In this article, we will look at the VPN group-lock feature on both the Cisco ASA and the Cisco IOS and see the difference between them.
Cisco ASA Remote Access VPN with Group-Lock Feature
The group-lock feature on the ASA restricts a user to a specific tunnel group, meaning that the user is not allowed to connect to other tunnel groups configured on that ASA.
CCNA Training – Resources (Intense)
Let us use the simple network diagram below to see this work:
The configuration on the Cisco ASA is as follows:
interface GigabitEthernet0 nameif outside security-level 0 ip address 188.8.131.52 255.255.255.0 ! interface GigabitEthernet1 nameif inside security-level 100 ip address 192.168.10.1 255.255.255.0 ! access-list SPLIT_ACL standard permit 192.168.10.0 255.255.255.0 ip local pool SALES-POOL 192.168.10.51-192.168.10.60 ip local pool ADMIN-POOL 192.168.10.61-192.168.10.70 ! crypto ipsec ikev1 transform-set MYSET esp-3des esp-sha-hmac crypto dynamic-map DYN_MAP 1 set ikev1 transform-set MYSET crypto dynamic-map DYN_MAP 1 set reverse-route crypto map MYMAP 65535 ipsec-isakmp dynamic DYN_MAP crypto map MYMAP interface outside crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 ! group-policy SALES-POLICY internal group-policy SALES-POLICY attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_ACL address-pools value SALES-POOL group-policy ADMIN-POLICY internal group-policy ADMIN-POLICY attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_ACL address-pools value ADMIN-POOL ! tunnel-group SALES-RA type remote-access tunnel-group SALES-RA general-attributes default-group-policy SALES-POLICY tunnel-group SALES-RA ipsec-attributes ikev1 pre-shared-key cisco tunnel-group ADMIN-RA type remote-access tunnel-group ADMIN-RA general-attributes default-group-policy ADMIN-POLICY tunnel-group ADMIN-RA ipsec-attributes ikev1 pre-shared-key cisco ! username salesuser password cisco username salesuser attributes group-lock value SALES-RA username adminuser password cisco username adminuser attributes group-lock value ADMIN-RA
Because of the group-lock configuration under the username attributes, the “salesuser” can only connect to the “SALES-RA” tunnel-group and the “adminuser” can only connect to the “ADMIN-RA” tunnel-group. Let’s test this out.
When I connect to this VPN, I can check the details on the ASA using the show vpn-sessionbd command. As you can see, the “salesuser” can successfully connect to the “SALES-RA” tunnel-group.
Now let us edit the VPN setting and try to connect to the “ADMIN-RA” tunnel-group using the “salesuser” username.
If I attempt to connect to the VPN, the connection will be unsuccessful and if logging was enabled on the ASA, you will see an error message as follows: “Tunnel Rejected: User (username) not member of group (tunnel-group-name), group-lock check failed.”
The same thing will apply to the adminuser: that user will only be able to connect to the ADMIN-RA and not the SALES-RA.
Cisco IOS EzVPN with Group-Lock Feature
Now let’s look at this same group-lock feature on the Cisco IOS and you will see that it works differently. When group-lock is enabled under an EzVPN group, the router does additional checking to make sure that the group specified with the username is the same as the EzVPN group name to which the user is trying to connect.
The configuration on the EzVPN router is as follows:
aaa new-model aaa authentication login ezvpn local aaa authorization network ezvpn local ! username salesuser@SALESGRP password 0 cisco username adminuser@ADMINGRP password 0 cisco ! interface FastEthernet0/0 ip address 184.108.40.206 255.255.255.0 ! ip local pool SALES-POOL 192.168.10.51 192.168.10.60 ip local pool ADMIN-POOL 192.168.10.61 192.168.10.70 ! ip access-list extended SPLIT_ACL permit ip 192.168.10.0 0.0.0.255 any ! crypto isakmp client configuration group SALESGRP key cisco pool SALES-POOL save-password acl SPLIT_ACL ! crypto isakmp client configuration group ADMINGRP key cisco pool ADMIN-POOL acl SPLIT_ACL group-lock save-password ! crypto isakmp profile SALES-ISAKMP-PROFILE match identity group SALESGRP client authentication list ezvpn isakmp authorization list ezvpn client configuration address respond client configuration group SALESGRP virtual-template 1 ! crypto isakmp profile ADMIN-ISAKMP-PROFILE match identity group ADMINGRP client authentication list ezvpn isakmp authorization list ezvpn client configuration address respond client configuration group ADMINGRP virtual-template 2 ! crypto ipsec transform-set MYSET esp-3des esp-sha-hmac mode tunnel ! crypto ipsec profile SALES-IPSEC-PROFILE set transform-set MYSET set isakmp-profile SALES-ISAKMP-PROFILE ! crypto ipsec profile ADMIN-IPSEC-PROFILE set transform-set MYSET set isakmp-profile ADMIN-ISAKMP-PROFILE ! interface Virtual-Template1 type tunnel ip unnumbered FastEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile SALES-IPSEC-PROFILE ! interface Virtual-Template2 type tunnel ip unnumbered FastEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile ADMIN-IPSEC-PROFILE
One thing you should notice here is the format in which the usernames are stored: username@groupname. If group-lock is enabled under an EzVPN group, the router will retrieve the “groupname” specified in the username and compare it to the EzVPN group name; if they match, access will be granted.
In our configuration, notice that group-lock is only enabled on the “ADMINGRP” and not on the “SALESGRP” – this means that only “adminuser@ADMINGRP” will be able to connect to “ADMINGRP.” However, both “salesuser@SALESGRP” and “adminuser@ADMINGRP” can connect to “SALESGRP” because group lock is not enabled under that group.
Let’s test this out. We will first connect to the “SALESGRP” with the “salesuser@SALESGRP” username.
I can view the session details using the show crypto session command.
Let’s now try to connect to the same group using the “adminuser@ADMINGRP” username. As we already said, since group lock is not enabled on this group, then this user should also be able to connect.
Again we can use the show crypto session to view the session details.
Let’s now move over to the “ADMINGRP.” We can start with the one we know will work: “adminuser@ADMINGRP.”
We can view the session details using the show crypto session command:
Finally, if we try to connect to the “ADMINGRP” using the “salesuser@SALESGRP” username, we will see that it will not work because the router will strip the group name associated with the username (i.e., “SALESGRP”) and compare it with the group name that the user is trying to connect to (i.e., “ADMINGRP”) and since they don’t match, the user will not be allowed to connect (because group lock is enabled).
If ISAKMP debugging was turned on while trying to connect, we will have gotten the following error: “User Authentication in this group failed.”
So we have seen the difference between the group lock on the Cisco ASA and the group lock on the Cisco IOS. On the Cisco ASA, group lock is enabled for a user; i.e., that user cannot connect to any other tunnel group except the one associated with it. On the Cisco IOS however, the group lock feature is enabled for a group.
Hint: The ipsec:user-vpn-group AAA attribute can be returned by a RADIUS server to the router, which basically acts like the group-lock feature on the Cisco ASA; i.e., it ties a user to a particular group.
This brings us to the end of this article, where we have looked at the group lock feature for remote access VPN on both the Cisco ASA and the Cisco IOS router. We saw that, while one is enabled for the user, the other is enabled for the group.
I hope you have found this article helpful.
References and Further Reading
- ASA and Cisco IOS Group-lock Features and AAA Attributes and WebVPN Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html