Cisco Support Community

ASA SSL VPN problems

Hi All,

I have two issues with the SSL VPN configuration on the ASA:

1- I have set up Microsoft IAS as the RADIUS server for authentication. When I try to log in to the SSL VPN, the username and password in AD don't work and I still have to log in with the local username and password. The RADIUS server is working with the VPN client, though.

2- I would like the SVC package to download automatically to the client PC when a user accesses webvpn. But the clientless SSL VPN portal is still shown rather than the SVC package being downloaded.

Please find the show version and show run in the attachment.

Any suggestions would be very much appreciated.




Re: ASA SSL VPN problems

When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool wohlerpool
 authentication-server-group (inside) WohlerGroup LOCAL
 default-group-policy WohlerSSLPolicy

You can also remove your "tunnel-group WohlerSSL".

Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.

1. URL based. Client will have to browse to that specific URL:

tunnel-group WohlerSSL webvpn-attributes
 group-url enable

2. You can add a drop-down box on the login page to select the group.

webvpn
 tunnel-group-list enable

tunnel-group WohlerSSL webvpn-attributes
 group-alias WohlerSSL

3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.

4. If using local user database on ASA, you can also lock users into specific group policies.

username USERNAME password PASSWORD encrypted
username USERNAME attributes
 group-lock value WohlerSSLPolicy
 service-type remote-access

To answer your other question, you are looking for this:

group-policy WohlerSSLPolicy attributes
 webvpn
  svc ask none default svc
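
Added example, not part of the original thread and not Cisco tooling: a small Python check that reads ASA running-config text and reports, for each tunnel-group, whether a browser session can land in it (the default group, a group-url, or a group-alias with tunnel-group-list enabled) and which servers authenticate it. The sample config is constructed, the function names are hypothetical, and a group with no authentication-server-group line is assumed to authenticate against LOCAL.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's attachment): only WohlerSSL uses RADIUS.
SAMPLE_CONFIG = """\
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool wohlerpool
tunnel-group WohlerSSL general-attributes
 authentication-server-group (inside) WohlerGroup LOCAL
 default-group-policy WohlerSSLPolicy
tunnel-group WohlerSSL webvpn-attributes
 group-alias WohlerSSL enable
webvpn
"""

def parse_tunnel_groups(config):
    """Return (groups, alias_list_enabled); no auth line is assumed to mean LOCAL."""
    groups = defaultdict(lambda: {"auth": ["LOCAL"], "selectors": []})
    groups["DefaultWEBVPNGroup"]  # present on the ASA even when not shown
    current, in_webvpn, list_enabled = None, False, False
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command opens a new mode
            m = re.match(r"tunnel-group (\S+) (?:general|webvpn)-attributes", line)
            current = m.group(1) if m else None
            in_webvpn = words == ["webvpn"]
            if current:
                groups[current]  # register the group even if it sets nothing we track
        elif in_webvpn and words[:2] == ["tunnel-group-list", "enable"]:
            list_enabled = True
        elif current and words[0] == "authentication-server-group":
            groups[current]["auth"] = [w for w in words[1:] if not w.startswith("(")]
        elif current and words[0] in ("group-url", "group-alias"):
            groups[current]["selectors"].append(words[0])
    return dict(groups), list_enabled

def webvpn_auth_report(config):
    """Per tunnel-group: can a browser session land in it, and who authenticates?"""
    groups, list_enabled = parse_tunnel_groups(config)
    return {name: {"reachable": name == "DefaultWEBVPNGroup"
                   or "group-url" in g["selectors"]
                   or ("group-alias" in g["selectors"] and list_enabled),
                   "auth": g["auth"]}
            for name, g in groups.items()}

if __name__ == "__main__":
    print(webvpn_auth_report(SAMPLE_CONFIG))
```

On the sample, DefaultWEBVPNGroup is reachable but authenticates with LOCAL only, while WohlerSSL has RADIUS configured but cannot be selected from the portal, which matches the symptom in the question.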