
Bookmark Smart Tunnel with SSO (WebVPN)

j_puzio42
Level 1

Hello - I have been working for the past few weeks on implementing our WebVPN (Clientless SSL VPN) solution and we are just about finished except for one issue we are running into.  We have a bookmark list that we have enabled the auto sign-in server list for.  When setting these bookmarks and leaving Smart Tunnel unchecked, the Single Sign On works fine.  Once we set the Smart Tunnel option, the SSO breaks and users are prompted for credentials.

We have found that we need to use Smart Tunnels on our bookmarks because Cisco injects code into site pages, which causes undesired effects (OWA rendering issues, internal sites built in .NET utilizing JavaScript have problems).

Any ideas on how to either stop the code injection into pages, or enable Smart Tunnel and have SSO work would be great.  Thanks for any help.

4 Replies

Dear Joseph,

Please check this out:

To create a list of hosts to which smart-tunnel automatically submits credentials, use the smart-tunnel auto-signon list command in webvpn configuration mode.

smart-tunnel auto-signon <list> [use-domain] {ip <ip-address> [<netmask>] | host <hostname-mask>}

To enable/disable servers on a group-policy, use CLI:

smart-tunnel auto-signon enable <list> [domain <domain>]

*Only available since 8.4.

Example:

ASA(config-webvpn)# smart-tunnel auto-signon ServersA ip 1.1.1.1 255.255.255.0

ASA(config-webvpn)# smart-tunnel auto-signon ServersA host *.test.com

ASA(config)# group-policy TEST attributes

ASA(config-group-policy)# webvpn

ASA(config-group-webvpn)# smart-tunnel auto-signon enable ServersA

Please keep in mind that this feature is not always reliable, so if further issues appear I would recommend opening a TAC case.

Let me know.

Please rate this post if you find it useful.
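
An added example (not from the thread or from Cisco): a Python check over a constructed config excerpt that shows which targets a smart-tunnel auto-signon list would submit credentials to, and which group-policies enable a list that is never defined. Group-policy OTHER, list ServersB, and the shell-style matching of host masks are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed config excerpt; group-policy OTHER and list ServersB are hypothetical.
SAMPLE_CONFIG = """\
webvpn
 smart-tunnel auto-signon ServersA ip 1.1.1.1 255.255.255.0
 smart-tunnel auto-signon ServersA host *.test.com
group-policy TEST attributes
 webvpn
  smart-tunnel auto-signon enable ServersA
group-policy OTHER attributes
 webvpn
  smart-tunnel auto-signon enable ServersB
"""

def parse(config):
    """Return (lists, enabled): list name -> entries, group-policy -> list name."""
    lists, enabled, policy = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if line and not line[0].isspace():  # top-level line: enter or leave a policy
            is_gp = len(tok) == 3 and tok[0] == "group-policy" and tok[2] == "attributes"
            policy = tok[1] if is_gp else None
        elif tok[:2] == ["smart-tunnel", "auto-signon"]:
            args = [t for t in tok[2:] if t != "use-domain"]
            if len(args) >= 2 and args[0] == "enable" and policy:
                enabled[policy] = args[1]
            elif len(args) >= 3 and args[1] == "ip":
                mask = args[3] if len(args) > 3 else "255.255.255.255"
                net = ipaddress.ip_network(f"{args[2]}/{mask}", strict=False)
                lists.setdefault(args[0], []).append(net)
            elif len(args) >= 3 and args[1] == "host":
                lists.setdefault(args[0], []).append(args[2].lower())
    return lists, enabled

def receives_credentials(lists, name, target):
    """True if target (IP or hostname) matches an entry of list `name`."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    # Assumption: host masks behave like shell-style wildcards.
    return any(fnmatch(target.lower(), e) if isinstance(e, str)
               else (addr is not None and addr in e)
               for e in lists.get(name, []))

def undefined_lists(config):
    """Group-policies that enable a list name with no matching definition."""
    lists, enabled = parse(config)
    return {p: n for p, n in enabled.items() if n not in lists}
```

With the mask from the reply's example, the `ip 1.1.1.1 255.255.255.0` entry parses as the whole 1.1.1.0/24 network, so every host in that range is a candidate for automatic credential submission.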

Thank you very much for the quick response!  We should be able to test this tonight after hours.  I will let you know how it goes. 

So we tested the smart tunnel auto-sign in list and our users are still being prompted for credentials when clicking on bookmarks.  The strange part is, this occurs only through desktop and laptop browsers.  Mobile devices do not prompt for credentials and go directly into the site.

We did have SSO working outside of smart tunnels, so is there a way to disable the code injection into our internal sites? 

Thank you.

dino.mumfrey
Level 1

I have a similar problem, but I have the need to inject the domain into a Web Bookmark, but cannot get auto-sign-on to work with Smart Tunnel or a normal Bookmark...

So with Smart Tunnels, does that mean they have to launch the link from outside the portal bookmark (like in a new tab or window)? Or will the Smart Tunnel auto-sign-on work with the actual Web Bookmark links as well?