06-18-2009 03:49 AM
We have a Cisco ASA, and are using it for several WebVPN (a.k.a SSL VPN) connections.
Based on the URL, they are placed in various group profiles. For example https://asa.mydomain.com/test will put them in the Test connection profile, while https://asa.mydomain.com/prod will put them in the Prod connection profile.
This is working fine, however, we'd like to be able to log (in the ASA log) the exact URL a user used to begin their session. Is that possible?
06-24-2009 07:19 AM
You can use syslog messages 716003 and 716004, however, the format of the message will not show the connection as https://asa.mydomain.com/test. Instead, it will show something like this:
Jun 26 2009 02:46:44 716003 Group
http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wpxref52735
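As an added illustration of what can be done with these two message IDs (this is not code from the thread or from Cisco), the following parser pulls the connection profile, user, source IP and URL out of 716003/716004 lines and flags sessions that were granted under the catch-all DefaultWebVPNGroup, which is the symptom being troubleshot here. The message layout is assumed from the ASA system message guide and should be checked against your own logs; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout (ASA system message guide; verify against real logs):
#   %ASA-6-716003: Group <g> User <u> IP <ip> WebVPN access GRANTED: <url>
#   %ASA-6-716004: Group <g> User <u> IP <ip> WebVPN access DENIED to specified location: <url>
WEBVPN_ACCESS = re.compile(
    r"%ASA-\d-(?P<id>71600[34]): Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"WebVPN access (?P<verdict>GRANTED|DENIED)(?: to specified location)?: (?P<url>\S+)"
)

def parse_webvpn_access(line):
    """Return the fields of a 716003/716004 line as a dict, or None for any other message."""
    m = WEBVPN_ACCESS.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    return rec

def find_default_group_landings(lines, default_group="DefaultWebVPNGroup"):
    """List (user, ip, url) for sessions granted under the catch-all connection profile.

    A user who claims to have typed https://asa/test or https://asa/prod but shows up here
    did not match any group URL, e.g. because of a typo or a trailing character.
    """
    hits = []
    for line in lines:
        rec = parse_webvpn_access(line)
        if rec and rec["verdict"] == "GRANTED" and rec["group"] == default_group:
            hits.append((rec["user"], rec["ip"], rec["url"]))
    return hits

def summarize(lines):
    """Count granted sessions per connection profile to spot drift into the catch-all."""
    recs = (parse_webvpn_access(l) for l in lines)
    return Counter(r["group"] for r in recs if r and r["verdict"] == "GRANTED")

# Constructed sample lines in the assumed format (not taken from the thread).
SAMPLE_LOG = [
    "Jun 26 2009 02:46:44 asa01 %ASA-6-716003: Group Test User alice IP 10.1.1.5 WebVPN access GRANTED: https://intranet.mydomain.com/",
    "Jun 26 2009 02:47:10 asa01 %ASA-6-716003: Group DefaultWebVPNGroup User bob IP 10.1.1.9 WebVPN access GRANTED: https://intranet.mydomain.com/",
    "Jun 26 2009 02:48:02 asa01 %ASA-6-716004: Group Prod User carol IP 10.1.1.12 WebVPN access DENIED to specified location: https://finance.mydomain.com/",
    "Jun 26 2009 02:48:30 asa01 %ASA-6-725007: SSL session with client outside:10.1.1.9/51234 terminated.",
]

if __name__ == "__main__":
    for user, ip, url in find_default_group_landings(SAMPLE_LOG):
        print(f"{user} from {ip} landed in DefaultWebVPNGroup (portal URL {url})")
    print(dict(summarize(SAMPLE_LOG)))
```

Note that, as the reply above says, the URL field is the resource accessed through the portal, not the group URL the user originally typed; the group field is what tells you which connection profile they ended up in.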
06-24-2009 07:47 AM
Interesting thanks, that puts me on the right track.
However, we actually have a problem with users claiming they used the correct URL -- but we see them getting put into the Default WebVPN group.
I'm sure the ASA is functioning correctly. But we'd like proof of what URL the user started their session with (to check for typos, extra characters, etc).
Not possible?
06-24-2009 08:10 AM
This isn't possible. If I had to guess without seeing your config, you are only using Group URLs as opposed to aliases and the selection drop down. In a case like this, users accessing the FQDN such as http://vpn.yourcompany.com will default to the DefaultWebVPNGroup connection profile. If there are no session limits configured on this policy and the authentication is configured the same, then the user will be permitted access. You could use the DefaultWebVPNGroup as a catch all and set the simultaneous login to 0 in the policy to restrict access. A better approach would be to look into group locking.
06-29-2009 08:18 AM
Very helpful, thanks! I forgot about group locking. Is my understanding correct...essentially it uses my radius attribute tag to determine the group, regardless of Group URL?
06-29-2009 09:48 AM
Correct. You can use Radius Class Attribute #25 to specify the group policy that the user belongs to. The group policy on the ASA can then be configured with a group lock. With Cisco ACS 4.x, you can also use Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock to lock the user to a specific tunnel group.