Webvpn, and webtype acl..

Ken Stieers
VIP Advisor

Good afternoon,

We've got ASA, running 9.7.1, WebVPN working well.

We are starting to tighten down things with webtype acls for the few groups that use it.   DAP is working as expected.

Our issue is with a webtype acl.  New users get sent to a

The ACL is as follows:

access-list SecretariatOnly webtype permit url smart-tunnel://secretariat log default
access-list SecretariatOnly webtype permit url http://secretariat log default
access-list SecretariatOnly webtype permit url https://opussa1.opus-group.com//SecureAuth1/* log default

If I don't apply the ACL, I get this in the logs and it allows the user to hit the URLs as expected. (Note the double //, which is why it's in the ACL; I've tried both.)

6 Mar 08 2017 08:12:02 716003 Group User IP <72.172.144.172> WebVPN access GRANTED: https://opussa1.opus-group.com//SecureAuth1/libraries/bootstrap-SA/js/bootstrap.min.js?version=9.0.0.50

If I apply the ACL, I get this denial. (without the // )...

6 Mar 08 2017 08:24:59 716004 Group User IP <72.172.144.172> WebVPN access DENIED to specified location: https://opussa1.opus-group.com/secureauth1/checkjre.aspx?userid=ktest

This specific URL is fed to the user via the Homepage URL on the group policy, which they hit if they haven't gotten a certificate yet...

If I issue the user a cert, so they don't have to hit the SecureAuth page, the other ACLs permit user to hit stuff just fine.
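
A diagnostic sketch for the situation described above, added here as an example; it is not part of the original post and not Cisco code. It parses the 716003/716004 messages quoted in the post and reports which webtype ACL entry each logged URL lines up with, and under which normalisation. Assumption: `fnmatch`-style wildcards are used only to compare strings and are not the ASA's own matching logic.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# ACL URL patterns and syslog lines copied from the post above.
ACL_URLS = [
    "smart-tunnel://secretariat",
    "http://secretariat",
    "https://opussa1.opus-group.com//SecureAuth1/*",
]
LOGS = [
    "6 Mar 08 2017 08:12:02 716003 Group User IP <72.172.144.172> WebVPN access GRANTED: https://opussa1.opus-group.com//SecureAuth1/libraries/bootstrap-SA/js/bootstrap.min.js?version=9.0.0.50",
    "6 Mar 08 2017 08:24:59 716004 Group User IP <72.172.144.172> WebVPN access DENIED to specified location: https://opussa1.opus-group.com/secureauth1/checkjre.aspx?userid=ktest",
]
LOG_RE = re.compile(r"\b(716003|716004)\b.*?WebVPN access (GRANTED|DENIED)[^:]*:\s*(\S+)")
# (fold_case, collapse_slashes, label), tried from strictest to loosest.
VARIANTS = [(False, False, "exact"), (True, False, "case"),
            (False, True, "double-slash"), (True, True, "case+double-slash")]

def normalize(url, fold_case, collapse_slashes):
    """Return scheme://host/path with optional path normalisations (query dropped)."""
    parts = urlsplit(url)
    path = parts.path
    if collapse_slashes:
        path = re.sub(r"/{2,}", "/", path)
    if fold_case:
        path = path.lower()
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"

def explain(url, patterns=ACL_URLS):
    """List (pattern, label) pairs; label names the least normalisation needed to match."""
    findings = []
    for pat in patterns:
        for fold, collapse, label in VARIANTS:
            # Assumption: fnmatch wildcards stand in for the ACL's '*'; not ASA's matcher.
            if fnmatchcase(normalize(url, fold, collapse), normalize(pat, fold, collapse)):
                findings.append((pat, label))
                break
    return findings

def audit(lines=LOGS):
    """Parse 716003/716004 messages and explain each logged URL against the ACL."""
    hits = (LOG_RE.search(line) for line in lines)
    return [(m[1], m[2], m[3], explain(m[3])) for m in hits if m]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

On the two log lines from the post, the GRANTED URL lines up with the third ACL entry as written, while the DENIED URL lines up with it only after both lowercasing the path and collapsing the doubled slash.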
