Using the Cisco Router’s Local Database to Apply Different Policies for Cisco IOS AnyConnect Users (part 2)

In the last article about this topic, we covered one of the ways to apply different policies to AnyConnect VPN users using the Cisco router’s local database. In that article, we saw that even though the IOS WebVPN group lock feature is meant to tie a user to a particular context, this indirectly means that the policy configured under that context gets applied to the user.

One of the reasons I don’t like that method is that users need to know beforehand which context they will be connecting to. This is not necessarily a problem if hostnames are used to connect, but it still seems a bit tacky. This brings us to the second solution.

AAA Attribute Lists

Under a WebVPN context, one can configure several policies even though a context can have only one default group policy applied. While researching this topic, I discovered from a Cisco white paper that the attribute webvpn:user-vpn-group can be returned by a RADIUS server to assign different policies to VPN users. However, I needed a way to achieve this locally.

I recently started using AAA attribute lists extensively on Cisco IOS, and they have come in really handy in many instances. This feature basically turns a Cisco router into a local AAA server with many (if not all?) of the attributes that you can configure on an external AAA (e.g. RADIUS) server. Luckily for me (and for you reading this article), “user-vpn-group” is one of the attributes available under AAA attribute lists.

Let me use the same network we had in the last article to show you how this can be configured:

We will configure a single WebVPN context, but with three different policies:

  1. “Sales_Policy,” which will allow HTTP access to 192.168.10.100
  2. “Administrator_Policy,” which will allow unrestricted access.
  3. “No_Access,” which will be the default policy applied to any user who isn’t assigned a policy. All traffic will be denied.

The configuration on the router is as follows:

    aaa new-model
    aaa authentication login webvpn local
    !
    interface FastEthernet0/0
     ip address 41.1.1.2 255.255.255.0
    !
    interface FastEthernet0/1
     ip address 192.168.10.1 255.255.255.0
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/1
    !
    ip local pool ANYCONNECT_POOL 192.168.10.51 192.168.10.60
    !
    ip http server
    ip http secure-server
    !
    ip access-list standard SPLIT_ACL
     permit 192.168.10.0 0.0.0.255
    !
    ip access-list extended Administrator_ACL
     permit ip any any
    ip access-list extended Sales_ACL
     permit tcp any host 192.168.10.100 eq 80
    !
    webvpn gateway AnyConnect_RTR
     ip address 41.1.1.2 port 443
     ssl trustpoint TP-self-signed-4279256517
     inservice
    !
    webvpn install svc disk0:/webvpn/anyconnect-linux-3.1.08009-k9.pkg sequence 1
    !
    webvpn context Anyconnect
     ssl authenticate verify all
     !
     policy group Sales_Policy
       functions svc-enabled
       filter tunnel Sales_ACL
       svc address-pool "ANYCONNECT_POOL"
       svc keep-client-installed
       svc split include 192.168.10.0 255.255.255.0
     !
     policy group Administrator_Policy
       functions svc-enabled
       filter tunnel Administrator_ACL
       svc address-pool "ANYCONNECT_POOL"
       svc keep-client-installed
       svc split include 192.168.10.0 255.255.255.0
     !
     policy group No_Access
       functions svc-enabled
       hide-url-bar
       banner "Access Denied!"
     !
     virtual-template 1
     default-group-policy No_Access
     aaa authentication list webvpn
     gateway AnyConnect_RTR
     inservice

Notice that this configuration is just the normal IOS WebVPN/SSL VPN configuration except that we have defined multiple policies under the WebVPN context.

Now what we need to do is make sure users get assigned the right policy when they connect, and this is where we configure AAA attribute lists. These attributes are applied in the authorization phase, so we must also configure an AAA authorization method and apply it to the WebVPN context.

    aaa authorization network webvpn local
    !
    aaa attribute list Sales_AAA_List
     attribute type user-vpn-group "Sales_Policy"
    aaa attribute list Administrator_AAA_List
     attribute type user-vpn-group "Administrator_Policy"
    !
    username user1 secret cisco
    username user1 aaa attribute list Sales_AAA_List
    username user2 secret cisco
    username user2 aaa attribute list Administrator_AAA_List
    username user3 secret cisco
    !
    webvpn context Anyconnect
     aaa authorization list webvpn

As you can see, I have created three users: user1 has the AAA attribute list “Sales_AAA_List” attached; user2 has the AAA attribute list “Administrator_AAA_List” attached; and user3 does not have any attribute list attached.
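The mapping just described (username to attribute list to user-vpn-group to policy group) is easy to get wrong on a router with many users, so here is an added example, not part of the article, that checks it from a saved configuration: it reports which policy each user ends up with, which users fall to the context’s default policy, and whether an attribute list points at a policy group that is not defined. The configuration excerpt inside the script is constructed in the shape of the one above; the status names are my own.

```python
import re

# Constructed excerpt in the shape of the article's configuration (line numbers removed).
SAMPLE_CONFIG = """\
 policy group Sales_Policy
  svc address-pool "ANYCONNECT_POOL"
 policy group Administrator_Policy
  svc address-pool "ANYCONNECT_POOL"
 policy group No_Access
 default-group-policy No_Access
aaa attribute list Sales_AAA_List
 attribute type user-vpn-group "Sales_Policy"
aaa attribute list Administrator_AAA_List
 attribute type user-vpn-group "Administrator_Policy"
username user1 secret cisco
username user1 aaa attribute list Sales_AAA_List
username user2 secret cisco
username user2 aaa attribute list Administrator_AAA_List
username user3 secret cisco
"""

def resolve_policies(config):
    """Map each username to (policy group, status) by following the chain
    username -> aaa attribute list -> user-vpn-group -> policy group."""
    groups, pooled, lists, users, default, grp, alist = set(), set(), {}, {}, None, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r'policy group (\S+)', line):
            grp = m.group(1); groups.add(grp)
        elif line.startswith('svc address-pool') and grp:
            pooled.add(grp)                            # this policy can hand the client an IP
        elif m := re.match(r'default-group-policy (\S+)', line):
            default = m.group(1)
        elif m := re.match(r'aaa attribute list (\S+)', line):
            alist = m.group(1)
        elif (m := re.match(r'attribute type user-vpn-group "?([^"]+)"?', line)) and alist:
            lists[alist] = m.group(1)
        elif m := re.match(r'username (\S+) aaa attribute list (\S+)', line):
            users[m.group(1)] = m.group(2)
        elif m := re.match(r'username (\S+) ', line):
            users.setdefault(m.group(1), None)         # user seen, no list attached (yet)
    # dangling: list names an undefined policy; default: no user-vpn-group, falls to the
    # context default; no-pool: policy exists but cannot assign an address, so no tunnel.
    result = {}
    for user, name in users.items():
        target = lists.get(name) if name else default
        status = ('dangling' if target not in groups else 'default' if target == default
                  else 'tunnel' if target in pooled else 'no-pool')
        result[user] = (target, status)
    return result
```

Run it over a “show running-config” capture before rolling the change out, so every AnyConnect user maps to the policy you intended rather than silently landing in the default one.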

Let’s test this configuration. We will start with user1, who should be assigned the “Sales_Policy.”

We can use the “show webvpn session user <username> context <context>” command to view information about the connected user’s session.

As you can see, even though the default group policy under the WebVPN context is “No_Access,” user1 was successfully assigned the “Sales_Policy” group policy, meaning that our AAA attribute list works.

Let’s test user2 now.

We can also check the WebVPN session for user2.

Finally, let’s test user3. Since this user has no AAA attribute list attached (meaning no user-vpn-group), it will use the default group policy under the WebVPN context. As a result, no access will be given and a banner will be displayed saying “Access Denied.”

After I click “Connect”, the banner we configured is displayed:

If I click on “Accept”, the client still attempts to bring up the tunnel, but since I did not attach an IP address pool to that policy, the VPN session is not established.

Note: If user3 connects to the WebVPN service using a web browser, the “hide-url-bar” setting (together with the absence of any configured URL lists) makes sure that the user cannot connect to any IP address.

Summary

This brings us to the end of this 2-part article on using the local database on a Cisco router to apply different policies to WebVPN/AnyConnect VPN users. In the first part of this article, we used the Cisco IOS WebVPN group lock feature, which basically means we attach users to different WebVPN contexts and the policy configured under those WebVPN contexts will be applied to the user.

In this article, we configured different policies under a single WebVPN context and then used AAA attribute lists to attach these group policies to different users.

I hope you have found this article helpful.

References and Further Reading

  • ASA and Cisco IOS Group-lock Features and AAA Attributes and WebVPN Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html