Different auth methods for Clientless & AnyConnect?

Unanswered Question
Sep 8th, 2009

The goal: To allow Clientless(portal) connections with only username/password authentication (LDAP in this case) while requiring two-factor (LDAP & Certificate) authentication for AnyConnect connections.

The config: Since the auth methods are configured within connection profiles/tunnel groups, I am using two different profiles, one requiring only LDAP auth for use with clientless and one requiring both LDAP and client certificate authentication for AnyConnect. I have not enabled the option to allow users to choose their connection profile.

The only way I have been able to get the AnyConnect client to use anything other than the "DefaultWEBVPNGroup" profile was to use a URL mapping for the AnyConnect tunnel group, a custom AnyConnect client profile (to specify the custom URL), and a DAP policy to deny AnyConnect connections on the "DefaultWEBVPNGroup" tunnel group.

Resulting behavior: Web portal requires only username and password. Stand-alone AnyConnect connections require username/password & client certificate.

The problem: Weblaunch (launching AnyConnect from the portal) installs the client, but throws an error and disconnects (see attached). Subsequent stand-alone AnyConnect connection attempts work fine.

I assume this issue is related to the different tunnel groups using different authentication methods. If I disable the DAP policy, weblaunch works without erros, but it connects without requiring two-factor authentication.

Does anyone know if what I am trying to do is possible and/or supported? I am open to alternative suggestions as well.

Thanks,

Aaron

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Todd Pula Thu, 09/10/2009 - 08:29

Sounds like you are 95% of the way there. You can definitely get this to work. Based on your description of the problem when trying to web launch AnyConnect, it sounds like you are not matching the correct tunnel group. As you stated, when using more specific connection profiles, you need to give users a means to identify which TG they want to connect to. This is typically achieved via a drop down selection box, group URL, or certificate attribute map. In your case, it sounds like you are using group URLs. With this approach, you will have two more specific URLs for your users to access. For web launch and standalone AnyConnect clients, they may access https://vpn.vpn.com/anyconnect while your clientless users may access https:/vpn.vpn.com/webvpn. The catch as you found is what happens when a user tries to go to the root https://vpn.vpn.com? In this case, the user will hit the default WebVPN TG. I would have to see your DAP policy to understand what policies you have implemented. If you take DAP out of the picture for a moment, a few quick workarounds to preventing AnyConnect users from being able to log into the default WebVPN group is to remove the corresponding tunneling protocol from the default group policy. Alternatively, you could set the simultaneous logins to 0 in the default group policy. You may also want to look into configuring group locking to prevent users from logging into a TG that they don't belong to. With respect to your certificate requirement, ASA 8.2.1 code allows you to configure client certificate authentication on a TG by TG basis. This is more flexible than 8.0 where this is enabled globally.

aaron.g.smith Thu, 09/10/2009 - 09:33

Interesting that you should mention removing the tunneling protocol from the group policy. I have done exactly this and the AnyConnect client still connects using that profile/group policy pair even though the only protocol specified is "webvpn". It's because of this that I had to resort to using DAP. Below are the commands I have in place for the two different group policies. Notice the banners and the tunnel-protocol commands. When connecting via AnyConnect I see the banner "This is the Portal Policy" even though "svc" isn't specified as a tunnel protocol.

group-policy mycompany_Portal internal

group-policy mycompany_Portal attributes

banner value This is the Portal Policy

vpn-tunnel-protocol webvpn

group-lock value DefaultWEBVPNGroup

webvpn

svc profiles value mycompany_AnyConnect_v1

group-policy mycompany_AnyConnect internal

group-policy mycompany_AnyConnect attributes

banner value This is the AnyConnect Policy

vpn-tunnel-protocol svc

group-lock value AnyConnect

webvpn

svc profiles value mycompany_AnyConnect_v1

Something tells me that regardless of how I deny the AnyConnect clinet from connecting to the default profile, I'm still going to have problems with web launch, unless there is a way to specify the URL that is used by web launch.

Thanks for your reply.

Todd Pula Thu, 09/10/2009 - 11:00

Here is a quick example from my ASA using a group URL to achieve what you are looking for. In my case, I set the tunneling protocol of the default group policy to IPSec and built two more specific tunnel groups and group policies, one for AnyConnect and one for clientless WebVPN.

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

group-policy Clientless internal

group-policy Clientless attributes

vpn-tunnel-protocol webvpn

group-policy AnyConnect internal

group-policy AnyConnect attributes

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool TRUSTED-POOL

authentication-server-group LDAP

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

authentication aaa certificate

group-alias AnyConnect enable

group-url https://10.10.10.10/anyconnect enable

tunnel-group WebVPN type remote-access

tunnel-group WebVPN general-attributes

authentication-server-group LDAP

default-group-policy Clientless

tunnel-group WebVPN webvpn-attributes

group-alias WebVPN enable

group-url https://10.10.10.10/webvpn enable

aaron.g.smith Mon, 09/14/2009 - 11:34

My config is almost identical, however when using web launch, the AnyConnect client will still establish a connection using the 'WebVPN' tunnel group and will do so with only LDAP authentication.

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

group-policy mycompany_Portal internal

group-policy mycompany_Portal attributes

banner value mycompany Portal Policy

vpn-tunnel-protocol webvpn

group-policy mycompany_AnyConnect internal

group-policy mycompany_AnyConnect attributes

banner value mycompany AnyConnect Policy

vpn-tunnel-protocol svc

webvpn

svc profiles value mycompany_anyconnect_v1

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

authentication-server-group mycompany_LDAP

default-group-policy mycompany_AnyConnect

password-management

tunnel-group AnyConnect webvpn-attributes

authentication aaa certificate

group-alias anyconnect enable

group-url https://vpn.mycompany.com/anyconnect enable

tunnel-group WebVPN type remote-access

tunnel-group WebVPN general-attributes

authentication-server-group mycompany_LDAP

default-group-policy mycompany_Portal

tunnel-group WebVPN webvpn-attributes

group-alias WebVPN enable

group-url https://vpn.mycompany.com enable

At this point I'm thinking my only option is to remove the web launch functionality from policy/URL used for clientless connections.

Are you using web launch in your environment?

Thanks,

Aaron

Todd Pula Mon, 09/14/2009 - 11:48

What do your DefaultWEBVPNGroup and DfltGrpPolicy configs look like? I have this set up in my lab and can access it via web launch and standalone AnyConnect.

aaron.g.smith Mon, 09/14/2009 - 13:05

As requested:

group-policy DfltGrpPolicy attributes

banner value Default Policy

dns-server value 172.16.1.3

vpn-simultaneous-logins 1

vpn-session-timeout 1080

vpn-tunnel-protocol IPSec

pfs enable

ipsec-udp enable

default-domain value mycompany.com

address-pools value mycompany_general_pool

webvpn

svc ask enable default webvpn timeout 30

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group mycompany_LDAP

default-group-policy mycompany_Portal

password-management password-expire-in-days 0

tunnel-group DefaultWEBVPNGroup webvpn-attributes

customization mycompany_Custom

group-alias Default enable

In your lab, when web launching, which URL are you using? I am able to connect via web launch and stand-alone as well. The problem is that web launch connections (via the WebVPN URL) are allowed without a certificate. As I mentioned before, the only way I've been able to prevent this is using a DAP policy.

Thanks,

Aaron

Actions

This Discussion