Doubts in VPN groups
Hi Guys,
Is it possible to define a single user in a two separate VPN Group? If yes, if the user is connecting, which group will take into effect?
PS: Acc to my knowledge, u can add many users to one group, the users will have access and permission depending upon the group he is in. Please correct me if I am wrong.
Hi rizwan,
Thanks for the reply. Consider this example.
username is: Adam. I am adding this user in two VPN groups namely, VPN1 and VPN2.
For VPN1 group, I have set permission to admin level(for eg).
For VPN2 group, I have set permission to operator level(for eg).
1)So, when he login with his username, which group he will be into?
2)So It is possible to have one user in two groups, right?
PS:The user doesn't know the group he is added to, he will just type his username
Regards,
M.Viswesh
Similar Messages
-
CAS SSO not working for VPN Group
Hello,
I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Winodws radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
The only thing I got is this from the ASA:
AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
I am so close but cant call this done yet....Hey Faisel,
Thanks for the question.
This is the stange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server) would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
So on the ASA I now get these:
AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
Where cas_accounting2 is the AAA server group for Group A
On the ASA I can see that the FW sends a packet to the cas:
"send pkt cas2-hvn-3515/1813"
but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
"rad_vrfy() : response message verified"
What can I look for in the CAS logs to see where the problem is. I will try and setup a packet capture on the CAS and debug it too. -
Gatta rework the remote VPN groups
Hey guys,
So I've been tasked with reworking the VPN groups and what I'd like to do is use a seperate subnet all together.
Right now everyone is getting an IP address of 10.x.x.x
I'd like to put everyone into a 172.x.x.x subnet of there own depending upon group.
So my question is actually about routing. I'm running OSPF and am wondering if I need to make an entry for the network or if there is some sort of route injection that will take place. It's an ASA 5510 by the way.
If anyone has some good docs that would much appreciated.
Thanks.You can do 1 of 2 things in my opinion:-
1) Have a static route in the closest layer 3 router point to the ASA for the 172.x.x.x subnet - then redistribute the static route into OSPF.
2) Configure the ASA to be part of the OSPF process:-
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00809a417a.shtml
HTH> -
10.4.7: Cisco, VPN, Groups ... How?
I see in the release notes for OS X 10.4.7 that it now supports the Cisco VPN "groups". Since my company uses that, I'm very interested! But I can't see how to configure that ... Internet Connect still looks the same, doesn't appear to have anywhere to enter the group name / password.
Clues?
MacBook Pro (2x2.16GHz, 2Gb RAM, 100Gbx7200) Mac OS X (10.4.6) iMac G5, iBook, Parallels/WinXP, linuxYeah, go to the Configuration drop down menu and select Edit Configurations... you can then enter the advanced info there. However don't expect it to work. At this point I don't believe anything Apple says about VPN connectivity with Cisco anymore. They've been saying it's fixed since 10.4.5 and it continues to fail everytime I try to connect.
Here's my log with the url and ip of our server obfuscated.
Tue Jun 27 16:57:54 2006 : L2TP connecting to server 'vpn url' (vpn ip)...
Tue Jun 27 16:58:57 2006 : L2TP cannot connect to the server
Tue Jun 27 16:59:47 2006 : L2TP connecting to server 'failover vpn url' (failover vpn ip)...
Tue Jun 27 17:00:46 2006 : L2TP cannot connect to the server
Tue Jun 27 17:00:46 2006 : L2TP cannot connect to the server -
ASA 5505 VPN Group Policies (RADIUS) and tunnel group
I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username : kaisaron78 Index : 1
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 518483 Bytes Rx : 37549
Group Policy : RemoteAC Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:59:33 CEDT Mon Aug 18 2014
Duration : 0h:00m:23s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username : manintra Index : 2
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 238914 Bytes Rx : 10736
Group Policy : SSLPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:01:02 CEDT Mon Aug 18 2014
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
Any help will be more than appreciated.
Cesare GiulianiOk, it makes sense.
Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani -
Hi,
I am trying to lock groups to a specific tunnel group but unfortunitly no matter what I do the group-lock feature doesnt seem to work. Basically here is what I want to do:
1-Users detail is pulled from AD through LDAP
2-AD group is mapped to the appropriate group on the ASA using attribute mapping
3-user should only use the tunnel that he/she is locked to
4-this all should be done without the user needing to select a group the vpn portal
5-we will be using Any connect and VPN portal for communication
All works fine except the group-lock feature. If enabled and set to "group-lock value NET_ADMIN_G" I get the following error on debug webvpn and the user is not allowed in.
webvpn_auth.c:http_webvpn_post_authentication[1503]
WebVPN: user: (test) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2905]
User came in on group he wasn't supposed to come in on!
when removed no matter what I do the user is mapped to DefaultWEBVPNGroup tunnel group,
SSLVPN(config-group-policy)# sho vpn-sessiondb webvpn
Session Type: WebVPN
Username : test Index : 132
Public IP : 10.1.1.1
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)AES256 Hashing : Clientless: (1)SHA1
Bytes Tx : 252897 Bytes Rx : 48894
Group Policy : NET_ADMIN Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:18:13 EDT Fri Mar 22 2013
Duration : 0h:01m:12s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Asa is on 9.11.4.
group policy:
group-policy NET_ADMIN internal
group-policy NET_ADMIN attributes
wins-server none
dns-server value 2.2.2.2
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-session-timeout alert-interval 25
vpn-filter value VPN_SPLIT_TUNNEL
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
password-storage disable
ip-comp enable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value brightstarcorp.com
split-dns value brightstarcorp.com
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn value svgmelb.au.brightstarcorp.com
leap-bypass disable
nem disable
backup-servers clear-client-config
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value SSL_POOL
ipv6-address-pools none
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list value NETADMIN_BOOKMARK
filter value INTERNAL_WEBACL
homepage use-smart-tunnel
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value posture
anyconnect profiles value net_admin_p type user
anyconnect ask none default webvpn
customization value NETADMIN_PORTAL
hidden-shares visible
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
auto-signon allow uri * auth-type all
Tunnel Group:
tunnel-group NET_ADMIN_G type remote-access
tunnel-group NET_ADMIN_G general-attributes
address-pool SSL_POOL
authentication-server-group LDAP
authorization-server-group LDAP
accounting-server-group RGROUPADMIN
default-group-policy NET_ADMIN
authorization-required
tunnel-group NET_ADMIN_G webvpn-attributes
customization NETADMIN_PORTAL
group-alias infra_network enable
group-url https://x.x.x.x/network enable
dns-group DNSGROUP
Any ideas?
Thanks in advanceHi Portu,
Heres debug Ldap:
SLVPN#
[553] Session Start
[553] New request Session, context 0x00007fff33beb228, reqType = Authentication
[553] Fiber started
[553] Creating LDAP context with uri=ldap://1.1.1.13:389
[553] Connect to LDAP server: ldap://1.1.1.13:389, status = Successful
[553] supportedLDAPVersion: value = 3
[553] supportedLDAPVersion: value = 2
[553] Binding as bind
[553] Performing Simple authentication for test to 1.1.1.13
[553] LDAP Search:
Base DN = [OU=xx ENTERPRISE,DC=xxx,DC=com]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[553] User DN = [CN=test,OU=Users,OU=xx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com]
[553] Talking to Active Directory server 1.1.1.13
[553] Reading password policy for test, dn:CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com
[553] Read bad password count 0
[553] Binding as test
[553] Performing Simple authentication for test to 1.1.1.13
[553] Processing LDAP response for user test
[553] Message (test):
[553] Authentication successful for test to 1.1.1.13
[553] Retrieved User Attributes:
[553] objectClass: value = top
[553] objectClass: value = person
[553] objectClass: value = organizationalPerson
[553] objectClass: value = user
[553] cn: value = test
[553] sn: value =
[553] c: value = AU
[553] l: value = xxx
[553] st: value = xxx
[553] title: value = test user / IT
[553] description: value = Network
[553] postalCode: value = xxx
[553] physicalDeliveryOfficeName: value = xxx
[553] telephoneNumber: value = xxx
[553] givenName: value = test
[553] distinguishedName: value = CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=br
[553] instanceType: value = 4
[553] whenCreated: value = 20110327224420.0Z
[553] whenChanged: value = 20130319223953.0Z
[553] displayName: value = test
[553] uSNCreated: value = 84454809
[553] memberOf: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] memberOf: value = CN=Networks,OU=Distribution Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = NET_ADMIN
[553] mapped to LDAP-Class: value = NET_ADMIN
[553] memberOf: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate
[553] mapped to IETF-Radius-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
aaa common debug:
AAA API: In aaa_open
AAA session opened: handle = 3
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
AAA_NextFunction: authen svr = BSTAR_LDAP, author svr = LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_USER_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating user group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
User Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
AAA FSM: In AAA_InitTransaction
Initiating authorization query (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
AAA_NextFunction: author svr = BSTAR_LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_AUTH_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating authorization group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTH_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DfltGrpPolicy)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DfltGrpPolicy
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up DfltGrpPolicy
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
Class attribute created from LDAP-Class attribute
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
Checking simultaneous login restriction (max allowance=3) for user test
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 6 "test"
2 User-Password(2) 10 (hidden)
3 Group-Policy(4121) 9 "NET_ADMIN"
4 AAA-AVP-Table(4243) 11268 "[04],[00][00]t[00][00][00][F8][03][00][00][0F][04][00]"
5 LDAP-Class(20520) 10 "NET_ADMIN[00]"
6 LDAP-Class(20520) 11 "USERS[00]"
user policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff35d685e0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 3
6 Primary-DNS(4101) 4 IP: 1.1.1.13
7 Secondary-DNS(4102) 4 IP: 1.1.1.30
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 52
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
14 Default-Domain-Name(4124) 18 "xxxxcorp.com"
15 Secondary-Domain-Name-List(4125) 18 "xxxxcorp.com"
16 Nat-Enabled-IPSec(4130) 4 0
17 IPSec-UDP-Port(4131) 4 10000
18 IPComp(4135) 4 1
19 Authentication-On-Rekey(4138) 4 0
20 Required-Firewall-Vendor-Code(4141) 0 0x0000000002e006b0 ** Unresolved Attribute **
21 Required-Firewall-Product-Code(4142) 0 0x0000000002e006b0 ** Unresolved Attribute **
22 Required-Firewall-Description(4143) 0 0x00007fff35d687fa ** Unresolved Attribute **
23 Secure-unit-config(4144) 4 0
24 Individual-user-auth-config(4145) 4 0
25 User-auth-idle-timeout(4146) 4 0
26 Cisco-IP-telephony-config(4147) 4 0
27 Split-Tunneling-Policy(4151) 4 1
28 Required-Firewall-Capability(4152) 0 0x0000000002e006b0 ** Unresolved Attribute **
29 Client Firewall Optional(4154) 0 0x0000000002e006b0 ** Unresolved Attribute **
30 Backup-Ip-Sec-Peers-Enabled(4155) 4 2
31 Network-Extension-Mode-Allowed(4160) 4 0
32 URL list name(4167) 17 "NETADMIN_BOOKMARK"
33 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
34 Cisco-LEAP-Passthrough-config(4171) 4 0
35 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff35d68835 ** Unresolved Attribute **
36 IE-Proxy-Server-Method(4177) 4 1
37 The tunnel group that tunnel must be associated with(4181) 11 "NET_ADMIN_G"
38 User ACL for inbound traffic(4182) 8 ""
39 User ACL for outbound traffic(4183) 8 ""
40 Indicates whether or not PFS is required for IPSec(4184) 4 0
41 WebVPN URL Entry enable(4189) 4 1
42 WebVPN File Server Entry enable(4191) 4 1
43 WebVPN File Server Browsing enable(4192) 4 1
44 WebVPN SVC Keep enable(4201) 4 1
45 WebVPN SVC Keepalive interval(4203) 4 20
46 WebVPN SVC Client DPD period(4204) 4 30
47 WebVPN SVC Gateway DPD period(4205) 4 30
48 WebVPN SVC Rekey period(4206) 4 0
49 WebVPN SVC Rekey method(4207) 4 0
50 WebVPN SVC Compression(4208) 4 2
51 WebVPN Customization(4209) 15 "NETADMIN_PORTAL"
52 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
53 WebVPN SVC DTLS Compression(4213) 4 2
54 Extended Authentication-On-Rekey(4218) 4 0
55 WebVPN SVC DTLS enable(4219) 4 1
56 WebVPN SVC MTU(4221) 4 1406
57 CIFS hidden shares(4222) 4 1
58 CVC-Modules(4223) 7 "posture"
59 CVC-Profile(4224) 17 "net_admin_p#user,"
60 CVC-Ask(4227) 4 4
61 CVC-Ask-Timeout(4228) 4 0
62 WebVPN ActiveX Relay(4233) 4 1
63 VLAN ID(4236) 4 0
64 NAC Settings(4237) 0 0x00007fff35d68985 ** Unresolved Attribute **
65 WebVPN Session timeout alert interval(4245) 4 25
66 List of address pools to assign addresses from(4313) 13 "SSL_POOL"
67 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff35d68998 ** Unresolved Attribute **
68 Smart tunnel on home page enable(4324) 4 1
69 Disable Always-On VPN(4325) 4 0
70 SVC ignore DF bit(4326) 4 0
71 Client Bypass Protocol(4331) 4 0
72 Gateway FQDN(4333) 29 "xxx.xxxxcorp.com"
73 CA URL for SCEP enrollment(20530) 0 0x00007fff35d689c7 ** Unresolved Attribute **
tunnel policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff351cddd0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 0
6 Primary-DNS(4101) 4 IP: 10.125.3.7
7 Secondary-DNS(4102) 4 IP: 10.125.3.5
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 124
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Group-Policy(4121) 13 "DfltGrpPolicy"
14 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
15 Default-Domain-Name(4124) 18 "xxxxcorp.com"
16 Secondary-Domain-Name-List(4125) 0 0x00007fff351cdfc7 ** Unresolved Attribute **
17 Nat-Enabled-IPSec(4130) 4 0
18 IPSec-UDP-Port(4131) 4 10000
19 IPComp(4135) 4 0
20 Authentication-On-Rekey(4138) 4 0
21 Secure-unit-config(4144) 4 0
22 Individual-user-auth-config(4145) 4 0
23 User-auth-idle-timeout(4146) 4 30
24 Cisco-IP-telephony-config(4147) 4 0
25 Split-Tunneling-Policy(4151) 4 1
26 Client Firewall Optional(4154) 0 0x00007fff351cdfec ** Unresolved Attribute **
27 Backup-Ip-Sec-Peers-Enabled(4155) 4 1
28 Group-giaddr(4157) 4 IP: 0.0.0.0
