RADIUS authorization for WebVPN on ASA

Hi, guys.

I'm working on an ASA 5510 and plan to use it as a WebVPN server. Currently I am facing a RADIUS authorization problem.

I can't configure the RADIUS AV pair on the ACS server to assign different WebVPN policies to each group of users.

Until now I had it configured on an IOS router, and it worked well.

How should I understand this? Does anyone have any ideas? Does the ASA not support the WebVPN RADIUS AV pair? Thank you.

Ed

Try this link for more information

http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_70/config/WebVPN.htm#wp1067287


Similar Questions

  • ASA WebVPN "help customization" is not updated

    Hello

    I have set up the ASA clientless VPN (WebVPN) for a customer portal that only uses the RDP protocol plugin.  I would like to rephrase the RDP help that appears on the RIGHT side of the screen once the user is logged in, because the text is quite verbose and, above all, does not apply to my deployment (I only provide bookmarks for RDP sessions; no manual entry or navigation is allowed).

    I tried to upload a .htm file to the 'help customization' for RDP, but after connecting via a WebVPN session the new page simply does not appear; all I get is the standard help page on the box.

    It sounds pretty simple, and I followed the steps in this document:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a008094abcb.shtml#helpapps

    I tried a lot of files with different extensions, all without any luck.  Is there something simple that I'm missing, or does it simply not work?

    I tried on 8.0(4) and 8.4(1) with the same results (or lack thereof). Has anyone ever had any luck with this?

    Thanks to all in advance.

    Hello

    How exactly do you import it? What language option do you use? Have you tried "en"? The ASA default is set to 'fr'; for languages other than "en-us" the respective translation table needs to be added.

    Thank you

    Asim

  • SSO with ASA WebVPN using RSA tokens

    Current configuration:

    User authenticates with chip & PIN -> ASA5510 8.2 clientless VPN -> passed to RSA Authentication Manager 7.2 (SDI).

    I've got authentication working great; on first connection, users can log in with their AD usernames and RSA tokens and generate their PIN code.

    We used to use ACS Express and their AD credentials for VPN authentication, but now we have to use two-factor authentication.

    Is it possible to somehow maintain SSO so that when the user authenticates via their RSA token they can still browse OWA, SharePoint and CIFS (file shares) without having to enter their AD credentials?

    Any help or information is much appreciated.

    Thank you

    You can enable the "internal password" field in the WebVPN customization and also rename it ("AD Password", for example), and then configure the auto sign-on entries for internal URLs to use NTLM.  That way, when accessing the internal servers, the WebVPN session will send the username used to log in to the ASA but send the internal password captured at login instead of the password used to log in to the WebVPN itself.

    The only problem I saw during testing: there doesn't seem to be a graceful way of handling an incorrect or missing password; NTLM would fail and fall back to basic over SSL.   Eventually it would lock out AD accounts, depending on how many URLs the user tried, when the password entered at login is wrong or missing (because it is not the password used to log in to the WebVPN).

  • WEBVPN ASA 9.1 + VMWARE VDI

    Hi all

    In Cisco ASDM 7.1(1), WebVPN configuration, it is possible to set up bookmarks with "vdi://" links to Citrix or VMware Virtual Desktop Infrastructure, but we could not find any configuration resource (configuration guide) on the official Cisco website. Does someone know if it is possible to integrate the VMware View Client with the ASA 9.1 WebVPN solution?

    Thank you

    Hi Flavio,

    as far as I know, this is only usable for Citrix Receiver Mobile right now.

    See:

    http://www.Cisco.com/en/us/docs/security/ASA/asa91/asdm71/VPN/vpn_clientless_ssl.html#wp2579971

    Maybe VMware View will be supported in a future release; I suggest that you check with your Cisco sales contact.

    HTH

    Herbert

  • ACS 5.1 - authorization profile, RADIUS attributes

    Hello

    I am setting up RADIUS AAA for a Cat6K switch.

    Authentication works and the user can log in. But the assignment of a privilege level does not work.
    After logging in, I always get privilege 1.

    I need your guidance on how to set up the ACS 5.1 RADIUS attribute.

    I followed the document to configure the cisco-av-pair to assign privilege 15 and privilege 5, but it does not work.

    The attribute format shown in the document to define privilege 15 is "shell:priv-lvl=15".

    Please refer to my screenshot; is it the right way to set it up on ACS 5.1?

    Created: June 12, 2011 05:56 by: Damiano, Anisha A (ANDAMANI, 279917)

    Problem:
    =========
    Authorization does not work as expected

    Resolution:
    ============
    Add a Service-Type of NAS-Prompt

  • AAA with RADIUS on ASA

    Hey everybody,

    I'm configuring RADIUS AAA on our remote ASA firewalls.  It's pretty simple, but I have some firewalls it does not work on.  I upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on each of them.  The weird part is that some of them work and some of them do not.

    I was wondering if anyone else has encountered this before, and what information you need from me in order to help.

    Thanks in advance,

    Kimberly

    Hi Kimberly,

    just curious: why 8.0.4 and not 8.0.5?

    What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS servers? Did you use the right shared secret?

    Is there something different between the ASAs that work and those that don't? Configuration, location in the network, etc.?

    If the above does not help, please post the config of a failing ASA (or at least the relevant parts, and be sure to remove all sensitive data) and the output of:

    debug radius

    debug aaa authentication

    debug aaa common 254

    You can test only the RADIUS part with the command "test aaa-server authentication cli...".

    HTH

    Herbert

  • View the SHA fingerprint of the ASA WebVPN self-signed certificate in the client?

    When connecting to an ASA with a self-signed certificate, using Cisco AnyConnect Secure Mobility Client 3.1 (10010), the AnyConnect client presents the big red warning box, which is good.  The user must turn off "Block connections to untrusted servers" in the preferences in order to complete the connection.

    Is it possible for the user to view the SHA1/SHA3 fingerprint of the self-signed cert before disabling the safety block?  I could have sworn that older versions of the AnyConnect client allowed the user to view the certificate details and fingerprints before choosing to accept and connect.

    You can't in AnyConnect 3.x or 4.x as far as I know. Even a Diagnostics and Reporting Tool (DART) bundle does not include this information.

    It is quite easy to inspect, though, if you simply browse to the ASA interface in almost any browser. From there, you can review the site (ASA) certificate, including the fingerprint of the RSA public key.

  • Interoperability issue with ACS 5.0 as RADIUS for ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know if there is any compatibility issue with ACS 5.0 here, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This will work with TACACS+.

    The access policy rule was not matched. Also, could not use RADIUS as we hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; used TACACS+ instead of RADIUS.

    If you want to use RADIUS then you need to upgrade your ACS version to 5.1.

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Rate useful posts.

  • Spurious RADIUS requests from the Cisco VPN client on ASA 5510

    Hello world

    I use the Cisco VPN Client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) as a VPN remote access solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) with AD.

    Each time the client connects, the ASA issues 2 RADIUS requests: the first is correct and is successfully authenticated by ACS, and immediately after it a second one that always fails. I couldn't find information related to this strange behavior. The "Double Authentication" feature (despite its name) is only available to AnyConnect clients, which we don't use. When I'm authenticated using a group password, there is only one RADIUS query.

    What is the source of such behavior?

    The negative impact is that my logs are filled with spurious failed authentication attempts and users are incrementing the failed attempts counter in AD.

    ASA debug:

    -First request-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    ACS debug:

    -First request-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 ipsec-over-tcp port 10000
    lifetime 86400
    crypto ikev1 policy 65535
     authentication rsa-sig
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    !

    group-policy Cert_auth internal
    group-policy Cert_auth attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value aclVPN2
     address-pools value vpnpool
     client-access-rule none

    !

    tunnel-group DefaultRAGroup general-attributes
     address-pool (inside) vpnpool
     address-pool vpnpool
     authentication-server-group RADIUS01
     authorization-server-group RADIUS01
     authorization-server-group (inside) RADIUS01
     default-group-policy Cert_auth

    !

    aaa-server RADIUS01 protocol radius
    aaa-server RADIUS01 (inside) host 10.2.9.224
     key *****
     radius-common-pw *****
    aaa-server RADIUS01 (inside) host 10.4.2.223
     key *****

    Hello

    It is a 'classic' mistake and has nothing to do with double authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly.

    In short: when the ASA does RADIUS authorization, it sends a RADIUS Access-Request with the username as the password; that's why you see the second request fail all the time.

    This is because RADIUS authorization is intended to be used when authentication happens using certificates (only), so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things; both occur in a single step. So if the ASA does RADIUS authentication, it already gets the user attributes in the authentication step, and it makes no sense to also do a separate authorization stage (except in a few very rare scenarios where you have 2 RADIUS servers, one for authentication and another for authorization).

    HTH

    Herbert
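A log check for the behaviour Herbert describes, added here as an example and not part of the thread: it parses ACS RDS debug lines in the format quoted above (the sample lines are constructed, not a real capture) and flags a user whose Access-Accept is followed within seconds by an Access-Reject from the same ASA, which is the signature of the redundant authorization-server-group query and a likely source of AD lockouts.

```python
"""Detect 'RADIUS authorization after RADIUS authentication' on an ASA from
Cisco ACS RDS debug output: an Access-Accept (code 2) immediately followed
by an Access-Reject (code 3) for the same user from the same NAS."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the RDS debug lines quoted in the post.
# User1 shows the accept-then-reject pattern; bob is a single genuine
# bad-password reject and must not be flagged.
SAMPLE_LOG = """\
RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025
RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1
RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr-pool=vpnpool
RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1
RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:40 0232 14884 request code 172.16.8.1:1645 host = 1 id = 24, length = 140 on port 1025
RDS 2011-10-24 16:16:40 I 2519 14884 [001] value of username: bob
RDS 2011-10-24 16:16:40 3360 14884 sent response code 3, id 24 to 172.16.8.1 on port 1025
"""

REQ_RE = re.compile(r"^RDS (\S+ \S+) \d+ \d+ request code (\S+):\d+ host = 1 id = (\d+),")
USER_RE = re.compile(r"^RDS \S+ \S+ I \d+ \d+ \[001\] value of username: (\S+)")
RESP_RE = re.compile(r"^RDS \S+ \S+ \d+ \d+ sent response code (\d+), id (\d+) to \S+ on port")


def parse_rds(text):
    """Return one (timestamp, nas, packet_id, username, response_code) tuple
    per completed RADIUS transaction, in log order."""
    transactions, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:  # a new Access-Request opens a transaction
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            current = {"ts": ts, "nas": m.group(2), "id": int(m.group(3)), "user": None}
            continue
        m = USER_RE.match(line)
        if m and current is not None:  # User-Name attribute of the open request
            current["user"] = m.group(1)
            continue
        m = RESP_RE.match(line)
        if m and current is not None and int(m.group(2)) == current["id"]:
            transactions.append((current["ts"], current["nas"], current["id"],
                                 current["user"], int(m.group(1))))
            current = None  # attribute lines after the response belong to no request
    return transactions


def detect_authz_after_auth(transactions, window_seconds=5):
    """Flag (user, nas, accept_id, reject_id) where an accept is followed
    within window_seconds by a reject for the same user from the same NAS."""
    by_peer = defaultdict(list)
    for tx in transactions:
        by_peer[(tx[1], tx[3])].append(tx)
    findings = []
    for (nas, user), txs in by_peer.items():
        txs.sort(key=lambda t: t[0])
        for prev, nxt in zip(txs, txs[1:]):
            if prev[4] == 2 and nxt[4] == 3 and nxt[0] - prev[0] <= timedelta(seconds=window_seconds):
                findings.append((user, nas, prev[2], nxt[2]))
    return findings


if __name__ == "__main__":
    for user, nas, ok_id, bad_id in detect_authz_after_auth(parse_rds(SAMPLE_LOG)):
        print(f"{nas}: {user} accepted (id {ok_id}) then rejected (id {bad_id}); "
              "check the tunnel-group for a redundant authorization-server-group")
```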

  • RADIUS authorization does not work for Nortel switches with ACS 5.3

    Hello

    RADIUS authorization does not work on the Nortel switches; I configured the relevant access policies for the RADIUS attributes (screenshot attached).

    The command does not get executed due to the authorization failure:

    config cli password rwa

    I do not see a RADIUS authorization reports option; just checking if someone has figured out how to set up these reports?

    I made a packet capture of the AAA packets from the Nortel switch and found that the accounting request contains the CLI command sent for authorization (pcap file attached).

    Kind regards

    Akhtar

    Akhtar,

    This isn't how RADIUS authorization works. The Access-Accept and the av-pairs that are sent in the response are the authorization for the user's session. This isn't like TACACS+, where each command is authorized with a separate authentication request carrying the command that the client is running.

    When it comes to RADIUS, accounting isn't too late in the process.

    Thank you

    Tarik Admani

  • ASA 5505/VPN/Radius

    Hello

    Trying to configure VPN access via RADIUS on an ASA 5505.

    Trying to test authentication, but getting the error below.

    Thank you

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host x.x.x.x
     key *****
     radius-common-pw *****
    aaa-server TACACS+ protocol tacacs+
    aaa-server radiusserver protocol radius
    aaa-server radiusserver (inside) host x.x.x.x
     key *****
    tunnel-group remoteusers type remote-access
    tunnel-group remoteusers general-attributes
     address-pool vpn
     default-group-policy remoteusers
    tunnel-group remoteusers ipsec-attributes
     pre-shared-key *****

    FW# test aaa-server authentication radius host x.x.x.x username xxxx password xxxxx

    ERROR: the aaa server group does not exist

    Your group name is radiusserver, not RADIUS; you should be able to use the following syntax:

    test aaa-server authentication radiusserver host x.x.x.x username xxxx password xxxxx

  • ASA mishandles cascaded WebVPN logins

    I'm trying to get a WebVPN configuration to run with two ASAs which are cascaded. Each ASA requires the user to log in to the WebVPN. Practically, this means that you log in to the first ASA, which, upon successful login, should automatically redirect you to the WebVPN login screen of the cascaded ASA with a 'homepage value https://…' command.

    It does not work correctly, because the first ASA never presents you with the second ASA's WebVPN login; instead you see the first ASA's login again. I suspect that this might have something to do with cookies, or with the way ASAs compute the special URL that they present to the user's browser...?

    Furthermore, any other HTTPS web service works properly when referenced as a homepage; it just won't work with a second ASA. In addition, connecting directly to the second ASA works without problem.

    Does anyone have any idea how to solve this problem?

    Thank you

    Toni

    Hi Toni,

    This is not a supported scenario (clientless through clientless).

    Kind regards

    Rami

  • [Cisco AnyConnect] Certificate on RADIUS authentication

    Hello

    I use certificate authentication and LDAP authorization, and it works fine.

    Now I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).

    In the connection profile, we have 3 authentication methods:

    • AAA: I can choose a RADIUS or LDAP server group --> the user is prompted to enter username/password credentials
    • Certificate: I can't choose an AAA server group... --> the user will have to provide the certificate
    • Both: I choose RADIUS or LDAP --> the user is prompted for username/password credentials and must also provide the certificate

    If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.

    Is there a way to delegate the certificate authentication to RADIUS?

    I have different authorization rules for each VPN connection profile.

    Can the ASA send the VPN connection profile to RADIUS (in a RADIUS attribute...)?

    Thanks for your help,

    Patrick

    Patrick,

    The key point in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

    In the case of AnyConnect or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the client's point of view, or not in the standard).

    IOS also gives you the possibility of doing PKI authorization calls:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-Rev-cert.html

    AFAIR there is no similar mechanism on the ASA.

    M.

  • ACS 5.1 - AD and RADIUS attribute mapping

    Hello

    I am trying to dynamically assign IP addresses to VPN users from AD (without the IAS service). Is it possible?

    I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in 'acsuserguide51'), but I'm not exactly sure whether that may or may not have to do with it.

    In the "Authorization profiles" RADIUS attributes tab I try to manually add a specific attribute (Framed-IP-Address).

    I have no problem (everything works fine) with assigning a static address in the way shown below:

    AD is already integrated with ACS, and I managed to retrieve the directory attributes, in particular msRADIUSFramedIPAddress.

    When I change the 'attribute value' type from static to dynamic, I can select AD (but the "Select" list, which should list all of the available attributes, is empty).

    Is it possible this way, or is my concept wrong?

    I know I can do it directly (ASA <-> AD attribute mapping), but I want ACS to do it.

    Best regards and thanks for all help.

    Przemek

    Your basic approach is correct. However, when you dynamically assign an IP address type RADIUS attribute in an authorization profile, you are only presented for selection with the attributes in the identity store (in this case AD) which are also of type IP address. In your example, it is of type "integer64".

  • WebVPN file download problem

    Hello world

    I have an ASA5520 with WebVPN enabled; the software version is ASA 8.21.  I have WebVPN users who log in and need to download files from a CIFS share.  Users successfully connect and gain access to the share.  However, it seems that when a file is greater than 2 GB, the download does not complete.  The download stops every time at 2 GB.  If I log on locally and mount the share, I can successfully download the entire file of over 2 GB.    Is there a file download limit through the WebVPN?  Any other ideas of what could be the cause?

    Thank you

    Scott

    There are a few legacy group-policy controls that allow you to restrict downloading, viewing, and uploading files.  From what I read, I do not believe that these commands are hooked into the ASA 8.x clientless portal.  I have this model in my lab and will see if it really affects the max download file size.

    group-policy WebVPNGroupPolicy attributes
     vpn-tunnel-protocol l2tp-ipsec webvpn
     webvpn
      download-max-size 3000000
      upload-max-size 3000000
      post-max-size 3000000
