https://community.cisco.com/t5/network-security/asa-ssl-vpn-problems/m-p/1342490#M828599 <HTML><HEAD></HEAD><BODY><P>When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:</P><P></P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P> address-pool wohlerpool</P><P> authentication-server-group (inside) WohlerGroup LOCAL</P><P> default-group-policy WohlerSSLPolicy</P><P></P><P>You can also remove your "tunnel-group WohlerSSL"</P><P></P><P>Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.</P><P></P><P>1. URL based. Client will have to browse to that specific URL:</P><P></P><P>tunnel-group WohlerSSL webvpn-attributes</P><P> group-url <A class="jive-link-custom" href="https://vpn.company.com/wohlerssl" target="_blank">https://vpn.company.com/wohlerssl</A> enable</P><P></P><P>2. You can add a drop-down box on the on the login page to select the group. </P><P></P><P>webvpn</P><P> tunnel-group-list enable</P><P>!</P><P>tunnel-group WohlerSSL webvpn-attributes</P><P> group-alias WohlerSSL</P><P></P><P>3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.</P><P></P><P>4. If using local user database on ASA, you can also lock users into specific group policies.</P><P></P><P>username USERNAME password PASSWORD encrypted</P><P>username USERNAME attributes</P><P> group-lock value WohlerSSLPolicy </P><P> service-type remote-access</P><P></P><P></P><P>To answer you other question, you are looking for this:</P><P></P><P>group-policy WohlerSSLPolicy attributes</P><P> webvpn</P><P> svc ask none default svc</P><P></P><P></P><P></P><P>Regards,</P><P>Roman</P><P></P><P> </P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 03 Aug 2009 21:10:35 GMT Roman Rodichev 2009-08-03T21:10:35Z https://community.cisco.com/t5/network-security/asa-ssl-vpn-problems/m-p/1342489#M828584 <P>Hi All, </P><P>I have two issue with SSL VPN configuration in ASA: </P><P>1- I have setup Microsoft IAS as RADIUS server for authentication. when I try to login to SSL VPN, the username and password in AD doesn't work and still I have to login with local username and password. RADIUS server is working with VPN client though. </P><P>2- I like when user acecss to webvpn, SVC package automatically download to client PC. But still clientless SSL VPN portal is shown rather than download SVC package. </P><P>Please find the show version and show run in the attachment. </P><P>any suggestion would be very appreciated. </P><P>thanks </P><P>Alex</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 16:02:05 GMT https://community.cisco.com/t5/network-security/asa-ssl-vpn-problems/m-p/1342489#M828584 alex goshtaei 2019-03-11T16:02:05Z https://community.cisco.com/t5/network-security/asa-ssl-vpn-problems/m-p/1342490#M828599 <HTML><HEAD></HEAD><BODY><P>When connecting with Cisco VPN client, your client tells ASA which group (tunnel-group) the connection belongs to. When connecting to SSL VPN portal, your connection by default belongs to "tunnel-group DefaultWEBVPNGroup". You will need to configure this:</P><P></P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P> address-pool wohlerpool</P><P> authentication-server-group (inside) WohlerGroup LOCAL</P><P> default-group-policy WohlerSSLPolicy</P><P></P><P>You can also remove your "tunnel-group WohlerSSL"</P><P></P><P>Now, if you want to have several different tunnel-groups for SSL VPN, then you need to choose one of a few methods for client to tell ASA which group it belongs to.</P><P></P><P>1. URL based. Client will have to browse to that specific URL:</P><P></P><P>tunnel-group WohlerSSL webvpn-attributes</P><P> group-url <A class="jive-link-custom" href="https://vpn.company.com/wohlerssl" target="_blank">https://vpn.company.com/wohlerssl</A> enable</P><P></P><P>2. You can add a drop-down box on the on the login page to select the group. </P><P></P><P>webvpn</P><P> tunnel-group-list enable</P><P>!</P><P>tunnel-group WohlerSSL webvpn-attributes</P><P> group-alias WohlerSSL</P><P></P><P>3. You can also have your RADIUS server return IETF RADIUS [025] Class attribute. For example: "ou=WohlerSSLPolicy;". This attribute refers to "group-policy", not "tunnel-group", so everyone would still connect under tunnel-group DefaultWEBVPNGroup, but you could assign various parameters to the client using group-policies.</P><P></P><P>4. If using local user database on ASA, you can also lock users into specific group policies.</P><P></P><P>username USERNAME password PASSWORD encrypted</P><P>username USERNAME attributes</P><P> group-lock value WohlerSSLPolicy </P><P> service-type remote-access</P><P></P><P></P><P>To answer you other question, you are looking for this:</P><P></P><P>group-policy WohlerSSLPolicy attributes</P><P> webvpn</P><P> svc ask none default svc</P><P></P><P></P><P></P><P>Regards,</P><P>Roman</P><P></P><P> </P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 03 Aug 2009 21:10:35 GMT https://community.cisco.com/t5/network-security/asa-ssl-vpn-problems/m-p/1342490#M828599 Roman Rodichev 2009-08-03T21:10:35Z