29 Intercept-DHCP-Configure-Msg(4158) 4 0
30 Client-Subnet-Mask(4159) 4 IP: 255.255.255.255
31 Network-Extension-Mode-Allowed(4160) 4 0
32 WebVPN Content Filter Parameters(4165) 4 0
33 WebVPN Parameters configuration(4166) 4 1
34 URL list name(4167) 0 0x00007fff351ce008 ** Unresolved Attribute **
35 Forwarded ports(4168) 0 0x00007fff351ce009 ** Unresolved Attribute **
36 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
37 Cisco-LEAP-Passthrough-config(4171) 4 0
38 Default WebVPN homepage(4172) 0 0x00007fff351ce016 ** Unresolved Attribute **
39 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff351ce017 ** Unresolved Attribute **
40 Application Access Name(4175) 18 "Application Access"
41 IE-Proxy-Server(4176) 0 0x00007fff351ce02b ** Unresolved Attribute **
42 IE-Proxy-Server-Method(4177) 4 1
43 IE-Proxy-Server-Exceptions(4178) 0 0x00007fff351ce030 ** Unresolved Attribute **
44 IE-Proxy-Server-Bypass-Local(4179) 4 0
45 The tunnel group that tunnel must be associated with(4181) 0 0x00007fff351ce035 ** Unresolved Attribute **
46 Indicates whether or not PFS is required for IPSec(4184) 4 0
47 NAC Enable/Disable(4185) 4 0
48 NAC Status Query Timer(4186) 4 300
49 NAC Revalidation Timer(4187) 4 36000
50 NAC Default ACL(4188) 8 ""
51 WebVPN URL Entry enable(4189) 4 0
52 WebVPN File Server Entry enable(4191) 4 0
53 WebVPN File Server Browsing enable(4192) 4 0
54 WebVPN Port Forwarding enable(4193) 4 0
55 WebVPN Port Forwarding Exchange Proxy enable(4194) 4 0
56 WebVPN Port Forwarding HTTP Proxy enable(4195) 4 0
57 WebVPN SVC enable(4199) 4 0
58 WebVPN SVC Required enable(4200) 4 0
59 WebVPN SVC Keep enable(4201) 4 0
60 WebVPN SVC Keepalive interval(4203) 4 20
61 WebVPN SVC Client DPD period(4204) 4 30
62 WebVPN SVC Gateway DPD period(4205) 4 30
63 WebVPN SVC Rekey period(4206) 4 0
64 WebVPN SVC Rekey method(4207) 4 0
65 WebVPN SVC Compression(4208) 4 2
66 WebVPN Customization(4209) 0 0x00007fff351ce08a ** Unresolved Attribute **
67 Single Sign On Server Name(4210) 0 0x00007fff351ce08b ** Unresolved Attribute **
68 WebVPN SVC Firewall Rule(4211) 17 "private#,public#,"
69 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
70 WebVPN SVC DTLS Compression(4213) 4 2
71 HTTP compression method(4216) 4 0
72 Maximum object size to ignore for updating the session timer(4217) 4 4
73 Extended Authentication-On-Rekey(4218) 4 0
74 WebVPN SVC DTLS enable(4219) 4 1
75 WebVPN SVC MTU(4221) 4 1406
76 CIFS hidden shares(4222) 4 0
77 CVC-Modules(4223) 20 "dart,vpngina,posture"
78 CVC-Profile(4224) 15 "IPSEC_VPN#user,"
79 CVC-IKE-Retry-Timeout(4225) 4 10
80 CVC-IKE-Retry-Count(4226) 4 3
81 CVC-Ask(4227) 4 2
82 CVC-Ask-Timeout(4228) 4 0
83 IE-Proxy-Pac-URL(4229) 0 0x00007fff351ce1a4 ** Unresolved Attribute **
84 IE-Proxy-Lockdown(4230) 4 1
85 WebVPN Smart Tunnel(4232) 0 0x00007fff351ce1a9 ** Unresolved Attribute **
86 WebVPN ActiveX Relay(4233) 4 1
87 WebVPN Smart Tunnel Auto Download enable(4234) 4 0
88 WebVPN Smart Tunnel Auto Sign On enable(4235) 0 0x00007fff351ce1b2 ** Unresolved Attribute **
89 VLAN ID(4236) 4 0
90 NAC Settings(4237) 0 0x00007fff351ce1b7 ** Unresolved Attribute **
91 MemberOf(4241) 0 0x00007fff351ce1b8 ** Unresolved Attribute **
92 WebVPN Idle timeout alert interval(4244) 4 1
93 WebVPN Session timeout alert interval(4245) 4 1
94 Maximum object size for download(4253) 4 2147483647
95 Maximum object size for upload(4254) 4 2147483647
96 Maximum object size for post(4255) 4 2147483647
97 User storage(4256) 0 0x00007fff351ce1cd ** Unresolved Attribute **
98 User storage objects(4257) 19 "cookies,credentials"
99 User storage shared key(4258) 0 0x00007fff351ce1e2 ** Unresolved Attribute **
