ASA - Logging WebVPN entry URLs

Answered Question
Jun 18th, 2009

We have a Cisco ASA, and are using it for several WebVPN (a.k.a SSL VPN) connections.

Based on the URL, they are placed in various group profiles. For example, https://asa.mydomain.com/test will put them in the Test connection profile, while https://asa.mydomain.com/prod will put them in the Prod connection profile.

This is working fine, however, we'd like to be able to log (in the ASA log) the exact URL a user used to begin their session. Is that possible?

shanepresley Wed, 06/24/2009 - 07:47

Interesting thanks, that puts me on the right track.

However, we actually have a problem with users claiming they used the correct URL -- but we see them getting put into the Default WebVPN group.

I'm sure the ASA is functioning correctly. But we'd like proof of what URL the user started their session with (to check for typos, extra characters, etc).

Not possible?

Correct Answer
Todd Pula Wed, 06/24/2009 - 08:10

This isn't possible. If I had to guess without seeing your config, you are only using Group URLs as opposed to aliases and the selection drop-down. In a case like this, users accessing the FQDN such as http://vpn.yourcompany.com will default to the DefaultWebVPNGroup connection profile. If there are no session limits configured on this policy and the authentication is configured the same, then the user will be permitted access. You could use the DefaultWebVPNGroup as a catch-all and set the simultaneous logins to 0 in the policy to restrict access. A better approach would be to look into group locking.

shanepresley Mon, 06/29/2009 - 08:18

Very helpful, thanks! I forgot about group locking. Is my understanding correct... essentially it uses my RADIUS attribute tag to determine the group, regardless of Group URL?

Todd Pula Mon, 06/29/2009 - 09:48

Correct. You can use Radius Class Attribute #25 to specify the group policy that the user belongs to. The group policy on the ASA can then be configured with a group lock. With Cisco ACS 4.x, you can also use Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock to lock the user to a specific tunnel group.
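The two mitigations Todd describes across his replies, the DefaultWebVPNGroup catch-all with simultaneous logins set to 0 and group locking driven by the RADIUS Class attribute, sketched as an ASA configuration. This is an illustration added to the thread, not configuration posted by either participant or taken from Cisco documentation; the host name asa.mydomain.com and the Test/Prod group names come from the question, while the group-policy names Test-GP, Prod-GP and NoAccess-GP and the AAA server group name RADIUS-SRV are assumed.

```cisco
! --- Starting point (what the question describes): only group-urls select
! --- the connection profile. A user who browses to the bare FQDN, or mistypes
! --- the path, is not matched by any group-url and lands in DefaultWebVPNGroup.
! --- If that group authenticates the same way, the login still succeeds.
webvpn
 enable outside
!
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group Test webvpn-attributes
 group-url https://asa.mydomain.com/test enable
!
tunnel-group Prod type remote-access
tunnel-group Prod general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group Prod webvpn-attributes
 group-url https://asa.mydomain.com/prod enable

! --- Mitigation 1 (catch-all): give DefaultWebVPNGroup its own policy that
! --- permits zero simultaneous logins, so a bare or mistyped URL is refused
! --- instead of silently admitted under the default policy.
group-policy NoAccess-GP internal
group-policy NoAccess-GP attributes
 vpn-simultaneous-logins 0
tunnel-group DefaultWebVPNGroup general-attributes
 default-group-policy NoAccess-GP

! --- Mitigation 2 (group lock): each group policy is locked to its own tunnel
! --- group. The RADIUS server returns Class (attribute 25) = "OU=Test-GP;" or
! --- "OU=Prod-GP;" for the user; the ASA maps that to the group policy of the
! --- same name, and group-lock then rejects any session that arrived through a
! --- different tunnel group, whatever URL the user typed.
group-policy Test-GP internal
group-policy Test-GP attributes
 group-lock value Test
!
group-policy Prod-GP internal
group-policy Prod-GP attributes
 group-lock value Prod
!
tunnel-group Test general-attributes
 default-group-policy Test-GP
tunnel-group Prod general-attributes
 default-group-policy Prod-GP
! --- Alternatively, as Todd notes, the RADIUS server can return the Cisco ASA
! --- VSA Tunnel-Group-Lock (#85) with the tunnel-group name to achieve the same
! --- binding per user without a group-lock line in each group policy.
```

The two mitigations are independent: the catch-all alone stops the default group from admitting anyone, while group lock alone stops a correctly authenticated user from completing a session in the wrong group. Neither records the URL the user typed, which the thread establishes is not available; what changes is that a wrong URL now produces a refused login rather than a session in an unexpected group, which is a more useful signal to look for in the ASA log when a user disputes which URL they used.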
