10-23-2009 11:08 AM - edited 02-21-2020 03:45 AM
Is there a way to allow access to Clientless (webvpn) for some users but not to AnyConnect? We want power users to use AnyConnect and normal users to use the Clientless. Right now all users can access either one. We're using IAS RADIUS for authentication. Thanks.
10-23-2009 11:27 AM
terryfojas- Sorry to jump in on your posting but was wondering if you could help me. How do you have IAS RADIUS set up? We are trying to do that in our office but it fails. Thank you.
Jim
10-23-2009 11:43 AM
On IAS:
- Create a client that points to your ASA's IP
- Client-vendor is RADIUS Standard
- Check that shared secret matches your ASA's
- Create a Remote Access Policy with "Grant remote access permission" checked.
On ASA:
Enter your IAS' IP on ASDM-Config, Device Management, Users/AAA, AAA Server Groups
10-27-2009 06:16 AM
I have it set up but when I test it to authenticate a user I get this error message- ERROR: Authentication Rejected:AAA failure.
Our network admin says the IAS is set up to use MS-CHAPv2, but the ASA is sending it via PAP. Can we force MS-CHAP or are we stuck with PAP?
10-30-2009 01:45 PM
tunnel-group yourvpngroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
11-03-2009 12:56 PM
Thank you for responding and for your help.