100 VDI configuration(4259) 0 0x00007fff351ce1e3 ** Unresolved Attribute **
101 NAC Exception List(4312) 4 0
102 List of address pools to assign addresses from(4313) 0 0x00007fff351ce1e8 ** Unresolved Attribute **
103 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff351ce1e9 ** Unresolved Attribute **
104 IPv6 filter-id(4315) 8 ""
105 WebVPN Unix user ID(4317) 4 65534
106 WebVPN Unix group ID(4318) 4 65534
107 Disconnect VPN tunnel when a Smartcard is removed(4321) 4 1
108 WebVPN Smart Tunnel Tunnel Policy(4323) 0 0x00007fff351ce1fe ** Unresolved Attribute **
109 Disable Always-On VPN(4325) 4 1
110 SVC ignore DF bit(4326) 4 0
111 SVC client routing/filtering ignore(4327) 4 0
112 Configure the behaviour of DNS queries by the client when Split tunneling is enabled(4328) 4 0
113 Client Bypass Protocol(4331) 4 0
114 IPv6-Split-Tunneling-Policy(4332) 4 0
115 Gateway FQDN(4333) 0 0x00007fff351ce217 ** Unresolved Attribute **
116 CA URL for SCEP enrollment(20530) 0 0x00007fff351ce218 ** Unresolved Attribute **
Auth Status = ACCEPT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 3
In aaai_close_session (3)
Thanks, -
How to set two DNS domain in one Remote VPN group policy
Hello experts
I am using ASA 8.2 to provide IPsec remote VPN for our staff. And in the group policy I set default domain name which is needed for our DNS server to resolve internal URLs. But the problem is now we have two domain names on our DNS server, and host names in two domains are differents. So if I setup one domain name in the group policy, URLs in the other domain cannot be resolved when using VPN. But ADSM seems doesn't allow me to setup two domain names for the attribute 'Default Domain'. What can I do?
Thanks a lot.Come on Experts, please help. Any way to achieve that, or it's a mission impossible.
-
Missing vpn group name and password
i have successfully installed the cisco vpn version 4.9.01 (0100) for the mac os x 10.502 operating system. However, the software did not include the Group Name or the Group Password. I believe these are provided by Cisco. Can you tell me what they should be? The company is FedEx.
I have the .pcf file onm my desktop. I have been told that I need to open the vpn client and import the file. I click on import, and it asks for the import path, which I give) , and it also asks for the import password. No one at FedEx tech support seems to know the Import password. Any Ideas?
-
VRF aware GET-VPN Group-member
Hi,
we want to configure following on some of our routers.
3 VRF-lite (before it has been 3 seperate routers)
For each VRF we have to use a seperate GDOI-Group , different PSKs.
The KS for the different GDOI Groups is the same adresses (central resource reachable from every VRF).
I know that I can configure per GDOI-Group a "client registartion interface ..." which can be an interface in a VRF.
to configure the same KS-address for different GDOI-groups seems to be not possible
crypto gdoi group GROUP-1
identity number 1111111
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
crypto gdoi group GROUP-2
identity number 2222222
server address ipv4 22.198.255.29
server address ipv4 22.198.255.33
As soon as I configure the KS for GROUP-2 I get an error-message that the KS is already configured.
We can configure different ISAKMP-Profiles (vrf aware), but GDOI-GROUP configuration seems not to be VRF aware.
Is there a way how to achive to use the same KS-Address for different-Groups in different VRFs.
Thx
HubertHi Naman, I think there is a misunderstanding of my problem.
On the branch-routers I have two VRFs. In each VRF I have to configure GET-VPN-GM.
