different types of vpn

Nov 9th, 2009

I am very familiar with IPSEC (site to site and remote access) VPNs, but I would like to know exactly how the clientless SSL VPN and the SSL VPN client (anyconnect) work in terms of their configuration\setup and features. In what applications should this type of setup be used?

Does the SSL VPN client (any clientless) require a group authentication name and a shared secret like the IPsec VPN?

Herbert Baerten Tue, 11/10/2009 - 04:26

In its most basic form, you do not need a group (all connections will land on the DefaultWebvpnGroup which is created by default, with a default config that you can modify).

However, you can also create groups (connection profiles in ASDM-lingo) and group policies, or push attributes from a Radius server just like with IPsec.

There is no group password, so by default any user can connect to any group (provided that they pass the authentication configured for that group), but there are ways to prevent this (e.g. the Radius server can specify which group a certain user can only connect to).

What happens after connecting is quite different with clientless; you may think of it more as a kind of HTTP proxy.

Anyconnect is quite similar to the IPsec client as far as usage is concerned.

I think you can find numerous examples on cisco.com, e.g. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml



ronshuster Thu, 11/12/2009 - 07:50

What about the anyconnect software, does it only support SSL? What type of setups does it support? Can you pls send me an example if you have any?

Also, where would you use it as opposed to the clientless (webvpn)?

Herbert Baerten Thu, 11/12/2009 - 13:22

Yes, Anyconnect only supports SSL at this time (this may or may not change at some point in the future).

Type of setup: you can pre-install the client on a workstation just like the IPsec client, or you can have the user download it at first use and then keep it installed, or you can have the user download it on every use.

Installation requires admin privileges though (at least on Windows, not sure about Mac and Linux), so this could be one reason to opt for clientless (e.g. for use in Internet cafes etc.).

The same group can support both clientless and anyconnect, so the user can choose at connect time.

A good example of a basic config can be found here:


(Note that in the config, anything anyconnect related still uses the legacy name "svc" - short for SSL VPN Client, the old name for Anyconnect.)

Many more details can be found in the admin guide:





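Added example, not part of the thread and not Cisco's sample config: a minimal ASA sketch in the 8.x-era "svc" syntax discussed above, showing one connection profile that offers both clientless and Anyconnect, the client keep-installed choice, and a per-user group-lock as the local-user counterpart of the Radius restriction. The interface name, pool, profile, policy and user names and the package file name are assumed placeholders.

```text
! Constructed example for ASA 8.x ("svc" keywords); every name and address is a placeholder.
ip local pool SSL-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
!
webvpn
 enable outside
 ! AnyConnect package served to users who download the client at connect time
 svc image disk0:/<anyconnect-package>.pkg 1
 svc enable
 ! Show the connection-profile drop-down on the login page
 tunnel-group-list enable
!
group-policy STAFF-POLICY internal
group-policy STAFF-POLICY attributes
 ! Allow both Anyconnect (svc) and clientless (webvpn) in the same group
 vpn-tunnel-protocol svc webvpn
 address-pools value SSL-POOL
 webvpn
  ! Keep the downloaded client installed; "none" removes it after each session
  svc keep-installer installed
  ! Let the user choose at login; fall back to clientless after the timeout
  svc ask enable default webvpn timeout 10
!
tunnel-group STAFF type remote-access
tunnel-group STAFF general-attributes
 default-group-policy STAFF-POLICY
 ! There is no group password: each user authenticates individually (local database here)
 authentication-server-group LOCAL
tunnel-group STAFF webvpn-attributes
 group-alias Staff enable
!
! Restrict an existing local user to the STAFF profile only; without this,
! any user who passes authentication for another profile can connect to it.
username alice attributes
 group-lock value STAFF
```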