Not sure about the fail, but you can do the same thing using the alias, so the 
user would go to the URL https://ASA-ip/SSL. This would then lock them to the 
group.



From: [email protected] 
[mailto:[email protected]] On Behalf Of Derek
Sent: 17 November 2011 19:05
To: [email protected]
Subject: [OSL | CCIE_Security] ASA Webvpn Tunnel Group Association..

I can get the user to bind to a particular tunnel group based on a drop down 
menu no problem. But I want to do this same concept w/o the user selecting a 
group from the drop down and just bind his username to a group within the 
config. It's still going to the defaultWEBVPNgroup and the user fails to 
log in...why?

webvpn
enable inside
group-policy admins internal
group-policy admins attributes
banner value Welcome-Admins
vpn-tunnel-protocol webvpn
group-lock value SSL
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username admin attributes
vpn-group-policy admins
group-lock value SSL

tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
default-group-policy admins
tunnel-group SSL webvpn-attributes
group-alias admins enable

debug

%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.grouppolicy = admins
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.class = admins
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.username = admin
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
%ASA-6-734001: DAP: User admin, Addr 192.168.2.15, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_remove_auth_handle: SESS_Mgmt_FreeSession(0x00026000) (38)
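
Added example, not part of the original emails or of any Cisco tooling: a small Python check that reads the group-lock values from a config and the %ASA-7-734003 DAP lines from a debug capture, then reports sessions that landed in a different tunnel group than the lock requires. It assumes that group-lock only restricts which tunnel group a user may use (it does not select one) and that a username-level lock overrides the group-policy one; the function names and the sample input are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the config and debug output in this thread.
CONFIG = """\
group-policy admins attributes
 group-lock value SSL
username admin attributes
 vpn-group-policy admins
 group-lock value SSL
tunnel-group SSL type remote-access
"""
LOGS = """\
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.grouppolicy = admins
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.username = admin
%ASA-7-734003: DAP: User admin, Addr 192.168.2.15: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
"""

DAP_RE = re.compile(r"%ASA-7-734003: DAP: User (\S+), Addr (\S+): "
                    r"Session Attribute (\S+) = (\S+)")

def parse_group_locks(config):
    """Map ('username' | 'group-policy', name) -> group-lock value."""
    locks, owner = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] in ("username", "group-policy") \
                and words[2] == "attributes":
            owner = (words[0], words[1])          # entered an attributes sub-mode
        elif len(words) == 3 and words[:2] == ["group-lock", "value"] and owner:
            locks[owner] = words[2]
        elif words and words[0] in ("tunnel-group", "webvpn"):
            owner = None                          # left the attributes sub-mode
    return locks

def find_lock_mismatches(config, logs):
    """Return (user, addr, landed_group, required_group) for each mismatch."""
    locks = parse_group_locks(config)
    sessions = defaultdict(dict)
    for user, addr, attr, value in DAP_RE.findall(logs):
        sessions[(user, addr)][attr] = value
    findings = []
    for (user, addr), attrs in sessions.items():
        landed = attrs.get("aaa.cisco.tunnelgroup")
        policy = attrs.get("aaa.cisco.grouppolicy")
        # Assumption: the username-level lock takes precedence over the policy's.
        required = locks.get(("username", user)) or locks.get(("group-policy", policy))
        if landed and required and landed != required:
            findings.append((user, addr, landed, required))
    return findings
```

On the sample above it reports that admin landed in DefaultWEBVPNGroup while the lock requires SSL, which matches the rejected login in the debug output.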