Good afternoon,
We've got ASA, running 9.7.1, WebVPN working well.
We are starting to tighten down things with webtype acls for the few groups that use it. DAP is working as expected.
Our issue is with a webtype acl. New users get sent to a
The ACL is as follows:
access-list SecretariatOnly webtype permit url smart-tunnel://secretariat log default
access-list SecretariatOnly webtype permit url http://secretariat log default
access-list SecretariatOnly webtype permit url https://opussa1.opus-group.com//SecureAuth1/* log default
If I don't apply the acl I get this in the logs it allows the user to hit the urls as expected. (note the double // which is why its in the acl, I've tried both)
| 6 |
Mar 08 2017 |
08:12:02 |
716003 |
|
|
|
|
Group User IP <72.172.144.172> WebVPN access GRANTED: https://opussa1.opus-group.com//SecureAuth1/libraries/bootstrap-SA/js/bootstrap.min.js?version=9.0.0.50
|
If I apply the ACL, I get this denial. (without the // )...
| 6 |
Mar 08 2017 |
08:24:59 |
716004 |
|
|
|
|
Group User IP <72.172.144.172> WebVPN access DENIED to specified location: https://opussa1.opus-group.com/secureauth1/checkjre.aspx?userid=ktest |
This specific URL is fed to the user via a the Homepage URL on the group policy, which they hit if they haven't gotten a certificate yet...
If I issue the user a cert, so they don't have to hit the SecureAuth page, the other ACLs permit user to hit stuff just fine.
