Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
758
Views
0
Helpful
2
Replies

Group policy in SSL VPN

suthomas1
Level 6
Level 6

‎06-11-2010 08:21 PM

We have an SSL VPN setup on ASA. There are different groups for different users.

I am seeing a strange output when i check on certain user sessions. Sample output is as below:

Session Type: SVC

Username     : XYZ          Index        : 3655
Assigned IP  : 192.168.10.4            Public IP    : 75.98.45.113
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 101279339              Bytes Rx     : 62952454
Group Policy : Users_group          Tunnel Group : Power_users
Login Time   : 13:28:36 SGT Fri Jun 11 2010
Duration     : 19h:31m:24s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

The highlighted part in bold is my query. This XYZ user falls under group called "Users_group" ( as shown in group policy). but why does

it show the tunnel group as "Power_user".

However if i check the same for certain other users, both group policy and tunnel group appear correctly to the group they belong to.

Please help me to understand this and appreciate any pointers to correct if this is not what it should be.

Thanks!

Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎06-15-2010 07:55 AM

How are you assigning the user to the group? Are you using a radius server to pass the class attribute?

Does everyone else connect to the same group policy and the tunnel-group is different? Can you show a user that's connecting to the same group-policy but has a different tunnel-group? You don't generally need a tunnel-group if you have a group-policy that's attached to a user, but you may have a tunnel-group that's referencing the same group policy. I don't create tunnel-groups for my users that have ssl access only.

Can you show the config for "sh run tunnel-group " and "sh run group-policy "?

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

suthomas1
Level 6
Level 6
In response to John Blakley

‎06-20-2010 11:26 PM

Yes ,Radius is being to pass the attribute.user assignment is done via
windows AD under respective groups.so far another user also has been
noticed to have similar outputs, but it was from a different group policy & different
tunnel group.sorry,details aren't available at this time though.

Below are the outputs as you asked for:

# sh running-config group-policy Users_group
group-policy Users_group internal
group-policy Users_group attributes
banner value Welcome USER
dns-server value X.X.X.X
vpn-tunnel-protocol svc webvpn
address-pools value users-group

# sh running-config tunnel-group Users_group
tunnel-group Users_group type remote-access
tunnel-group Users_group general-attributes
authentication-server-group Server-Radius
authentication-server-group (inside) Server-Radius
authorization-server-group Server-Radius
authorization-server-group (inside) Server-Radius
accounting-server-group Server-Radius
default-group-policy Users_group
username-from-certificate use-entire-name
tunnel-group Users_group webvpn-attributes
group-alias Users_group enable
group-url https://X.X.X.X/User enable

Let me know if other information is required.Thanks in advance for your help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents