In the last article about this topic, we covered one of the ways to apply different policies to AnyConnect VPN users using the Cisco router’s local database. In that article, we saw that although the IOS WebVPN group lock feature is meant to tie a user to a particular context, it indirectly causes the policy configured under that context to be applied to the user.

One of the reasons I don’t like that method is that users need to know which context they will be connecting to beforehand. This may not necessarily be a problem if hostnames are used to connect but, still, it seems a bit tacky. This brings us to the second solution.


AAA Attribute Lists

Under a WebVPN context, one can configure several policies even though a context can have only one default group policy applied. While researching this topic, I discovered from a Cisco white paper that the attribute webvpn:user-vpn-group can be returned by a RADIUS server to assign different policies to VPN users. However, I needed a way to achieve this locally.

I recently started using AAA attribute lists extensively on the Cisco IOS and they have come in really handy in many instances. This feature basically turns a Cisco router into a local AAA server with many (if not all?) of the attributes that you can configure on an external AAA (e.g. RADIUS) server. Luckily for me (and you reading this article), “user-vpn-group” is one of the attributes available under AAA attribute lists.

Let me use the same network we had in the last article to show you how this can be configured:

We will configure a single WebVPN context, but with three different policies:

  1. “Sales_Policy,” which will allow HTTP access to 192.168.10.100
  2. “Administrator_Policy,” which will allow unrestricted access.
  3. “No_Access,” which will be the default policy applied to any user who isn’t assigned a policy. All traffic will be denied.

The configuration on the router is as follows:

aaa new-model
aaa authentication login webvpn local
!
interface FastEthernet0/0
 ip address 41.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
!
ip local pool ANYCONNECT_POOL 192.168.10.51 192.168.10.60
!
ip http server
ip http secure-server
!
ip access-list standard SPLIT_ACL
 permit 192.168.10.0 0.0.0.255
!
ip access-list extended Administrator_ACL
 permit ip any any
ip access-list extended Sales_ACL
 permit tcp any host 192.168.10.100 eq 80
!
webvpn gateway AnyConnect_RTR
 ip address 41.1.1.2 port 443
 ssl trustpoint TP-self-signed-4279256517
 inservice
 !
webvpn install svc disk0:/webvpn/anyconnect-linux-3.1.08009-k9.pkg sequence 1
 !
webvpn context Anyconnect
 ssl authenticate verify all
 !
 policy group Sales_Policy
   functions svc-enabled
   filter tunnel Sales_ACL
   svc address-pool "ANYCONNECT_POOL"
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
 !
 policy group Administrator_Policy
   functions svc-enabled
   filter tunnel Administrator_ACL
   svc address-pool "ANYCONNECT_POOL"
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
 !
 policy group No_Access
   functions svc-enabled
   hide-url-bar
   banner "Access Denied!"
 !
 virtual-template 1
 default-group-policy No_Access
 aaa authentication list webvpn
 gateway AnyConnect_RTR
 inservice

Notice that this configuration is just the normal IOS WebVPN/SSL VPN configuration except that we have defined multiple policies under the WebVPN context.

Now what we need to do is make sure users get assigned the right policy when they connect and this is where we configure AAA attribute lists. These attributes are applied in the authorization phase so we must also configure an AAA authorization method to be applied to the WebVPN context.

aaa authorization network webvpn local
!
aaa attribute list Sales_AAA_List
 attribute type user-vpn-group "Sales_Policy"
aaa attribute list Administrator_AAA_List
 attribute type user-vpn-group "Administrator_Policy"
!
username user1 secret cisco
username user1 aaa attribute list Sales_AAA_List
username user2 secret cisco
username user2 aaa attribute list Administrator_AAA_List
username user3 secret cisco
!
webvpn context Anyconnect
 aaa authorization list webvpn

As you can see, I have created three users: user1 has the AAA attribute list “Sales_AAA_List” attached; user2 has the AAA attribute list “Administrator_AAA_List” attached; and user3 does not have any attribute list attached.
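
The mapping described above can be checked offline against a saved configuration. The following is an added example, not part of the original article: a small Python check that resolves which policy group each local user ends up with (username, then AAA attribute list, then user-vpn-group) and flags users who fall through to the default-group-policy or whose attribute list names a policy group the context does not define. It assumes a single WebVPN context as configured here; the function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the relevant lines of the configuration shown in this article.
SAMPLE_CONFIG = """\
aaa attribute list Sales_AAA_List
 attribute type user-vpn-group "Sales_Policy"
aaa attribute list Administrator_AAA_List
 attribute type user-vpn-group "Administrator_Policy"
username user1 aaa attribute list Sales_AAA_List
username user2 aaa attribute list Administrator_AAA_List
username user3 secret cisco
webvpn context Anyconnect
 policy group Sales_Policy
 policy group Administrator_Policy
 policy group No_Access
 default-group-policy No_Access
"""

def effective_policies(config):
    """Return {username: (policy_group, source)} for every local user."""
    lists, users, groups, default, current = {}, {}, set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            current = None  # an unindented line ends any attribute-list block
        if m := re.match(r"aaa attribute list (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r'attribute type user-vpn-group "?([^"\s]+)"?$', line)):
            lists[current] = m.group(1)
        elif m := re.match(r"username (\S+) aaa attribute list (\S+)$", line):
            users[m.group(1)] = m.group(2)
        elif m := re.match(r"username (\S+) ", line):
            users.setdefault(m.group(1), None)
        elif m := re.match(r"policy group (\S+)$", line):
            groups.add(m.group(1))
        elif m := re.match(r"default-group-policy (\S+)$", line):
            default = m.group(1)
    result = {}
    for user, attr_list in users.items():
        group = lists.get(attr_list)
        if group is None:  # no list attached, or list carries no user-vpn-group
            result[user] = (default, "default")
        else:  # flag names that match no policy group in the context
            result[user] = (group, "attribute-list" if group in groups else "UNDEFINED")
    return result

if __name__ == "__main__":
    for user, (group, source) in effective_policies(SAMPLE_CONFIG).items():
        print(f"{user}: {group} ({source})")
```

Any user reported as "default" depends entirely on how restrictive the default-group-policy is, and any "UNDEFINED" entry points to a misspelled or stale policy name that should be corrected before the change is deployed.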

Let’s test this configuration. We will start with user1, who should be assigned the “Sales_Policy.”

We can use the “show webvpn session user <username> context <context>” command to view information about the connected user’s session.

As you can see, even though the default group policy under the WebVPN context is “No_Access,” user1 was successfully assigned the “Sales_Policy” group policy, meaning that our AAA attribute list works.

Let’s test user2 now.

We can also check the WebVPN session for user2.

Finally, let’s test user3. Since this user has no AAA attribute list attached to it (meaning no user-vpn-group), it will use the default group policy under the WebVPN context. In summary, no access will be given and a banner will be displayed saying “Access Denied.”

After I click “Connect”, the banner we configured is displayed:

If I click on “Accept”, the tunnel still attempts to be formed but, since I did not attach any IP address pool to that policy, the VPN session is not established.

Note: If user3 connects to the WebVPN service using a web browser, the “hide-url-bar” setting (and the absence of configured URL lists) will make sure that the user cannot connect to any IP address.

Summary

This brings us to the end of this 2-part article on using the local database on a Cisco router to apply different policies to WebVPN/AnyConnect VPN users. In the first part of this article, we used the Cisco IOS WebVPN group lock feature, which basically means we attach users to different WebVPN contexts and the policy configured under those WebVPN contexts will be applied to the user.

In this article, we configured different policies under a single WebVPN context and then used AAA attribute lists to attach these group policies to different users.

I hope you have found this article helpful.

References and Further Reading

  • ASA and Cisco IOS Group-lock Features and AAA Attributes and WebVPN Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html