
New Member

How do I control who has access to Clientless SSL VPN on ASA 5520?

Hello,

I have set up clientless SSL VPN on my ASA. User authentication is done by RADIUS on a Windows server.

I have created a portal for users and a portal for IT guys. On the logon page users see the drop-down box to select IT or Sales. The thing is, users can log in to IT. How can I get it so IT can only log into the IT group and Sales into the Sales group?

Thanks

22 REPLIES
Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

To do that you must use a feature called: Group lock.

You just enable group lock in the Group Policy of both groups.

Then in Windows IAS create two policies.

One matching one Windows group and the other one matching the other Windows group (Sales and IT).

Put the desired users in the right groups.

Edit the policy in IAS and make it return a parameter called "Class" (RADIUS number 25). The content of this parameter must be the exact name of the Group Policy where the user is trying to connect.
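
The mechanism described in this answer, as an added example that is not code from the thread, from Cisco or from IAS: the ASA receives the group-policy name in the RADIUS Class attribute (type 25), and the group-lock configured in that group-policy must match the tunnel-group (the drop-down entry) the user selected, otherwise the connection is refused. The script below goes a little beyond the post: it decodes Class from constructed RADIUS attribute bytes, parses a constructed ASA config, lints every group-lock against the configured tunnel-groups (the value must be a tunnel-group name, not the group-policy's own name), and models the allow/deny decision. The decision function is a simplified model of the documented behaviour, and all names (WebSSL-London, WebSSLGP-London, RADIUS-IAS, andyw) are constructed.

```python
"""Added example (not from the thread or from Cisco): model the ASA group-lock
check and lint an ASA config for group-lock values that are not tunnel-groups.
Every name below (WebSSL-London, WebSSLGP-London, RADIUS-IAS, andyw) is constructed."""
import re

# Constructed ASA config. WebSSLGP-Sales carries a deliberate mistake: its
# group-lock names the group-policy itself instead of a tunnel-group.
SAMPLE_CONFIG = """\
tunnel-group WebSSL-London type remote-access
tunnel-group WebSSL-London general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy WebSSLGP-London
tunnel-group WebSSL-London webvpn-attributes
 group-alias London enable
tunnel-group WebSSL-Sales type remote-access
tunnel-group WebSSL-Sales general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy WebSSLGP-Sales
tunnel-group WebSSL-Sales webvpn-attributes
 group-alias Sales enable
group-policy WebSSLGP-London internal
group-policy WebSSLGP-London attributes
 vpn-tunnel-protocol webvpn
 group-lock value WebSSL-London
 webvpn
  url-list value London
group-policy WebSSLGP-Sales internal
group-policy WebSSLGP-Sales attributes
 vpn-tunnel-protocol webvpn
 group-lock value WebSSLGP-Sales
"""

# Constructed Access-Accept attribute bytes: User-Name (type 1, length 7) followed
# by Class (type 25, length 17) carrying the group-policy name, as IAS returns it.
SAMPLE_ACCEPT_ATTRS = bytes([1, 7]) + b"andyw" + bytes([25, 17]) + b"WebSSLGP-London"


def radius_class_values(attrs):
    """Walk RADIUS attribute TLVs (type, length, value; length counts the 2-byte
    header) and return every Class (type 25) value as text."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == 25:
            out.append(attrs[i + 2:i + alen].decode("ascii", "replace"))
        i += alen
    return out


def parse_asa(config):
    """Return (set of tunnel-group names, dict group-policy -> group-lock value or None)."""
    tunnel_groups, group_locks, section = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) type ", line)
        if m:
            tunnel_groups.add(m.group(1))
            section = None
            continue
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            section = m.group(1)
            group_locks.setdefault(section, None)
            continue
        if raw and not raw[0].isspace():
            section = None          # any other top-level command ends the block
            continue
        m = re.match(r"group-lock value (\S+)", line)
        if m and section:
            group_locks[section] = m.group(1)
    return tunnel_groups, group_locks


def lint_group_locks(tunnel_groups, group_locks):
    """Flag group-policies whose lock is missing or does not name a tunnel-group."""
    problems = []
    for gp, lock in group_locks.items():
        if lock is None:
            problems.append(f"{gp}: no group-lock, so users given this policy may use any tunnel-group")
        elif lock not in tunnel_groups:
            hint = " (that is a group-policy name, not a tunnel-group)" if lock in group_locks else ""
            problems.append(f"{gp}: group-lock value {lock!r} is not a configured tunnel-group{hint}")
    return problems


def group_lock_permits(selected_tunnel_group, radius_class, group_locks):
    """Simplified model of the ASA decision: Class names the group-policy, and its
    group-lock must equal the tunnel-group the user picked. Returns (allowed, reason)."""
    if radius_class not in group_locks:
        return False, f"group-policy {radius_class!r} does not exist on the ASA (modelled as a denial)"
    lock = group_locks[radius_class]
    if lock is None:
        return True, "no group-lock on the policy: any tunnel-group is accepted"
    if lock == selected_tunnel_group:
        return True, f"group-lock {lock!r} matches the selected tunnel-group"
    return False, f"group-lock {lock!r} does not match selected tunnel-group {selected_tunnel_group!r}"


if __name__ == "__main__":
    tgs, locks = parse_asa(SAMPLE_CONFIG)
    for p in lint_group_locks(tgs, locks):
        print("LINT:", p)
    klass = radius_class_values(SAMPLE_ACCEPT_ATTRS)[0]
    for chosen in ("WebSSL-London", "WebSSL-Sales"):
        print(chosen, group_lock_permits(chosen, klass, locks))
```

Run stand-alone, the lint reports the Sales policy's bad lock, and the decision model shows the London user accepted on the London tunnel-group but refused on Sales, which is exactly the separation the question asks for.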

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

This is just what I need, I will test this tomorrow, hopefully you will be around if I get any issues :)

Does this also work for the SSL VPN client that downloads when you connect?

Thanks

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Hi,

I have just gone onto the ASDM and can't find the group lock option, please help.

Thanks

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

It's under group-policy configuration.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

I've just gone to clientless SSL VPN Access > Group policy > then my policy and can't see the option in there.

Am I going mad, I think I am.

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

You need to use a different group for them (not default_group...).

Go to the CLI:

group-policy "GROUP_NAME" attributes
 group-lock value "name"

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

This is what I have, so I will add group-lock "London":

group-policy WebSSLGP-London internal
group-policy WebSSLGP-London attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value London

So I then need to add "London" to the Class attribute (25) in IAS? When I create it, the wizard asks if it's a VPN connection or Ethernet; will this connection be seen as a VPN?

Thanks

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

For IAS you should set it as VPN, but it actually does not matter.

To insert attribute 25 (Class) you have to:

Edit the policy, go to Edit Profile, then Advanced.

There, in Advanced, click "Add" and add the attribute "Class".

In the Class attribute (of IAS) put the same name you used in the group-lock line on the ASA.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

In the CLI this is what I get:

ASA(config-group-policy)# group-lock value London
WARNING: tunnel-group does not exist

Have I missed something in the config?

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

The group-lock value must be exactly the same as the name of the group.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Ah, you did say this, sorry, so "WebSSLGP-London" not "London".

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Hmm..

This is what I have:

group-policy WebSSLGP-London internal
group-policy WebSSLGP-London attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value London

But the group name issue is happening again:

ASA# conf t
ASA(config)# group-policy WebSSLGP-London attributes
ASA(config-group-policy)# group-lock value WebSSLGP-London
WARNING: tunnel-group does not exist
ASA(config-group-policy)#

Isn't the group policy name the one I need to use here?

Thanks

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Looks like the group-lock value needed to be the tunnel group name. Now set.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Right, the last part is that it's failing on the IAS server.

The server's event log entry for my failure is:

Source: IAS
Event ID: 2
User andyw was denied access.
Fully-Qualified-User-Name = ms.local/London/IT/Andy
NAS-IP-Address = 1.2.3.4
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = 81.3.3.3
Client-Friendly-Name = Cisco-ASA
Client-IP-Address = 1.2.3.4
NAS-Port-Type = Virtual
NAS-Port = 39
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = WebSSL for London
Authentication-Type = PAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

On the IAS Remote Access Policies I have created a policy which matches an AD group called WebSSL-London, and my account is in it.

If I then click Edit Profile > Advanced there is a single entry called Class | RADIUS Standard | WebSSL-London.

Do you want any screenshots?

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

Enable the right authentication method in the policy.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Is this in the IAS server or ASA?

Thanks

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

IAS

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

I don't see this under the authentication tab. Mine is set to MS-Chap v2.

Bronze

Re: How do I control who has access to Clientless SSL VPN on ASA

Sorry, but this is my last post.

Enable all of them under the Authentication tab; if it works you should see which one it's using, and leave that one enabled.

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

Already tried that. Thanks for your help, I'll wait in hope that someone else might shed some light.

Cheers

New Member

Re: How do I control who has access to Clientless SSL VPN on ASA

For your info, it's working now. It needs to use PAP in the IAS authentication setting. This is unencrypted, which is not good, but I'll start a fresh post about this part later.

Thanks
