Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5439
Views
5
Helpful
2
Replies

Allow user to select connection profile

schnap
Level 1
Level 1

‎09-05-2013 12:41 PM

Hi,

I want to know the exact behavior of the option:

Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile for the VPN SSL.

At the moment, this option is unchecked in the AS 5585 and we have only one profile "DefaultWEBVPNGroup".

I want to define a new group " test" by example and checked this option "Allow user to select connection profile .... "

I want to know if all user will now need to choose a profile or only the person who need to connect with the test profile ?

Is the portion of the statement " Otherwise,DefaultWebVPNGroup will be the connection profile for the VPN SSL. " is applicable when we check the option or if we don't check this option.

Thanks,                   

Labels:
0 Helpful
2 Replies 2

Jeet Kumar
Cisco Employee
Cisco Employee

‎09-05-2013 05:51 PM

Hi,

I believe you are reffering to the following:

If you have checked the allow user to select then you need to configure the Alias for the connection profile and next time the user will connect he would see that alias configured there. If there are multiple connection with the group-alias configured than you will see a drop down list and the user can select the group he want to connect to.

If you do not select this option than no matter how many connection profile you will configure the connect will always land on the DefaultWebVPNGroup profile.

If you do not wan to use the group alias you also have the option to configure a group-url. If you configure a group-url then you don't check "allow user to select connection profile". you can configure a url and use that url to connect in that user will not know how many other profiles are there.

to configure the group-url you need to do the following:

I hope this will answer your query.

Thanks

Jeet Kumar

sansarav720e
Level 1
Level 1

‎09-05-2013 08:52 PM


Hi

  Have  you got FQDN for your VPN SERVER IP address , if yes you can specific your Group URL for each group ,where other group will be unknown to end user .

One advantage of using group-url over group-alias (group drop-down) is that you do not expose the group names as the latter method does.

How do you configure the group-url if the ASA VPN gateway is behind a NAT device?

Answer:

The host/URL that the user enters will be used for the group mapping. Therefore, you have to use the NAT'd address, not the actual address on the ASA's outside interface. The best alternative is to use FQDN instead of IP address for group-url mapping.

All mapping is implemented on HTTP protocol level (based on information the browser sends) and a URL is composed to map from information in incoming HTTP headers. The host name or IP is taken from the host header and the rest of the URL from the HTTP request line. This means that the host/URL the user enters will be used for the group mapping.

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml#cli2

      

HTH

Santhosh Saravanan

HTH Regards Santhosh Saravanan
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents