WebVPN Group authentication

ittiadmin
Level 1

I am trying to create a separate group called "WebVPNuser" and enable WebVPN permission only for that group and use Local authentication for users in the WebVPNuser group.

What I observe is users (under the WebVPNuser group) do not authenticate using the WebVPNuser group but are authenticated using the base group, which is a Radius server.

I am not sure where I am going wrong. We have other users connecting using the IPsec client without any problem.

8 Replies

ciscocsoc
Level 4

Hi,

This is explained in Appendix B of the config manual.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/config/webvpnap.htm#1008861

"Web VPN uses global authentication and authorization settings, not the settings configured for the group. The first active server, independent of type, is used for authentication and authorization of WebVPN sessions. "

You'll need to make Internal the first global auth method.

Hope this helps

Kind Regards

Catriona

Thanks for your info. I had tried this suggestion before and it had worked.

But I wanted to enable WebVPN only on the "WebVPNuser" group instead of enabling WebVPN in the Base Group, and use the internal database for authentication.

I have made Internal the first auth method. Hope making Internal the first global auth method won't affect other VPN users' authentication.

Appreciate your Help.

Regards,

Raj

I was looking for the same thing... were you able to find some sort of solution to this?

Under Configuration | General | Authentication, you can enable group lookup and choose a delimiter (for example @).

After that you can log in with user@yourgroup.

yourgroup can be the only one able to do WebVPN.

Hope this helps you.

Morgan.

If this is the only way, it means I cannot separate my WebVPN users into distinct groups, doesn't it?

I would like to find a way of assigning WebVPN users to different groups in a secure way; because even if I configure the Radius server to return the right Class Attribute (Class="OU=;"), it seems to be ignored (at least for WebVPN connections): users logging in as user@anygroup get the attributes of that group, if the group authorizes WebVPN!

You can create different internally configured groups and put users in these groups (for example to have different ACLs):

user1@group1

user2@group2

These groups have to be internally configured because I don't think you can assign WebVPN attributes by Radius server (so your Radius attribute will be ignored).

Regards.

I was able to partially resolve this issue. To assign users to a different group (using WebVPN) we will need to pass group information during RADIUS authentication.

However, what I was not able to resolve was having some WebVPN users authenticate using the Local database and some on the Radius server. I tried different ways like using "@" during login. Each time I tried to log in, by default the VPN concentrator passes the info to the Radius server, which rejects it as there are no users defined on the Radius server.

Take a group "webvpn" internally configured.

Create locally a user called "local" that you assign to this group and on the Radius server a user called "external".

If you choose the option "strip group" on the global authentication parameters on your VPN 3000, you will be able to log on using either "local" or "external@webvpn".

If you don't use "strip group", you have to create a user "external@webvpn" on the Radius server (this can be interesting if you want to put the same account in different groups).

Regards,

Morgan.
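A constructed model of the group-lookup and "strip group" behaviour described in the last two posts (the local/external pair, the @ delimiter, and the base-group fallback from the original question), added here as an illustration and not code from Cisco or from anyone in the thread. The user names, groups and the two user stores are made up; nothing talks to a real concentrator or RADIUS server, and the assumption that the internal store is consulted before RADIUS is made only to keep the model simple.

```python
# Constructed model of VPN 3000 WebVPN group lookup with a "@" delimiter and
# the "strip group" option. All names below are assumptions for illustration.

DELIMITER = "@"

# Constructed internal (local) user database: user -> assigned group
INTERNAL_USERS = {"local": "webvpn"}
# Constructed RADIUS user store: names the external server would accept
RADIUS_USERS = {"external"}
# Constructed groups: group -> whether WebVPN is permitted for it
GROUPS = {"base": False, "webvpn": True}


def split_login(login, delimiter=DELIMITER):
    """Group lookup: 'user@group' -> ('user', 'group'); no delimiter -> (login, None)."""
    if delimiter in login:
        user, _, group = login.rpartition(delimiter)
        return user, group
    return login, None


def webvpn_login(login, strip_group=True, radius_users=None):
    """Return (accepted, group, reason) for one WebVPN login attempt.

    strip_group=True  -> only the bare user name is sent to the auth store
    strip_group=False -> the full 'user@group' string is sent unchanged
    The group comes from the login suffix (or the local user's assignment),
    never from a RADIUS Class attribute, as the thread observes.
    """
    radius_users = RADIUS_USERS if radius_users is None else radius_users
    user, group = split_login(login)
    name_for_server = user if strip_group else login

    # Assumption for the model: internal store first, then RADIUS.
    if name_for_server in INTERNAL_USERS:
        group = group or INTERNAL_USERS[name_for_server]
    elif name_for_server in radius_users:
        pass  # RADIUS accepted the name; group still comes from the suffix
    else:
        return False, None, f"no user {name_for_server!r} in internal or RADIUS store"

    if group is None:
        group = "base"  # no suffix: the concentrator applies the base group

    if not GROUPS.get(group, False):
        return False, group, f"group {group!r} does not permit WebVPN"
    return True, group, "ok"
```

Without "strip group", the RADIUS store must hold the full "external@webvpn" name for that login to succeed, which is the case Morgan describes in his last paragraph.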