Clientless (Browser) SSL VPN access is not allowed.

I am trying to setup an additional Anyconnect vpn profile.  I have one that is working correctly but this new one will not.  When I try to login to download the client or try to connect with a computer that already has the client I am unable to.

The client side receives this error: "Clientless(Browser) SSL VPN access is not allowed."

On the ASA log:

4    May 10 2010    11:42:17    722050                    Group <An1meR0xs> User <> IP <10.12.x.x> Session terminated: SVC not enabled for the user
4    May 10 2010    11:42:17    113019                    Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

It is referencing the group name of our main ipsec connection.  Which I think is very odd.  Here is the portion of my config that deals with the ssl-client.

tunnel-group SSL-RDP-Only type remote-access
tunnel-group SSL-RDP-Only general-attributes
address-pool SSL_VPN_Users
authentication-server-group FUN-LDAP
default-group-policy SSL-RDP
tunnel-group SSL-RDP-Only webvpn-attributes
group-alias VPN_FUN enable
group-url https://64.244.9.X/VPN_FUN enable

group-policy SSL-RDP internal
group-policy SSL-RDP attributes
vpn-filter value RDP_only
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RDPonlyVPN_splitTunnelAcl
webvpn
  url-list none
  svc ask none default svc
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389

ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255



Jennifer Halim (Cisco Employee)

Did you connect with browser, or with the AnyConnect client directly?

Do you connect to the following host: 64.244.9.94/VPN_FUN ?

Both the browser and the anyconnect client give the same client side/asa side error.

It does not allow me to currently hit it by 64.244.9.X/VPN_FUN

I can browse all my connections from 64.244.9.X

What do you mean by it doesn't allow you to browse 64.244.9.X/VPN_FUN, can you pls provide screenshot of what you are seeing? Also a copy of the config would help, and if you can advise which is the working tunnel-group name and what is the new tunnel-group name.

It is browsable.  I apologize it was not yesterday but that may have been an error with my outside test network.

I attached the config.  The working tunnel group is Anyconnect.

After reviewing the config, the difference between the Anyconnect group and SSL-RDP-Only group is the AAA server.

AnyConnect group uses radius server for authentication (RAS01), while SSL-RDP-Only group uses LDAP server for authentication (FUN-LDAP), and from the FUN-LDAP server configuration, you are configuring LDAP attribute mapping, that is mapping you to the "An1meR0xs" group.

To test, change the aaa authentication from LDAP to Radius for the newly created group.

Hope that helps.
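An added Python check (not part of the thread and not Cisco code) that models the precedence the answer above describes: a group policy returned by AAA, such as one set by an LDAP attribute map, replaces the tunnel-group's default-group-policy, and the session is only accepted if the policy that wins lists svc in vpn-tunnel-protocol. The config excerpt is constructed from the thread; the contents of the An1meR0xs policy are an assumption, since the page does not show them.

```python
import re
from typing import Dict, List, Optional
# Constructed ASA excerpt modelled on the thread. The An1meR0xs policy is not
# shown on the page; it is assumed here to be an IPsec-only policy.
ASA_CONFIG = """\
group-policy An1meR0xs internal
group-policy An1meR0xs attributes
 vpn-tunnel-protocol ipsec
group-policy SSL-RDP internal
group-policy SSL-RDP attributes
 vpn-filter value RDP_only
 vpn-tunnel-protocol svc webvpn
tunnel-group SSL-RDP-Only type remote-access
tunnel-group SSL-RDP-Only general-attributes
 default-group-policy SSL-RDP
"""

def parse_policies(config: str) -> Dict[str, List[str]]:
    """Map each group-policy name to its vpn-tunnel-protocol keyword list."""
    policies: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
        m = re.match(r"\s*vpn-tunnel-protocol (.+)", line)
        if m and current:
            policies[current] = m.group(1).split()
    return policies

def default_policy(config: str, tunnel_group: str) -> Optional[str]:
    """Return the default-group-policy under the tunnel-group's general-attributes."""
    in_group = False
    for line in config.splitlines():
        if line.startswith("tunnel-group "):
            parts = line.split()
            in_group = parts[1] == tunnel_group and parts[-1] == "general-attributes"
        m = re.match(r"\s*default-group-policy (\S+)", line)
        if in_group and m:
            return m.group(1)
    return None

def anyconnect_allowed(config: str, tunnel_group: str,
                       aaa_policy: Optional[str] = None) -> bool:
    """AAA-returned policy (e.g. from an LDAP attribute map) overrides the
    tunnel-group default; SVC connects only if the winning policy allows it."""
    effective = aaa_policy or default_policy(config, tunnel_group)
    protocols = parse_policies(config).get(effective or "", [])
    return "svc" in protocols or "ssl-client" in protocols
```

With no AAA override the user lands in SSL-RDP and AnyConnect is allowed; with the LDAP map returning An1meR0xs the check fails, matching the "SVC not enabled for the user" log line in the original post.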

Fantastic.  I created a new LDAP authentication and used this.  I got it to work without a map attribute.  I need to get that working properly as well but this is a great first step.

---Kyle

Ok users are able to connect and I have setup a good ldap attribute map.  The problem is they are not able to RDP into any of the subnets I have specified.  Users in the An1meR0xs tunnel group have full access but I am trying to lock down the AnyConnect group to RDP only to the subnets I specified.

A couple of missing configuration lines as follows:

For group-policy: SSL-RDP:
1) The IP Pool that you use is 10.12.20.0/24 as follows:
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255

The subnet mask needs to be changed to 255.255.255.0 as follows:
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.0

2) There is no NAT exemption configured towards the ip pool subnet. You would need to add the following:
access-list no_nat extended permit ip 10.12.0.0 255.255.0.0 10.12.20.0 255.255.255.0
