New Member

ASA5520 and ACS 4.0 - WebVPN (Clientless-SSL-Tunnel) AnyConnect doesn't apply Downloadable ACLs (dACLs)

I'm having lots of issues getting so-called "Clientless-SSL-Tunnel" AnyConnect VPN sessions - that is, those which are enacted by visiting https://<ASA IP> via a browser and letting the Java/ActiveX plugin automatically run the AnyConnect VPN fat client for you - to honour Downloadable ACLs.

Our setup is integrated via RADIUS to Cisco ACS 4.0.

The Dynamic Group Policy -> Connection Profile appears to work either way (direct using the AnyConnect VPN fat client, or indirect via Browser -> ActiveX/Java client); however, our Downloadable ACLs only take effect if the user instantiates the SSL VPN via the AnyConnect VPN fat client. Users who access via the "Browser -> https://<ASA IP>" route first appear to have no ACL applied at all?

I understand that I can tweak the custom "Cisco VPN/3000/etc" RADIUS settings, such as "WebVPN-Filters" and "WebVPN-Access-List" to apply an ACL that is locally configured on the ASA Firewall, but what do I need to configure to make "WebVPN/Clientless-SSL-Tunnel" sessions honour the dACL which our ACS is sending?

  • AAA Identity and NAC
1 ACCEPTED SOLUTION

New Member

This is a known issue with certain ASA software versions; please see Cisco bug CSCtv19046 - DACL is not applied to AC when connection via the webportal. You will probably need to update your ASA to 8.4(4.1) or later.

2 REPLIES
New Member

Thanks - upgraded to 8.4(7) which seems to have done the trick.
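A quick way to verify on a fleet that an ASA is at or above the fixed release named in the accepted answer, as an added example that is not part of this thread: parse the release string from the first line of `show version` and compare it numerically against 8.4(4.1). The function names and the sample output line are constructed, and treating any release that sorts above 8.4(4.1) as fixed is an assumption taken from the answer's "or later".

```python
import re

# ASA releases are written MAJOR.MINOR(MAINT[.INTERIM]), e.g. "8.4(4.1)" or "8.4(7)".
_ASA_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")

# First fixed release for CSCtv19046 as given in the accepted answer.
FIXED_IN = "8.4(4.1)"


def parse_asa_version(text: str) -> tuple:
    """Turn '8.4(4.1)' into (8, 4, 4, 1); a missing interim level counts as 0."""
    m = _ASA_VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def has_dacl_webportal_fix(running: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the running release is at or above the fixed release.

    Assumption: plain tuple ordering, so any later train (e.g. 9.x) counts as fixed,
    matching the answer's "8.4(4.1) or later".
    """
    return parse_asa_version(running) >= parse_asa_version(fixed_in)


def extract_version(show_version_output: str) -> str:
    """Pull the release from the 'Cisco Adaptive Security Appliance Software Version X' line."""
    m = re.search(r"Software Version (\S+)", show_version_output)
    if not m:
        raise ValueError("no 'Software Version' line found in show version output")
    return m.group(1)


# Constructed sample: the first line of 'show version' on an ASA (not a capture from the thread).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.4(7)\n"

if __name__ == "__main__":
    running = extract_version(SAMPLE_SHOW_VERSION)
    print(running, "carries the CSCtv19046 fix:", has_dacl_webportal_fix(running))
```

Feed it the real `show version` text from each ASA to flag boxes that will silently drop the dACL for browser-launched sessions.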
