I am currently running WebVPN services on a Cisco 2921 ISR router. Users are logging in with no problems. I need to know if it's possible for me to categorize who gets access to different resources. I also need assistance in understanding how the WebVPN service passes traffic to Active Directory for authentication purposes. Below are key portions of my config.
aaa group server radius RAD_SSLVPN
 server 10.10.0.31
 ip vrf forwarding SSLVPN
 ip radius source-interface GigabitEthernet0/1
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group RAD_SSLVPN local
aaa authorization exec default local
aaa authorization network default group radius
webvpn gateway gateway_1
 ip address 192.30.212.59 port 443
 http-redirect port 80
 ssl trustpoint GD-SSL-VPN
 inservice
 !
webvpn gateway WEBVPN
 ssl trustpoint TP-self-signed-2524349998
 logging enable
 inservice
 !
no webvpn cef
!
webvpn context WEBVPN
 secondary-color white
 title-color #CCCC66
 text-color black
 virtual-template 2
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
  functions svc-enabled
  svc address-pool "VPN_TRANSPORT_A_DHCP_SCOPE" netmask 255.255.255.0
  svc default-domain "shoremortgage.com"
  svc keep-client-installed
  svc dns-server primary 10.10.0.30
  svc dns-server secondary 10.10.5.30
 default-group-policy policy_1
!