https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440883#M5863 <HTML><HEAD></HEAD><BODY><P>Take a group "webvpn" internally configured .</P><P>Create locally a user called "local" that you assign to this group and on the radius server a user called "external".</P><P>If you choose the option "strip group" on global authentication parameters on your vpn3000 , you will be able to log on using either "local" or "external@webvpn".</P><P></P><P>If you don't use "strip group" , you have to create a user "external@webvpn" on the radius server(this can be interesting if you want to put the same acccount in differents groups).</P><P></P><P>Regards,</P><P></P><P>Morgan.</P><P></P></BODY></HTML> Mon, 27 Mar 2006 15:19:26 GMT morgsizun 2006-03-27T15:19:26Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440875#M5855 <P>I am trying to create a seperate group called "WebVPNuser" and enable Webvpn permission only for that group and use Local authentication for users in WebVPnuser group. </P><P></P><P>What i observe is users (under webvpnuser group) do not authenticate using WebVPNusers group but are authenticated using basegroup which is Radius server. </P><P></P><P>I am not sure where i am going wrong. We have other users conencting using IPsec clinet without any problem. </P><P></P><P></P><P></P> Fri, 21 Feb 2020 18:13:02 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440875#M5855 ittiadmin 2020-02-21T18:13:02Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440876#M5856 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This is explained in Appendix B of the config manual.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/webvpnap.htm#1008861" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/webvpnap.htm#1008861</A></P><P></P><P>"Web VPN uses global authentication and authorization settings, not the settings configured for the group. The first active server, independent of type, is used for authentication and authorization of WebVPN sessions. "</P><P></P><P>You'll need to make Internal the first global auth method.</P><P></P><P>Hope this helps</P><P></P><P>Kind Regards</P><P></P><P>Catriona</P><P></P></BODY></HTML> Thu, 07 Jul 2005 13:46:10 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440876#M5856 ciscocsoc 2005-07-07T13:46:10Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440877#M5857 <HTML><HEAD></HEAD><BODY><P>Thanks for your info. I had tried this suggestion before and it had worked, </P><P></P><P>But i wanted to enable WebVPN only on "WebVPnuser" group instead of enabling webvpn in Base Group and use internal database for authentication.</P><P></P><P>I have changed internal the first auth method. Hope Changing Internal the first global auth method wont effect other VPN users authentication. </P><P></P><P>Appreciate your Help. </P><P></P><P>Regards,</P><P>Raj</P><P></P></BODY></HTML> Fri, 08 Jul 2005 12:37:47 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440877#M5857 ittiadmin 2005-07-08T12:37:47Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440878#M5858 <HTML><HEAD></HEAD><BODY><P>I was looking for the same thing...were you able to find sort of solution to this?</P></BODY></HTML> Mon, 13 Feb 2006 19:42:22 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440878#M5858 cplatt01 2006-02-13T19:42:22Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440879#M5859 <HTML><HEAD></HEAD><BODY><P>Under Configuration | General | Authentication , you can enble group lookup and choose a delimiter (for example @).</P><P>After that you can log in with user@yourgroup .</P><P>yourgroup can be the only one able to do webvpn .</P><P></P><P>Hope this help you.</P><P></P><P>Morgan.</P><P></P></BODY></HTML> Wed, 01 Mar 2006 13:56:05 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440879#M5859 morgsizun 2006-03-01T13:56:05Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440880#M5860 <HTML><HEAD></HEAD><BODY><P>If this is the only way, it means I cannot separate my</P><P>WebVPN users in distinct groups, isn't it?</P><P></P><P>I would like to find a way of assigning WebVPN users to different groups in a secure way; because even if I configure the Radius server to return the right Class Attribute (Class="OU=<GROUPNAME>;"), it seems to be ignored (at least for WebVPN connections): users logging in as user@anygroup get the attributes of that group, if the group authorizes WebVPN!</GROUPNAME></P></BODY></HTML> Thu, 23 Mar 2006 14:19:26 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440880#M5860 abdus_salam_ictp 2006-03-23T14:19:26Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440881#M5861 <HTML><HEAD></HEAD><BODY><P>You can create different internally configured groups and put users in these groups(for example to have differents ACL):</P><P>user1@group1</P><P>user2@group2</P><P></P><P>These groups have to be internally configured because i don't think you can assign WebVPN attributes by Radius server(so your radius attribute will be ignored).</P><P></P><P>Regards.</P><P></P><P></P></BODY></HTML> Fri, 24 Mar 2006 16:14:03 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440881#M5861 morgsizun 2006-03-24T16:14:03Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440882#M5862 <HTML><HEAD></HEAD><BODY><P>I was able to partially resolve this issue. To assign users to a different group(using webvpn) we will need to pass group information during RADIUS authentication. </P><P></P><P>However, What i was not able to resolves was using some Webvpn users to authenticate using Local database and some on Radius server. I tried different ways like using "@" during login. Each time i tried to login, By defaultVPN concentator passes info to Radius server, Which rejectes as there are no users defined in radius server. </P><P></P></BODY></HTML> Fri, 24 Mar 2006 19:28:07 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440882#M5862 ittiadmin 2006-03-24T19:28:07Z https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440883#M5863 <HTML><HEAD></HEAD><BODY><P>Take a group "webvpn" internally configured .</P><P>Create locally a user called "local" that you assign to this group and on the radius server a user called "external".</P><P>If you choose the option "strip group" on global authentication parameters on your vpn3000 , you will be able to log on using either "local" or "external@webvpn".</P><P></P><P>If you don't use "strip group" , you have to create a user "external@webvpn" on the radius server(this can be interesting if you want to put the same acccount in differents groups).</P><P></P><P>Regards,</P><P></P><P>Morgan.</P><P></P></BODY></HTML> Mon, 27 Mar 2006 15:19:26 GMT https://community.cisco.com/t5/network-access-control/webvpn-group-authentication/m-p/440883#M5863 morgsizun 2006-03-27T15:19:26Z