Clientless SSL VPN Disable issues with SAML Implementation

JoeTheInfraGuy
Level 1

Hi, I'm currently in the process of moving RADIUS-based authentication (on an ASA 5516-X) to SAML, to use with Duo to enable Trusted Endpoints and the Health app in a UK organization. Currently there are attempts to authenticate via the US via Duo over RADIUS; I've reached out to our vendor and we've reached out to Duo and have yet to find the problem. We are certain moving to SAML will stop the fraudulent attempts.

The issue we have currently is that when we authenticate via SAML through Duo, we are forwarded back to the base URL of the firewall, which is currently inaccessible due to Clientless/WebVPN being disabled (Russian addresses were attempting to breach the login page). Is there a way to secure the clientless page to internal addresses only, as disabling it on the external interface while live also stopped the client-based VPN connection from working? If not, is there a way to reroute the login to another page instead of the "forbidden" page? At this part of the process the authentication fails. We have an ASA 5516-X that is managed internally and is on an older firmware version; the SAML VPN can initialize on this firewall, however the forbidden page is still given. I'm aware of options like Cisco Umbrella to geo-block addresses so that we can have the page open, however ideally we need to secure this without incurring extra cost if possible.

Thanks for the support, and I look forward to hearing back from the community!

2 Replies

Milos_Jovanovic
VIP Alumni

Hi @JoeTheInfraGuy,

I'm not convinced that disabling Clientless VPN is what is causing your issues. I've implemented SSO multiple times, and not once did I have WebVPN enabled, so it could be something else in your case.

Have you followed the Duo guide for configuration? It is important to correctly set the BaseURL and Tunnel-group, as this is where assertions are sent back to from Duo (or any other SSO provider).

Kind regards,

Milos
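
To illustrate the point about BaseURL and Tunnel-group, here is an added example of the shape of an ASA SAML configuration; it is not configuration from this thread, from Duo's guide, or from either poster. The hostname vpn.example.com, the tunnel-group name DUO-SAML, the trustpoint names DUO-IDP-CERT and ASA-SP-CERT, and the angle-bracket IdP values are placeholders to be replaced with the real values from the Duo admin panel.

```text
! Added example, not from the thread. Placeholders: vpn.example.com, DUO-SAML,
! DUO-IDP-CERT, ASA-SP-CERT and every <...> value (taken from the Duo admin panel).
webvpn
 enable outside
 tunnel-group-list enable
 ! The IdP definition; the entity ID string here is reused below under the tunnel-group.
 saml idp <IdP entity ID from Duo>
  url sign-in <IdP single sign-on URL from Duo>
  url sign-out <IdP single logout URL from Duo>
  ! base-url is the scheme + hostname the IdP will redirect the browser back to.
  ! It must be the FQDN users actually connect to, not an internal name or IP.
  base-url https://vpn.example.com
  ! Certificate the IdP signs assertions with (imported as a trustpoint).
  trustpoint idp DUO-IDP-CERT
  ! Certificate the ASA presents as the SP.
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication
!
tunnel-group DUO-SAML type remote-access
tunnel-group DUO-SAML webvpn-attributes
 authentication saml
 ! Must match the "saml idp" entity ID above exactly.
 saml identity-provider <IdP entity ID from Duo>
 group-alias DUO-SAML enable
```

With these values the ASA derives its SP entity ID as https://vpn.example.com/saml/sp/metadata/DUO-SAML and its Assertion Consumer Service URL as https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=DUO-SAML; those two strings are what has to be registered on the Duo side. If base-url differs from the hostname the IdP redirects to, or the tunnel-group name in the registered ACS URL differs from the one configured, the assertion is posted to a URL the ASA does not serve and the login fails after the IdP step. The ACS URL is served by the WebVPN listener on that interface, which is why `enable outside` under `webvpn` has to stay on even when no clientless portal is wanted; `show webvpn saml idp` shows what the ASA has loaded for the IdP.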

JoeTheInfraGuy
Level 1

Hi @Milos_Jovanovic, I've followed the guide as suggested. I will retrace the steps to make sure there hasn't been a misconfiguration; it's just strange that it works on the test firewall on older firmware than the production ones we have with the most up-to-date firmware. We've raised the firmware issue with TAC via our 3rd-party support provider. I know for sure the BaseURL and Tunnel-group are correct, as this was the first thing we checked.