New Member

SSL VPN Group authentication issue

I have a Cisco 3K VPN concentrator configured to terminate SSL VPNs. VPN users are authenticated using an RSA ACE server. If I create a user and add them to the base group, the user can connect and authenticates fine. If I create a new group, i.e. an sslvpn group, and add users to this, authentication fails and they cannot connect.

  • VPN
6 REPLIES
New Member

Re: SSL VPN Group authentication issue

I have the same problem. I cannot log in to WebVPN unless WebVPN is enabled on the Base Group.

Anyone?

New Member

Re: SSL VPN Group authentication issue

I think you have to enable WebVPN on your specific group.

New Member

Re: SSL VPN Group authentication issue

Yes, that's correct. I have a group, sslVPN. This group has WebVPN enabled, but it does not work unless WebVPN is enabled on the Base Group, and the log shows that the Base Group is used.

I am also unable to log in internal users; only RADIUS users work. It does not matter which group the internal users belong to.

New Member

Re: SSL VPN Group authentication issue

To specify your group you have to configure:

Enable Group Lookup and define a group delimiter (for example @) under Configuration | System | General | Global Authentication Parameters.

Then you'll have to log in with user@sslVPN (you can choose to strip the realm in your group configuration).

Try to move up the internal server in the authentication servers list.

Morgan.

New Member

Re: SSL VPN Group authentication issue

Did the trick! Thanks!

New Member

Re: SSL VPN Group authentication issue

Non-group-based protocols such as PPTP, SSLVPN, L2TP all have to authenticate to the generic base group first. By themselves these protocols are not group oriented and do not negotiate group assignment. It was never designed that way. What you have to do is authenticate the users against the base group as regular, but then use RADIUS to send OU=sslvpn; this will assign the user into this group, where you can apply the different policies, restrictions, etc.

I have tried this and it is working for my 4.x, WebVPN, SSLVPN users, contractors, IT, etc.

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee122.html#wp1013532
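The two group-assignment paths described in this thread (Morgan's delimiter-based group lookup, and the RADIUS OU= attribute in the last reply) as an added model in Python; this is illustrative code written for this page, not Cisco's implementation, and the group names, flags and attribute format are constructed assumptions:

```python
# Added model (not Cisco code) of how a VPN 3000 WebVPN login lands in a group:
# path 1 is delimiter-based group lookup (user@group), path 2 is RADIUS
# returning OU=<group> after base-group authentication. All values constructed.
from dataclasses import dataclass

GROUP_DELIMITER = "@"  # assumed delimiter set under Global Authentication Parameters


@dataclass
class Group:
    name: str
    webvpn_enabled: bool
    strip_realm: bool = False  # drop "@group" from the login name before auth


# Constructed configuration mirroring the thread: WebVPN is enabled only on
# the sslVPN group, not on the base group.
GROUPS = {
    "base": Group("base", webvpn_enabled=False),
    "sslVPN": Group("sslVPN", webvpn_enabled=True, strip_realm=True),
}


def resolve_group(username, groups=GROUPS, radius_attrs=None,
                  delimiter=GROUP_DELIMITER):
    """Return (login_name, group) for a login, or (None, None) if unknown.

    Path 1: login name contains the delimiter -> group lookup on the realm.
    Path 2: no delimiter -> base group; if the RADIUS reply carries
            OU=<group>, the session is moved into that group afterwards.
    """
    if delimiter in username:
        user, _, realm = username.rpartition(delimiter)
        group = groups.get(realm)
        if group is None:
            return None, None
        return (user if group.strip_realm else username), group
    group = groups["base"]
    ou = (radius_attrs or {}).get("OU", "").rstrip(";")
    if ou in groups:
        group = groups[ou]
    return username, group


def webvpn_login(username, groups=GROUPS, radius_attrs=None):
    """Succeed only when the resolved group has WebVPN enabled."""
    login, group = resolve_group(username, groups, radius_attrs)
    if group is None or not group.webvpn_enabled:
        return False, login, None  # the original poster's failure mode
    return True, login, group.name


if __name__ == "__main__":
    print(webvpn_login("alice"))                                  # base group: fails
    print(webvpn_login("alice@sslVPN"))                           # group lookup: ok
    print(webvpn_login("alice", radius_attrs={"OU": "sslVPN;"}))  # RADIUS OU: ok
```

A plain login with no delimiter and no OU attribute lands in the base group, which is exactly why the first posters saw "Base Group" in their logs and only succeeded after enabling WebVPN there.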
