05-14-2024 01:52 AM
Hello, friends.
We have encountered a very interesting problem.
We have a page on the Internet through which passwords are being collected, and as a consequence users are being blocked on RADIUS. We need this page to allow users to download the AnyConnect client for different operating systems.
We realize that we can block this page, but that would add to our problems.
Can you tell me if anyone has encountered a solution to this problem?
Is it possible to solve this problem in this way: authorization under a common login and password not tied to profiles and RADIUS (local AAA)?
05-14-2024 02:02 AM
You can disable it and try using any MDM or SCCM to distribute the VPN packages to devices. Would this work?
05-15-2024 11:11 PM
Hello, can you show an example of how to do it, or send me a link to the instructions, please?
05-17-2024 02:23 AM
This issue has been discussed many times on this forum. Switching to LOCAL AAA won't help much, in the sense that intruders will continue trying to guess the passwords of users configured locally on the ASA. If the passwords are complex, they won't succeed. The ASA won't lock out the corresponding accounts by default. In this sense, switching to LOCAL will help.
The comprehensive solution is to 1) upgrade the ASA to a release with the corresponding WebVPN vulnerabilities fixed; 2) use certificate authentication in the default tunnel groups (connection profiles); 3) not use the default tunnel groups for connections and create your own tunnel groups instead; 4) not use the group-alias binding method and use the group-url method instead; 5) use cert+AAA authentication for users if possible; 6) for the AAA component of cert+AAA authentication, use OTP.
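As an added configuration example (not the poster's own configuration, and not a complete ASA config), here is what points 2 through 6 of that list look like in ASA CLI. The tunnel-group names, the group policy CORP-VPN-POLICY, the RADIUS server address 10.10.10.5, the shared secret and the URL vpn.example.com are placeholders; the CA trustpoint that issues user certificates is assumed to be configured already.

```cisco
! Added example, not the poster's configuration. Names, IPs and URLs are placeholders.
! Goal: stop password guessing against the default connection profile and move real
! users to a custom tunnel group selected by group-url, with cert + OTP over RADIUS.

! Default connection profile accepts certificates only, so a username/password
! submitted to the default URL is never forwarded to RADIUS (no lockouts from it).
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate

! Do not list connection profiles in the portal drop-down (no group-alias exposure).
webvpn
 no tunnel-group-list enable

! RADIUS server group that fronts an OTP/MFA service (assumed address and secret).
! The longer timeout gives the user time to approve a push or type a code.
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 10.10.10.5
 key PLACEHOLDER-SHARED-SECRET
 timeout 60

! Custom connection profile for real users: certificate AND AAA (OTP),
! reachable only through its group-url, never through a group-alias.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group OTP-RADIUS
 default-group-policy CORP-VPN-POLICY
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 username-from-certificate CN
 pre-fill-username client
 group-url https://vpn.example.com/corp enable
```

With this in place, `show aaa-server OTP-RADIUS` and a test login at https://vpn.example.com/corp confirm that only certificate holders reach the RADIUS/OTP step, and `show vpn-sessiondb anyconnect` shows sessions bound to CORP-VPN rather than the default group. The trade-off for the original question is that the public page no longer offers an anonymous AnyConnect download: users without a certificate cannot pass the default profile, so the client has to be distributed another way, for example the MDM/SCCM approach suggested earlier in the thread.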