Authentication of inside users ASA (EasyVPN)

Unanswered Question
Dec 8th, 2008

Greetings All

Authentication of users behind ASA 5505 connected to VPN3000 Concentrator with EasyVPN

According to the law in a certain country, we need to log the following:

Time & Datestamp

Username/ip address of the pc inside

Which sites they have visited (ip's, URL's etc..)

Eg. 11/4-2008 domain\john ip visited ip

I would like to achieve this with using the ASA 5505 and my Cisco ACS 4.1 on my LAN behind the VPN3000 Concentrator.

Im trying to setup forced authentication for the users on the inside interface (lan) of the ASA5505. I need to force them to authenticate before they will be able to get any access outside their lan.

I have read on the forum, and tried som different solutions, but not been able to get any solution to work with all the needed info and also to work in conjunction with EasyVPN (Network Extension-Mode).

I tried with cut-thru proxy solution from the guide here:

It does not work, because the include/exclude statements is not allowed in conjunction with EasyVPN.

Error: WARNING: <_vpnc_nwp_acl> found duplicate element

WARNING: <_vpnc_nwp_acl> found duplicate element

Hybrid configurations using 'match' and 'include|exclude' are not supported

I have then looked at enabling "Individual User Authentication (IUA)", but since Im using split-tunneling, it seemes like its only for the

tunnelled networks authentication is enforced. And I dont want to tunnell all- hence the repsone-times to the remote site is very high.

Last I tried to make som HTTP redirect with aaa authentication listener http[s] interface_name [port portnum] [redirect], but thats also not

allowed in conjunction with EasyVPN.


* Remove 'aaa authentication listener' configuration

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote

operation has been detected, and is listed above. Please resolve the

above configuration conflict(s) and re-enable.

The ASA is currently running IOS 7.2(4), but there's no problem in upgrading it to 8.0(4) if that could help me make a solution.

Is it possible to make this work somehow ?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
nefkensp Thu, 12/11/2008 - 11:44

Hello Claus,

Have you tried downloadable access lists in combination with the ACS for the authentication? You can then use the accounting options of that downloadable access list to register who has done what.

You can do this in combination with the virtual http listener or the virtual telnet listener.

Check out:

Hope this helps


P-J Nefkens


This Discussion