Cisco ASA Clientless VPN and AnyConnect VPN

Unanswered Question
Oct 23rd, 2009

Is there a way to allow access to Clientless (webvpn) for some users but not to AnyConnect? We want power users to use AnyConnect and normal users to use the Clientless. Right now all users can access either one. We're using IAS RADIUS for authentication. Thanks.

jamesfick Fri, 10/23/2009 - 11:27

terryfojas - Sorry to jump in on your posting, but I was wondering if you could help me. How do you have IAS RADIUS set up? We are trying to do that in our office but it fails. Thank you.

Jim

terryfojas Fri, 10/23/2009 - 11:43

On IAS:

- Create a client that points to your ASA's IP

- Client-vendor is RADIUS Standard

- Check that shared secret matches your ASA's

- Create a Remote Access Policy with "Grant remote access permission" checked.

On ASA:

Enter your IAS' IP on ASDM-Config, Device Management, Users/AAA, AAA Server Groups

jamesfick Tue, 10/27/2009 - 06:16

I have it set up, but when I test it to authenticate a user I get this error message: ERROR: Authentication Rejected:AAA failure.

Our network admin says the IAS is set up to use MS-CHAPv2, but the ASA is sending it via PAP. Can we force MS-CHAP or are we stuck with PAP?

terryfojas Fri, 10/30/2009 - 13:45

tunnel-group yourvpngroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
