How do I control who has access to Clientless SSL VPN on ASA 5520?

whiteford
Level 1

Hello,

I have set up clientless SSL VPN on my ASA. User authentication is done by RADIUS on a Windows server.

I have created a portal for users and a portal for IT guys. On the logon page users see the drop-down box to select IT or Sales. Thing is, users can log in to IT; how can I get it so IT can only log into the IT group and Sales into the Sales group?

Thanks

22 Replies

guibarati
Level 4

To do that you must use a feature called Group Lock.

You just enable group lock in the Group Policy of both groups.

Then in Windows IAS create two policies.

One that matches one Windows group and the other one that matches the other Windows group (Sales and IT).

Put the desired users in the right groups.

Edit the policy in IAS and make it return a parameter called "Class" (RADIUS number 25). The content of this parameter must be the exact name of the Group Policy where the user is trying to connect.

This is just what I need, I will test this tomorrow, hopefully you will be around if I get any issues :)

Does this also work for the SSL VPN client that downloads when you connect?

Thanks

Hi,

I have just gone onto the ASDM and can't find the group lock option, please help.

Thanks

It's under group-policy configuration.

I've just gone to clientless SSL VPN Access > Group policy > then my policy and can't see the option in there.

Am I going mad, I think I am.

You need to use a different group for them (not the default group...).

Go to the CLI:

group-policy "GROUP_NAME" attributes

group-lock "name"

This is what I have, so I will add group-lock "London":

group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn

webvpn

url-list value London

So I then need to add "London" to the Class attribute (25) in IAS? When I create it, the wizard asks if it's a VPN connection or Ethernet; will this connection be seen as a VPN?

Thanks

For IAS you should set it as VPN, but it actually does not matter.

To insert attribute 25 (Class) you have to:

Edit the policy, go to Edit Profile then, Advanced.

There, in Advanced, click "Add" and add the attribute "Class".

In the Class attribute (of IAS) put the same name you put in the group-lock line of the ASA.

In CLI this is what I get:

ASA(config-group-policy)#group-lock value London

WARNING: tunnel-group does not exist

Have I missed something in the config?

The group-lock value must be exactly the same as the name of the group.

Ah, you did say this, sorry. So "WebSSLGP-London", not "London".

Hmm..

This is what I have

group-policy WebSSLGP-London internal

group-policy WebSSLGP-London attributes

vpn-tunnel-protocol webvpn

webvpn

url-list value London

But the group name issue is happening again:

ASA# conf t

ASA(config)# group-policy WebSSLGP-London attributes

ASA(config-group-policy)# group-lock value WebSSLGP-London

WARNING: tunnel-group does not exist

ASA(config-group-policy)#

Isn't the group policy name the one I need to use here?

Thanks

Looks like the group-lock value needed to be the tunnel-group name. Now set.

Right, the last part is that it's failing on the IAS server.

The server's event log for my failure is:

Source: IAS

Event ID: 2

User andyw was denied access.

Fully-Qualified-User-Name = ms.local/London/IT/Andy

NAS-IP-Address = 1.2.3.4

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier = 81.3.3.3

Client-Friendly-Name = Cisco-ASA

Client-IP-Address = 1.2.3.4

NAS-Port-Type = Virtual

NAS-Port = 39

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name = WebSSL for London

Authentication-Type = PAP

EAP-Type =

Reason-Code = 66

Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

On the IAS Remote Access Policies I have created a policy which matches an AD group called WebSSL-London, and my account is in this.

If I then click edit profile > advanced there is a single entry called Class | RADIUS Standard | WebSSL-London

Do you want any screenshots?
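The thread converges on one mechanism: IAS returns a RADIUS Class attribute (25) naming the group policy, the group policy carries a group-lock whose value is a tunnel-group (connection profile) name, and the ASA denies the session when the profile the user picked in the drop-down is not the one the policy is locked to. The following Python model is an added example, not code from this thread, from Cisco or from Microsoft; it only reproduces that decision logic so the interaction can be checked offline. The tunnel-group names (London-TG, Sales-TG), the packet bytes and the user names are constructed, and the fail-closed handling of an unknown policy name is this model's choice rather than a statement about the ASA's real fallback. The Reason-Code 66 in the IAS log (authentication method, PAP, not enabled on the matching policy) is a separate IAS-side setting and is not modelled here.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2865); only the two needed here.
ATTR_USER_NAME = 1
ATTR_CLASS = 25          # the "Class" attribute the thread has IAS return


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as a Type(1) Length(1) Value TLV."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(payload):
    """Decode a run of RADIUS attribute TLVs into (type, value) pairs.

    Length fields are checked so a truncated or oversized attribute raises
    instead of being silently mis-parsed.
    """
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def class_to_group_policy(value):
    """Turn a Class value into a group-policy name.

    The thread uses the bare policy name; Cisco's documented form is
    'OU=<group-policy-name>;', so both spellings are accepted here.
    """
    text = value.decode("ascii")
    if text.startswith("OU="):
        text = text[3:].rstrip(";")
    return text


# Constructed ASA model (hypothetical names, not from the thread):
# tunnel-group (the connection profile chosen in the portal drop-down) ->
# its default group-policy, and group-policy -> group-lock. The lock value
# is a tunnel-group name, which is why the ASA in the thread warned
# "tunnel-group does not exist" when a non-existent name was given.
TUNNEL_GROUPS = {
    "London-TG": "WebSSLGP-London",
    "Sales-TG": "WebSSLGP-Sales",
}
GROUP_POLICIES = {
    "WebSSLGP-London": {"group-lock": "London-TG"},
    "WebSSLGP-Sales": {"group-lock": "Sales-TG"},
}


def evaluate_login(selected_tunnel_group, radius_attrs):
    """Apply the group-lock decision to one Access-Accept attribute section.

    Returns (allowed, effective_group_policy, reason).
    """
    if selected_tunnel_group not in TUNNEL_GROUPS:
        return False, None, "unknown tunnel-group"
    # Start from the tunnel-group's default policy; a Class attribute
    # returned by RADIUS overrides it.
    policy = TUNNEL_GROUPS[selected_tunnel_group]
    for attr_type, value in decode_attrs(radius_attrs):
        if attr_type == ATTR_CLASS:
            name = class_to_group_policy(value)
            if name not in GROUP_POLICIES:
                # Fail closed in this model on an unknown policy name (the
                # thread hit this when "London" was used instead of the
                # real policy name).
                return False, None, "Class names unknown group-policy %r" % name
            policy = name
    lock = GROUP_POLICIES[policy].get("group-lock")
    if lock is not None and lock != selected_tunnel_group:
        return False, policy, "group-lock: policy is locked to %s" % lock
    return True, policy, "ok"


if __name__ == "__main__":
    # Constructed Access-Accept attribute section for a Sales user.
    sales_accept = (encode_attr(ATTR_USER_NAME, b"sales.user")
                    + encode_attr(ATTR_CLASS, b"WebSSLGP-Sales"))
    print(evaluate_login("London-TG", sales_accept))  # denied by group-lock
    print(evaluate_login("Sales-TG", sales_accept))   # allowed
    # Without a Class attribute the lock cannot discriminate: the user just
    # gets whichever tunnel-group's default policy they picked.
    print(evaluate_login("London-TG", encode_attr(ATTR_USER_NAME, b"nobody")))
```

The last call in the block is the point worth taking from the thread: group-lock only restricts a user once RADIUS has actually assigned a group policy via Class. If the IAS policy does not return attribute 25 (or returns a name that does not match a group policy), the user lands in the default policy of whatever profile they selected and the lock decides nothing, so checking for the Class attribute in the RADIUS reply is the first thing to verify when the lock appears not to work.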
