http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_white_paper0900aecd80512065.html
From: [email protected] To: [email protected] Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts Date: Tue, 28 Aug 2012 05:07:57 +0000 Hi Mike, Can you please refer me to any Cisco document that explains it? I mean the “@” part Eugene From: Mike Rojas [mailto:[email protected]] Sent: Monday, August 27, 2012 10:08 PM To: Eugene Pefti; [email protected] Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts The AAA authentication must have "@" in front of the domain for proper authentication. The gateway will remain without the "@". Very important if you are using the same computer and browser, clear everything (cookies, history and such) then try again with the other user. Mike. From: [email protected] To: [email protected] Date: Tue, 28 Aug 2012 05:03:32 +0000 Subject: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts Guys, Has anyone of you thoroughly tested what I said in the subject? I’m having a strange behavior of the web page when I try to login as a member of different contexts. I have two contexts ADMIN and USER (see below config). They all use the same gateway and to differentiate between them I use domain string. This is a minimalistic setup for webvpn without any group-policies just to prove it as a concept. aaa new-model aaa authentication login SSLVPN local username admin privilege 15 password 0 cisco123 username user password 0 cisco crypto pki trustpoint SSL-GW-TP enrollment selfsigned revocation-check crl rsakeypair SSL-TP-KEY 1024 webvpn gateway SSLGW ip address 192.168.3.1 port 443 ssl trustpoint SSL-GW-TP logging enable inservice ! webvpn context ADMIN title "Admin Context" ssl authenticate verify all aaa authentication list SSL-GLOBAL gateway SSLGW domain admin inservice webvpn context USER title "User context" ssl authenticate verify all aaa authentication list SSL-GLOBAL gateway SSLGW domain user inservice Then I try to login to the web portal from the Test PC as https://192.168.3.1/admin and see the page with my admin title (Admin Context), login as admin and see the internal page with the same admin context title. If I login as a user to https://192.168.3.1/user I see the same title on the page (the one I supposed to see for admin) and I don’t see the user title. Logging in as user and again see the title for admin user. Then I try to complicate things and introduce the domain part in the authentication inside the context, i.e. “aaa authentication domain NAME” and can’t login since then Now my contexts look like this: webvpn context ADMIN title "Admin Context" ssl authenticate verify all aaa authentication list SSL-GLOBAL aaa authentication domain admin gateway SSLGW domain admin inservice webvpn context USER title "User context" ssl authenticate verify all aaa authentication list SSL-GLOBAL aaa authentication domain user gateway SSLGW domain user inservice Any idea what’s wrong this time? _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
