Different Group Policies for WEBVPN tunnels on ASA .. is it possible ..?

Fernando_Meza
Level 7

Hi Netpros,

This is my situation .. it is regarding WebVPN access using the Cisco SSL VPN client.

No rocket science .. I only need to provide full tunnel to some users and split tunneling to others (I know you can use the Cisco VPN client but that is not an option with this customer). I have tried several tests and it seems that the only policy all WebVPN users receive is the one applied to the built-in DefaultWEBVPNGroup tunnel group.

I even tried assigning a group policy to the users by modifying the user's properties from ASDM .. but still, WebVPN access won't pick it up.

Any ideas (hopefully from Cisco) will be much appreciated.

ASDM version 5.2(2)
ASA code 7.2(2)
ASA5520

4 Replies

alanajjar
Level 1

Hi,

I need to ask if you tried creating a new WebVPN tunnel group other than the default one; you can then assign another group policy to it and assign WebVPN users to that tunnel.

Hope it is helpful.

Yes .. that was the first thing I did .. have you actually got this working before ..?

Hi .. I have actually got this working with Cisco TAC help. The key feature that needs to be enabled is 'Enable tunnel group drop-down list on WebVPN login page'. This is under WebVPN attributes -> WebVPN Access (disabled by default).

Next I had to add an alias for every tunnel group I wanted to use and finally configure the tunnels and policies accordingly. When the user connects now, a drop-down list with different groups appears.

I am still trying to work out the way of stopping users from using a tunnel group they are not supposed to. I have tried modifying the user attribute 'lock group' but it does not seem to make much difference with the SVC client.

I thought I'd share this with whoever has a similar issue.
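The configuration the reply above describes (one tunnel group per group policy, a login-page alias for each, and the tunnel-group drop-down list switched on), written out as ASA 7.2 CLI. This is an added example and not the poster's or TAC's configuration; the policy names FULL-TUNNEL and SPLIT-TUNNEL, the tunnel-group names FULL-TG and SPLIT-TG, the alias strings, the SPLIT-NETS access list, the SVC package file name and the username are placeholders assumed for illustration.

```text
! Added example (not from the thread); all names below are placeholders.

! Networks that split-tunnel users reach through the tunnel
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0

! Group policy 1: everything goes through the tunnel
group-policy FULL-TUNNEL internal
group-policy FULL-TUNNEL attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 webvpn
  svc enable
  svc keep-installer installed

! Group policy 2: only SPLIT-NETS goes through the tunnel
group-policy SPLIT-TUNNEL internal
group-policy SPLIT-TUNNEL attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-NETS
 webvpn
  svc enable
  svc keep-installer installed

! One tunnel group per policy; the group-alias is the text shown in the
! drop-down list on the WebVPN login page
tunnel-group FULL-TG type webvpn
tunnel-group FULL-TG general-attributes
 default-group-policy FULL-TUNNEL
tunnel-group FULL-TG webvpn-attributes
 group-alias FullTunnel enable

tunnel-group SPLIT-TG type webvpn
tunnel-group SPLIT-TG general-attributes
 default-group-policy SPLIT-TUNNEL
tunnel-group SPLIT-TG webvpn-attributes
 group-alias SplitTunnel enable

! Global WebVPN settings: SVC package and the tunnel-group drop-down list
! (CLI equivalent of "Enable tunnel group drop-down list on WebVPN login page")
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 tunnel-group-list enable

! Pin a local user to one tunnel group so the drop-down choice cannot move
! that user onto the other policy (the poster reports this did not take
! effect for the SVC client in his tests)
username alice password <secret>
username alice attributes
 vpn-group-policy FULL-TUNNEL
 group-lock value FULL-TG
```

To confirm which tunnel group and group policy a connected client actually landed in, run `show vpn-sessiondb svc` on the ASA and compare the Group Policy and Tunnel Group columns against the alias the user picked at login; that is the quickest way to see whether a lock or policy assignment is being honoured.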

stlieser
Level 1

Hi,

Yes, it is possible to assign different policies to different users or groups.

But the only way I know is to use a RADIUS server. This server must send attribute 25 (Class). In this attribute you enter "OU=Policyname;". Then the user gets the policy during authentication/authorization.

PS:

- Don't use a default policy on your WebVPN tunnel group

- Don't use group-lock
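The RADIUS approach from the reply above, as an added example rather than the poster's own setup: the RADIUS server returns attribute 25 (Class) with the value "OU=<group-policy-name>;" and the ASA applies the group policy of that name to the session. The server-side entries use FreeRADIUS 2.x `users` file syntax; the server address 192.0.2.10, the aaa-server name RADIUS-SRV, the usernames and the group-policy names FULL-TUNNEL and SPLIT-TUNNEL are assumptions for illustration, and the named group policies must already exist on the ASA.

```text
# --- FreeRADIUS 'users' file (added example; placeholder accounts) ---
# The reply item "Class" is RADIUS attribute 25. The value must be exactly
# "OU=<name>;" where <name> is a group-policy configured on the ASA.
alice   Cleartext-Password := "alice-secret"
        Class = "OU=FULL-TUNNEL;"

bob     Cleartext-Password := "bob-secret"
        Class = "OU=SPLIT-TUNNEL;"

! --- ASA 7.2 side (added example; placeholder names and address) ---
! Define the RADIUS server and point the WebVPN tunnel group at it.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <shared-secret>

! No default-group-policy is set here on purpose (per the reply's PS):
! the policy comes from the Class attribute returned for each user.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-SRV
```

If a user ends up with the wrong policy, check two things: `debug radius` on the ASA shows the Access-Accept and whether a Class attribute was returned at all, and `show vpn-sessiondb svc` shows the Group Policy the session was assigned. A Class value whose OU= part does not match an existing group-policy name character for character is silently ignored, so mismatched case or a missing trailing semicolon is the usual cause.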
