When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool wohlerpool
authentication-server-group (inside) WohlerGroup LOCAL
default-group-policy WohlerSSLPolicy
You can also remove your "tunnel-group WohlerSSL"
Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.
1. URL based. Client will have to browse to that specific URL:
tunnel-group WohlerSSL webvpn-attributes
group-url https://vpn.company.com/wohlerssl enable
2. You can add a drop-down box on the on the login page to select the group.
webvpn
tunnel-group-list enable
!
tunnel-group WohlerSSL webvpn-attributes
group-alias WohlerSSL
3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.
4. If using local user database on ASA, you can also lock users into specific group policies.
username USERNAME password PASSWORD encrypted
username USERNAME attributes
group-lock value WohlerSSLPolicy
service-type remote-access
To answer you other question, you are looking for this:
group-policy WohlerSSLPolicy attributes
webvpn
svc ask none default svc
Regards,
Roman