How do I control who has access to Clientless SSL VPN on ASA 5520?

Nov 3rd, 2008

Hello,


I have set up clientless SSL VPN on my ASA. User authentication is done by RADIUS on a Windows server.


I have created a portal for users and a portal for IT guys. On the logon page users see the drop-down box to select IT or Sales. Thing is, users can log in to IT; how can I get it so IT can only log into the IT group and Sales into the Sales group?


Thanks

guibarati Mon, 11/03/2008 - 11:10

To do that you must use a feature called Group Lock.


You just enable group lock in the Group Policy of both groups.


Then in Windows IAS create two policies.


One matching one Windows group and the other one matching the other Windows group (Sales and IT).

Put the desired users in the right groups.


Edit the policy in IAS and make it return a parameter called "Class" (RADIUS number 25). The content of this parameter must be the exact name of the Group Policy where the user is trying to connect.

whiteford Mon, 11/03/2008 - 13:13

This is just what I need, I will test this tomorrow, hopefully you will be around if I get any issues :)


Does this also work for the SSL VPN client that downloads when you connect?


Thanks

whiteford Tue, 11/04/2008 - 04:59

Hi,


I have just gone onto the ASDM and can't find the group lock option, please help.


Thanks

guibarati Tue, 11/04/2008 - 05:07

It's under group-policy configuration.

whiteford Tue, 11/04/2008 - 05:09

I've just gone to clientless SSL VPN Access > Group policy > then my policy and can't see the option in there.


Am I going mad, I think I am.

guibarati Tue, 11/04/2008 - 05:20

You need to use a different group for them (no default_group...).


Go to the CLI:


group-policy "GROUP_NAME" attributes

group-lock "name"

whiteford Tue, 11/04/2008 - 05:30

This is what I have, so I will add group-lock "London":


group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn

webvpn

url-list value London


So I then need to add "London" to the Class (25) attribute in IAS? When I create it, the wizard asks if it's a VPN connection or Ethernet; will this connection be seen as a VPN?


Thanks

guibarati Tue, 11/04/2008 - 05:38

For IAS you should set it as VPN, but it actually does not matter.


To insert attribute 25 (Class) you have to:


Edit the policy, go to Edit Profile, then Advanced.


There, in Advanced, click "Add" and add the attribute "Class".

In the Class attribute (of IAS) put the same name you left in the group-lock line of the ASA.

whiteford Tue, 11/04/2008 - 05:36

In CLI this is what I get:


ASA(config-group-policy)#group-lock value London

WARNING: tunnel-group does not exist



Have I missed something in the config?

guibarati Tue, 11/04/2008 - 05:40

The group-lock value must be exactly the same as the name of the group.

whiteford Tue, 11/04/2008 - 05:43

Ah, you did say this, sorry. So "WebSSLGP-London", not "London".

whiteford Tue, 11/04/2008 - 06:18

Hmm..


This is what I have:


group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn

webvpn

url-list value London


But the group name issue is happening again:


ASA# conf t

ASA(config)# group-policy WebSSLGP-London attributes

ASA(config-group-policy)# group-lock value WebSSLGP-London

WARNING: tunnel-group does not exist

ASA(config-group-policy)#


Isn't the group policy name the one I need to use here?


Thanks

whiteford Tue, 11/04/2008 - 06:28

Looks like the group-lock value needed to be the tunnel group name. Now set.

whiteford Tue, 11/04/2008 - 07:07

Right, the last part is that it's failing on the IAS server.


The server's event log for my failure is:


Source: IAS

Event ID: 2


User andyw was denied access.

Fully-Qualified-User-Name = ms.local/London/IT/Andy

NAS-IP-Address = 1.2.3.4

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier = 81.3.3.3

Client-Friendly-Name = Cisco-ASA

Client-IP-Address = 1.2.3.4

NAS-Port-Type = Virtual

NAS-Port = 39

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WebSSL for London

Authentication-Type = PAP

EAP-Type =

Reason-Code = 66

Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.


On the IAS Remote Access Policies I have created a policy which matches an AD group called WebSSL-London, and my account is in this.


If I then click Edit Profile > Advanced, there is a single entry: Class | RADIUS Standard | WebSSL-London


Do you want any screenshots?

guibarati Tue, 11/04/2008 - 07:50

Enable the right authentication method in the policy.

whiteford Tue, 11/04/2008 - 07:59

I don't see this under the Authentication tab. Mine is set to MS-CHAP v2.

guibarati Tue, 11/04/2008 - 08:04

Sorry, but last post.


Enable all of them under the Authentication tab; if it works you should see which one it's using and leave that.

whiteford Tue, 11/04/2008 - 08:15

Already tried that. Thanks for your help, I'll wait in hope that someone else might shed some light.


Cheers

whiteford Tue, 11/04/2008 - 08:30

For your info, it's working now. It needed to use PAP in the IAS authentication setting. This is unencrypted, which is not good, but I'll start a fresh post about this part later.


Thanks
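The configuration the thread converges on (group-lock naming the tunnel-group, IAS asserting the group-policy through RADIUS Class), written out as an added, constructed ASA example rather than the poster's own config. The RADIUS server address, the server-group name IAS-RADIUS and the Sales tunnel-group and alias names are assumptions.

```cisco
! Constructed example, not the poster's config. Assumptions: RADIUS server 10.0.0.5,
! server-group name IAS-RADIUS, and a Sales tunnel-group mirroring the London one.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
!
! tunnel-group-list enable is what shows the group drop-down on the logon page.
webvpn
 enable outside
 tunnel-group-list enable
!
! group-lock takes the TUNNEL-GROUP name, not the group-policy name; using the
! latter produces the thread's "WARNING: tunnel-group does not exist".
group-policy WebSSLGP-London internal
group-policy WebSSLGP-London attributes
 vpn-tunnel-protocol webvpn
 group-lock value WebSSL-London
 webvpn
  url-list value London
!
group-policy WebSSLGP-Sales internal
group-policy WebSSLGP-Sales attributes
 vpn-tunnel-protocol webvpn
 group-lock value WebSSL-Sales
!
! One tunnel-group per portal, each with an alias for the drop-down.
tunnel-group WebSSL-London type remote-access
tunnel-group WebSSL-London general-attributes
 authentication-server-group IAS-RADIUS
 default-group-policy WebSSLGP-London
tunnel-group WebSSL-London webvpn-attributes
 group-alias London enable
!
tunnel-group WebSSL-Sales type remote-access
tunnel-group WebSSL-Sales general-attributes
 authentication-server-group IAS-RADIUS
 default-group-policy WebSSLGP-Sales
tunnel-group WebSSL-Sales webvpn-attributes
 group-alias Sales enable
!
! Enforcement: IAS matches the user's Windows group and returns Class (25) naming
! the group-policy (Cisco documents the value as "OU=WebSSLGP-London;"; the thread
! used the bare name). The ASA applies that policy and compares its group-lock
! with the tunnel-group the user selected: a Sales user who picks "London" gets
! WebSSLGP-Sales, whose lock says WebSSL-Sales, so the login is refused even with a
! valid password. Check which policy was applied with: show vpn-sessiondb webvpn
```

The thread's last finding applies here too: the ASA sends the RADIUS request as PAP, so the IAS policy must permit PAP; on the wire the User-Password attribute is hidden with the RADIUS shared secret (and the browser-to-ASA leg is TLS), which is why the shared secret should be long and random.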
