SSL VPN and Group-URL's

roadhouse1387 · ‎09-28-2010

Hi all,

I am configuring an anyconnect solution using 2,5 client, 8.3 ASA and asdm 6.3. I have two ASA's configured in a cluster with active/standby failover.

I have a wildcard cert configured on both ASA's and each of the three IP's are resolvable from the internet.FQDN redirection is enabled.

These are the url's (sanitised)...

ac.mydomain.com (cluster virtual IP)

ac1.mydomain.com (Master/active real IP)

ac2.mydomain.com (secondary/standby real IP)

In the main, I have it the way I want it working but I am having trouble getting group-url to work for the annyconnect client. It seems to work ok for clientless connections though.

I am trying to configure the ASA so that when connecting (via a browser) to the https://ac.mydomain.com on its own, this takes you to the clientless portal where you have a minimum set of apps. So, I configured a group-url of just the url above and this works fine.

I want my annyconnect clients to connect using https://ac.mydomain.com/staff. The intention is that if you go here from a browser, you can download the client and if you go here from the client you can connect to all the resources as you are in the correct DAP. I am using endpoint assesmnet to identify corporate assets and place them into the correct DAP. This seems to be working fine if i use group aliases with drop down lists.

If I try to configure a group-url for https://ac.mydomain.com/staff, and add 'staff' to the annyconnect profile, I get an error 'connection attempt has failed due to an invalid host entry' and the bottom line of the anyconnect client reads 'Unable to process response from ac1.mydomain.com'.

Here are some config snips...

tunnel-group ClientProfile general-attributes
authentication-server-group MS-LDAP
default-group-policy ClientPolicy
dhcp-server 10.x.x.x
tunnel-group ClientProfile webvpn-attributes
radius-reject-message
group-alias "SLL Client" enable
group-url https://ac.mydomain.com/staff enable
group-url https://ac1.mydomain.com/staff enable

in my profile I have this....

<HostName>ac.mydomain.com</Hostname>

<UserGroup>staff</UserGroup>

As far as I can see this should work...can anyone shed any light on this ?

Many Thanks

Shaun

Marcin Latosiewicz · ‎09-28-2010

Shaun,

I would check without any profile.You don't need this for this particular functionality.

If I will find the time tomorrow I'll check it on a lab device.

What happens if you connect to ac.mydomain.com does it offer you a drop-down menu offering "SLL Client" as a possibility?

Share your

sh run webvpn

sh run tunnel-group

sh run group-policy

and whole contents of profile for AC.

Marcin

roadhouse1387 · ‎09-29-2010

Thanks Marcin,

I'm not sure what you mean when you say check without a profile. Could you help me out a little further with that ?

I having some difficulty understanding how the group-url is supposed to work and interact with the connection process, the Cisco docs dont seem to explain that in any detail.

I have attached a file with the out put you asked for, hope its ok but if you need anything else, please let me know.

Thanks for your help !

Cheers

Shaun

Marcin Latosiewicz · ‎09-29-2010

Shaun,

Forgive for not being clear.

What I meant is to remove the xml profile if stored localy (It's in documents and settings).

Consider my config in regards to group behavior.(and look what happens when I connect with anyconnect.

and configuration:

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OVER
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias TESTING_PLEASE enable
group-url https://bsns-asa5520-10/TEST enable

tunnel-group OTHER_WEBVPN type remote-access
tunnel-group OTHER_WEBVPN webvpn-attributes
group-alias OTHER_PLEASE enable
group-url https://bsns-asa5520-10/OTHER enable

webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc enable
tunnel-group-list enable

Now I don't have a profile. But your profile mentions group which I don't see configured on the ASA. ("staff")

I know this does not provide you will all the answers but hopefully demonstrates what I wanted you to check in my initial post.

Marcin