SSL Tunnel Groups

Unanswered Question
Oct 3rd, 2007
User Badges:


Has anyone set up ACS security for SSL/Webvpn Tunnel Groups on the ASA.

I want to set up multiple tunnel groups for different SSL VPNs and control Authentication via ACS.

How do I ensure that when the user has Authenticated, he can only access a particular Tunnel Group?

There doesn't appear to be any way to tie the username name with the allowed tunnel on the ASA.

With IPSEC VPN - the client provides the group and corresponding pre-shared key to associate the user with an IPSEC Tunnel, but this doesn't work for SSL.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Danilo Dy Thu, 10/04/2007 - 06:10
User Badges:
  • Blue, 1500 points or more


I'm able to do that using Microsoft AD (as LDAP) and Microsoft IAS (as RADIUS) with over 100 tunnel groups and thousands of users.

- User can be a member of only one tunnel group (limitation).

- Each tunnel group have ACL/ACE to allow access only to specific host(s)/network(s) and services/ports.

- There is no drop-down list of tunnel groups in the login page. Give and take though, all tunnel groups will be sharing one vpn pool. If I want dedicated vpn pool for each tunnel group, the drop-down list is a must.


Dandy Mon, 10/22/2007 - 03:22
User Badges:

Can you elaborate a bit more on how this is acomplished?

I am using RADIUS to A/D or NDS on my usual set-up's but I too would like to know how the username is associated with the Tunnel Group.

Many thanks,



This Discussion