
ASA Remote Access VPN Query - multiple group policies to single connection profile

ramesh.8901
Level 1

Hi All,

Two quick questions here that I need help with.

 

1. In an ASA 5525, is it possible to have multiple group-policies to a single Connection profile?

Scenario: One of our clients is running F5 Firepass for their VPN solution and that device is used by them to have multiple group-policies per Connection Profile. We are planning to migrate them to ASA (5525) and I'm not sure if the ASA can support that.

 

2. In an ASA 5525 for Clientless Remote Access VPN, can we forward the login page to an external server? For example, if I have a connection profile set up with a URL "https://wyz.vpn.com/" for LDAP/RADIUS authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test I want HTTP form based authentication and this page needs to be sent to an external server, i.e. the ASA will not handle that page but rather the front page for this will be served by the external server.

Scenario: One of our clients is running F5 Firepass for their VPN solution. On the F5 they have set up pages such as https://wyz.vpn.com/ which the F5 shows to the user when they connect via clientless VPN; however, if the user types https://wyz.vpn.com/data into the browser, the traffic comes to the F5, but the F5 redirects this traffic to an external server (with an external URL as well). It is then this external server that forwards the front page to the user requesting authentication credentials for HTTP form based authentication.

 

Thanks in advance all!!


4 Replies

Abaji Rawool
Level 3

Hi,

 

I am not sure what you are trying to achieve with point 1, and for point 2 the ASA can do limited stuff, but complete redirection is not possible at this time.

What ASA can do: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/portal.pdf

HTH

Abaji.

 

 

Hi,

 

Thanks for that. Also, would you happen to know if a connection profile can have more than one authentication method? The client wants the primary authentication method to be HTTP form based authentication, and if the user fails to input those credentials he can use RSA. I know that for a connection profile I can have the local user as a fallback authentication mechanism, but can we have RSA as a fallback?

 

Thanks!

Hi,

 

You can have fall-back to primary method as LOCAL only.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_servers.html#pgfId-1053533

 

HTH

Abaji.

 

Hi,

 

Thank you very much for the help. 
