Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Clientless (Browser) SSL VPN access is not allowed.

          I am trying to setup an additional Anyconnect vpn profile.  I have one that is working correctly but this new one will not.  When I try to login to download the client or try to connect with a computer that already has the client I am unable to.

The client side recieves this error: "Clientless(Browser) SSL VPN access is not allowed."

On the ASA log:

4    May 10 2010    11:42:17    722050                    Group <An1meR0xs> User <> IP <10.12.x.x> Session terminated: SVC not enabled for the user
4    May 10 2010    11:42:17    113019                    Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

It is referencing the group name of our main ipsec connection.  Which I think is very odd.  Here is the portion of my config that deals with the ssl-client.

tunnel-group SSL-RDP-Only type remote-access
tunnel-group SSL-RDP-Only general-attributes
address-pool SSL_VPN_Users
authentication-server-group FUN-LDAP
default-group-policy SSL-RDP
tunnel-group SSL-RDP-Only webvpn-attributes
group-alias VPN_FUN enable
group-url https://64.244.9.X/VPN_FUN enable

group-policy SSL-RDP internal
group-policy SSL-RDP attributes
vpn-filter value RDP_only
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RDPonlyVPN_splitTunnelAcl
webvpn
  url-list none
  svc ask none default svc
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
access-list RDP_only remark RDP to .x
access-list RDP_only extended permit tcp SSLVPN-Pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389

ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255

Message was edited by: kyle.southerland

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Clientless (Browser) SSL VPN access is not allowed.

After reviewing the config, the difference between the Anyconnect group and SSL-RDP-Only group is the AAA server.

AnyConnect group uses radius server for authentication (RAS01), while SSL-RDP-Only group uses LDAP server for authentication (FUN-LDAP), and from the FUN-LDAP server configuration, you are configuring LDAP attribute mapping, that is mapping you to the "An1meR0xs" group.

To test, change the aaa authentication from LDAP to Radius for the newly created group.

Hope that helps.

8 REPLIES
Cisco Employee

Re: Clientless (Browser) SSL VPN access is not allowed.

Did you connect with browser, or with the AnyConnect client directly?

Do you connect to the following host: 64.244.9.94/VPN_FUN ?

Community Member

Re: Clientless (Browser) SSL VPN access is not allowed.

Both the browser and the anyconnect client give the same client side/asa side error.

It does not allow me to currently hit it by 64.244.9.X/VPN_FUN

I can browse all my connections from 64.244.9.X

Cisco Employee

Re: Clientless (Browser) SSL VPN access is not allowed.

What do you mean by it doesn't allow you to browse 64.244.9.X/VPN_FUN, can you pls provide screenshot of what you are seeing? Also

a copy of the config would help, and if you can advise which is the working tunnel-group name and what is the new tunnel-group name.

Community Member

Re: Clientless (Browser) SSL VPN access is not allowed.

It is browseable.  I apologize it was not yesterday but that may have been an error with my outside test network.

I attached the config.  The working tunnel group is Anyconnect

Cisco Employee

Re: Clientless (Browser) SSL VPN access is not allowed.

After reviewing the config, the difference between the Anyconnect group and SSL-RDP-Only group is the AAA server.

AnyConnect group uses radius server for authentication (RAS01), while SSL-RDP-Only group uses LDAP server for authentication (FUN-LDAP), and from the FUN-LDAP server configuration, you are configuring LDAP attribute mapping, that is mapping you to the "An1meR0xs" group.

To test, change the aaa authentication from LDAP to Radius for the newly created group.

Hope that helps.

Community Member

Re: Clientless (Browser) SSL VPN access is not allowed.

Fantastic.  I created a new LDAP authentication and used this.  I got it to work without a map attribute.  I need to get that working properly as well but this is a great first step.

---Kyle

Community Member

Re: Clientless (Browser) SSL VPN access is not allowed.

Ok users are able to connect and I have setup a good ldap attribute map.  The problem is they are not able to RDP into any of the subnets I have specified.  Users in the An1meR0xs tunnel group have full access but I am trying to lock down the AnyConnect group to RDP only to the subnets I specified.

Cisco Employee

Re: Clientless (Browser) SSL VPN access is not allowed.

A couple of missing configuration lines as follows:

For group-policy: SSL-RDP:
1) The IP Pool that you use is 10.12.20.0/24 as follows:
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255

The subnet mask needs to be changed to 255.255.255.0 as follows:
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.0

2) There is no NAT exemption configured towards the ip pool subnet. You would need to add the following:
access-list no_nat extended permit ip 10.12.0.0 255.255.0.0 10.12.20.0 255.255.255.0

8041
Views
0
Helpful
8
Replies
CreatePlease to create content