Different Group Policies for WEBVPN tunnels on ASA .. is it possible ..?

Unanswered Question
Jul 3rd, 2007
User Badges:
  • Gold, 750 points or more

Hi Netpros,

This is my situation .. it is regarding to Webvpn access using the Cisco SSL VPN client.

No rocket science .. I only need to provide full tunnel to some users and split tunneling to others (I know you can use the Cisco VPN client but that is not an option with this customer). I have tried several tests and it seems that the only policy all webvpn users received is the one applied to the built-in DefaultWEBVPNGroup group.

I even tried assigning a group policy to the users by modifying the user's properties from ASDM .. but still, webvpn access won't pick it up.

Any ideas (hopefully from Cisco) will be much appreciated.

ASDM version 5.2(2)

ASA code 7.2(2)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
alanajjar Wed, 07/04/2007 - 00:16
User Badges:


I need to ask if you try to create a new webvpn tunnel group other than the default one, you can then assign another group policy to it, and assign webvpn users to that tunnel.

hope it helpful

Fernando_Meza Wed, 07/04/2007 - 16:45
User Badges:
  • Gold, 750 points or more

yes .. that was the first thing I did .. have you actually got this working before ..? .

Fernando_Meza Mon, 07/09/2007 - 17:27
User Badges:
  • Gold, 750 points or more

HI .. I have actually got this working with Cisco TAC help. The key feature that needs to be enabled is 'enable tunnel group drop-down list on WebVPN login Page'. This is the WebVPN attributes->WebVPNAccess (disabled by default).

Next I had to add an alias for every tunnel group I wanted to use and finally configure the tunnels and policies accordingly. When the user connects now, a drop down list with different groups appears.

I am still trying to work out the way of stopping users from using a tunnel group they are not supposed to. I have tried modifiying the user attribute 'lock group' but it does not seem to make much difference with SVC client

I thought I shared this with whoever has similar issue.

stlieser Tue, 08/21/2007 - 01:29
User Badges:


yes it possible to assign different policies to different users or groups.

But the only way i know is to use a radius server. This Server must sends the attribut 25 (class). In this attribut you enter "OU=Policyname;". Then the user get the policy during authentication/authorization.


- Dont use a Defaultpolicy on your Tunnelgroup of WebVPN

- Dont use Grouplock


This Discussion