09-08-2009 02:27 PM - edited 02-21-2020 03:39 AM
The goal: To allow Clientless (portal) connections with only username/password authentication (LDAP in this case) while requiring two-factor (LDAP & Certificate) authentication for AnyConnect connections.
The config: Since the auth methods are configured within connection profiles/tunnel groups, I am using two different profiles, one requiring only LDAP auth for use with clientless and one requiring both LDAP and client certificate authentication for AnyConnect. I have not enabled the option to allow users to choose their connection profile.
The only way I have been able to get the AnyConnect client to use anything other than the "DefaultWEBVPNGroup" profile was to use a URL mapping for the AnyConnect tunnel group, a custom AnyConnect client profile (to specify the custom URL), and a DAP policy to deny AnyConnect connections on the "DefaultWEBVPNGroup" tunnel group.
Resulting behavior: Web portal requires only username and password. Stand-alone AnyConnect connections require username/password & client certificate.
The problem: Weblaunch (launching AnyConnect from the portal) installs the client, but throws an error and disconnects (see attached). Subsequent stand-alone AnyConnect connection attempts work fine.
I assume this issue is related to the different tunnel groups using different authentication methods. If I disable the DAP policy, weblaunch works without errors, but it connects without requiring two-factor authentication.
Does anyone know if what I am trying to do is possible and/or supported? I am open to alternative suggestions as well.
Thanks,
Aaron
09-10-2009 08:29 AM
Sounds like you are 95% of the way there. You can definitely get this to work. Based on your description of the problem when trying to web launch AnyConnect, it sounds like you are not matching the correct tunnel group.
As you stated, when using more specific connection profiles, you need to give users a means to identify which TG they want to connect to. This is typically achieved via a drop down selection box, group URL, or certificate attribute map. In your case, it sounds like you are using group URLs. With this approach, you will have two more specific URLs for your users to access. For web launch and standalone AnyConnect clients, they may access https://vpn.vpn.com/anyconnect while your clientless users may access https://vpn.vpn.com/webvpn. The catch, as you found, is what happens when a user tries to go to the root https://vpn.vpn.com? In this case, the user will hit the default WebVPN TG.
I would have to see your DAP policy to understand what policies you have implemented. If you take DAP out of the picture for a moment, a few quick workarounds to prevent AnyConnect users from being able to log into the default WebVPN group are to remove the corresponding tunneling protocol from the default group policy. Alternatively, you could set the simultaneous logins to 0 in the default group policy. You may also want to look into configuring group locking to prevent users from logging into a TG that they don't belong to.
With respect to your certificate requirement, ASA 8.2.1 code allows you to configure client certificate authentication on a TG by TG basis. This is more flexible than 8.0, where this is enabled globally.
09-10-2009 09:33 AM
Interesting that you should mention removing the tunneling protocol from the group policy. I have done exactly this and the AnyConnect client still connects using that profile/group policy pair even though the only protocol specified is "webvpn". It's because of this that I had to resort to using DAP. Below are the commands I have in place for the two different group policies. Notice the banners and the tunnel-protocol commands. When connecting via AnyConnect I see the banner "This is the Portal Policy" even though "svc" isn't specified as a tunnel protocol.
group-policy mycompany_Portal internal
group-policy mycompany_Portal attributes
 banner value This is the Portal Policy
 vpn-tunnel-protocol webvpn
 group-lock value DefaultWEBVPNGroup
 webvpn
  svc profiles value mycompany_AnyConnect_v1
group-policy mycompany_AnyConnect internal
group-policy mycompany_AnyConnect attributes
 banner value This is the AnyConnect Policy
 vpn-tunnel-protocol svc
 group-lock value AnyConnect
 webvpn
  svc profiles value mycompany_AnyConnect_v1
Something tells me that regardless of how I deny the AnyConnect client from connecting to the default profile, I'm still going to have problems with web launch, unless there is a way to specify the URL that is used by web launch.
Thanks for your reply.
09-10-2009 11:00 AM
Here is a quick example from my ASA using a group URL to achieve what you are looking for. In my case, I set the tunneling protocol of the default group policy to IPSec and built two more specific tunnel groups and group policies, one for AnyConnect and one for clientless WebVPN.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
group-policy Clientless internal
group-policy Clientless attributes
 vpn-tunnel-protocol webvpn
group-policy AnyConnect internal
group-policy AnyConnect attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool TRUSTED-POOL
 authentication-server-group LDAP
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
 group-alias AnyConnect enable
 group-url https://10.10.10.10/anyconnect enable
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 authentication-server-group LDAP
 default-group-policy Clientless
tunnel-group WebVPN webvpn-attributes
 group-alias WebVPN enable
 group-url https://10.10.10.10/webvpn enable
09-14-2009 11:34 AM
My config is almost identical; however, when using web launch, the AnyConnect client will still establish a connection using the 'WebVPN' tunnel group and will do so with only LDAP authentication.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
group-policy mycompany_Portal internal
group-policy mycompany_Portal attributes
 banner value mycompany Portal Policy
 vpn-tunnel-protocol webvpn
group-policy mycompany_AnyConnect internal
group-policy mycompany_AnyConnect attributes
 banner value mycompany AnyConnect Policy
 vpn-tunnel-protocol svc
 webvpn
  svc profiles value mycompany_anyconnect_v1
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group mycompany_LDAP
 default-group-policy mycompany_AnyConnect
 password-management
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
 group-alias anyconnect enable
 group-url https://vpn.mycompany.com/anyconnect enable
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 authentication-server-group mycompany_LDAP
 default-group-policy mycompany_Portal
tunnel-group WebVPN webvpn-attributes
 group-alias WebVPN enable
 group-url https://vpn.mycompany.com enable
At this point I'm thinking my only option is to remove the web launch functionality from policy/URL used for clientless connections.
Are you using web launch in your environment?
Thanks,
Aaron
09-14-2009 11:48 AM
What do your DefaultWEBVPNGroup and DfltGrpPolicy configs look like? I have this set up in my lab and can access it via web launch and standalone AnyConnect.
09-14-2009 01:05 PM
As requested:
group-policy DfltGrpPolicy attributes
 banner value Default Policy
 dns-server value 172.16.1.3
 vpn-simultaneous-logins 1
 vpn-session-timeout 1080
 vpn-tunnel-protocol IPSec
 pfs enable
 ipsec-udp enable
 default-domain value mycompany.com
 address-pools value mycompany_general_pool
 webvpn
  svc ask enable default webvpn timeout 30
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group mycompany_LDAP
 default-group-policy mycompany_Portal
 password-management password-expire-in-days 0
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization mycompany_Custom
 group-alias Default enable
In your lab, when web launching, which URL are you using? I am able to connect via web launch and stand-alone as well. The problem is that web launch connections (via the WebVPN URL) are allowed without a certificate. As I mentioned before, the only way I've been able to prevent this is using a DAP policy.
Thanks,
Aaron
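Added example, not part of the thread and not Cisco code: a small Python audit that reads the two configs Aaron posted above (merged into one constructed sample, with the indentation the ASA emits in show running-config) and lists every tunnel group that can hand out AnyConnect while its webvpn-attributes "authentication" line lacks "certificate". It encodes three assumptions as comments: tunnel-group authentication defaults to aaa when the line is absent, a group policy inherits anything it does not set from DfltGrpPolicy, and "svc ask enable"/"svc enable" or "svc" in vpn-tunnel-protocol count as offering AnyConnect. It reports configured intent only; as the thread shows, what the box actually allows at runtime has to be verified by connecting.

```python
"""Added example (not Cisco's code, not the poster's): audit a Cisco ASA config for
tunnel groups that hand out AnyConnect with password-only authentication.
Expects 'show running-config' text, where sub-commands are indented."""
import re

# Constructed sample: Aaron's posted fragments merged into one config, with the
# indentation the ASA itself emits.
SAMPLE_CONFIG = """
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
 webvpn
  svc ask enable default webvpn timeout 30
group-policy mycompany_Portal internal
group-policy mycompany_Portal attributes
 vpn-tunnel-protocol webvpn
group-policy mycompany_AnyConnect attributes
 vpn-tunnel-protocol svc
 webvpn
  svc profiles value mycompany_anyconnect_v1
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy mycompany_Portal
tunnel-group AnyConnect general-attributes
 default-group-policy mycompany_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.mycompany.com/anyconnect enable
tunnel-group WebVPN general-attributes
 default-group-policy mycompany_Portal
tunnel-group WebVPN webvpn-attributes
 group-url https://vpn.mycompany.com enable
"""

SECTION_RE = re.compile(
    r"^(group-policy|tunnel-group)\s+(\S+)\s+(attributes|general-attributes|webvpn-attributes|type)\b")


def parse(config):
    """Return ({policy: {protocols, svc_prompt}}, {tunnel group: {policy, auth, urls}})."""
    policies, groups, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # column-0 command: opens or ends a section
            m = SECTION_RE.match(line)
            section = None
            if m and m.group(1) == "group-policy":
                policies.setdefault(m.group(2), {"protocols": None, "svc_prompt": None})
                section = ("gp", m.group(2)) if m.group(3) == "attributes" else None
            elif m:
                # Assumption: no 'authentication' line means the ASA default, aaa only
                groups.setdefault(m.group(2), {"policy": None, "auth": {"aaa"}, "urls": []})
                section = ("tg", m.group(2)) if m.group(3) != "type" else None
        elif section and section[0] == "gp":
            gp, t = policies[section[1]], line.lower().split()
            if t[0] == "vpn-tunnel-protocol":
                gp["protocols"] = set(t[1:])
            elif t[0] == "svc" and t[1:2] in (["ask"], ["enable"]):
                # 'svc enable' and 'svc ask enable ...' offer AnyConnect; 'svc ask none' does not
                gp["svc_prompt"] = t[1] == "enable" or t[2:3] == ["enable"]
        elif section:
            tg, w = groups[section[1]], line.split()
            if w[0] == "default-group-policy":
                tg["policy"] = w[1]
            elif w[0] == "authentication":
                tg["auth"] = set(x.lower() for x in w[1:])
            elif w[0] == "group-url":
                tg["urls"].append(w[1])
    return policies, groups


def effective(policies, name):
    """Assumption: attributes a group policy leaves unset are inherited from DfltGrpPolicy."""
    base = policies.get("DfltGrpPolicy", {"protocols": None, "svc_prompt": None})
    gp = policies.get(name, base)
    protocols = gp["protocols"] if gp["protocols"] is not None else (base["protocols"] or set())
    svc_prompt = gp["svc_prompt"] if gp["svc_prompt"] is not None else bool(base["svc_prompt"])
    return protocols, svc_prompt


def audit(config):
    """Tunnel groups whose effective policy offers AnyConnect but whose
    'authentication' line does not include certificate."""
    policies, groups = parse(config)
    findings = []
    for name, tg in groups.items():
        policy_name = tg["policy"] or "DfltGrpPolicy"
        protocols, svc_prompt = effective(policies, policy_name)
        reasons = []
        if "svc" in protocols:
            reasons.append("vpn-tunnel-protocol allows svc")
        if svc_prompt:
            reasons.append("portal offers AnyConnect web launch (svc ask/enable)")
        if not reasons or "certificate" in tg["auth"]:
            continue
        reachable = list(tg["urls"])
        if name == "DefaultWEBVPNGroup":   # catches any URL no group-url claims
            reachable.append("<unmatched URL>")
        findings.append({"tunnel_group": name, "policy": policy_name,
                         "reachable_via": reachable, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['tunnel_group']}: policy={f['policy']} via={f['reachable_via']} ({f['reason']})")
```

Run against the sample, it flags WebVPN (reachable at the root group-url) and DefaultWEBVPNGroup, both of which land in mycompany_Portal, which inherits the "svc ask enable" portal launch prompt from DfltGrpPolicy while authenticating with LDAP only; the AnyConnect tunnel group passes because its authentication line includes certificate. Feed it the output of show running-config on the ASA rather than a pasted fragment, since the parser relies on the one-space indentation to tell sub-commands from top-level commands.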