisco VPN :: ASA 8.2 Anyconnect User Authentication And Authorization

Jan 17, 2012

I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:

1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).

View 5 Replies View Related

Cisco VPN :: Adding User Profiles In AnyConnect VPN 2.5

Feb 15, 2012

I recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
In the earlier version I used to add user profile using a .pcf file by importing it into the client to access customer LAN.
But in the Anyconnect VPN client I dint find any option to import the file. The IT support has told to edit the xml file to add it. The problem is I even after i edit the anyconnect-cert.xml with changes in host name and host address tags  I am not able to start a connection. I dont knw know exactly what address must be given in Host address tag. I copied the host address from .pcf file which i used earlier.
Whether I will be able to add a user profile in this way or any correction is to be done in the whole process of adding the user profile,

View 1 Replies View Related

Cisco :: 6506 Switch - SNMPv3 User Without Group Setting Showing

Sep 4, 2012

Why is it that when SNMPv3 user "TestV3-User" was added to my SNMPv3 implementation on my 6506 switch, the group/MD5/Emcryption settings are missing for this user (See "sh snmp user" output)???
router#sh snmp user
User name: TestV3-User
Engine ID: 80000009030000249706EFC0
storage-type: nonvolatile        active access-list: test


View 3 Replies View Related

Cisco VPN :: 5505 - Can Single Local User Belong To 2 Group-policies

Jan 13, 2013

I have a Cisco ASA 5505 that I've setup with an SSL VPN. This is for personal use, and I therefore don't have need for anything more than local authentication. [code]
I'd like to have one profile/policy where I only encrypt data going to my split-tunnel ACL, and I'd like to have one profile/policy where I encrypt all traffic.
The issue ive been fighting is - it doesn't seem like its possible to associate more than one group policy per user. If it IS possible - can you tell me how I associate both groups to my local account?

View 1 Replies View Related

Cisco VPN :: PIX515e / 713060 / Tunnel Rejected / User Not Member Of Group

Dec 17, 2011

I just configure VPN for end users in PIX515e with IOS 8 and get stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". tell me how I add user to my VPN group?

View 1 Replies View Related

Cisco WAN :: 10008 - PPPOE Setup / How To Show Specific User

Dec 17, 2012

Working on setting up a Cisco 10008 with PPPOE and it seems like we kind of have it working but only one user can get on.
Here is part of the config:
Cisco-10008#show run
Building configuration...
Current configuration : 4134 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

Also is there a way to show a specific user once they are connected with PPPOE? I'm currently using "show aaa sessions", but was thinking it would be "show pppoe something"

View 9 Replies View Related

Home Network :: Setting Up A Wireless User Group In Town

Aug 29, 2011

We want to set up a wireless user group in our town between a few friends and new people who are interested to join. As far as I heard I don't need a ICASA License for the 5.8GHz Frequency if we are using it for a non profit orginization, so we may use that.

1 x Routerboard
3 x Radio Plugin Boards
3 x 120degree Antennas

to set up a 360degree HS (Highsite).Then at each person's house we will need:

1 x Routerboard
1 x Radio Plugin Board
1 x Whichever Antenna

Is that correct? Then also if we wanto run VoIP on our network, how do I do that? Basicly we want to use it for gaming, file sharing and VoIP. No Internet of anything else.

View 2 Replies View Related

NSA 2400 - Tool To Monitor Web Traffic For One Specific User?

Feb 5, 2013

I am trying to find a tool that will monitor the web traffic for one specific user. If it is capable of bundling it into a report that would also be a benefit. I have searched, but not come up with much aside from broad network monitoring tools. All that is really needed is to capture all the activity from http traffic for this one specific user/PC (since she uses the same PC all the time). We have a Sonicwall NSA 2400 as our internet filter, but I was not able to locate anything on there for specific user reporting.

View 2 Replies View Related

Cisco VPN :: ASA 8.4(1) AnyConnect Premium User Upgrade Licensing?

Feb 22, 2012

Prior to version 8.4(1) Cisco called their licensing name for SSL/VPN users AnyConnect Premium SSL VPN and currently the new name of the licensing is simply AnyConnect Premium.  Also, the IOS display name for the amount of SSL/VPN users enabled via your licensing (ex. 2, 10, 25, 50, ...) by running a 'show activation-key' was changed from SSL VPN Peers to AnyConnect Premium Peers.With that said, my question is if the license for upgrading 10 users to 25 users (L-ASA-SSL-10-25= - ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License) on an ASA prior to 8.4(1) and an ASA with 8.4(1) is still valid and the correct part number to peform these upgrades for both ASAs.  The description of this part number is throwing me off because it says SSL VPN to Premium User, which was the name prior to 8.4(1).  I could not locate any documentation regarding this part number or upgrading 10 users to 25 users for both ASAs.

View 4 Replies View Related

Cisco VPN :: ASA5510 Anyconnect Permission With NT Domain User

Aug 21, 2012

I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine.  I have setup an AAA server group for my Active Directory with the "NT Domain" protocol".  Right now, every user is able to connect with their Active Directory credentials.  I would like to restrict access to the Anyconnect VPN to only a few users in AD.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved