Clientless VPN SSL - based credentials for different networks?

Hi guys,

I want to be able to display different cifs:// and UNC paths based on the user who connects to the SSL portal.

Could someone help me with how this can be done? I couldn't find it documented anywhere... Maybe I'm just blind.

Any help is appreciated.

Thank you very much.

Oh, OK. It is not difficult. I don't have any document or anything, but assuming that you already have your separate groups set up, here's what you have to do (in ASDM):

  1. Go to Configuration --> Device Management --> Users/AAA --> User Accounts
  2. Select the user name that you want to assign a group policy to
  3. Click on 'change'.
  4. In the pop-up window, click VPN Policy in the menu on the left
  5. Your first option on the right should be Group Policy
  6. Uncheck "Inherit" and assign a group policy
  7. Click on 'OK'.
  8. Click 'Apply'.

Repeat these steps for each user name. That should do it. I would like to know if that's what you're looking for.

Please rate useful posts.

Tags: Cisco Security

Similar Questions

  • Clientless VPN SSL certificate

    Hello

    Must a certificate be installed on the client in a clientless SSL VPN configuration for HTTPS traffic?

    Thank you.

    No, it is not mandatory; the only cert that is used is the one on the SSL VPN end. The user must accept it if it's a self-signed certificate (this is normal), or if the cert was signed by one of the normal authorities, the user will never see the cert.

    HTH

  • Clientless VPN SSL - policy of another LDAP authentication group

    Hi all

    I am currently working with Clientless SSL VPN. I have a problem with creating different access for users, or blocking them.

    I created a tunnel/connection profile (WEB-VPN-TEST-Profil2) and created group WEB-VPN-TEST2. I joined it with the LDAP server. I also created an LDAP attribute map to give access only to specific users. I haven't created an address pool.

    What I'm trying to do is give access to the 'IL DBA' team and stop access for all the others in my organization. But at the login page, when I give my password, I am able to connect even though I'm in the "IT Network" team. Here's what I've done (assume I work for abcxyz.com):

    =======================================================
    aaa-server BL_AD protocol ldap
    aaa-server BL_AD (inside) host 172.16.1.1
     ldap-base-dn OU=abcxyz,DC=abcxyz,DC=com
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn [email protected]
     server-type microsoft
     ldap-attribute-map CL-SSL-ATT-map
    =======================================================
    ldap attribute-map CL-SSL-ATT-map
     map-name memberOf IETF-Radius-Class
     map-value memberOf "CN=IT s/n,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2
    ========================================================
    webvpn
     enable inside
     tunnel-group-list enable
     internal-password enable
    ========================================================
    group-policy WEB-VPN-TEST2 internal
    group-policy WEB-VPN-TEST2 attributes
     vpn-tunnel-protocol webvpn
     group-lock value WEB-VPN-TEST-Profil2
     webvpn
      url-list value WEB-VPN-TEST-BOOKMARK
      customization value WEB-VPN-TEST2
    ========================================================
    tunnel-group WEB-VPN-TEST-Profil2 type remote-access
    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     authentication-server-group abcxyz_AD
     default-group-policy WEB-VPN-TEST2
    tunnel-group WEB-VPN-TEST-Profil2 webvpn-attributes
     group-alias WEB-VPN-TEST-Profil2 enable
    =========================================================

    Please let me know if there is a question, or let me know why I am still able to get access even though I set my attribute to match only "IT DBA".

    Thanks in advance.

    BR.

    Adnan

    Hello Adnan,

    That's what you do:

    group-policy NO-ACCESS internal
    group-policy NO-ACCESS attributes
     vpn-simultaneous-logins 0

    tunnel-group WEB-VPN-TEST-Profil2 general-attributes
     default-group-policy NO-ACCESS

    group-policy WEB-VPN-TEST2 attributes
     vpn-simultaneous-logins 3

    Kind regards
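
The failure mode in this thread, as an added example that is not part of the original posts: a user whose memberOf value matches no map-value line inherits the tunnel group's default-group-policy, so a permissive default admits everyone who can authenticate. The Python audit below flags that pattern in an ASA-style configuration; the sample configuration is constructed, and the HARDENED tunnel group and the "IT DBA" group DN are hypothetical.

```python
import re

# Constructed sample in the shape of the thread's configuration (not a real device).
# The HARDENED tunnel group and the "IT DBA" DN are hypothetical.
SAMPLE_CONFIG = """\
aaa-server BL_AD protocol ldap
aaa-server BL_AD (inside) host 172.16.1.1
 ldap-attribute-map CL-SSL-ATT-map
ldap attribute-map CL-SSL-ATT-map
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=IT DBA,OU=abcxyz,DC=abcxyz,DC=com" WEB-VPN-TEST2
group-policy WEB-VPN-TEST2 internal
group-policy WEB-VPN-TEST2 attributes
 vpn-tunnel-protocol webvpn
group-policy NO-ACCESS internal
group-policy NO-ACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group WEB-VPN-TEST-Profil2 general-attributes
 authentication-server-group BL_AD
 default-group-policy WEB-VPN-TEST2
tunnel-group HARDENED general-attributes
 authentication-server-group BL_AD
 default-group-policy NO-ACCESS
"""


def parse_blocks(text):
    """Map each top-level config line to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if not raw[0].isspace():
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks


def audit(text):
    """Return (tunnel_group, default_policy) pairs that fail open."""
    blocks = parse_blocks(text)
    mapped_servers, deny_policies = set(), set()
    for header, subs in blocks.items():
        server = re.match(r"aaa-server (\S+) \(\S+\) host ", header)
        if server and any(s.startswith("ldap-attribute-map ") for s in subs):
            mapped_servers.add(server.group(1))
        policy = re.match(r"group-policy (\S+) attributes$", header)
        if policy and "vpn-simultaneous-logins 0" in subs:
            deny_policies.add(policy.group(1))
    findings = []
    for header, subs in blocks.items():
        group = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if not group:
            continue
        opts = dict(s.split(None, 1) for s in subs if " " in s)
        servers = opts.get("authentication-server-group", "").split()
        # With no default-group-policy line the ASA falls back to DfltGrpPolicy.
        default = opts.get("default-group-policy", "DfltGrpPolicy")
        if servers and servers[0] in mapped_servers and default not in deny_policies:
            findings.append((group.group(1), default))
    return findings


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_CONFIG):
        print(f"{name}: unmatched LDAP users inherit '{policy}', which permits login")
```

A tunnel group is reported when its AAA server carries an LDAP attribute map but its default policy does not set vpn-simultaneous-logins 0.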

  • A point of access for different networks

    Hi all

    I need to use an access point in several places: my house, my gf, my office. I intend to use the same device for all 3 places.

    My problem is: 3 local networks have different configurations (192.168.1.x for two, 192.168.0.x for another and the doors have different addresses).

    If the access point could get its network with DHCP setting, this'll be fun. I looked inside the different pdf manuals, and the Linksys access points seem to not be designed to be a DHCP client. Maybe I'm wrong? Or maybe someone has another idea?

    You can configure WAP54G DHCP client mode. There are two available options.

  • Module AIM-VPN/SSL-2

    Does anyone know if the GRE tunnels can be used with the AIM-VPN/SSL-2 module for the Cisco 2800 series routers?

    Yes, we use it with GRE/IPSec.

    Hope that helps.

  • WebVPN and remote vpn, ssl vpn anyconnect

    Hi all

    What are the differences between WebVPN, remote VPN, and AnyConnect SSL VPN?
    Do all require a separate license?

    Thank you

    Hello

    The difference between WebVPN and the SSL VPN Client is that WebVPN uses SSL/TLS and port forwarding through a Java application to support applications; it also only supports TCP for unicast traffic, no IP address is assigned to the client, and web browsing in the tunnel is done with an SSL web mangle that allows us to stuff things into the SSL session.

    The SSL VPN (AnyConnect) Client is a full tunneling client using SSL/TCP, which installs an application on the computer and wraps VPN traffic in the SSL session; it is also assigned an IP address, and the tunnel is two-way, not one-way. It allows application support over the tunnel without having to configure a port forward for each application.

    AnyConnect is a new-generation client, which has replaced the old VPN client and can be used for IPsec as well as SSL VPN.

    For anyconnect licenses please see the link below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

    Kind regards

    Kanwal

  • macOS Sierra always invites credentials for network drives

    At home, we have several Macs which, at login, mount SMB network drives from different servers (OS X Server and Synology NAS). The credentials (username and password) for the network drives are stored in the user's keychain, via the "remember this password in my keychain" option from the first time the drives were mounted. So a command like "mount" mounts the drives correctly without users needing to interact with an authentication dialog. This worked very well for a long time, all the way up through OS X 10.11.6.

    In Sierra, any attempt to mount a network drive always opens the authentication dialog. The password may be filled in already (probably from the keychain), but the user must always respond to the dialog by clicking OK. It is a huge problem for me because it breaks loads of automation scripts that I have that rely on the use of 'mount' (the problem is not specific to mount, however; the same problem occurs if you use something like the Finder's "Connect to Server" command).

    I tried deleting all the "network password" entries in the keychain so that they would be re-created (they are), but the problem behavior persists.

    Anyone know if this is a bug or by design?

    Just to clarify. I mentioned "mount" above, but that is not really correct. I'm not talking about the OS 'mount' command-line command but rather the AppleScript mount command, as in:

    try
        mount volume "${url}"
    end try

    The same problem afflicts the Finder's "Connect to Server..." function.

    Certainly a change in behaviour; I hope this is temporary and is fixed in an update in the short term.

  • Clientless vpn cisco asa

    All,

    I use a Cisco ASA 5500 VPN device, and I need a specific configuration where VPN clients (clientless VPN) would authenticate against an external RADIUS server.

    My problem is that I need to make different bookmarks for different users, so how can I do that if my clients are not in the local database? (I do not even have accounts configured on the Cisco device.) Would DAP be the solution?

    Thanks in advance

    You are absolutely right. You can configure DAP to assign specific bookmarks according to which user connects via WebVPN (Clientless SSL VPN).

  • Different networks on different Interfaces

    I suspect that the answer to this question is no, but it is possible to simultaneously run different routes on different interfaces via El Capitan?

    Here's my situation: I have a lot of work from home and rely on an endpoint of Cisco 871 VPN to drive my VoIP as workphone and connect my MBP to of the corporate network through the Thunderbolt Display.  At the same time, I have a NAS and a printer on my LAN, I connect to WiFi, I need to access.  Sure enough I could work this point in Linux, but my attempts on OS X, er, macOS were not successful with lots of horror.  The Cisco assigns a router by default for Ethernet display configuration, which I think is the culprit...

    Those about to give me lectures on corporate network security, I am aware, it defeats the purpose to isolate my end point of my network, but our network of offices is almost entirely jobs I need VNC/RDP to and I have permission assuming that I can make it work.

    Thank you very much

    MB

    Take a look at the 'route' command from an Applications -> Utilities -> Terminal session.

    You will have to Google to find examples of what you want to do.

    NOTE: I'm assuming that you are NOT running any VPN software on your Mac, and that the Cisco 871 is external hardware that connects to work. I mention this because VPN software on a Mac usually includes all of the network stack. External VPN equipment would leave your individual network interfaces free for you to specify the different routes for your distinct interfaces.

  • Connect 2 locations using RV016 routers to bridge 2 different networks.

    I have an RV016 connected to a Comcast cable modem at location 1 with IP 192.168.6.1

    I have an RV016 connected to a Comcast cable modem at location 2 with IP 192.168.10.1

    I set up a gateway-to-gateway VPN tunnel between the 2 RV016 routers.

    I have a LAN at location 1 with the IP 192.168.1.1, which connects to the internet through an Adtran router with 4 lines of T1 servile.

    I have a LAN with IP 192.168.5.1 at location 2 that connects to the internet through an Adtran router with 3 T1 lines servile.

    I would like a computer at location 2 to connect to the RV016 on the local Comcast modem, across to the Comcast modem at location 1, into the RV016 at location 1, and then go out to the local network at location 1 and communicate with an application server on LAN 1.

    Help, please.

    You can't do that with an RV016. The RV016 only supports layer 3 tunnels. This means that the two ends are different networks with different subnets. The traffic between them is not bridged.

    If you really want two bridged networks, i.e. joined in a single LAN with a single IP subnet and a single broadcast domain, you need a layer 2 tunnel, for example an L2TPv3 tunnel. That works on layer 2, that is, on the MAC addresses inside your networks. In this way, you can use the same IP subnet at both ends, and on each side it seems that the other side is connected to the same Ethernet network.

    The RV016 does not support layer 2 tunneling. You can create an IPsec tunnel, which is layer 3. If there is really a need for a layer 2 tunnel, you need to get different devices. I recommend that you evaluate whether a layer 2 connection is really necessary or not.

  • setting up a vpn ssl to a netgear router

    I have set up a Netgear FVS336G router at a customer and have configured an SSL VPN to the customer. I can connect on a Win XP machine, but not on my machine, which is running Vista 64-bit. I get an error message saying it cannot install the VPN tunnel.

    Hi Jluequi,

    The issue of Windows 7 you have posted is better suited for the IT Pro TechNet public. Please post your question in the TechNet Windows 7 networking forum.

    Regards,
    Joel S
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Windows 7 is constantly looking for other networks and drop connection

    Original title: the upgrade of Windows 7 for XP

    I first installed this OS a year ago to this date. Loved it, absolutely was entrenched with how easy it was and how it just 'worked'. I am a software developer myself and am happy to report all my IDEs, the server settings, etc. all worked like a charm. I had a little problem with VPN but it works with the Vista one (with some work) so I can't complain.

    My problem and this is why I uninstalled windows 7 and will be EVER is back at it before it is solved the same problem 10 years ago. He keeps every 60 seconds looking for other networks or drop the connection no reason apparent. With windows XP, I could disable the Zero wireless and everything would be fine. However, with windows 7 if I turn the WLAN service nothing on this earth that will allow me to connect to it without a third-party application.

    In the end I used a 3rd party app made by the chipset driver and it still failed (but had limited success).

    It is a known problem with windows operating systems. This just "does not work" at all. It's a pain in the thigh and is the reason why people are saying that the wireless is terrible for gaming. I know that isn't true since I have never had a fall with windows XP or my dual boot SuSe OS. 3rd parties even tried to fix this for microsoft in creating the WLAN and Vista Antilag optimizer which all fail for windows 7.

    And just to show you how apparent is this bug...

    customer complaints

    It seems to somehow keep seeping through the cracks with every version of Windows. Simply because I know that this won't ever be resolved after 10 years, I've thrown my copy in the trash and am advising all my loved ones to stay on XP. I used to think... "they'll fix it" but quite honestly, I think that Microsoft is tone deaf to it.

    With regard to upgrading my firmware on my router is concerned, I have programmed my own. I used 3 different routers. My drivers are all up to this date for my card wireless on this box. I used XP drivers with slightly better results but remains unacceptable. I was running with a hackintosh and vmware fusion rather than deal with these headaches after work.

    Maybe I'm being a bit too critical, but make you pay back for a BONE which does not have everything because of XP.

    After buying a WNDR3700 N600 top double band brand new brand of the router Netgear power line she didn't always.

    2 solid ways fixed my issue.

    the network of windows 7 reason fails

    One, I had to turn off the service navigation computer in administrative services as noted above.

    Two, I had to turn off the power save feature on the usb network adapters.

    Not many people understand how to solve this problem, but I would ditch the derivative of the net bios completely.

  • Host NAT clientless VPN access

    Hello

    I have an ASA 5520 with a DMZ server accessible from the internet and local network using the public IP (static NAT to the DMZ server). As VPN users can access this server using the address public IP send the addresses of public subnet to the remote users with split tunneling ACL. The problem is that we need Clientless Remote Access users for this server attacker still sound too and it does not work. It works just fine when Clientless Remote users access to the private address of the DMZ server. We all need to connect to this server again a public address for the code page for the web server.

    I can't use split tunnel for Clientless Remote users, and connection was apparently the ASA as the source for this traffic. Anyone know if it is possible or an idea of what can I test?

    Thank you

    Kind regards

    Unfortunately, this is not possible for clientless VPN; the ASA is proxying the connection because it isn't a full VPN tunnel. Therefore, it can only proxy the connection to the actual address, and not the address using a NAT.

  • Vs ASA VPN SSL IPSEC

    Hello all -

    I'm working on an ASA 5510, running version 8.4. I'm looking for something that I imagine would be simple, but having a few problems.

    I am configuring the connection profiles for client and clientless VPN on the ASA. I would like the client profiles (which will be used with AnyConnect by our internal staff) to have the ability to select the profile to log in with on the login page. I have created subnets by policy and business unit to restrict access to various servers. This option button is displayed on the remote VPN page in ASDM; I select it and problem solved: they see a drop-down menu when using the AnyConnect client, select one and the appropriate IP pool is assigned.

    Now, when I am configuring clientless profiles (to be used by our external business clients), I don't want them to have the ability to choose a profile. At least not the ability to see all of the internal profiles I created for our internal employees. It is displayed by selecting this option in the "client access", it also allows her to "client access". What am I missing in how I can prevent our external collaborators, via SSL, from seeing the profiles that I created for our internal employees in the drop-down list? As I hinted above, I use ASDM.

    Any help would be appreciated-

    Brian

    Hello

    Unfortunately this is not possible, because when you enable the option for users to select the connection profile, it will be available for all connections. If this is not enabled, the default policy will be selected, so it is a must to have the option chosen.
    What you can do is create a group URL and map it to a specific connection profile, so when users type in the full URL, for example https://mydomain.com/external, it will take the user directly to the specific connection profile.

    The downside of this configuration is that if someone types in the URL without the group URL, they are taken to the default profile and can see the drop-down list with all connection profiles.

    Sent by Cisco Support technique iPad App

  • Time Capsule backups of different networks?

    I have a Time Capsule that serves ONLY to expand my current network, but is also used for the backup of a single computer through Time Machine. If I take this time capsule to a new place, which has a different network I can configure it to join the new network and continue the backups Time Machine to a computer (which moves with it) without losing any old backups? If so, how can I say to join the network at the new place.

    Thank you

    Roger

    The Time Capsule cannot 'join' a wireless network provided by a third-party router, if that's what you're asking.
