Can SSL VPN Client user be put into a group?

Unanswered Question
Mar 15th, 2007

I have a 3015 VPN Concentrator. On that concentrator I have several IPSec groups but also have users that use the SSL Client. Can the users that come in using the SSL client be put into a group so I can authenticate them internally to the concentrator?

Kamal Malhotra Thu, 03/15/2007 - 06:58


Yes, you can use a specific group for the SSL client. Create users and bind those to the specific group created. Just make sure that WebVPN is enabled for the group you created.


Please rate if it helps,


king06aaa Thu, 03/15/2007 - 07:38

Thanks for your reply. I actually tried doing that, but it didn't work. I created a group and only had WebVPN enabled (disabled IPSec, etc.). Then I created a user that had that group. I thought that would work, but every time I tried to log on via SSL client, the authentication failed. I looked in the log and it was trying to authenticate to the Active Directory, which of course wouldn't work.

I didn't do anything under the IPSec tab where you specify the authentication method because it seemed to me that I wouldn't be using IPSec so that setting would be irrelevant.

What am I doing wrong?

Kamal Malhotra Thu, 03/15/2007 - 09:09


You are not doing anything wrong except trying to get around the default behaviour.

WebVPN authentication requests don't fall back to the second entry in the authentication server list configured in the global mode. Whatever is the first entry, the concentrator tries to authenticate the user accordingly. It seems that you have AD on the top in the list.


Please rate if it helps.



king06aaa Thu, 03/15/2007 - 11:07

You are correct, I do have internal last in my authentication list. But I don't really know what to do about that because most of the users that come in I want to authenticate against a RADIUS server or the AD. If I moved internal to the top of my authentication list, wouldn't that screw up the authentication for all my AD users? They wouldn't have entries internally to the concentrator, and since it was first in the list, wouldn't it try to authenticate internally and thereby fail?

