cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Group for Clientless VPN Only

Matthew Martin
Contributor
Contributor

Hello All,

ASA 5525-X

I created a new Group Policy and new Tunnel Group that we want to only be accessible for Clientless VPN access only.

In the Group Policy, under Tunneling Protocols, I only enabled the checkbox (*on ASDM) for Clientless SSL VPN.

However, the Group is still being made available when connecting through the AnyConnect client. Is there anyway to hide this group for those logging in via AnyConnect and have it only display on Clientless logins?

 

Thanks in Advance,
Matt

3 REPLIES 3

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor

So for webvpn there are the following methods to select which tunnel group: group url, group-alias, cert maps.  I think what you are looking for based on description is to disable the group-alias selection.  I would navigate in asdm to: Configuration->RAVPN->Clientless SSL VPN Access->Connection Profiles.  On this page there should be a setting stating something along the lines of: Allow user to select connection via alias.  Disable this and test again.  Note that in doing this your clientless webvpn users will need the group url to browse to.  Example:  < https://xxxx/group1>

HTH!

 

Hey Mike, thanks for the reply.

 

So it sounds like in order to remove the option of being able to select this Group from the AnyConnect VPN login's group selection drop-down box, it needs to be removed from both Client and Clientless Group selections..?

Then, in order to login using this group with WebVPN, those users would have a separate URL to login with. Does that sound accurate?

 

Thanks Again,

Matt

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor

So it sounds like in order to remove the option of being able to select this Group from the AnyConnect VPN login's group selection drop-down box, it needs to be removed from both Client and Clientless Group selections..?

-When you disable it under 'Connection Profiles' in asdm it automatically disables it in both clientless and client.  You can do it in either location.

Then, in order to login using this group with WebVPN, those users would have a separate URL to login with. Does that sound accurate?

-Yes.  In asdm navigate to: Configuration->RAVPN->Clientless SSL VPN Access->Connection Profiles: then select the profile in question. Once selected, click edit, go to advanced, Clientless SSL VPN settings and refer to "Group URLs" section and configure accordingly.  Then dish out that url to users which will directly map them to their respective tunnel group via that url you just configured under the respective connection profile.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: