The concept of WebVPN tunnel group

I'm configuring WebVPN on an ASA (7.1.2) and have a question regarding the WebVPN tunnel group attributes. It would be appreciated if I could get a useful link to understand this, or a quick explanation.

Q1) group-alias. Is this the group policy name that is chosen during login? If yes, can I configure group policy settings such as a URL-list and choose during login to pick a different group policy?

Q2) group-url. As per the doc, it is not necessary to choose the group name if the user types the URL (or IP) configured here. If I have two WebVPN groups and only one ASA public IP address, how can I differentiate between the WebVPN groups?

Q3) During WebVPN login, how can I make a user pick a specific group policy name when using AAA authentication? I can associate local users with the group name, but I don't know if there is any way to do this in the case of AAA authentication.

Thanks in advance,

1 ACCEPTED SOLUTION
Re: The concept of WebVPN tunnel group

2) Group-url is another way to give users the right tunnel-group and group-policy. It is also configured under the webvpn parameters of the tunnel group. You should specify a URL for each tunnel-group.

3) To put the user in the right group with AAA, you need to pass back RADIUS attribute 25 to the ASA. The user sends user/pass to the ASA, and the ASA forwards the user/pass to the AAA server.

The AAA server will look up the user and send back a pass or fail response AND attribute 25 set to something. Whatever the ASA receives for attribute 25, it will try to match to a group-policy. group-lock in the group-policy should be turned on to place the user in the correct tunnel group.
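As an added example that is not part of the original thread (and not Cisco's code), the following Python models the selection the accepted answer describes for Q2 and Q3. It parses a constructed ASA-style config fragment (the tunnel-group, group-alias, group-url, default-group-policy and group-lock commands; the SALES/ENG names, policies and vpn.example.com URLs are invented for illustration), builds and decodes the RADIUS Class (attribute 25) value in the `OU=<group-policy>;` form the ASA matches against its group-policies, and then decides, for one login attempt, which tunnel-group and group-policy apply and whether group-lock rejects the combination. The precedence (a matching group-url before a group-alias chosen on the login page) and the rejection logic are a simplified model of ASA behaviour, not the ASA's own implementation.

```python
import re
from dataclasses import dataclass, field

# Constructed ASA 7.x-style config fragment for illustration (not from the original post).
ASA_CONFIG = """
group-policy SALES-GP internal
group-policy SALES-GP attributes
 group-lock value SALES
 webvpn
  url-list value SALES-LINKS
group-policy ENG-GP internal
group-policy ENG-GP attributes
 group-lock value ENG
 webvpn
  url-list value ENG-LINKS
tunnel-group SALES type webvpn
tunnel-group SALES general-attributes
 default-group-policy SALES-GP
tunnel-group SALES webvpn-attributes
 group-alias Sales enable
 group-url https://vpn.example.com/sales enable
tunnel-group ENG type webvpn
tunnel-group ENG general-attributes
 default-group-policy ENG-GP
tunnel-group ENG webvpn-attributes
 group-alias Engineering enable
 group-url https://vpn.example.com/eng enable
"""

RADIUS_CLASS = 25  # RADIUS "Class" attribute type (RFC 2865)

@dataclass
class TunnelGroup:
    name: str
    default_group_policy: "str | None" = None
    aliases: list = field(default_factory=list)
    urls: list = field(default_factory=list)

@dataclass
class GroupPolicy:
    name: str
    group_lock: "str | None" = None

def parse_config(text):
    """Collect tunnel-groups and group-policies from the subset of ASA commands used above."""
    tgs, gps, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel-group (\S+) type ", line):
            tgs.setdefault(m.group(1), TunnelGroup(m.group(1)))
            current = None
        elif m := re.match(r"tunnel-group (\S+) (?:general|webvpn)-attributes$", line):
            current = tgs.setdefault(m.group(1), TunnelGroup(m.group(1)))
        elif m := re.match(r"group-policy (\S+) internal$", line):
            gps.setdefault(m.group(1), GroupPolicy(m.group(1)))
            current = None
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = gps.setdefault(m.group(1), GroupPolicy(m.group(1)))
        elif isinstance(current, TunnelGroup):
            if m := re.match(r"default-group-policy (\S+)", line):
                current.default_group_policy = m.group(1)
            elif m := re.match(r"group-alias (\S+) enable", line):
                current.aliases.append(m.group(1))
            elif m := re.match(r"group-url (\S+) enable", line):
                current.urls.append(m.group(1))
        elif isinstance(current, GroupPolicy):
            if m := re.match(r"group-lock value (\S+)", line):
                current.group_lock = m.group(1)
    return tgs, gps

def encode_class_attribute(group_policy):
    """RADIUS Class AVP the AAA server returns: type 25, length, value 'OU=<group-policy>;'."""
    value = f"OU={group_policy};".encode()
    return bytes([RADIUS_CLASS, 2 + len(value)]) + value

def group_policy_from_class(avp):
    """Group-policy name carried in a Class AVP, or None if the AVP is malformed or not OU= form."""
    if len(avp) < 3 or avp[0] != RADIUS_CLASS or avp[1] != len(avp):
        return None
    m = re.match(r"OU=([^;]+);", avp[2:].decode("ascii", "replace"))
    return m.group(1) if m else None

def select_tunnel_group(tgs, url=None, alias=None):
    """Model: a matching group-url wins, then a group-alias picked from the login page."""
    by_url = [tg for tg in tgs.values() if url in tg.urls]
    by_alias = [tg for tg in tgs.values() if alias in tg.aliases]
    return (by_url or by_alias or [None])[0]

def authorize_login(tgs, gps, url=None, alias=None, class_avp=None):
    """(tunnel_group, group_policy, allowed, reason) for one WebVPN login attempt."""
    tg = select_tunnel_group(tgs, url, alias)
    if tg is None:
        return None, None, False, "no tunnel-group matches the URL or alias"
    gp_name = group_policy_from_class(class_avp) if class_avp else None
    gp = gps.get(gp_name or tg.default_group_policy)  # AAA-supplied policy overrides the default
    if gp is None:
        return tg.name, None, False, "group-policy not defined on the ASA"
    if gp.group_lock and gp.group_lock != tg.name:
        return tg.name, gp.name, False, f"group-lock binds {gp.name} to tunnel-group {gp.group_lock}"
    return tg.name, gp.name, True, "ok"
```

The practitioner's check is the second scenario: a user who lands on the SALES group-url but whose RADIUS reply carries `OU=ENG-GP;` is refused, because ENG-GP is group-locked to the ENG tunnel-group. Without group-lock, the AAA-returned policy would simply be applied inside whichever tunnel-group the user picked, which is why the answer says to turn it on.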

