Cisco ASA Clientless VPN and AnyConnect VPN

Unanswered Question
Oct 23rd, 2009

Is there a way to allow access to Clientless (webvpn) for some users but not to AnyConnect? We want powerusers to use AnyConnect and normal users to use the Clientless. Right now all users can access either one. We're using IAS RADIUS for authentication. Thanks.

jamesfick Fri, 10/23/2009 - 11:27

terryfojas - Sorry to jump in on your posting, but I was wondering if you could help me. How do you have IAS RADIUS set up? We are trying to do that in our office but it fails. Thank you.


terryfojas Fri, 10/23/2009 - 11:43


- Create a client that points to your ASA's IP
- Client-vendor is RADIUS Standard
- Check that shared secret matches your ASA's
- Create a Remote Access Policy with "Grant remote access permission" checked.

Enter your IAS' IP on ASDM - Config, Device Management, Users/AAA, AAA Server Groups

jamesfick Tue, 10/27/2009 - 06:16

I have it set up, but when I test it to authenticate a user I get this error message: ERROR: Authentication Rejected:AAA failure.

Our network admin says the IAS is set up to use MS-CHAPv2, but the ASA is sending it via PAP. Can we force MS-CHAP or are we stuck with PAP?

terryfojas Fri, 10/30/2009 - 13:45

tunnel-group yourvpngroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

