{"id":182,"date":"2015-06-23T06:51:33","date_gmt":"2015-06-23T06:51:33","guid":{"rendered":"http:\/\/www.balajibandi.com\/blog\/?p=182"},"modified":"2024-02-04T19:52:17","modified_gmt":"2024-02-04T19:52:17","slug":"using-the-cisco-routers-local-database-to-apply-different-policies-for-cisco-ios-anyconnect-users-part-2","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=182","title":{"rendered":"Using the Cisco Router\u2019s Local Database to Apply Different Policies for Cisco IOS AnyConnect Users (part 2)"},"content":{"rendered":"

In the last article about this topic, we covered one of the ways to apply different policies to AnyConnect VPN users using the Cisco router\u2019s local database. In that article, we saw that even though the IOS WebVPN group lock feature is meant to tie a user to a particular context, this indirectly means that the policy configured under that context gets applied to the user.<\/p>\n

One of the reasons I don\u2019t like that method is that users need to know which context they will be connecting to beforehand. This may not necessarily be a problem if hostnames are used to connect but, still, it seems a bit a tacky. This brings us to the second solution.<\/p>\n

AAA Attribute Lists<\/strong><\/p>\n

Under a WebVPN context, one can configure several policies even though a context can have only one default group policy applied. While researching this topic, I discovered from a Cisco white paper that the attribute webvpn:user-vpn-group<\/em> can be returned by a RADIUS server to assign different policies to VPN users. However, I needed a way to achieve this locally.<\/p>\n

I recently started using AAA attribute lists extensively on the Cisco IOS and it has come in really handy in many instances. This feature basically turns a Cisco router into a local AAA server with many (if not all?) of the attributes that you can configure on an external AAA (e.g. RADIUS) server. Luckily for me (and you reading this article), \u201cuser-vpn-group\u201d is one of the attributes available under AAA attribute lists.<\/p>\n

Let me use the same network we had in the last article to show you how this can be configured:<\/p>\n

\"\"<\/p>\n

We will configure a single WebVPN context, but with three different policies:<\/p>\n

    \n
  1. \u201cSales_Policy,\u201d which will allow HTTP access to 192.168.10.100<\/li>\n
  2. \u201cAdministrator_Policy,\u201d which will allow unrestricted access.<\/li>\n
  3. \u201cNo_Access,\u201d which will be the default policy applied to any user who isn\u2019t assigned a policy. All traffic will be denied.<\/li>\n<\/ol>\n

    The configuration on the router is as follows:<\/p>\n

    \n
      \n
    1. aaa new-model<\/span><\/li>\n
    2. aaa authentication login webvpn local<\/span><\/li>\n
    3. !<\/span><\/li>\n
    4. interface FastEthernet0\/0<\/span><\/li>\n
    5. ip address 41.1.1.2 255.255.255.0<\/span><\/li>\n
    6. !<\/span><\/li>\n
    7. interface FastEthernet0\/1<\/span><\/li>\n
    8. ip address 192.168.10.1 255.255.255.0<\/span><\/li>\n
    9. !<\/span><\/li>\n
    10. interface Virtual-Template1<\/span><\/li>\n
    11. ip unnumbered FastEthernet0\/1<\/span><\/li>\n
    12. !<\/span><\/li>\n
    13. ip local pool ANYCONNECT_POOL 192.168.10.51 192.168.10.60<\/span><\/li>\n
    14. !<\/span><\/li>\n
    15. ip http server<\/span><\/li>\n
    16. ip http secure-server<\/span><\/li>\n
    17. !<\/span><\/li>\n
    18. ip access-list standard SPLIT_ACL<\/span><\/li>\n
    19. permit 192.168.10.0 0.0.0.255<\/span><\/li>\n
    20. !<\/span><\/li>\n
    21. ip access-list extended Administrator_ACL<\/span><\/li>\n
    22. permit ip any any<\/span><\/li>\n
    23. ip access-list extended Sales_ACL<\/span><\/li>\n
    24. permit tcp any host 192.168.10.100 eq 80<\/span><\/li>\n
    25. !<\/span><\/li>\n
    26. webvpn gateway AnyConnect_RTR<\/span><\/li>\n
    27. ip address 41.1.1.2 port 443<\/span><\/li>\n
    28. ssl trustpoint TP-self-signed-4279256517<\/span><\/li>\n
    29. inservice<\/span><\/li>\n
    30. !<\/span><\/li>\n
    31. webvpn install svc disk0:\/webvpn\/anyconnect-linux-3.1.08009-k9.pkg sequence 1<\/span><\/li>\n
    32. !<\/span><\/li>\n
    33. webvpn context Anyconnect<\/span><\/li>\n
    34. ssl authenticate verify all<\/span><\/li>\n
    35. !<\/span><\/li>\n
    36. policy group Sales_Policy<\/span><\/li>\n
    37. functions svc-enabled<\/span><\/li>\n
    38. filter tunnel Sales_ACL<\/span><\/li>\n
    39. svc address-pool “ANYCONNECT_POOL”<\/span><\/li>\n
    40. svc keep-client-installed<\/span><\/li>\n
    41. svc split include 192.168.10.0 255.255.255.0<\/span><\/li>\n
    42. !<\/span><\/li>\n
    43. policy group Administrator_Policy<\/span><\/li>\n
    44. functions svc-enabled<\/span><\/li>\n
    45. filter tunnel Administrator_ACL<\/span><\/li>\n
    46. svc address-pool “ANYCONNECT_POOL”<\/span><\/li>\n
    47. svc keep-client-installed<\/span><\/li>\n
    48. svc split include 192.168.10.0 255.255.255.0<\/span><\/li>\n
    49. !<\/span><\/li>\n
    50. policy group No_Access<\/span><\/li>\n
    51. functions svc-enabled<\/span><\/li>\n
    52. hide-url-bar<\/span><\/li>\n
    53. banner \u201cAccess Denied!\u201d<\/span><\/li>\n
    54. !<\/span><\/li>\n
    55. virtual-template 1<\/span><\/li>\n
    56. default-group-policy No_Access<\/span><\/li>\n
    57. aaa authentication list webvpn<\/span><\/li>\n
    58. gateway AnyConnect_RTR<\/span><\/li>\n
    59. inservice<\/span><\/li>\n<\/ol>\n<\/div>\n

