Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
10
Helpful
4
Replies

VPN Setup using individual user instead of group

Go to solution
joeldoetsch
Level 1
Level 1

‎10-28-2021 02:31 PM

Hello,

We're looking to set up a VPN where instead of having users in a group and giving that group access to a subnet, we would like to have the VPN only have 1 IP address to the user's machine, which the user can then RDP to for the necessary network access.  I'm trying to figure out how that could work within the ASA config.  I understand that each user would need their own tunnel-group and ACL for split-tunnel, but I'm trying to determine the mechanism that would tie an LDAP user to a particular tunnel group.

If there's any documentation or examples out there that could shed some light on this, it would be appreciated.

Cheers,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎10-29-2021 01:45 AM

@joeldoetsch you don't need unique tunnel-group per user. As you are using LDAP authentication, use LDAP attibute maps. Map the users LDAP/AD group to an ASA group policy, which is referencing a split tunnel ACL.

 

More information:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc12

 

View solution in original post

4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-28-2021 02:50 PM

Personally, this is a large task and more manual work is required here for each user, (what kind of user base we are looking here)

 

Never tried this option : if you have ISE Look below may be helpful  ( apologies if this not suited to your needs)

 

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215432-configure-ssl-anyconnect-with-ise-authen.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-29-2021 01:45 AM

@joeldoetsch you don't need unique tunnel-group per user. As you are using LDAP authentication, use LDAP attibute maps. Map the users LDAP/AD group to an ASA group policy, which is referencing a split tunnel ACL.

 

More information:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc12

 

Go to solution
joeldoetsch
Level 1
Level 1
In response to Rob Ingram

‎10-29-2021 06:53 AM

Hi Rob,

Thanks for the documentation.  I looked through it and I still have a few questions. My intent isn't to have a group, it's to have the individual users set the policy.  AKA if I'm John Doe and my workstation is 10.1.2.3, when I login via AnyConnect, I should _only_ have access to 10.1.2.3.  if I'm Jane Doe and my workstation is 10.1.2.4, when I login I should only be able to access 10.1.2.4.

So if I take a look at example 2 in the above documentation, I would create an LDAP map to the username, and then create a group policy for that username, correct?  Rinse and repeat for each individual user?  I'm also confused how this can be done without individual tunnel groups.  Doesn't the tunnel group set the anyconnect URL and reference the group policy?  If I have a generic tunnel-group, how do I then get from there to the individualized group policies?

Thanks for engaging
- Joel

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to joeldoetsch

‎10-29-2021 07:10 AM

@joeldoetsch yes correct, create LDAP map for each user which maps to a unique Group Policy.

The users connect to the same tunnel-group it's the LDAP attribute map which determine which group policy is applied - this overrides the group policy assigned to the tunnel group.

Customers Also Viewed These Support Documents