LTLnetworker | IT networks, security, Cisco

Local user group-lock in IOS Easy VPN

Posted by ltlnetworker on May 7, 2010


Cisco router IOS Easy VPN Server

The group-lock feature can also be used with local users; it even lets us create something like ‘local user groups’. The possible username formats are:

name/group, name\group, name@group, or name%group


username user1 password user1
username user2@R102-EZVPN password user2
username user3@gr3 password user3

crypto isakmp client configuration group R102-EZVPN
 !...
 group-lock


I tested it with the Cisco VPN Client. It is not enough to enter ‘user2’ as the username; you have to type user2@R102-EZVPN. Neither ‘user1’ nor ‘user3’ nor ‘user3@gr3’ is accepted, as the router has only the R102-EZVPN group in its config.

If the group-lock command is removed, the connection is authenticated with any full username:

user1, user2@R102-EZVPN, user3@gr3

but ‘user2’ or ‘user3’ alone is not enough.

This method can be useful to prevent a user from connecting with a VPN group other than the one he is assigned to. (He might have obtained that group’s credentials from someone else.)
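To make the observed behaviour easier to reason about, here is a small model of the lookup-and-lock logic described above. This is an added example, not Cisco code and not from the original post: the function names, the data structures, and the rule that only the first delimiter splits the username are assumptions made for illustration. The user database and the group definition are constructed to mirror the page’s configuration.

```python
# Added example: a model of how IOS Easy VPN group-lock behaves with local
# usernames, as described on this page. NOT Cisco's implementation; names,
# data structures and delimiter handling are assumptions for illustration.

from typing import Dict, Optional, Tuple

# The four delimiters the page lists for "name<delim>group" usernames
GROUP_DELIMITERS = "/\\@%"

# Constructed local user database mirroring the page's 'username' lines
# (plaintext passwords are sample data only)
LOCAL_USERS: Dict[str, str] = {
    "user1": "user1",
    "user2@R102-EZVPN": "user2",
    "user3@gr3": "user3",
}

# Constructed ISAKMP client group table; the page's router has exactly one
# group, R102-EZVPN, with group-lock enabled
ISAKMP_GROUPS: Dict[str, dict] = {
    "R102-EZVPN": {"key": "pw1", "group_lock": True},
}


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split 'name@group' (or the /, \\, % variants) into (name, group).

    Returns (username, None) when no delimiter is present. Splitting on the
    first delimiter only is an assumption, not a documented IOS rule."""
    for i, ch in enumerate(username):
        if ch in GROUP_DELIMITERS:
            return username[:i], username[i + 1:]
    return username, None


def xauth_authenticate(connect_group: str, username: str, password: str,
                       groups: Dict[str, dict] = ISAKMP_GROUPS) -> Tuple[bool, str]:
    """Model XAuth against the local database with optional group-lock.

    connect_group is the ISAKMP group negotiated in phase 1 (the group name
    configured in the VPN client). Returns (accepted, reason)."""
    group_cfg = groups.get(connect_group)
    if group_cfg is None:
        return False, "unknown isakmp group"
    # The local lookup is on the full string as typed: 'user2' is not
    # 'user2@R102-EZVPN', so it fails whether or not group-lock is set.
    if LOCAL_USERS.get(username) != password:
        return False, "local authentication failed"
    if not group_cfg["group_lock"]:
        return True, "authenticated (no group-lock)"
    _, user_group = split_username(username)
    if user_group is None:
        return False, "group-lock: username carries no group"
    if user_group != connect_group:
        return False, f"group-lock: user group {user_group!r} != {connect_group!r}"
    return True, "authenticated (group-lock satisfied)"


def page_scenarios(group_lock: bool) -> Dict[str, bool]:
    """Run the usernames tried on the page against group R102-EZVPN."""
    groups = {"R102-EZVPN": {"key": "pw1", "group_lock": group_lock}}
    attempts = {  # username -> password the user would type
        "user1": "user1",
        "user2": "user2",
        "user2@R102-EZVPN": "user2",
        "user3": "user3",
        "user3@gr3": "user3",
    }
    return {u: xauth_authenticate("R102-EZVPN", u, p, groups)[0]
            for u, p in attempts.items()}


if __name__ == "__main__":
    for lock in (True, False):
        print(f"group-lock={'on' if lock else 'off'}:")
        for user, ok in page_scenarios(lock).items():
            print(f"  {user:18} -> {'accepted' if ok else 'rejected'}")
```

With group-lock on, only user2@R102-EZVPN is accepted; with it off, every full username in the database is accepted but the bare ‘user2’ and ‘user3’ still fail, which matches the two test results reported above.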


Detailed config:

upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R102
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login xauth local
aaa authorization network xauth local
!
!
!
!
!
aaa session-id common
!
!
!
ip cef
!
!
!
ip dhcp-client default-router distance 1
ip dhcp-client forcerenew
ipv6 unicast-routing
ipv6 cef
!
username user1 password 7 1402010E1E55
username user2@R102-EZVPN password 7 111C0A000540
username user3@gr3 password 7 06131C245E1D
!
policy-map POL128k
 class class-default
    shape average 128000
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group R102-EZVPN
 key pw1
 domain lab.local
 pool R102_Loopback1
 acl EZsplit
 group-lock
 netmask 255.255.255.0
 banner %
   HELLO
  %
! a single isakmp profile and ipsec profile is sufficient even if you use multiple groups above
crypto isakmp profile EZVPN
   match identity group R102-EZVPN
   ! here you can add multiple match statements (OR relation), e.g.:
   !match identity group gr3
   client authentication list xauth
   isakmp authorization list xauth
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set RA esp-3des esp-md5-hmac
!
crypto ipsec profile EZ
 set transform-set RA
 set isakmp-profile EZVPN
!
interface Loopback1
 ip address 192.168.102.1 255.255.255.0
 !
!
interface FastEthernet1/0
 description inside LAN
 ip address 10.1.1.102 255.255.255.0
!
interface FastEthernet2/0
 description outside - VPN clients
 ip address 192.168.159.102 255.255.255.0
!
interface Virtual-Template5 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ
 service-policy output POL128k
! input shaping is not supported, I tried it and got:
! *Apr 25 14:09:58.627: AAA SRV(0000003B): Return Authentication status=PASS
! Traffic Shaping feature not supported in input policy.
!
router eigrp 192
 network 192.168.0.0 0.0.255.255
!
ip local pool R102_Loopback1 192.168.102.11 192.168.102.19
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip access-list extended EZsplit
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
!
line con 0
 exec-timeout 1200 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end


Software versions:

c7200-adventerprisek9-mz.150-1.M.bin

Cisco VPN Client 5.0.02.0090 on XP
