Clientless SSL VPN Groups

Answered Question
Nov 18th, 2007

Greetings. I currently have an ASA5520 in place running 8.0(2) IOS. We have configured a clientless SSL VPN portal that we are currently using as a "test run". One issue that we are trying to resolve deals with using groups at the SSL VPN login page. Right now the ASA is set to authenicate usernames/passwords to a Microsoft Windows 2003 server using IAS (RADIUS). This is working fine.

What we want to do is "lock in" the user account to a particular group alias in the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for "Group", "sales' and "tech". As it stands now, a user from sales can select either one of the groups displayed and still be authenicated. Is there anyway to deny login credentials if a user does not select the correct GROUP from the pull-down? This would definitely help us make sure that users are selecting the correct GROUP from the pull-down.

Any information would be greatly appreciated.


I have this problem too.
0 votes
Correct Answer by irisrios about 8 years 11 months ago

In order to put the user in the correct group, define RADIUS attribute 25 as ou=ASAGroupPolicyName. then try the group lock command to lock the users.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)


This Discussion