I have a Cisco 3K VPN concentrator configured to terminate SSL VPNs. VPN users are authenticated using an RSA ACE server. If I create a user and add them to the base group, the user can connect - auth is fine. If I create a new group, i.e. an sslvpn group, and add users to this, auth fails and they cannot connect.
Non-group-based protocols such as PPTP, SSL VPN, and L2TP all have to authenticate to the generic base group first. By themselves these protocols are not group oriented and do not negotiate group assignment. It was never designed that way. What you have to do is authenticate the users against the base group as usual, but then use RADIUS to send OU=sslvpn; This will assign the user into this group, where you can apply the different policies, restrictions, etc.
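To make the mechanism in the answer concrete, here is an added example (not code from the original thread or from Cisco) that builds the RADIUS Access-Accept a server would return for such a user and shows how a client would pull the group name back out. The post gives the attribute value (OU=sslvpn;) but not the attribute; the example assumes the concentrator reads it from the standard RADIUS Class attribute (type 25, RFC 2865). The shared secret, request authenticator and packet identifier are constructed sample values. The Response Authenticator (MD5 over the header, the request authenticator, the attributes and the shared secret) is included because a concentrator discards an Access-Accept that fails that check, so a group assignment only takes effect when it comes from a server that holds the secret.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and the attribute the group name is carried in
# (assumption: the concentrator parses "OU=<group>;" out of the Class attribute).
ACCESS_ACCEPT = 2
ATTR_CLASS = 25


def build_access_accept(identifier, request_authenticator, shared_secret, group):
    """Build an Access-Accept carrying Class="OU=<group>;" with a valid Response Authenticator."""
    value = f"OU={group};".encode("ascii")
    # Attribute TLV: type (1 byte), length including header (1 byte), value.
    attrs = struct.pack("!BB", ATTR_CLASS, 2 + len(value)) + value
    length = 20 + len(attrs)  # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, shared_secret):
    """Return True if the packet's Response Authenticator matches the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header into {type: [value, ...]}."""
    attrs = {}
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[i + 2:i + alen])
        i += alen
    return attrs


def group_from_class(packet):
    """Return the group named by an "OU=<group>;" Class attribute, or None (stay in the base group)."""
    for value in parse_attributes(packet).get(ATTR_CLASS, []):
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU=") and text.endswith(";"):
            return text[3:-1]
    return None


if __name__ == "__main__":
    # Constructed sample values; a real exchange takes these from the Access-Request.
    request_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    packet = build_access_accept(7, request_auth, secret, "sslvpn")
    print("authenticator ok:", verify_response_authenticator(packet, request_auth, secret))
    print("assigned group:", group_from_class(packet))
```

When the Class attribute is absent, or carries something other than OU=...;, the user stays in the base group they authenticated against, which is exactly the behaviour the question describes before the RADIUS attribute is added.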
I have tried this and it is working for my 4.x, WebVPN, SSLVPN users, contractors, IT, etc.