Cisco ASA Group-Policy understanding

Marco Serato
Level 1

Hello Community
My question is about group policies for SSL VPN and the web portal (AnyConnect download).
Is the web portal automatically enabled when SSL VPN is active?
I would like to use RADIUS for authentication for the web portal. What does the ASA expect in the result? In which places can I configure settings for the web portal?
I'm not quite sure how this works with group policy and the web portal (downloading AnyConnect). Does this also fall under the SSL VPN tunneling protocol? If a group policy is expected, according to best practice, is it better to use a separate group policy or the same one as for the SSL VPN in the RADIUS result?

The web portal to download the AnyConnect doesn't count under Clientless VPN, does it?

Can the web portal be turned off if SSL/TLS is also used for the AnyConnect?

 

Greetings Martin

7 Replies

balaji.bandi
Hall of Fame

Do you want to use RADIUS authentication with your AD users?

Follow the example guide below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98594-configure-radius-authentication.html

So the client does not have the AnyConnect client yet, and you would like to download it; is this what you are looking for as well?

 

BB


Marco Serato
Level 1

I think my questions are not structured enough. Therefore, I have divided them into separate questions. Hope this helps to answer my questions more accurately.

Q1: Is the web portal for downloading the AnyConnect software (e.g. https://myvpnportal.com/vpnaccess) automatically enabled when SSL VPN is active?

Q2: What does the ASA expect in the result to allow a user to log in to the web portal (AnyConnect download)?

Q3: In which places can I configure settings for the web portal (e.g. https://myvpnportal.com/vpnaccess)?

Q4: Does the web portal (e.g. https://myvpnportal.com/vpnaccess) fall under the SSL VPN tunneling protocol?

Q5: The web portal to download the AnyConnect is not clientless VPN?

Q6: If a group policy is expected in the RADIUS result to access the web portal, according to best practice, is it better to use a separate group policy or the same one as for the SSL VPN?

Q7: Can the web portal be turned off if SSL/TLS VPN is also used for the AnyConnect?

 

Martin

Q1: The web portal for downloading the AnyConnect software is typically separate from the SSL VPN functionality and is not automatically enabled when SSL VPN is active. You usually configure the web portal separately if you want users to download the AnyConnect client.

Q2: To allow a user to log in to the web portal and download the AnyConnect client, the ASA expects valid authentication credentials (such as a username and password) and authorization based on the configured policies.

Q3: You can configure settings for the web portal in the Cisco ASA through the ASDM/CLI. You specify the web portal settings, including the URL, authentication methods, and policies.

Q4: The web portal used for downloading the AnyConnect client is not considered an SSL VPN tunneling protocol itself. It is a portal through which users can access resources related to SSL VPN, such as client downloads and possibly documentation etc.

Q5: The web portal used to download the AnyConnect client is not a clientless VPN. A clientless VPN allows users to access resources via a web browser without installing a dedicated VPN client. In this case, users are downloading a VPN client (AnyConnect) through the web portal.

Q6: Whether you should use a separate group policy or the same one as for SSL VPN depends on your specific requirements and security policies. If you want to enforce different settings or access controls for users accessing the web portal compared to those using SSL VPN, it's advisable to use a separate group policy.

Q7: Yes, I think so; you can turn off the web portal functionality while still using SSL/TLS VPN for AnyConnect. The web portal and the SSL VPN functionality are separate components, and you can configure them independently. Disabling the web portal does not affect the SSL/TLS VPN functionality, which allows users to connect using the AnyConnect client.

Before implementing these, I strongly suggest you have a change window or at least test in a lab environment.

Please do not forget to rate.

Q1: Can I also control for which connection profile the portal is active? Currently, the web portal is active for all connection profiles, even if it is not required for all of them.

Q3: Is it also possible to set what is displayed in the web portal? Unfortunately, I have found nothing there to hide or show content.

Q6: Is the group policy returned via RADIUS also configured under "Configuration > Remote Access VPN > Network (Client) Access > Group Policies"? Here I have the question whether all the settings in the group policy are applied/necessary (e.g. split tunnel, DNS server, Secure Client, IPsec, ...).

When you configure SSL VPN, whether with AnyConnect or as a clientless VPN, the ASA activates the web portal. In the case of AnyConnect VPN, the web portal itself is not responsible for establishing the VPN tunnel; it would only be used to download the AnyConnect client. So shutting down the web portal will not prevent the AnyConnect clients from connecting to the firewall.

The portal can be shut down with the command "keepout" under the webvpn section, and it can also be shut down via ASDM from "Configuration > Connection Profiles > Shutdown portal login page". You can add an informative message for the users stating that there are no available web services on this firewall or something similar, or you can just leave it blank without presenting any message.

It is good practice to shut down that web portal unless you have a 2FA authentication method configured on the firewall. The reason behind this is that, unfortunately, the ASA and still the FTD do not provide any geo-protection mechanism for traffic destined to themselves. For example, if you want to block traffic to the firewall web portal from all over the world and allow it from a single country, you cannot do this easily with the firewalls. You could rely on the control plane access lists, but honestly they are not practical to use. Check out this post of mine if you are interested in knowing more about this:

Using the Firepower geolocation | Blue Network Security (bluenetsec.com)

When the users open the web portal, they see the login page by default; however, if you have multiple tunnel groups (not group policies) configured, then the users will see the tunnel group drop-down menu where they can select the tunnel group they belong to. This allows, say, segregating the users' access: for example, the normal end user selects the Users tunnel group, and the IT admin selects the IT tunnel group. You can change the names displayed in the drop-down menu; those can be changed by creating aliases of the configured tunnel groups.

With regard to authenticating against RADIUS, or even 2FA, that will be part of the tunnel group configuration you apply, specifically the authentication server you associate with the tunnel group.

Is it also possible to turn off the web portal completely, so that no page is displayed at all?

As mentioned above, with SSL VPN, whether with AnyConnect or as a clientless VPN, the ASA activates the web portal. In my previous deployment, to move away from SSL AnyConnect, I reconfigured AnyConnect with IKEv2 and later disabled the SSL web portal. With that done, no SSL VPN web portal page is displayed.

 

Here is the link: https://community.cisco.com/t5/security-knowledge-base/asa-anyconnect-ikev2-configuration-example/ta-p/3117462/page/2

Please do not forget to rate.
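The configuration the two replies above describe (RADIUS server bound to the connection profile, one group policy for the tunnel settings, tunnel-group aliases for the portal drop-down, and "keepout" to shut the portal login page while the AnyConnect tunnel keeps working), put together as an added example. This is not configuration from the thread or from Cisco; every name and address in it (RADIUS-SRV, 10.0.0.10, VPN-POOL, SPLIT-ACL, GP-ANYCONNECT, TG-USERS, TG-IT, the package file name and the shared secret) is a placeholder.

```text
! Added example, not from the thread. All names, addresses and secrets are placeholders.

! RADIUS server group; the tunnel group below points at it for authentication.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key CHANGE-ME-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
access-list SPLIT-ACL standard permit 10.0.0.0 255.255.0.0

! One group policy carries the tunnel settings (protocol, split tunnel, DNS).
! This is the object a RADIUS result can hand back to the ASA.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 dns-server value 10.0.0.53
 default-domain value example.com

! The SSL listener that both the portal and the AnyConnect tunnel use.
webvpn
 enable outside
 anyconnect image disk0:/PLACEHOLDER-anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
 ! Shut the portal login page; the AnyConnect tunnel still connects on 443.
 keepout "No web services are available on this device."

! Connection profiles (tunnel groups). The alias is the name the drop-down shows;
! a tunnel group without an alias is not listed there.
tunnel-group TG-USERS type remote-access
tunnel-group TG-USERS general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy GP-ANYCONNECT
tunnel-group TG-USERS webvpn-attributes
 group-alias Users enable

tunnel-group TG-IT type remote-access
tunnel-group TG-IT general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy GP-ANYCONNECT
tunnel-group TG-IT webvpn-attributes
 group-alias IT enable
```

Two points a practitioner would check after pasting this. First, a group policy returned by RADIUS only takes effect if an object with that exact name exists on the ASA, so the name in the RADIUS reply (the ASA reads it from the standard Class attribute in the form OU=GP-ANYCONNECT; or from the Cisco VSA Group-Policy) must match the group-policy line above; a user whose reply names no policy falls back to the default-group-policy of the tunnel group they picked. Second, "keepout" hides the login page but leaves TCP/443 open on the outside interface; if the aim of the last reply is reached instead (IKEv2 only), change vpn-tunnel-protocol to ikev2 and remove the listener with no enable outside under webvpn. The IKEv2 crypto configuration itself is not shown here; the linked knowledge-base article covers it.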