Restrict a user to a specific VPN Tunnel-Group
So, VPN access is wonderful, but you would like to restrict a user to certain network restrictions. For example, you have an HVAC contractor who maintains your system remotely via your Internet connection. You really have 2 options at this point:
- Open the port to the Public Internet exposing your Internal system (DANGER WILL ROBINSON!! DANGER!!)
- Create a remote-access VPN for the vendor
Let’s Focus on Option 2:
So we set up a VPN connection for the user hvacguy and we restict the tunnel to only access the HVAC controller at 10.255.255.55.
At this point, we have 2 VPN tunnel-groups on my edge ASA device:
tunnel-group CORP
My corporate users connect via VPN to access Exchange servers, file servers, and databases, so their tunnel-group has permissions to access these networks. As mentioned previously, the HVAC contractor’s tunnel-group has permissions to only access the HVAC controller at 10.255.255.55
Here is the config for the users
username hvac.guy password chilly123
Here is the config for the VPN tunnels:
tunnel-group CORP general-attributes
address-pool VPN-POOL
default-group-policy CorpPolicy
tunnel-group CORP ipsec-attributes
pre-shared-key As3cr3tk3y!
tunnel-group HVAC general-attributes
address-pool VPN-POOL
default-group-policy HVACPOL
tunnel-group HVAC ipsec-attributes
pre-shared-key ItsHotInHurr$
As you can see in the above configuration details, the HVAC tunnel sets the group-policy to HVACPOL. Below, you will see in the HVACPOL configuration details that a VPN filter has been set to filter the VPN access to only allow access to the HVAC controller.
group-policy HVACPOL attributes
vpn-simultaneous-logins 2
vpn-idle-timeout 60
vpn-filter value HVACFILTER
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_LAN_Access
So, everything is working as expected. Corp users have access to Corp resources and the HVAC user only has access to the HVAC controller. BUT. The group password for both Corp and HVAC is stored in the pcf file on Cisco Client software using very weak encryption. You can copy the encrypted text to one of many web pages on the Internet and decrypt the password. What does this mean for you, dear administrator?
That’s right, by supplying the tunnel name Corp and the tunnel pre-shared-key, the HVAC user COULD authenticate using his hvac.guy credentials and then be allowed to access the Corp tunnel, giving him network access to Corp resources. DEAL BREAKER!
Can we restrict the username hvac.guy to only be allowed to use the HVAC tunnel? YES! The good news is that the solution or fix for this is much easier than the explanation of the problem above!
After you have created a user like hvac.guy, you can access or set several attributes for that user. One of these attributes “group-lock” is designed to solve this exact problem.
group-lock value HVAC
That’s it. Now the hvac.guy user can ONLY authenticate if he is using the HVAC tunnel-group and pre-shared-key in his VPN client. If he happens to get a hold of the tunnel-group credentials for the CORP tunnel, his login credentials for hvac.guy will fail to give him access to the CORP tunnel and Corp resources.
2 Responses to “Restrict a user to a specific VPN Tunnel-Group”
Leave a Reply
Hello Aaron, you have just explained how to restrict user access but I need help with problem how to restrict access to ipaddress or network using username when I use access to company network by VPN client. Thank you.
Just create a different group-policy for that user and under the user attributes, assign that group-policy to the user. In that group-policy, only add the IP addresses to which you would like the user to have access to the interesting traffic ACL.
Alternatively, you can do the same thing (customer group-policy for the user) by creating another tunnel-group with the customer policy attached to it and lock the user to that group-policy.