      Notice that this configuration is just the normal IOS WebVPN\/SSL VPN configuration except that we have defined multiple policies under the WebVPN context.<\/p>\n

      Now what we need to do is make sure users get assigned the right policy when they connect and this is where we configure AAA attribute lists. These attributes are applied in the authorization phase so we must also configure an AAA authorization method to be applied to the WebVPN context.<\/p>\n

      \n
        \n
      1. aaa authorization network webvpn local<\/span><\/li>\n
      2. !<\/span><\/li>\n
      3. aaa attribute list Sales_AAA_List<\/span><\/li>\n
      4. attribute type user-vpn-group “Sales_Policy”<\/span><\/li>\n
      5. aaa attribute list Administrator_AAA_List<\/span><\/li>\n
      6. attribute type user-vpn-group “Administrator_Policy”<\/span><\/li>\n
      7. !<\/span><\/li>\n
      8. username user1 secret cisco<\/span><\/li>\n
      9. username user1 aaa attribute list Sales_AAA_List<\/span><\/li>\n
      10. username user2 secret cisco<\/span><\/li>\n
      11. username user2 aaa attribute list Administrator_AAA_List<\/span><\/li>\n
      12. username user3 secret cisco<\/span><\/li>\n
      13. !<\/span><\/li>\n
      14. webvpn context Anyconnect<\/span><\/li>\n
      15. aaa authorization list webvpn<\/span><\/li>\n<\/ol>\n<\/div>\n

        As you can see, I have created three users: user1 has the AAA attribute list \u201cSales_AAA_List\u201d attached; user2 has the AAA attribute list \u201cAdministrator_AAA_List\u201d attached; and user2 does not have any attribute list attached.<\/p>\n

        Let\u2019s test this configuration. We will start with user1, who should be assigned the \u201cSales_Policy.\u201d<\/p>\n

        \"\"<\/p>\n

        We can use the \u201cshow webvpn session user <username> context <context><\/em><\/strong>\u201d command to view information about the connected user\u2019s session.<\/p>\n

        \"\"<\/p>\n

        As you can see, even though the default group policy under the WebVPN context is \u201cNo_Access,\u201d user1 was successfully assigned the \u201cSales_Policy\u201d group policy, meaning that our AAA attribute list works.<\/p>\n

        Let\u2019s test user2 now.<\/p>\n

        \"\"<\/p>\n

        We can also check the WebVPN session for user2.<\/p>\n

        \"\"<\/p>\n

        Finally, let\u2019s test user3. Since this user has no AAA attribute list attached to it (meaning no user-vpn-group), it will use the default group policy under the WebVPN context. In summary, no access will be given and a banner will be displayed saying \u201cAccess Denied.\u201d<\/p>\n

        \"\"<\/p>\n

        After I click \u201cConnect\u201d, the banner we configured is displayed:<\/p>\n

        \"\"<\/p>\n

        If I click on \u201cAccept\u201d, the tunnel still attempts to be formed but, since I did not attach any IP address pool to that policy, the VPN session is not established.<\/p>\n

        Note<\/strong>: If user3 connects to the WebVPN service using a web browser, the \u201chide-url-bar\u201d (and no configured URL lists) will make sure that user cannot connect to any IP address<\/p>\n

        \"\"<\/p>\n

        \"\"<\/p>\n

        Summary<\/strong><\/p>\n

        This brings us to the end of this 2-part article on using the local database on a Cisco router to apply different policies to WebVPN\/AnyConnect VPN users. In the first part of this article, we used the Cisco IOS WebVPN group lock feature, which basically means we attach users to different WebVPN contexts and the policy configured under those WebVPN contexts will be applied to the user.<\/p>\n

        In this article, we configured different policies under a single WebVPN context and then used AAA attribute lists to attach these group policies to different users.<\/p>\n

        I hope you have found this article helpful.<\/p>\n

        References and Further Reading<\/strong><\/p>\n

          \n
        • ASA and Cisco IOS Group-lock Features and AAA Attributes and WebVPN Configuration Example:http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/ios-easy-vpn\/117634-configure-asa-00.html<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

          In the last article about this topic, we covered one of the ways to apply different policies to AnyConnect VPN users using the Cisco router\u2019s local database. In that article, we saw that even though the IOS WebVPN group lock feature is meant to tie a user to a particular context, this indirectly means that […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-182","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=182"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/182\/revisions"}],"predecessor-version":[{"id":2065,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/182\/revisions\/2065"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}