ASA SSL VPN problems

Unanswered Question
Aug 3rd, 2009

Hi All,

I have two issue with SSL VPN configuration in ASA:

1- I have setup Microsoft IAS as RADIUS server for authentication. when I try to login to SSL VPN, the username and password in AD doesn't work and still I have to login with local username and password. RADIUS server is working with VPN client though.

2- I like when user acecss to webvpn, SVC package automatically download to client PC. But still clientless SSL VPN portal is shown rather than download SVC package.

Please find the show version and show run in the attachment.

any suggestion would be very appreciated.

thanks

Alex

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Roman Rodichev Mon, 08/03/2009 - 14:10

When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool wohlerpool

authentication-server-group (inside) WohlerGroup LOCAL

default-group-policy WohlerSSLPolicy

You can also remove your "tunnel-group WohlerSSL"

Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.

1. URL based. Client will have to browse to that specific URL:

tunnel-group WohlerSSL webvpn-attributes

group-url https://vpn.company.com/wohlerssl enable

2. You can add a drop-down box on the on the login page to select the group.

webvpn

tunnel-group-list enable

!

tunnel-group WohlerSSL webvpn-attributes

group-alias WohlerSSL

3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.

4. If using local user database on ASA, you can also lock users into specific group policies.

username USERNAME password PASSWORD encrypted

username USERNAME attributes

group-lock value WohlerSSLPolicy

service-type remote-access

To answer you other question, you are looking for this:

group-policy WohlerSSLPolicy attributes

webvpn

svc ask none default svc

Regards,

Roman

Actions

This Discussion