Webvpn Services on an ISR

I am currently running Webvpn services on a 2921 Cisco ISR router.  Users are logging in with no problems.  I need to know if it's possible for me to categorize who gets access to different resources.  I also need assistance in the area of understanding how the Webvpn services pass traffic to Active Directory for authentication purposes.  Below are key portions of my config.

aaa group server radius RAD_SSLVPN
 server 10.10.0.31
 ip vrf forwarding SSLVPN
 ip radius source-interface GigabitEthernet0/1
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group RAD_SSLVPN local
aaa authorization exec default local
aaa authorization network default group radius
!
webvpn gateway gateway_1
 ip address 192.30.212.59 port 443
 http-redirect port 80
 ssl trustpoint GD-SSL-VPN
 inservice
!
webvpn gateway WEBVPN
 ssl trustpoint TP-self-signed-2524349998
 logging enable
 inservice
!
no webvpn cef
!
webvpn context WEBVPN
 secondary-color white
 title-color #CCCC66
 text-color black
 virtual-template 2
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_TRANSPORT_A_DHCP_SCOPE" netmask 255.255.255.0
   svc default-domain "shoremortgage.com"
   svc keep-client-installed
   svc dns-server primary 10.10.0.30
   svc dns-server secondary 10.10.5.30
 default-group-policy policy_1
!

1 REPLY
Cisco Employee

There are multiple ways to access-control the users.

The most typical is inacl sent from RADIUS:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-ssl-vpn.html#GUID-F005501D-8992-48A9-8D4A-7650D7554A3F

Another note is that LDAP (most typical way to integrate with AD) is not supported with SSLVPN. Stick to RADIUS.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-ssl-vpn.html#GUID-E83B5B7E-8905-4261-9145-51640F12DED9
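As an added illustration (not part of the original thread, and not Cisco's code) of how per-group access control rides on the RADIUS reply described above: a RADIUS server returns a Cisco-AVPair vendor-specific attribute chosen by the user's AD group, and the receiving side parses it back out. The `webvpn:inacl=<acl>` pair syntax, the group names and the ACL names are assumptions and placeholders; the named ACLs would still have to exist on the router.

```python
import struct
from typing import List, Optional

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of Cisco-AVPair inside the VSA

# Constructed mapping of AD group -> ACL name (placeholders, not from the thread)
GROUP_ACL = {"Finance": "SSLVPN_FINANCE_ACL", "Contractors": "SSLVPN_CONTRACTOR_ACL"}


def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a Cisco-AVPair string."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string found."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor attribute length")
                    if vtype == CISCO_AVPAIR:
                        out.append(attrs[j + 2:j + vlen].decode("ascii"))
                    j += vlen
        i += alen
    return out


def access_accept_attrs(ad_group: str) -> bytes:
    """Attributes a RADIUS server would add to Access-Accept for a user in ad_group.
    Unknown groups get no inacl attribute, so the router keeps its default policy."""
    acl = GROUP_ACL.get(ad_group)
    return b"" if acl is None else encode_cisco_avpair(f"webvpn:inacl={acl}")


def acl_for_user(attrs: bytes) -> Optional[str]:
    """Router-side view: the inacl name pushed for this session, if any."""
    for pair in decode_avpairs(attrs):
        if pair.startswith("webvpn:inacl="):
            return pair.split("=", 1)[1]
    return None
```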
