06-11-2010 08:21 PM
We have an SSL VPN setup on ASA. There are different groups for different users.
I am seeing a strange output when I check on certain user sessions. Sample output is as below:
Session Type: SVC
Username : XYZ Index : 3655
Assigned IP : 192.168.10.4 Public IP : 75.98.45.113
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 101279339 Bytes Rx : 62952454
Group Policy : Users_group Tunnel Group : Power_users
Login Time : 13:28:36 SGT Fri Jun 11 2010
Duration : 19h:31m:24s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
The highlighted part in bold is my query. This XYZ user falls under the group called "Users_group" (as shown in group policy), but why does it show the tunnel group as "Power_user"?
However, if I check the same for certain other users, both group policy and tunnel group appear correctly to the group they belong to.
Please help me to understand this and appreciate any pointers to correct if this is not what it should be.
Thanks!
06-15-2010 07:55 AM
How are you assigning the user to the group? Are you using a radius server to pass the class attribute?
Does everyone else connect to the same group policy and the tunnel-group is different? Can you show a user that's connecting to the same group-policy but has a different tunnel-group? You don't generally need a tunnel-group if you have a group-policy that's attached to a user, but you may have a tunnel-group that's referencing the same group policy. I don't create tunnel-groups for my users that have ssl access only.
Can you show the config for "sh run tunnel-group
HTH,
John
06-20-2010 11:26 PM
Yes, Radius is being used to pass the attribute. User assignment is done via Windows AD under respective groups. So far another user also has been noticed to have similar outputs, but it was from a different group policy & different tunnel group. Sorry, details aren't available at this time though.
Below are the outputs as you asked for:
# sh running-config group-policy Users_group
group-policy Users_group internal
group-policy Users_group attributes
banner value Welcome USER
dns-server value X.X.X.X
vpn-tunnel-protocol svc webvpn
address-pools value users-group
# sh running-config tunnel-group Users_group
tunnel-group Users_group type remote-access
tunnel-group Users_group general-attributes
authentication-server-group Server-Radius
authentication-server-group (inside) Server-Radius
authorization-server-group Server-Radius
authorization-server-group (inside) Server-Radius
accounting-server-group Server-Radius
default-group-policy Users_group
username-from-certificate use-entire-name
tunnel-group Users_group webvpn-attributes
group-alias Users_group enable
group-url https://X.X.X.X/User enable
Let me know if other information is required. Thanks in advance for your help.
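Added example, not part of the thread and not Cisco code: a small audit script that compares each session's applied Group Policy with the default-group-policy of the tunnel group it connected through, which is the mismatch the original post describes. The session for XYZ is taken from the post; the second session, the Power_users stanza and the policy name Power_policy are constructed for illustration, and names are assumed to contain no spaces.

```python
import re

# Constructed sample: XYZ's record is from the thread; user ABC and the
# Power_users tunnel-group stanza (with Power_policy) are hypothetical.
SESSIONS = """\
Username : XYZ Index : 3655
Group Policy : Users_group Tunnel Group : Power_users
Username : ABC Index : 3660
Group Policy : Users_group Tunnel Group : Users_group
"""
CONFIG = """\
tunnel-group Users_group type remote-access
tunnel-group Users_group general-attributes
 default-group-policy Users_group
tunnel-group Power_users type remote-access
tunnel-group Power_users general-attributes
 default-group-policy Power_policy
"""

def default_policies(config):
    """Map each tunnel-group name to its default-group-policy."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "tunnel-group":
            current = words[1]
            # The ASA falls back to DfltGrpPolicy when none is configured.
            policies.setdefault(current, "DfltGrpPolicy")
        elif len(words) == 2 and words[0] == "default-group-policy" and current:
            policies[current] = words[1]
    return policies

def sessions(text):
    """Yield (username, group_policy, tunnel_group) per session record."""
    user = None
    for line in text.splitlines():
        m = re.match(r"\s*Username\s*:\s*(\S+)", line)
        if m:
            user = m.group(1)
        m = re.match(r"\s*Group Policy\s*:\s*(\S+)\s+Tunnel Group\s*:\s*(\S+)", line)
        if m and user:
            yield user, m.group(1), m.group(2)

def overridden(session_text, config):
    """Sessions whose applied policy is not their tunnel group's default."""
    defaults = default_policies(config)
    return [(u, gp, tg, defaults.get(tg))
            for u, gp, tg in sessions(session_text) if defaults.get(tg) != gp]

if __name__ == "__main__":
    for u, gp, tg, dflt in overridden(SESSIONS, CONFIG):
        print(f"{u}: tunnel-group {tg} defaults to {dflt}, session got {gp}")
```

A flagged session means the policy came from somewhere other than the tunnel group, such as the RADIUS class attribute John asks about, so each hit is worth checking against the intended access for that user.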