933 Views, 0 Helpful, 2 Replies

ASA5520 and ACS 4.0 - WebVPN (Clientless-SSL-Tunnel) AnyConnect doesn't apply Downloadable ACLs (dACLs)

spoofneted
Level 1

I'm having lots of issues having so-called "Clientless-SSL-Tunnel" AnyConnect VPN sessions - that is, those which are enacted by visiting https://<ASA IP> via a Browser, and letting the Java/ActiveX plugin automatically run the AnyConnect VPN Fat Client for you - honour Downloadable ACLs.

Our setup is integrated via RADIUS to Cisco ACS 4.0.

The Dynamic Group Policy -> Connection Profile appears to work for either (direct using AnyConnect VPN Fat Client or indirect via Browser -> ActiveX/Java Client); however, our Downloadable ACLs only take effect if the user instantiates the SSL VPN via the AnyConnect VPN Fat Client; users who access via the "Browser -> https://<ASA IP>" route first appear to have no ACL applied at all?

I understand that I can tweak the custom "Cisco VPN/3000/etc" RADIUS settings, such as "WebVPN-Filters" and "WebVPN-Access-List" to apply an ACL that is locally configured on the ASA Firewall, but what do I need to configure to make "WebVPN/Clientless-SSL-Tunnel" sessions honour the dACL which our ACS is sending?

Accepted Solution

JakeKynnersley
Level 1

This is a known issue with certain ASA software versions; please see Cisco bug CSCtv19046, "DACL is not applied to AC when connection via the webportal". You will probably need to update your ASA to 8.4(4.1) or later.


2 Replies


Thanks - upgraded to 8.4(7), which seems to have done the trick.
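The practical takeaway from this thread is a version gate: sessions started through the web portal only get their ACS-pushed dACL on ASA releases at or after the one named in the accepted reply. The following is an added example, not code from the thread or from Cisco, that parses the version string an ASA prints in its "show version" banner and decides whether a device sits at or above that minimum, so an operator can audit a fleet before trusting dACLs on portal-launched AnyConnect sessions. Assumptions: the version format "8.4(7)" / "8.4(4.1)", the interim notation "8.4(4)1" that the ASA CLI uses for the same release, and a purely numeric ordering across release trains (the thread only speaks to the 8.4 train, so results for other trains are an extrapolation).

```python
import re

# Minimum fixed release quoted in the accepted reply for CSCtv19046.
MIN_FIXED = "8.4(4.1)"

# Matches "8.4(7)", "8.4(4.1)" and the "8.4(4)1" interim notation seen in
# ASA 'show version' output (output-format assumption, not from the thread).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) parsed from a bare
    version string or a whole 'show version' line.

    Raises ValueError when no ASA-style version is present, so a garbled
    or truncated line is never silently treated as 'fixed'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no ASA version found in: {text!r}")
    major, minor, maint, interim_dot, interim_suffix = m.groups()
    # Either spelling of an interim build maps to the same fourth field;
    # a plain maintenance release is interim 0.
    interim = interim_dot or interim_suffix or "0"
    return (int(major), int(minor), int(maint), int(interim))


def is_fixed(version_text, min_fixed=MIN_FIXED):
    """True when the device runs min_fixed or later (numeric tuple order,
    an assumption across release trains)."""
    return parse_asa_version(version_text) >= parse_asa_version(min_fixed)


def audit(show_version_lines, min_fixed=MIN_FIXED):
    """Map each constructed 'show version' banner line to a verdict string
    so a fleet listing can be reviewed at a glance."""
    verdicts = {}
    for line in show_version_lines:
        try:
            verdicts[line] = "dACL expected on portal sessions" if is_fixed(line, min_fixed) \
                else "affected: upgrade to %s or later" % min_fixed
        except ValueError as exc:
            verdicts[line] = f"unparsed: {exc}"
    return verdicts


if __name__ == "__main__":
    # Constructed sample banner lines, not captured from a real device.
    sample = [
        "Cisco Adaptive Security Appliance Software Version 8.4(3)",
        "Cisco Adaptive Security Appliance Software Version 8.4(4)1",
        "Cisco Adaptive Security Appliance Software Version 8.4(7)",
    ]
    for line, verdict in audit(sample).items():
        print(f"{line}: {verdict}")
```

The poster's final release, 8.4(7), parses as (8, 4, 7, 0) and compares above (8, 4, 4, 1), which matches the "done the trick" outcome; a device reporting 8.4(4) without an interim number still fails the check, which is the edge that a naive string comparison of "8.4(4)" against "8.4(4.1)" would get wrong.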