Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
1
Replies

ASA SSL VPN problems

alex goshtaei
Level 1
Level 1

‎08-03-2009 09:28 AM - edited ‎03-11-2019 09:02 AM

Hi All,

I have two issue with SSL VPN configuration in ASA:

1- I have setup Microsoft IAS as RADIUS server for authentication. when I try to login to SSL VPN, the username and password in AD doesn't work and still I have to login with local username and password. RADIUS server is working with VPN client though.

2- I like when user acecss to webvpn, SVC package automatically download to client PC. But still clientless SSL VPN portal is shown rather than download SVC package.

Please find the show version and show run in the attachment.

any suggestion would be very appreciated.

thanks

Alex

Labels:
Preview file
7 KB
0 Helpful
1 Reply 1

Roman Rodichev
Level 7
Level 7

‎08-03-2009 02:10 PM

When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool wohlerpool

authentication-server-group (inside) WohlerGroup LOCAL

default-group-policy WohlerSSLPolicy

You can also remove your "tunnel-group WohlerSSL"

Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.

1. URL based. Client will have to browse to that specific URL:

tunnel-group WohlerSSL webvpn-attributes

group-url https://vpn.company.com/wohlerssl enable

2. You can add a drop-down box on the on the login page to select the group.

webvpn

tunnel-group-list enable

!

tunnel-group WohlerSSL webvpn-attributes

group-alias WohlerSSL

3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.

4. If using local user database on ASA, you can also lock users into specific group policies.

username USERNAME password PASSWORD encrypted

username USERNAME attributes

group-lock value WohlerSSLPolicy

service-type remote-access

To answer you other question, you are looking for this:

group-policy WohlerSSLPolicy attributes

webvpn

svc ask none default svc

Regards,

Roman

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card