ASA5500 & SSL VPN client group authorization

Discussion in 'Cisco' started by Mike, Dec 31, 2008.

  1. Mike

    Mike Guest

    I'm running a Cisco ASA5520 using the V8 software as a VPN server. I'm
    setting up the SSL VPN standalone client and would like to know if
    it's possible to login with that client to a specific group, without
    actually displaying the group name in the drop down menu? For example,
    logging in as userid@groupname doesn't seem to work with that client,
    although it does with the IPSec client!

    Secondly, if I must display the group name in the drop down menu, how
    can I pass that group name to my AAA (Radius) server, so I can
    authorize the user correctly. Not all users should be able to access
    all groups. I'm finding the documentation on this topic very
    unhelpful. Has anyone done this?

    -Mike
     
    Mike, Dec 31, 2008
    #1

  2. Mike wrote:
    > I'm running a Cisco ASA5520 using the V8 software as a VPN server. I'm
    > setting up the SSL VPN standalone client and would like to know if
    > it's possible to login with that client to a specific group, without
    > actually displaying the group name in the drop down menu? For example,
    > logging in as userid@groupname doesn't seem to work with that client,
    > although it does with the IPSec client!
    >
    > Secondly, if I must display the group name in the drop down menu, how
    > can I pass that group name to my AAA (Radius) server, so I can
    > authorize the user correctly. Not all users should be able to access
    > all groups. I'm finding the documentation on this topic very
    > unhelpful. Has anyone done this?
    >


    I use VLAN mapping depending on Attribute 25 of RADIUS (OU=...).

    This attribute is set depending on the realm ... and by default it is
    the 'general guest' VLAN. ASA configuration to manage a trunk with
    multiple VLAN subinterfaces to be mapped is tricky.

    It is not exactly what you need, but there are no visible groups,
    and it is only the username (with or without realm) which makes
    RADIUS map the correct group (VLAN).

    --
    Jacques Virchaux
    EPFL - DIT-TI _|_
    ---------------------(*)---------
     
    Jacques Virchaux, Jan 14, 2009
    #2
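As an added example (not code from the thread, from Cisco, or from EPFL), here is a Python model of the mapping Jacques describes: the RADIUS Access-Accept carries a Class (25) attribute of the form OU=<group>;, that name selects the group policy/VLAN, and a missing or unrecognised value falls back to the guest VLAN rather than anything more privileged. The group names, VLAN ids and attribute bytes are constructed placeholders, not values from any real deployment.

```python
from typing import List, Optional, Tuple

RADIUS_ATTR_CLASS = 25          # IETF RADIUS "Class" attribute
RADIUS_ATTR_REPLY_MESSAGE = 18  # IETF RADIUS "Reply-Message" (ignored here)

# Constructed mapping: group-policy name -> VLAN id (hypothetical values).
GROUP_TO_VLAN = {"engineering": 110, "finance": 120}
GUEST_VLAN = 999  # the 'general guest' VLAN used when no OU= value matches


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs.
    Wire format per attribute: Type(1) | Length(1, header included) | Value."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def group_from_class(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """Return the group name carried as 'OU=<name>;' in a Class attribute.
    The first well-formed OU= value wins; other Class values are ignored."""
    for atype, value in attrs:
        if atype != RADIUS_ATTR_CLASS:
            continue
        text = value.decode("ascii", errors="replace").strip()
        if text.upper().startswith("OU="):
            name = text[3:].split(";", 1)[0].strip()
            if name:
                return name
    return None


def vlan_for_accept(blob: bytes) -> Tuple[str, int]:
    """Map an Access-Accept attribute list to (group, vlan); unknown -> guest."""
    group = group_from_class(parse_attributes(blob))
    if group is None or group not in GROUP_TO_VLAN:
        return ("guest", GUEST_VLAN)
    return (group, GROUP_TO_VLAN[group])


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (used to build constructed samples)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attribute lists (not captured traffic).
ACCEPT_ENGINEER = attr(RADIUS_ATTR_CLASS, b"OU=engineering;")
ACCEPT_UNKNOWN = attr(RADIUS_ATTR_CLASS, b"OU=contractors;") + attr(RADIUS_ATTR_REPLY_MESSAGE, b"Welcome")
ACCEPT_NO_CLASS = attr(RADIUS_ATTR_REPLY_MESSAGE, b"Welcome")
```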
