How do I control who has access to Clientless SSL VPN on ASA 5520?

Unanswered Question
Nov 3rd, 2008


I have setup clientless SSL VPN on my ASA. User authentiation is done by RADIUS on a Windows server.

I have create a portal for users and a portal for IT guys. On the logon page users see the drop down box to select IT or sales. Things is users can login to IT, how can I get so IT can only log into the IT group and Sales in the Sales group?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
guibarati Mon, 11/03/2008 - 11:10

To do that you must use a feature called: Group lock.

You just enable group lock in the Group Policy of both grups.

Then in Windows IAS create two policies.

One with mach in one windows group and other one in other windows group (Sales and TI)

Put the desired users in the right groups.

Edit the policy in IAS and make it return a parameter called "Class" (RADIUS number 25). The content of this parameter must be the exact name of the Group Policy where the user is trying to connect.

whiteford Mon, 11/03/2008 - 13:13

This is just what I need, I will test this tomorrow, hopefully you will be around if I get any issues :)

Does this also work for the SSL VPN client that downloads when you connect?


whiteford Tue, 11/04/2008 - 04:59


I have just gone onto the ASDM and can't find the group lock option, please help.


whiteford Tue, 11/04/2008 - 05:09

I've just gone to clientless SSL VPN Access > Group policy > then my policy and can't see the option in there.

Am I going mad, I think I am.

guibarati Tue, 11/04/2008 - 05:20

You need to use different group to them. (no default_group...)

go to cli

group-policy "GROUP_NAME" attributes

group-lock "name"

whiteford Tue, 11/04/2008 - 05:30

This is what I have so I will add the group-lock "London"

group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn


url-list value London

So I then need to add "London" to the class 25 in IAS? When I create it this wizard asks if it's a VPN connection or Ethernet, will this connection be seen as a VPN.


guibarati Tue, 11/04/2008 - 05:38

For IAS you should set it as VPN, but it actually does not metter.

To insert the attribut 25 (class) you have to:

Edit the policy, go to Edit Profile then, Advanced.

There, in Advanced, click "Add" and add the atribute "Class".

In the attibute class (of IAS) put the same name you left in the Group-lock line of ASA.

whiteford Tue, 11/04/2008 - 05:36

In CLI this is what I get:

ASA(config-group-policy)#group-lock value London

WARNING: tunnel-group does not exist

Have I missed something in the config?

guibarati Tue, 11/04/2008 - 05:40

The group lock value must be exacly the same name of the group.

whiteford Tue, 11/04/2008 - 05:43

Ah, you did say this sorry so "WebSSLGP-London" not "London"

whiteford Tue, 11/04/2008 - 06:18


This is what I have

group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn


url-list value London

But the group name issues is happening againb:

ASA# conf t

ASA(config)# group-policy WebSSLGP-London attributes

ASA(config-group-policy)# group-lock value WebSSLGP-London

WARNING: tunnel-group does not exist


Is't the group policy name the one I need use here?


whiteford Tue, 11/04/2008 - 06:28

Looks like the group-lock value needed to be the tunnel group name. Now set.

whiteford Tue, 11/04/2008 - 07:07

Right, last part is it's failing on the IAS server.

The servers event log for my failure is:

Source: IAS

Even ID: 2

User andyw was denied access.

Fully-Qualified-User-Name = ms.local/London/IT/Andy

NAS-IP-Address =

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier =

Client-Friendly-Name = Cisco-ASA

Client-IP-Address =

NAS-Port-Type = Virtual

NAS-Port = 39

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WebSSL for London

Authentication-Type = PAP

EAP-Type =

Reason-Code = 66

Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

On the IAS remote Access Policies i have created a policy which matches an AD group called WebSSL-London and my account is in this.

If I then click edit profile > advanced there is a single entry called Class | RADIUS Standard | WebSSL-London

Do you want any screenshots?

whiteford Tue, 11/04/2008 - 07:59

I don't see this under the authentication tab. Mine is set to MS-Chap v2.

guibarati Tue, 11/04/2008 - 08:04

Sorry, but last post.

Enable all of them under Authentication tab, if it work you should see which it's using and leave it.

whiteford Tue, 11/04/2008 - 08:15

Already tried that. Thanks for your help, I'll wait in hope that someone else might shed some light.


whiteford Tue, 11/04/2008 - 08:30

For your info it's working now, It need to use PAP in the IAS authentication setting. This unencrypted which is not good, but start a fresh post about this part later.



This Discussion