ASA - SSL/VPN auto signon

snooter
Level 1

ASA 5510 v8.0(3)

I've got our ASA SSL/VPN set up with an AAA server (using LDAP) and users can log in just fine.

The only thing we have it configured for is to use the RDP plugin. We've got a couple of bookmarks set up that send the users to internal Windows 2003 terminal servers. That works fine.

Now, I'm trying to get the auto signon feature to work properly. (We don't have SiteMinder or the SAML profile.) If I understand this right, I don't need those two third-party features to get this working. Is this correct?

All I've done is add the following commands:

webvpn
 enable outside
 enable inside
 tunnel-group-list enable
 auto-signon allow ip 10.10.1.0 255.255.255.0 auth-type ntlm

According to the ASA 8.0 Configuration guide, that should do it. But when I access one of our bookmarks, it connects just fine, but still prompts for the username and password. I've configured the group policy to inherit the auto sign settings (and pretty much everything else).

Can someone maybe recommend something I may be overlooking here? Do I need to configure something further on my terminal server that accepts this NTLM request?

------------------

A little more info: When I don't enable the auto signon, the RDP plugin works just fine and I can easily get the sign-on screen to my terminal server. However, when I enable anything in the auto signon, the RDP client launches, but it stays as a tiny little box in the center of the screen and it'll eventually time out and close. This little tiny box isn't expandable either. I've tried debugs, but don't see anything. No errors on the terminal server itself either.

1 Reply

jsivulka
Level 5

You can do the Auto Sign-on through Smart Tunnel. While the smart tunnel now allows Java applet to work for some application, single sign on no longer works for it. Try creating a bookmark for the application and enable the ST option. This is a Smart Tunnel limitation (auto-signon does not work with it).

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008017b2a4.shtml