The KS are on central routers in each VRF but they do have the sam IP-address (we use overlapping address-space in both VRFs)
Configuration is like following
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
the problem is that we would have to configure to different ISAKMP-PSK for same Server-Address, and thats not possible
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!101010 address 22.109.255.45
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.161.255.33
crypto isakmp key !$SECURE-WAN-KEY$!121212 address 22.109.255.45
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback0
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
interface Loopback1
ip vrf forwarding VRF_10
ip address 10.10.10.45 255.255.255.252
interface Loopback1
ip vrf forwarding VRF_12
ip address 12.12.12.45 255.255.255.252
interface gig0/1.10
ip vrf forwarding VRF_10
crypto map MAP-10-SECURE-WAN
interface gig0/1.12
ip vrf forwarding VRF_12
crypto map MAP-12-SECURE-WAN
So my idea was to configure the PSKs per VRF via an ISAKMP-Profile (where i can define VRFs)
ip vrf VRF_10
rd 10:0
route-target export 10:0
route-target import 10:0
maximum routes 1000 warning-only
ip vrf VRF_12
rd 12:0
route-target export 12:0
route-target import 12:0
maximum routes 1000 warning-only
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1200
crypto keyring ISAKMP_KEY_GETVPN_10
local-address Loopback0
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!101010
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!101010
crypto keyring ISAKMP_KEY_GETVPN_12
local-address Loopback1
pre-shared-key address 22.161.255.33 key !$SECURE-WAN-KEY$!121212
pre-shared-key address 22.109.255.45 key !$SECURE-WAN-KEY$!121212
crypto isakmp profile ISAKMP_PROFILE_GETVPN_10
vrf VRF_10
keyring ISAKMP_KEY_GETVPN_10
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback0
crypto isakmp profile ISAKMP_PROFILE_GETVPN_12
vrf VRF_12
keyring ISAKMP_KEY_GETVPN_12
self-identity address
match identity address 22.161.255.33 255.255.255.255
match identity address 22.109.255.45 255.255.255.255
keepalive 20 retry 2
local-address Loopback1
crypto gdoi group GROUP-10
identity number 101010
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback0
crypto gdoi group GROUP-12
identity number 121212
server address ipv4 22.161.255.33
server address ipv4 22.109.255.45
client registration interface Loopback1
crypto map MAP-10-SECURE-WAN local-address Loopback0
crypto map MAP-10-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_10
crypto map MAP-10-SECURE-WAN 10 gdoi
set group GROUP-10
crypto map MAP-12-SECURE-WAN local-address Loopback1
crypto map MAP-12-SECURE-WAN isakmp-profile ISAKMP_PROFILE_GETVPN_12
crypto map MAP-12-SECURE-WAN 10 gdoi
set group GROUP-12
But it seems it does not work !!!
Any idea ?
Thx in Advance
Hubert -
Doubt regarding avoiding group by function
i just came to know about a query which will avoid group by function,
select sum(column_name) over ( partition by <coulmns> order by <solumns> )
from <table_name>
now columns specified in the partition by clause, are the one which will be specified under group by clause, i know this works, but can anyone expalain the meaning and significance of over keyword and is it a function, i mean with respect to SQL language that syntax seems to be very much different isn't it???
cheereHi
Analytic functions are not alternative for group by.
Analytic functions are the last set of operations performed in a query except for the
final ORDER BY clause. All joins and all WHERE, GROUP BY, and HAVING clauses are completed before the analytic functions are processed. Therefore, analytic functions can appear only in the select list or ORDER BY clause.
And regarding your question,
see this example from oracle documentation
The following example calculates, for each manager in the sample table
hr.employees, a cumulative total of salaries of employees who answer to that
manager that are equal to or less than the current salary. You can see that Raphaely and Cambrault have the same cumulative total. This is because Raphaely and Cambrault have the identical salaries, so Oracle adds together their salary values and applies the same cumulative total to both rows.
SELECT manager_id, last_name, salary,
SUM(salary) OVER (PARTITION BY manager_id ORDER BY salary
RANGE UNBOUNDED PRECEDING) l_csum
FROM employees;
MANAGER_ID LAST_NAME SALARY L_CSUM
100 Mourgos 5800 5800
100 Vollman 6500 12300
100 Kaufling 7900 20200
100 Weiss 8000 28200
100 Fripp 8200 36400
100 Zlotkey 10500 46900
100 Raphaely 11000 68900
100 Cambrault 11000 68900
100 Errazuriz 12000 80900
149 Taylor 8600 30200
149 Hutton 8800 39000
149 Abel 11000 50000
201 Fay 6000 6000
205 Gietz 8300 8300
King 24000 24000
For clear understanding read the following point:
Whenever the order_by_clause results in identical
values for multiple rows, the function returns the same result for
each of those rows
ITS THE CUMULATIVE SUM HERE.
