WebVPN (clientless) + Windows Auth

Unanswered Question
Mar 18th, 2008

Hi All,

I've configured SSLVPN on Cisco ASA 5540 to authenticate using Windows AD by providing DomainController information. Though the authentication is working, I'm bit concerned about the security as this method of authentication mechanism would expose remote access to every other account on Windows AD (including service accounts).

Is there a mecahnism / way to restrict the authenticate to specific group of users while using Windows AD for authentication on Cisco ASA for SSLVpn?

Please note: There is no ACS server available on the network.

Appreciate quick help on this,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
mainesy Tue, 03/18/2008 - 08:30

You can setup Dynamic Access Policies and configure it for a particular AD Security Group. You would need to map the LDAP memberOf field to the AD Security Group name.


satishcp Fri, 03/21/2008 - 02:14

Hi Josh,

Thanks for this excellent suggestion. Though would like to know if I need to enable LDAP authentication for WebUsers OR still live with Windows Auth using the following commands..

aaa-server ADdomain protocol nt

aaa-server ADdomain host

nt-auth-domain.controller dc1


PeterBodzay Fri, 03/21/2008 - 12:45


another way might be to configure a MS IAS server on one of your Windows Servers.

Creating Remote Access policys and using the IAS as a Radius server might have a advantage that You can use it for more then just Web VPN, like perhaps 802.1x on WLANs etc.

Another would be that it might be easier to create multiple and different access policys for different AD-security groups.


Hope this helps in some way


This Discussion