08-03-2009 09:28 AM - edited 03-11-2019 09:02 AM
Hi All,
I have two issues with SSL VPN configuration in ASA:
1- I have set up Microsoft IAS as the RADIUS server for authentication. When I try to log in to SSL VPN, the username and password in AD don't work and I still have to log in with a local username and password. The RADIUS server is working with the VPN client, though.
2- I would like the SVC package to download automatically to the client PC when a user accesses webvpn. But the clientless SSL VPN portal is still shown rather than the SVC package being downloaded.
Please find the show version and show run in the attachment.
Any suggestions would be very much appreciated.
Thanks
Alex
08-03-2009 02:10 PM
When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool wohlerpool
 authentication-server-group (inside) WohlerGroup LOCAL
 default-group-policy WohlerSSLPolicy
You can also remove your "tunnel-group WohlerSSL"
Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for the client to tell ASA which group it belongs to.
1. URL based. Client will have to browse to that specific URL:
tunnel-group WohlerSSL webvpn-attributes
 group-url https://vpn.company.com/wohlerssl enable
2. You can add a drop-down box on the login page to select the group.
webvpn
 tunnel-group-list enable
!
tunnel-group WohlerSSL webvpn-attributes
 group-alias WohlerSSL
3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.
4. If using the local user database on ASA, you can also lock users into specific group policies.
username USERNAME password PASSWORD encrypted
username USERNAME attributes
 ! vpn-group-policy assigns a group policy; group-lock value expects a tunnel-group name
 vpn-group-policy WohlerSSLPolicy
 service-type remote-access
To answer your other question, you are looking for this:
group-policy WohlerSSLPolicy attributes
 webvpn
  svc ask none default svc
Regards,
Roman
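An offline check for the behaviour described in the answer above, as an added example that is not part of the original posts: it reads a saved running-config and reports which AAA server group and group policy each tunnel-group resolves to, including DefaultWEBVPNGroup when it has no explicit settings. The sample config is constructed from the names in this thread (WohlerVPN is a hypothetical IPsec tunnel-group name), and the fallbacks assume the ASA defaults of LOCAL authentication and DfltGrpPolicy.

```python
import re

# Constructed sample: DefaultWEBVPNGroup has no general-attributes block,
# which is the situation described in the question.
SAMPLE_CONFIG = """\
tunnel-group WohlerVPN type remote-access
tunnel-group WohlerVPN general-attributes
 address-pool wohlerpool
 authentication-server-group WohlerGroup
tunnel-group WohlerSSL type remote-access
tunnel-group WohlerSSL general-attributes
 authentication-server-group (inside) WohlerGroup LOCAL
 default-group-policy WohlerSSLPolicy
tunnel-group WohlerSSL webvpn-attributes
 group-url https://vpn.company.com/wohlerssl enable
"""

# authentication-server-group [(interface)] <server-group> [LOCAL]
AUTH_RE = re.compile(
    r"authentication-server-group\s+(?:\(\S+\)\s+)?(\S+)(\s+LOCAL)?$")
HEAD_RE = re.compile(r"tunnel-group (\S+) general-attributes$")

def tunnel_group_auth(config):
    """Return {tunnel-group: settings} from general-attributes blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level command
            m = HEAD_RE.match(line)
            current = groups.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                   # sub-command of another block
            continue
        line = line.strip()
        m = AUTH_RE.match(line)
        if m:
            current["server_group"] = m.group(1)
            current["local_fallback"] = bool(m.group(2))
        elif line.startswith("default-group-policy "):
            current["policy"] = line.split()[1]
    return groups

def effective(groups, name="DefaultWEBVPNGroup"):
    """(server group, group policy) for a tunnel-group, with ASA defaults."""
    g = groups.get(name, {})
    return g.get("server_group", "LOCAL"), g.get("policy", "DfltGrpPolicy")

if __name__ == "__main__":
    parsed = tunnel_group_auth(SAMPLE_CONFIG)
    for tg in ("DefaultWEBVPNGroup", *parsed):
        print(tg, effective(parsed, tg))
```

A result of ("LOCAL", "DfltGrpPolicy") for DefaultWEBVPNGroup means portal logins without a group-url or group-alias never reach the RADIUS server.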