05-25-2015 06:52 AM - edited 02-21-2020 08:14 PM
Hi All,
Two quick questions here that I need help with.
1. In an ASA 5525, is it possible to have multiple group-policies to a single Connection profile?
Scenario: One of our clients is running F5 Firepass for their VPN solution and that device is used by them to have multiple group-policies per Connection Profile. We are planning to migrate them to ASA (5525) and I'm not sure if the ASA can support that.
2. In an ASA 5525 for Clientless Remote Access VPN, can we forward the login page to an external server? For example, if I have a connection profile set up with a URL: "https://wyz.vpn.com/" for LDAP/Radius authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test I want HTTP form based authentication and this page needs to be sent to an external server, i.e. ASA will not handle that page but rather the front page for this will be served by the external server.
Scenario: One of our clients is running F5 Firepass for their VPN solution. On the F5 they have set up pages such as https://wyz.vpn.com/ which the F5 shows to the user when they connect via clientless VPN; however, if the user types in https://wyz.vpn.com/data into the browser, the traffic comes to the F5, but the F5 redirects this traffic to an external server (with an external URL as well). It is then this external server that forwards the front page to the user requesting authentication credentials for HTTP form based authentication.
Thanks in advance all!!
05-25-2015 11:56 PM
Hi,
I am not sure what you are trying to achieve with point 1, and for point 2 ASA can do limited stuff but complete redirection is not possible at this time.
What ASA can do: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/portal.pdf
HTH
Abaji.
05-27-2015 07:53 AM
Hi,
Thanks for that. Also, would you happen to know if a connection profile can have more than one authentication method? The client wants the primary authentication method to be HTTP form based authentication and if the user fails to input those credentials he can use RSA. I know that for a connection profile I can have the local user as a fallback authentication mechanism, but can we have RSA as a fallback?
Thanks!
05-27-2015 09:14 AM
Hi,
You can have fall-back to primary method as LOCAL only.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_servers.html#pgfId-1053533
HTH
Abaji.
05-29-2015 12:25 AM
Hi,
Thank you very much for the help.