In this article, we will look at the VPN group-lock feature on both the Cisco ASA and the Cisco IOS and see the difference between them.

Cisco ASA Remote Access VPN with Group-Lock Feature

The group-lock feature on the ASA restricts a user to a specific tunnel group, meaning that the user is not allowed to connect to other tunnel groups configured on that ASA.


Let us use the simple network diagram below (the ASA's outside interface is 41.1.1.1 and its inside interface is 192.168.10.1) to see how this works:

The configuration on the Cisco ASA is as follows:

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 41.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
access-list SPLIT_ACL standard permit 192.168.10.0 255.255.255.0
ip local pool SALES-POOL 192.168.10.51-192.168.10.60
ip local pool ADMIN-POOL 192.168.10.61-192.168.10.70
!
crypto ipsec ikev1 transform-set MYSET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set MYSET
crypto dynamic-map DYN_MAP 1 set reverse-route
crypto map MYMAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map MYMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy SALES-POLICY internal
group-policy SALES-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 address-pools value SALES-POOL
group-policy ADMIN-POLICY internal
group-policy ADMIN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 address-pools value ADMIN-POOL
!
tunnel-group SALES-RA type remote-access
tunnel-group SALES-RA general-attributes
 default-group-policy SALES-POLICY
tunnel-group SALES-RA ipsec-attributes
 ikev1 pre-shared-key cisco
tunnel-group ADMIN-RA type remote-access
tunnel-group ADMIN-RA general-attributes
 default-group-policy ADMIN-POLICY
tunnel-group ADMIN-RA ipsec-attributes
 ikev1 pre-shared-key cisco
!
username salesuser password cisco
username salesuser attributes
 group-lock value SALES-RA
username adminuser password cisco
username adminuser attributes
 group-lock value ADMIN-RA

Because of the group-lock configuration under the username attributes, the “salesuser” can only connect to the “SALES-RA” tunnel-group and the “adminuser” can only connect to the “ADMIN-RA” tunnel-group. Let’s test this out.

After connecting to this VPN as “salesuser”, I can check the session details on the ASA using the show vpn-sessiondb command. As you can see, the “salesuser” successfully connects to the “SALES-RA” tunnel-group.

Now let us edit the VPN setting and try to connect to the “ADMIN-RA” tunnel-group using the “salesuser” username.

If I attempt to connect to the VPN now, the connection fails, and if logging is enabled on the ASA you will see an error message as follows: “Tunnel Rejected: User (username) not member of group (tunnel-group-name), group-lock check failed.”

The same thing will apply to the adminuser: that user will only be able to connect to the ADMIN-RA and not the SALES-RA.

Cisco IOS EzVPN with Group-Lock Feature

Now let’s look at this same group-lock feature on the Cisco IOS and you will see that it works differently. When group-lock is enabled under an EzVPN group, the router does additional checking to make sure that the group specified with the username is the same as the EzVPN group name to which the user is trying to connect.

The configuration on the EzVPN router is as follows:

aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local
!
username salesuser@SALESGRP password 0 cisco
username adminuser@ADMINGRP password 0 cisco
!
interface FastEthernet0/0
 ip address 41.1.1.1 255.255.255.0
!
ip local pool SALES-POOL 192.168.10.51 192.168.10.60
ip local pool ADMIN-POOL 192.168.10.61 192.168.10.70
!
ip access-list extended SPLIT_ACL
 permit ip 192.168.10.0 0.0.0.255 any
!
crypto isakmp client configuration group SALESGRP
 key cisco
 pool SALES-POOL
 save-password
 acl SPLIT_ACL
!
crypto isakmp client configuration group ADMINGRP
 key cisco
 pool ADMIN-POOL
 acl SPLIT_ACL
 group-lock
 save-password
!
crypto isakmp profile SALES-ISAKMP-PROFILE
   match identity group SALESGRP
   client authentication list ezvpn
   isakmp authorization list ezvpn
   client configuration address respond
   client configuration group SALESGRP
   virtual-template 1
!
crypto isakmp profile ADMIN-ISAKMP-PROFILE
   match identity group ADMINGRP
   client authentication list ezvpn
   isakmp authorization list ezvpn
   client configuration address respond
   client configuration group ADMINGRP
   virtual-template 2
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile SALES-IPSEC-PROFILE
 set transform-set MYSET
 set isakmp-profile SALES-ISAKMP-PROFILE
!
crypto ipsec profile ADMIN-IPSEC-PROFILE
 set transform-set MYSET
 set isakmp-profile ADMIN-ISAKMP-PROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SALES-IPSEC-PROFILE
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ADMIN-IPSEC-PROFILE

One thing you should notice here is the format in which the usernames are stored: username@groupname. If group-lock is enabled under an EzVPN group, the router will retrieve the “groupname” part of the username and compare it to the EzVPN group name; if they match, access will be granted, otherwise the connection is rejected.

In our configuration, notice that group-lock is only enabled on the “ADMINGRP” and not on the “SALESGRP” – this means that only “adminuser@ADMINGRP” will be able to connect to “ADMINGRP.” However, both “salesuser@SALESGRP” and “adminuser@ADMINGRP” can connect to “SALESGRP” because group-lock is not enabled under that group.

Let’s test this out. We will first connect to the “SALESGRP” with the “salesuser@SALESGRP” username.

I can view the session details using the show crypto session command.

Let’s now try to connect to the same group using the “adminuser@ADMINGRP” username. As already noted, since group-lock is not enabled on this group, this user should also be able to connect.

Again, we can use the show crypto session command to view the session details.

Let’s now move over to the “ADMINGRP.” We can start with the one we know will work: “adminuser@ADMINGRP.”

We can view the session details using the show crypto session command:

Finally, if we try to connect to the “ADMINGRP” using the “salesuser@SALESGRP” username, we will see that it does not work. Because group-lock is enabled on “ADMINGRP”, the router strips the group name from the username (i.e., “SALESGRP”) and compares it with the group name the user is trying to connect to (i.e., “ADMINGRP”); since they don’t match, the user is not allowed to connect.

If ISAKMP debugging (debug crypto isakmp) is turned on during the attempt, we would see the following error: “User Authentication in this group failed.”

So we have seen the difference between group-lock on the Cisco ASA and group-lock on the Cisco IOS. On the Cisco ASA, group-lock is enabled for a user; i.e., that user cannot connect to any tunnel-group except the one associated with it. On the Cisco IOS, however, the group-lock feature is enabled for a group: any user may join a group without group-lock, and only users whose username carries that group's name may join a group with it.

Hint: The ipsec:user-vpn-group AAA attribute can be returned by a RADIUS server to the router, which basically acts like the group-lock feature on the Cisco ASA; i.e., it ties a user to a particular group.
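The difference between the two models is easiest to see as an access matrix: which users can reach which VPN groups. The following Python script is an added example, not Cisco code and not part of the original article. It parses constructed excerpts of the two configurations shown above (only the handful of command lines used in this article are understood), applies the ASA per-user check and the IOS per-group check as described, and reports the resulting matrix plus the audit finding an engineer would want flagged: EzVPN groups that have no group-lock and therefore accept any local user. The added "contractor" user in the ASA excerpt has no group-lock, to show what the absence of the lock means; the optional aaa_vpn_group parameter models the ipsec:user-vpn-group attribute from the hint above as a per-user tie to one group, which is an assumption made for illustration.

```python
"""Model of the two group-lock semantics described in this article (added example)."""
import re
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed excerpt of the ASA configuration shown above. "contractor" is an
# added user with no group-lock, to show what the absence of the lock means.
ASA_CONFIG = """\
tunnel-group SALES-RA type remote-access
tunnel-group ADMIN-RA type remote-access
username salesuser password cisco
username salesuser attributes
 group-lock value SALES-RA
username adminuser password cisco
username adminuser attributes
 group-lock value ADMIN-RA
username contractor password cisco
"""

# Constructed excerpt of the IOS EzVPN configuration shown above.
IOS_CONFIG = """\
username salesuser@SALESGRP password 0 cisco
username adminuser@ADMINGRP password 0 cisco
crypto isakmp client configuration group SALESGRP
 key cisco
 pool SALES-POOL
crypto isakmp client configuration group ADMINGRP
 key cisco
 pool ADMIN-POOL
 group-lock
"""


def parse_asa(config: str) -> Tuple[Set[str], Dict[str, Optional[str]]]:
    """Return the tunnel-groups and a map username -> locked tunnel-group (None = no lock)."""
    tunnel_groups: Set[str] = set()
    users: Dict[str, Optional[str]] = {}
    current_user = None
    for line in config.splitlines():
        if m := re.match(r"tunnel-group (\S+) type remote-access", line):
            tunnel_groups.add(m.group(1))
        elif m := re.match(r"username (\S+) password", line):
            users.setdefault(m.group(1), None)
        elif m := re.match(r"username (\S+) attributes", line):
            current_user = m.group(1)
        elif (m := re.match(r"\s+group-lock value (\S+)", line)) and current_user:
            users[current_user] = m.group(1)
        elif line and not line.startswith(" "):
            current_user = None  # any other top-level command ends the attributes block
    return tunnel_groups, users


def asa_allows(users: Dict[str, Optional[str]], user: str, tunnel_group: str) -> bool:
    """ASA: the lock is a property of the user; an unlocked user may use any tunnel-group."""
    if user not in users:
        return False
    lock = users[user]
    return lock is None or lock == tunnel_group


def parse_ios(config: str) -> Tuple[Dict[str, bool], List[str]]:
    """Return a map EzVPN group -> group-lock enabled, plus the local usernames."""
    groups: Dict[str, bool] = {}
    users: List[str] = []
    current_group = None
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            current_group = m.group(1)
            groups[current_group] = False
        elif m := re.match(r"username (\S+) password", line):
            users.append(m.group(1))
        elif line.strip() == "group-lock" and current_group:
            groups[current_group] = True
        elif line and not line.startswith(" "):
            current_group = None
    return groups, users


def ios_allows(groups: Dict[str, bool], users: List[str], username: str,
               target_group: str, aaa_vpn_group: Optional[str] = None) -> bool:
    """IOS: the lock is a property of the group. With group-lock on, the group suffix
    of the username (user@GROUP) must equal the group being joined. aaa_vpn_group is
    an assumed model of the ipsec:user-vpn-group RADIUS attribute: a per-user tie."""
    if username not in users or target_group not in groups:
        return False
    if aaa_vpn_group is not None and aaa_vpn_group != target_group:
        return False
    if not groups[target_group]:
        return True  # no group-lock: any authenticated local user may join
    return "@" in username and username.rsplit("@", 1)[1] == target_group


def access_matrix(allow: Callable[[str, str], bool], users: Iterable[str],
                  groups: Iterable[str]) -> Dict[str, List[str]]:
    """Which groups each user can join: the view an auditor wants at a glance."""
    return {u: sorted(g for g in groups if allow(u, g)) for u in users}


def asa_matrix() -> Dict[str, List[str]]:
    tunnel_groups, users = parse_asa(ASA_CONFIG)
    return access_matrix(lambda u, g: asa_allows(users, u, g), users, tunnel_groups)


def ios_matrix() -> Dict[str, List[str]]:
    groups, users = parse_ios(IOS_CONFIG)
    return access_matrix(lambda u, g: ios_allows(groups, users, u, g), users, groups)


def ios_unlocked_groups() -> List[str]:
    """Audit finding: EzVPN groups without group-lock accept any local user."""
    groups, _ = parse_ios(IOS_CONFIG)
    return sorted(g for g, locked in groups.items() if not locked)


if __name__ == "__main__":
    print("ASA (lock per user):", asa_matrix())
    print("IOS (lock per group):", ios_matrix())
    print("IOS groups without group-lock:", ios_unlocked_groups())
```

Run as-is, the script reproduces the article's results: on the ASA each locked user reaches exactly one tunnel-group while the unlocked "contractor" reaches both; on IOS "adminuser@ADMINGRP" reaches both groups but "salesuser@SALESGRP" reaches only SALESGRP, and SALESGRP is reported as unlocked. Pointing the parsers at a real running configuration (for example, the output of show running-config) is a quick way to spot EzVPN groups that were meant to be restricted but never received the group-lock command.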

Summary

This brings us to the end of this article, where we have looked at the group lock feature for remote access VPN on both the Cisco ASA and the Cisco IOS router. We saw that, while one is enabled for the user, the other is enabled for the group.

I hope you have found this article helpful.

References and Further Reading

  • ASA and Cisco IOS Group-lock Features and AAA Attributes and WebVPN Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html