topic Hi, You can have fall-back to in VPN

ASA Remote Access VPN Query - multiple group policies to single connection profile

ramesh.8901 — Sat, 22 Feb 2020 04:14:46 GMT

Hi All,

Two quick questions here that i need help with.

1. In an ASA 5525, is it possible to have multiple group-policies to a single Connection profile?

Scenario: One of our clients is running F5 Firepass for their VPN solution and that device can is used by them to have multiple group-policies per Connection Profile. We are planning to migrate them to ASA (5525) and i'm not sure if the ASA can support that.

2. In an ASA 5525 for Clientless Remote Access VPN, can we forward the login page to an external server? For example, if i have a connection profile setup with a URL: "https://wyz.vpn.com/"; for LDAP/Radius authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test i want HTTP form based authentication and this page needs to be sent to an external server i.e ASA will not handle that page but rather the front page for this will be served by the external server.

Scenario: One of our clients is running F5 Firepass for their VPN solution. On the F5 they have setup pages such as https://wyz.vpn.com/ which the F5 shows to the user when they connect via clientless VPN; however if the user types in https://wyz.vpn.com/data into the browser, the traffic comes to the F5, but the F5 redirects this traffic to an external server (with an external url as well). It is then this external server that forwards the front page to the user requesting authentication credentials for HTTP form based authentication.

Thanks in advance all!!

Hi, I am not sure what are

Abaji Rawool — Tue, 26 May 2015 06:56:37 GMT

Hi,

I am not sure what are you trying to achieve with point 1 and for point 2 ASA can do limited stuff but complete redirection is not possible at this time

What ASA can do :http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/portal.pdf

HTH

Abaji.

Hi, Thanks for that. Also

ramesh.8901 — Wed, 27 May 2015 14:53:15 GMT

Hi,

Thanks for that. Also would you happen to know if a connection profile can have more than one authentication method? The client wants the primary authentication method to be HTTP form based authentication and if the user fails to input those credentials he can use RSA. I know that for a connection profile i can have the local user as a fallback authentication mechanism but can we have RSA as a fallback?

Thanks!

Hi, You can have fall-back to

Abaji Rawool — Wed, 27 May 2015 16:14:30 GMT

Hi,

You can have fall-back to primary method as LOCAL only.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_servers.html#pgfId-1053533

HTH

Abaji.

Hi, Thank you very much for

ramesh.8901 — Fri, 29 May 2015 07:25:58 GMT

Hi,

Thank you very much for the help.