ASA - Logging WebVPN entry URLs

shanepresley
Level 1

We have a Cisco ASA, and are using it for several WebVPN (a.k.a SSL VPN) connections.

Based on the URL, they are placed in various group profiles. For example https://asa.mydomain.com/test will put them in the Test connection profile, while https://asa.mydomain.com/prod will put them in the Prod connection profile.

This is working fine, however, we'd like to be able to log (in the ASA log) the exact URL a user used to begin their session. Is that possible?

5 Replies

Todd Pula
Level 7

You can use syslog messages 716003 and 716004, however, the format of the message will not show the connection as https://asa.mydomain.com/test. Instead, it will show something like this:

Jun 26 2009 02:46:44 716003 Group User IP WebVPN access GRANTED: post://z.z.z.z/

http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wpxref52735
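As an added example (not part of the thread), here is a small Python parser that runs over constructed 716003/716004 syslog lines, tallies which users ended up in the catch-all group, and makes the limitation above visible: the recorded URL carries only the scheme and host, never the path the user typed. The sample lines, hostnames, the exact wording of the DENIED variant and the catch-all group name DefaultWebVPNGroup are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). The Group / User / IP /
# URL field order follows the 716003/716004 messages; the DENIED wording is assumed.
SAMPLE_LOG = """\
Jun 26 2009 02:46:44 asa1 %ASA-6-716003: Group <Test> User <alice> IP <203.0.113.10> WebVPN access GRANTED: https://asa.mydomain.com/
Jun 26 2009 02:47:01 asa1 %ASA-6-716003: Group <DefaultWebVPNGroup> User <bob> IP <203.0.113.11> WebVPN access GRANTED: https://asa.mydomain.com/
Jun 26 2009 02:47:30 asa1 %ASA-6-716004: Group <Prod> User <carol> IP <203.0.113.12> WebVPN access DENIED to specified location: https://asa.mydomain.com/
Jun 26 2009 02:48:12 asa1 %ASA-6-716003: Group <DefaultWebVPNGroup> User <dave> IP <203.0.113.13> WebVPN access GRANTED: https://asa.mydomain.com/
Jun 26 2009 02:48:20 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.13/51234
"""

# One pattern covers both message IDs; 716004 inserts "to specified location" before the colon.
WEBVPN_RE = re.compile(
    r"%ASA-\d-(?P<id>71600[34]): Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<ip>[^>]*)> WebVPN access (?P<result>GRANTED|DENIED)"
    r"(?: to specified location)?: (?P<url>\S+)"
)


def parse_webvpn_events(text):
    """Return one dict per 716003/716004 line; unrelated messages are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := WEBVPN_RE.search(line))]


def users_in_catch_all(events, catch_all="DefaultWebVPNGroup"):
    """Map user -> set of URLs the ASA recorded for sessions granted in the catch-all group.

    Because the URL field holds only scheme and host, a mistyped path cannot be
    recovered here; the function only shows who fell through to the default.
    """
    hits = defaultdict(set)
    for ev in events:
        if ev["result"] == "GRANTED" and ev["group"] == catch_all:
            hits[ev["user"]].add(ev["url"])
    return dict(hits)


def count_by_group(events):
    """Tally (group, result) pairs so a spike in catch-all logins stands out."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["group"], ev["result"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_webvpn_events(SAMPLE_LOG)
    for user, urls in users_in_catch_all(evs).items():
        print(f"{user} landed in the catch-all group via {sorted(urls)}")
    print(count_by_group(evs))
```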

Interesting thanks, that puts me on the right track.

However, we're actually having a problem with users claiming they used the correct URL -- but we see them getting put into the Default WebVPN group.

I'm sure the ASA is functioning correctly. But we'd like proof of what URL the user started their session with (to check for typos, extra characters, etc).

Not possible?

This isn't possible. If I had to guess without seeing your config, you are only using Group URLs as opposed to aliases and the selection drop down. In a case like this, users accessing the FQDN such as http://vpn.yourcompany.com will default to the DefaultWebVPNGroup connection profile. If there are no session limits configured on this policy and the authentication is configured the same, then the user will be permitted access. You could use the DefaultWebVPNGroup as a catch all and set the simultaneous login to 0 in the policy to restrict access. A better approach would be to look into group locking.

Very helpful, thanks! I forgot about group locking. Is my understanding correct...essentially it uses my radius attribute tag to determine the group, regardless of Group URL?

Correct. You can use Radius Class Attribute #25 to specify the group policy that the user belongs to. The group policy on the ASA can then be configured with a group lock. With Cisco ACS 4.x, you can also use Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock to lock the user to a specific tunnel group.