Cisco VPN :: One User Associated With Two VPN Profiles ASA 5510
Apr 3, 2011
Is there a way that i can associate one user with two VPN profiles. Now here is the scenario.Our company has bought a win 7 64 bit pc for some of the employees , so i had to create anyconnect. But the same users are also connecting via normal cisco vpn client. they will give away these old pc but for the time being my need is that both users shall connect to anyconnect profile and ipsec profile.
I tried ti to assign same profile with both ipsec and svc so that they could use single profile but anyconnect didn't work. I am having cisco ASA 5510 as VPN gateway.And How many licenses does cisco asa have by default for anyconnect users. Here is the configuration for anyconnect
group-policy Broad_Anyconnet internalgroup-policy Broad_Anyconnet attributes dns-server value 4.2.2.2 vpn-tunnel-protocol svc webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL address-pools value Broadcast_AnyPool webvpn svc ask none default svc
[Code]...
View 5 Replies
ADVERTISEMENT
May 21, 2012
I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:ACS 5.3 group hierarchy:VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class an no lock attributes, so the group is allowed for all VPN profiles),VPN users A should have access to VPN profile A (here we create a authorization profile with class and lock attributes for profile A),VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
View 3 Replies
View Related
Feb 15, 2012
I recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
In the earlier version I used to add user profile using a .pcf file by importing it into the client to access customer LAN.
But in the Anyconnect VPN client I dint find any option to import the file. The IT support has told to edit the xml file to add it. The problem is I even after i edit the anyconnect-cert.xml with changes in host name and host address tags I am not able to start a connection. I dont knw know exactly what address must be given in Host address tag. I copied the host address from .pcf file which i used earlier.
Whether I will be able to add a user profile in this way or any correction is to be done in the whole process of adding the user profile,
View 1 Replies
View Related
Nov 9, 2011
I use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one sever and block everything else.
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with a ACL to only allow access to the one system. That GroupPolicy will point to the Radius Server looking for an account in a specific MemberOf group.
My question is - Could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connect Profile?
View 1 Replies
View Related
Sep 11, 2012
We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.
View 4 Replies
View Related
Jan 18, 2012
We have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
View 3 Replies
View Related
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
View 4 Replies
View Related
Apr 5, 2011
We are changing our old Pix 515e this weekend and for brand new ASA 5510.With this new installation, I would like to implement the Radius authentication for remote vpn user. Changing the firewall of the company has many impact and for the first phase the user will keep authenticating locally but I need that in phase 2, they will be authenticated via a radius server.Is there a way to configure both authentication for remote vpn user?
All user will be authenticated locally except the member of the IT Department who will be authenticated by the radius server for testing.I have remote vpn users around the world so I do not want these users to be blocked by the testing of the radius authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by the radius. When testing will be done, all users will be transfer to the radius authentication gradually.
View 1 Replies
View Related
May 5, 2013
I have a client that wants to segment their wireless network behind their ASA. We currently have a normal setup, 5510, 2 interfaces, outside, inside. On the inside network there are Cisco Wireless APs that allow for internal access to the network. We want to move the APs to a new interface on the ASA and only allow traffic bettwen this new "Wireless" network and the internal network by using remote user VPN. So my question is, can you use remote user VPN from the new Wireless network to the inside network??
View 1 Replies
View Related
Nov 30, 2011
I have a an issue with one particular VPN user. They are using the built in Windows Vista client to connect to my ASA 5510.
All other users do not have an issue and i receive the following error at roughly the same time of day when the drop happens. Authentication is done by my AD Server which handles all logins.
[code]...
View 2 Replies
View Related
Nov 23, 2011
We are using ASA 5510 Version 7.2(4) at our organisation. The requirement is we need to give an access to a user with limited access so that he can run only specific commands on configuration mode. We don't have Cisco TACACS server instead of that we are using a microsoft radius server.
View 6 Replies
View Related
Oct 20, 2011
I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.
How can I authenticate one user in only one group?Now with local users I can loggin in both tunnel groups
View 1 Replies
View Related
Oct 4, 2010
Can any VPN user change their user account password through tunnel which configured on local database of ASA 5510?
View 3 Replies
View Related
Apr 25, 2012
We currently have one Cisco ASA 5510 firewall at our mailn office. Our firewall does not let users access the internet. We currently have a web proxy that lets users access this. I need to let users access one website through the firewall without going through the firewall. I believe this is possible if I use dynamic NAT.
View 1 Replies
View Related
Oct 20, 2011
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
i can access servers with remote vpn which they located at dmz zone at asa(write nonat access-lsit) but i can not 192.168.193.0 subnet at asa.i configurated proxy server. my proxy server inside interface get ip address my dmz zone(172.16.10.254) and outside is ip adddress asa outside interface (10.0.0.254).the users (192.168.193.0/24) go internet from proxy server.
[code]....
View 4 Replies
View Related
May 13, 2011
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
View 3 Replies
View Related
Oct 31, 2011
I have a 20/20 MB circuit and an ASA 5510 and I am able to setup policing were the interace gets 512k down and 128k up so when I conduct a speed test with one user I get 512k and 128k and when I conduct a speed test with two users each gets 256k and 64k. [code] What I want to happen is that each user gets 512k and 128k until a saturation point is hit and then I want the ASA to slow all users down equally.
View 1 Replies
View Related
Jan 18, 2013
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
View 1 Replies
View Related
Jun 4, 2011
here is my situation:
home users ------ internet ------ ASA 5510----- CORP LAN
we have anyconnect VPN and remote Ipsec VPN, i think the solution should works on both of them. my question is : "How to enforce home user internet traffic to VPN tunnel ?" we have "split tunnel" to pass only ""interesting traffic" to VPN tunnel access CORP LAN. but now , i need enforce all user traffic (internet +CORP LAN) pass through VPN tunnel. so far , i did what i know :
1. remove "split tunnle" from group-policy
2. the address in "remote VPN user address pool" are could be NAT/PAT through ASA5510
but i don't get that why it doesn't work.
View 9 Replies
View Related
Jun 30, 2011
ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
View 2 Replies
View Related
Feb 3, 2007
We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
View 11 Replies
View Related
Feb 17, 2013
I've searched the release notes for 7.2+, but I haven't found a documented number of how many active RF Profiles a 5508 can support. Any limitation of how many RF Profiles they can have?
View 3 Replies
View Related
Feb 11, 2010
I need to disable approxematly 40 different VPN profiles in our ASA5550`s without deleting them (need the ability to quickly activate them again if needed). I thought maybe i could disable IPSec for those profiles, but since the IPSec is an attribute for Group Policy, i cant do it - as many other profiles are sharing the same policy.
View 2 Replies
View Related
Jul 14, 2012
We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
View 1 Replies
View Related
Sep 8, 2011
In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way? I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?
View 3 Replies
View Related
Aug 21, 2012
Is there way to group APs to get different profiles. I need to have some that have the 2.4GHz turned down and some wiht the 2.4 and 5.0 GHz on.
View 7 Replies
View Related
Jun 13, 2012
Customer has a WLC 4402 and 21 AP's LAP1131AG, there is a PDA wlan created to give PDA's and wireless Phones access to the webmail. This is done by access lists and firewalls. Now the customer wants more access to the internet in this PDA wlan, maybe in a later phase to the other vlans, can we use an ISE server and make profiles, is this the only additional server that we need or is an upgrade of the WLC and ÄP's also needed.
View 1 Replies
View Related
Dec 18, 2012
I just bought new 942L (HW Rev3, 1.12 FW) and the only profile which is used to stream to iPhone or Web browser in mydlink is profile 3 which is limited to JPEG. Is there some way how to change the profile to be used for streams or is there a way how to make to profile 3 something else then JPEG?
View 1 Replies
View Related
Apr 17, 2013
For ACS 5.4: In Network Access -> Authorization Profiles there is a Permit Access profile. If you try to edit it a message pop's up that says: "The profile you have selected is reserved and cannot be deleted or modified". What this profile contains in its rule base? If I wanted to create a similar profile what Common Tasks, or Radius Attributes would I need to use? The same would go for a Deny Access profile. I have looked at the Common Tasks and Radius Attributes for a new profile and it doesn't seem very intuitive.
View 2 Replies
View Related
Mar 23, 2013
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
View 3 Replies
View Related
May 19, 2009
WLC Model
---------
WLC 4402
Software Version
----------------
5.2.178
Problem Statement
-----------------
Do we have any Cisco WLC MIB to get WLAN profile (Order in which WLAN profiles are added inside an AP Group) information present in an AP group?
View 3 Replies
View Related
Mar 3, 2010
I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
If at all possible, I do not users to have to pick a conenction profile or use different URL's.
View 1 Replies
View Related
May 16, 2011
i have recently added to a domain. The initial setup is a server running windows 2003 and several xp machines which logon to the domain using mandatory profiles. However, after adding windows 7 machines and logging them on to the system it doesnt load the profiles. (which is fine as I understand you cannot use the same profiles with windows 7+xp)The problem is it automatically creates a roaming profile when logging off and saves it back to the same path as the other profiles under user.V2 which is growing considerably and causing huge logoff and logon times.How can I get the windows 7 machines to not attempt roaming profiles back to the server and instead to just save the profiles locally when logging off.
View 14 Replies
View Related