Group policy in SSL VPN

Unanswered Question
Jun 11th, 2010

We have an SSL VPN setup on ASA. There are different groups for different users.

I am seeing a strange output when I check on certain user sessions. Sample output is as below:

Session Type: SVC

Username     : XYZ          Index        : 3655
Assigned IP  :            Public IP    :
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 101279339              Bytes Rx     : 62952454
Group Policy : Users_group          Tunnel Group : Power_users
Login Time   : 13:28:36 SGT Fri Jun 11 2010
Duration     : 19h:31m:24s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

The highlighted part in bold is my query. This XYZ user falls under the group called "Users_group" (as shown in group policy), but why does it show the tunnel group as "Power_users"?

However, if I check the same for certain other users, both group policy and tunnel group appear correctly for the group they belong to.

Please help me understand this; I would appreciate any pointers on correcting it if this is not what it should be.


John Blakley Tue, 06/15/2010 - 07:55
User Badges:
  • Purple, 4500 points or more

How are you assigning the user to the group? Are you using a radius server to pass the class attribute?

Does everyone else connect to the same group policy and the tunnel-group is different? Can you show a user that's connecting to the same group-policy but has a different tunnel-group? You don't generally need a tunnel-group if you have a group-policy that's attached to a user, but you may have a tunnel-group that's referencing the same group policy. I don't create tunnel-groups for my users that have ssl access only.

Can you show the config for "sh run tunnel-group " and "sh run group-policy "?



suthomas1 Sun, 06/20/2010 - 23:26

Yes, RADIUS is being used to pass the attribute. User assignment is done via Windows AD under respective groups. So far another user also has been noticed to have similar outputs, but it was from a different group policy and a different tunnel group. Sorry, details aren't available at this time though.

Below are the outputs as you asked for:

# sh running-config group-policy Users_group
group-policy Users_group internal
group-policy Users_group attributes
banner value Welcome USER
dns-server value X.X.X.X
vpn-tunnel-protocol svc webvpn
address-pools value users-group

# sh running-config tunnel-group Users_group
tunnel-group Users_group type remote-access
tunnel-group Users_group general-attributes
authentication-server-group Server-Radius
authentication-server-group (inside) Server-Radius
authorization-server-group Server-Radius
authorization-server-group (inside) Server-Radius
accounting-server-group Server-Radius
default-group-policy Users_group
username-from-certificate use-entire-name
tunnel-group Users_group webvpn-attributes
group-alias Users_group enable
group-url https://X.X.X.X/User enable

Let me know if other information is required. Thanks in advance for your help.
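The behaviour described in the thread is expected on an ASA: the tunnel-group is chosen by the connection itself (the group-url or group-alias the client used), while the effective group-policy follows the ASA's inheritance order, in which a group-policy returned by RADIUS (the IETF Class attribute, "OU=name;") or set on the user overrides the tunnel-group's default-group-policy. So the "Group Policy" field is the one that tells you which policy the session is actually running under, and a mismatch against "Tunnel Group" means an override happened or the user connected through a different URL/alias than expected. The script below is an added example, not code from the thread or from Cisco; it parses "show vpn-sessiondb" style output and the "show running-config tunnel-group" output, builds the tunnel-group to default-group-policy map, and reports every session whose effective group-policy differs from that default so the mismatches can be audited rather than discovered one user at a time. The session text, config, hostname and IPs in it are constructed to mirror the thread's outputs and are placeholders.

```python
"""Audit ASA SSL VPN sessions for group-policy / tunnel-group mismatches.

Added example; not from the thread or from Cisco. Inputs below are constructed
samples modelled on the thread's output. Names, IPs and URLs are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of "show vpn-sessiondb svc" output (two sessions).
SESSION_OUTPUT = """\
Session Type: SVC

Username     : XYZ          Index        : 3655
Assigned IP  : 10.0.0.5               Public IP    : 203.0.113.10
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Group Policy : Users_group          Tunnel Group : Power_users
Login Time   : 13:28:36 SGT Fri Jun 11 2010

Session Type: SVC

Username     : ABC          Index        : 3656
Assigned IP  : 10.0.0.6               Public IP    : 203.0.113.11
Group Policy : Users_group          Tunnel Group : Users_group
Login Time   : 13:30:00 SGT Fri Jun 11 2010
"""

# Constructed sample of "show running-config tunnel-group" for two tunnel groups.
TUNNEL_GROUP_CONFIG = """\
tunnel-group Users_group type remote-access
tunnel-group Users_group general-attributes
 authentication-server-group Server-Radius
 default-group-policy Users_group
tunnel-group Users_group webvpn-attributes
 group-alias Users_group enable
 group-url https://vpn.example.invalid/User enable
tunnel-group Power_users type remote-access
tunnel-group Power_users general-attributes
 default-group-policy Power_users
tunnel-group Power_users webvpn-attributes
 group-alias Power_users enable
"""

# Each session line holds two "Label : value" columns, so a value is read
# lazily up to the next known label or the end of the line. An empty value
# (as in the thread's blank "Assigned IP") is returned as "" rather than
# swallowing the following label.
FIELD_PATTERNS = {
    "username": r"Username\s*:\s*(.*?)\s*(?=Index\s*:|$)",
    "group_policy": r"Group Policy\s*:\s*(.*?)\s*(?=Tunnel Group\s*:|$)",
    "tunnel_group": r"Tunnel Group\s*:\s*(.*?)\s*$",
}


@dataclass
class Session:
    username: str
    group_policy: str
    tunnel_group: str


def parse_sessions(text: str) -> list[Session]:
    """Split the output on 'Session Type:' headers and pull the three fields."""
    sessions = []
    for chunk in re.split(r"^Session Type:.*$", text, flags=re.M):
        values = {}
        for name, pattern in FIELD_PATTERNS.items():
            m = re.search(pattern, chunk, flags=re.M)
            values[name] = m.group(1) if m else ""
        if values["username"]:
            sessions.append(Session(**values))
    return sessions


def parse_default_policies(config: str) -> dict[str, str]:
    """Map tunnel-group name -> default-group-policy from running-config text.

    default-group-policy is only valid under general-attributes, so the
    current tunnel-group is reset on any other tunnel-group section line.
    """
    defaults: dict[str, str] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("tunnel-group "):
            m = re.match(r"^tunnel-group (\S+) general-attributes", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"^\s*default-group-policy (\S+)", line)
        if m and current:
            defaults[current] = m.group(1)
    return defaults


def find_overrides(sessions: list[Session], defaults: dict[str, str]) -> list[dict]:
    """Report sessions whose effective group-policy is not the tunnel-group default."""
    findings = []
    for s in sessions:
        expected = defaults.get(s.tunnel_group)
        if expected is None:
            reason = "tunnel-group has no default-group-policy in config"
        elif expected != s.group_policy:
            reason = "group-policy overrides tunnel-group default (RADIUS Class or user attribute)"
        else:
            continue
        findings.append({"username": s.username, "group_policy": s.group_policy,
                         "tunnel_group": s.tunnel_group, "expected": expected,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_overrides(parse_sessions(SESSION_OUTPUT),
                            parse_default_policies(TUNNEL_GROUP_CONFIG)):
        print(f"{f['username']}: group-policy {f['group_policy']} via tunnel-group "
              f"{f['tunnel_group']} (default {f['expected']}): {f['reason']}")
```

On the constructed sample the script flags XYZ (Users_group via Power_users) and stays quiet for ABC. Run against real output, a flagged user with a RADIUS-returned Class attribute is working as designed; a flagged user with no such attribute points at the group-url or group-alias they used, which is the thing to check before changing any group-policy.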

