10-03-2007 01:57 AM - edited 02-21-2020 01:42 AM
Hi.
Has anyone set up ACS security for SSL/WebVPN Tunnel Groups on the ASA?
I want to set up multiple tunnel groups for different SSL VPNs and control Authentication via ACS.
How do I ensure that when the user has Authenticated, he can only access a particular Tunnel Group?
There doesn't appear to be any way to tie the username with the allowed tunnel on the ASA.
With IPSEC VPN - the client provides the group and corresponding pre-shared key to associate the user with an IPSEC Tunnel, but this doesn't work for SSL.
Thanks.
Mick.
10-04-2007 06:10 AM
Hi,
I'm able to do that using Microsoft AD (as LDAP) and Microsoft IAS (as RADIUS) with over 100 tunnel groups and thousands of users.
- User can be a member of only one tunnel group (limitation).
- Each tunnel group has ACL/ACE to allow access only to specific host(s)/network(s) and services/ports.
- There is no drop-down list of tunnel groups in the login page. Give and take though, all tunnel groups will be sharing one vpn pool. If I want dedicated vpn pool for each tunnel group, the drop-down list is a must.
Regards,
Dandy
10-22-2007 03:22 AM
Can you elaborate a bit more on how this is accomplished?
I am using RADIUS to A/D or NDS on my usual setups, but I too would like to know how the username is associated with the Tunnel Group.
Many thanks,
Peter.