Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
694
Views
0
Helpful
1
Replies

The concept of WebVPN tunnel group

Go to solution
cjrchoi11
Level 1
Level 1

‎05-30-2006 11:24 AM - edited ‎03-09-2019 03:04 PM

I'm configuring WebVPN in ASA(7.1.2) and have a question regards the WebVPN tunnel group attributes. It'll be appreciated if I can get an useful link to understand or quick explain.

Q1) group-alias. Is this the group policy name and choose during login? If yes, can I configure group policy such as URL-list and choose during login to pick different group policy?

Q2) group-url. As per doc, not necessary to choose the group name if the user type the URL(or IP) configured here. If I have two WebVPN groups and only one ASA public IP address, how can I differenticate between the WebVPN groups.

Q3) During WebVPN login, how can I control a user to pick a specific group policy name when using the AAA authentication? I can associate the local users to the group name but I don't know is there any way in the case of AAA authenticaion.

Thanks in advance,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
carenas123
Level 5
Level 5

‎06-05-2006 10:59 AM

2) Group-url is another way to give users the right tunnel-group and group-policy. It is also configured under the webvpn params of the tunnel group. You should specify a url for each tunnel-group.

3) To put the user under the right group with aaa you need to pass back Radius Attribute 25 to the ASA. The user will send user/pass to the ASA. The ASA will forward the user/pass to the aaa-server.

The aaa-server will look up the user and send back a pass or a fail response AND attribute 25 = to something. Whatever ASA receives for attribute 25, it will try to match to a group-policy.group-lock in the group-policy should be turned on to place the user in the correct tunnel group.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
carenas123
Level 5
Level 5

‎06-05-2006 10:59 AM

2) Group-url is another way to give users the right tunnel-group and group-policy. It is also configured under the webvpn params of the tunnel group. You should specify a url for each tunnel-group.

3) To put the user under the right group with aaa you need to pass back Radius Attribute 25 to the ASA. The user will send user/pass to the ASA. The ASA will forward the user/pass to the aaa-server.

The aaa-server will look up the user and send back a pass or a fail response AND attribute 25 = to something. Whatever ASA receives for attribute 25, it will try to match to a group-policy.group-lock in the group-policy should be turned on to place the user in the correct tunnel group.

0 Helpful
Customers Also Viewed These Support Documents