SO,IF TRY GIVING SAME NAME FOR ALL EMPLOYESS AND see the same result as you were getting with (partition by dept).
so , sum function which u are using here is analytic function and so results in cumulative sum. and when identical values are identified, same result is displayed.
Hope you got it!
Cheers,
Kishore KVR -
Hi All,
Program Groups has different meaning in ABAP.Could any body help me know the exact information on this... How the common data part will working according to this...
Thank you...check this out
link: [http://help.sap.com/saphelp_46c/helpdata/en/e4/2adbd7449911d1949c0000e8353423/content.htm]
reward if helpful
raam -
Doubt Regarding status group with respect to Incompletion log
Hi,
I just want to know if in status group if i click the radio button delivery & billing then will it alllow me to create delivery and billing even if sales order is incomplete .Hi,
No delivery & Billing are not carried out unless the sales order is complete. Selecting the radiobuttons delivery & billing indicate that some input data is missing.
Example Shipping point data in sales order is missing then delivery cannot be carried out and the system displays it in incompletion log.
If payment terms are missing in sales order, then billing cannot be carried out and the system displays it in incompletion log.
chan
Message was edited by:
hari sri -
OTL (Oracle Time and Labor) Doubt on Timekeeper Groups API
Hi,
Using HXC TimeStore API we can Create/insert/update/delete TimeCards.
Then what is the use of Timekeeper Groups API's HXC_TIMEKEEPER_GROUP_API ?
Thanks.I see below two calls in the package body, what is meant by 'User Hook'?User hooks provide the client with the ability to add logic to application processing and to disable optional product processing. These User Hooks take the form of procedures that may be called by the application, in sequence, when the application takes a specified action on a specified object type -- http://orclpps.blogspot.ca/2008/01/user-hooks-in-oracle.html
User Hooks are an easier way of extending the standard functionality of many Oracle Application modules. They are synonymous to database triggers, but are implemented as APIs (package.procedure). -- http://oraclewithbiju.blogspot.ca/2012/06/oracle-applications-user-hooks.html
http://www.oracle.com/pls/ebs121/search?word=%27User+Hook%27&format=ranked&remark=quick_search
https://forums.oracle.com/forums/search.jspa?threadID=&q=User+AND+Hooks&objID=c3&dateRange=all&userID=&numResults=15&rankBy=10001
Thanks,
Hussein -
How do i use an active directory group for vpn and not all user
hi all,
i have an asa 5515x...
how do i use a particular group in active directory to have vpn/anyconnect access? right now i believe it's for all user on my current config,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!integrate with active directory
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 12345678
ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
server-type auto-detect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
say i want this "vpn-group" object group in AD and my vpn is only anyconnect and no other vpn types.
thanks for any comment you may add.The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that. -
Can i use same address pool for different remote access VPN tunnel groups and policy
Hi all,
i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
thanks in advance
ShnailThanks Karsten..
but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below, this will achive waht i need right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx
Maybe you are looking for
-
Increase in CPU Utilization after migration from APEX 3.1.2 to APEX 3.2
Has any noticed any increase in CPU Utilization after migrating from APEX 3.1.2 to APEX 3.2? Thanks, Mark
-
How do I show a clipping path on an image in Illustrator?
Hi there I am a beginner when it comes to Illustrator and only use it when I have to - like now! I was wondering - Is it possible to place an image into an AI file and show its clipping path? (that was created in Photoshop) I have tried saving the im
-
Issue Using both Firewire Ports on 24" iMac
I just got a new 24" iMac with the 3.06 processor. I intend to use it with Pro Tools and other music making software. I have an audio interface that is firewire only and an external hard drive (where I store my audio files) that is both firewire and
-
Is my right Ethernet Port Broken?
05Apr2014 I bought a new Mac Pro with all the features. There are two Ethernet ports on the bottom of the periferal ports. I am able to connect with an Airport Extreme (Generation 3) wiht the left port. The connection does not work on the right eth
-
Standard traffic flow in a network
HI when we work in a network then we face a problem overflow of trafic/packet . so If normal 100 user in a network work then how packet flow in a second ?. Like example normal condition in a router processor 30% and when it ups 50% or avobe then wron