ASA 8.0(4) WebVPN portal: group-url

Hi all

I have a problem when I try to use the group-list control to directly select the group for an SSL VPN without the drop-down list.

I activated the command group-url https://a.a.a.a:port/test in the tunnel-group, but even if I put it in my browser I still see the drop-down list.

This happens with an ASA 8.0(4).

I have an ASA 8.2(1) and I did not have this problem.

I noticed this difference in the login page URL after redirection:

8.0(4) https://a.a.a.a:port/+CSCOE+/logon.html?token=4D6912AB72A1FCFA2643F325

8.2(1) https://a.a.a.a:port/+CSCOE+/logon.html?tg=test&token=4D6912AB72A1FCFA2643F325

Can you give any suggestion?

Thank you in advance!

There are a few bugs related to the group-url in 8.0.4. In your test above, what port did you set the ASA to listen on for WebVPN connections? If something other than port 443, you may be running into bug CSCsu77167.

Tags: Cisco Security

Similar Questions

  • ASA: webvpn: Group-url command

    Hello

    I don't know how the group-url command works. Command reference:

    "Specifying a group URL or IP address eliminates the need for the user to select a group when connecting. When a user connects, the adaptive security appliance looks for the user's incoming URL/address in the tunnel-group policy table."

    When I type:

    ASA-1(config-tunnel-webvpn)# group-url https://100.60.10.100/ssl enable

    What does the ASA do? Does it compare the source IP of the client with this IP and check the HTTP request for "ssl" in the URL, and only if the two match this configuration link this user to this tunnel group?

    What happens if I type:

    ASA-1(config-tunnel-webvpn)# group-url https://www.cisco.com/ssl enable

    What exactly is the ASA looking for with this command?

    Thanx

    Group-url is another way to give users the right tunnel-group and group policy. It is also configured under the webvpn-attributes of the tunnel group. You must specify a URL for each tunnel group.

    When a WebVPN request comes to the ASA through the WebVPN-enabled interface and the URL matches any group-url configured in a tunnel-group, that tunnel group is used for the WebVPN session.

    It can be done in two ways: specify either the IP address or the FQDN.

    Thank you

    Ajay

  • failed the WebVPN login

    Hello world!

    I'm setting up an ASA 5520 (software version 8.2(5)) with several clientless connection profiles and ACS 5.3 as the authentication server. This works well: AD or local users can connect to the VPN without problem. But now I need to show only one (common to all) profile on the ASA portal and, behind the scenes, assign the right connection profile according to the user's authorization profile. I followed the following document,

    'Lock group VPN using ACS 5.x.pdf', but it does not work as expected; it continues to show "cannot connect".

    So I took a look at the RADIUS authentication on the ACS and the user is authenticated. I did a debug aaa common 255 and a debug radius all;

    everything seems to be OK, but when I use debug webvpn 255

    it gives me the following message:

    ASA # webvpn_allocate_auth_struct: net_handle = D0200040

    webvpn_portal.c:ewaFormSubmit_webvpn_login [3203]

    webvpn_portal.c:webvpn_login_validate_net_handle [2234]

    webvpn_portal.c:webvpn_login_allocate_auth_struct [2254]

    webvpn_portal.c:webvpn_login_assign_app_next [2272]

    webvpn_portal.c:webvpn_login_cookie_check [2289]

    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form [2325]

    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie [2359]

    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile

    webvpn_portal.c:webvpn_login_set_tg_cookie_form [2421]

    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string [2473]

    webvpn_portal.c:webvpn_login_resolve_tunnel_group [2546]

    webvpn_login_resolve_tunnel_group: tgCookie = NULL

    webvpn_login_resolve_tunnel_group: name of the tunnel from the list of groups

    webvpn_login_resolve_tunnel_group: TG_BUFFER = SSLClientProfile

    webvpn_portal.c:webvpn_login_negotiate_client_cert [2636]

    webvpn_portal.c:webvpn_login_check_cert_status [2733]

    webvpn_portal.c:webvpn_login_cert_only [2774]

    webvpn_portal.c:webvpn_login_primary_username [2796]

    webvpn_portal.c:webvpn_login_primary_password [2878]

    webvpn_portal.c:webvpn_login_secondary_username [2910]

    webvpn_portal.c:webvpn_login_secondary_password [2988]

    webvpn_portal.c:webvpn_login_extra_password [3021]

    webvpn_portal.c:webvpn_login_set_cookie_flag [3040]

    webvpn_portal.c:webvpn_login_set_auth_group_type [3063]

    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1

    webvpn_portal.c:webvpn_login_aaa_not_resuming [3137]

    webvpn_portal.c:http_webvpn_kill_cookie [790]

    webvpn_auth.c:http_webvpn_pre_authentication [2447]

    WebVPN: call to AAA with ewsContext (-780823792) and nh (-803209152)!

    webvpn_add_auth_handle: auth_handle = 529

    WebVPN: started authentication of users...

    webvpn_auth.c:webvpn_aaa_callback [5320]

    WebVPN: Status = (ACCEPT) AAA

    webvpn_portal.c:ewaFormSubmit_webvpn_login [3203]

    webvpn_portal.c:webvpn_login_validate_net_handle [2234]

    webvpn_portal.c:webvpn_login_allocate_auth_struct [2254]

    webvpn_portal.c:webvpn_login_assign_app_next [2272]

    webvpn_portal.c:webvpn_login_cookie_check [2289]

    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form [2325]

    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie [2359]

    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile

    webvpn_portal.c:webvpn_login_set_tg_cookie_form [2421]

    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string [2473]

    webvpn_portal.c:webvpn_login_resolve_tunnel_group [2546]

    webvpn_portal.c:webvpn_login_negotiate_client_cert [2636]

    webvpn_portal.c:webvpn_login_check_cert_status [2733]

    webvpn_portal.c:webvpn_login_cert_only [2774]

    webvpn_portal.c:webvpn_login_primary_username [2796]

    webvpn_portal.c:webvpn_login_primary_password [2878]

    webvpn_portal.c:webvpn_login_secondary_username [2910]

    webvpn_portal.c:webvpn_login_secondary_password [2988]

    webvpn_portal.c:webvpn_login_extra_password [3021]

    webvpn_portal.c:webvpn_login_set_cookie_flag [3040]

    webvpn_portal.c:webvpn_login_set_auth_group_type [3063]

    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1

    webvpn_portal.c:webvpn_login_aaa_resuming [3093]

    webvpn_auth.c:http_webvpn_post_authentication [1611]

    WebVPN: user: authenticated (John).

    webvpn_auth.c:http_webvpn_auth_accept [3066]

    User has entered the group, on what it was not supposed to come!

    webvpn_remove_auth_handle: auth_handle = 529

    webvpn_free_auth_struct: net_handle = D0200040

    Any suggestion would be appreciated

    Thank you

    Jonathan

    Jonathan,

    The issue is clear: your users are not connecting to the right profile.

    Please see this:

    ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

    The idea of having the authorization of GBA is to assign a specific group policy, probably depending on RADIUS attribute 25, but if you have it working in conjunction with the 'group-lock' feature, then you must ensure that users connect to the correct connection profile; otherwise the group policy does not allow the connection.

    For example:

    group-policy test attributes

     group-lock value testGroup

    !

    tunnel-group testGroup general-attributes

     default-group-policy test

    !

    tunnel-group testGroup webvpn-attributes

     group-url https://1.1.1.1/testGroup enable

    So if a user connects to a different profile that is not testGroup and gets the group policy named test, then the connection will be rejected.

    HTH.

    Portu.
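The group-lock rule described in this answer can be checked offline against a saved configuration. The following is an added example, not code from the thread or from Cisco: it parses a constructed running-config fragment (only testGroup and test come from the answer; the `common` and `partners` objects and all function names are assumptions) and reports profiles whose default group policy is locked to a different tunnel-group, which is the condition that produces the rejected login shown in the debug output.

```python
# Constructed running-config fragment: testGroup/test mirror the answer above,
# the "common" and "partners" objects are invented for this audit.
SAMPLE_CONFIG = """\
group-policy test attributes
 group-lock value testGroup
group-policy partners attributes
 group-lock value partnerGroup
!
tunnel-group testGroup general-attributes
 default-group-policy test
tunnel-group testGroup webvpn-attributes
 group-url https://1.1.1.1/testGroup enable
!
tunnel-group common general-attributes
 default-group-policy partners
tunnel-group common webvpn-attributes
 group-url https://1.1.1.1/common enable
"""


def parse(config):
    """Return (locks, defaults, urls): group-lock per group policy, default
    policy per tunnel-group, enabled group-urls per tunnel-group."""
    locks, defaults, urls = {}, {}, {}
    section = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            section = tuple(words[:2]) if len(words) >= 3 else None
            if section and section[0] == "tunnel-group":
                urls.setdefault(section[1], [])
            continue
        if section is None or len(words) < 2:
            continue
        kind, name = section
        if kind == "group-policy" and words[:2] == ["group-lock", "value"] and len(words) == 3:
            locks[name] = words[2]
        elif kind == "tunnel-group" and words[0] == "default-group-policy":
            defaults[name] = words[1]
        elif kind == "tunnel-group" and words[0] == "group-url" and len(words) == 3 and words[2] == "enable":
            urls[name].append(words[1])
    return locks, defaults, urls


def login_allowed(profile, policy, locks):
    """A policy with group-lock admits only sessions that arrived on the
    tunnel-group it names; an unlocked policy admits any profile."""
    lock = locks.get(policy)
    return lock is None or lock == profile


def audit(config):
    """List configuration states that lead to rejected logins."""
    locks, defaults, urls = parse(config)
    findings = []
    for policy, lock in sorted(locks.items()):
        if lock not in urls:
            findings.append(f"group-policy {policy}: group-lock names undefined tunnel-group {lock}")
    for profile, policy in sorted(defaults.items()):
        if not login_allowed(profile, policy, locks):
            findings.append(f"tunnel-group {profile}: default policy {policy} is locked to {locks[policy]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A policy pushed by AAA (for example through RADIUS attribute 25) replaces the default one, so the same `login_allowed` check applies to the profile/policy pair seen in the authentication logs.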

  • ASA and group URL

    So I have the need to provide two SSL VPN environments for two different clients on the same ASA 5510 appliance.  Can I create two group policies, each with a unique group URL, and then assign a certificate corresponding to the group URL?  From an IP standpoint, they would all be hitting the same outside IP address.

    Ex:

    Group_policy: customer

    Group URL: https://remote.customera.com

    SSL certificate: remote.customera.com

    Group_policy: CustomerB

    Group URL: https://remote.customerb.com

    SSL certificate: remote.customerb.com

    Thank you!

    -Craig

    Hey Craig,

    Let me divide your request into 2 parts:

    1. Can you use 2 different URLs on the ASA for two separate connection profiles?

    2. Can you use 2 separate certificates to validate the two URLs?

    Regarding your first question, yes, it is possible. You will need to create 2 separate group policies and 2 connection profiles, aka tunnel groups. Under each tunnel group define a separate group-url and assign the corresponding group policy. Your configuration might look like this:

    ASA(config)# group-policy customer internal
    ASA(config)# group-policy customer attributes

    .

    .

    .

    (configure the respective attributes)

    ASA(config)# tunnel-group customer type remote-access
    ASA(config)# tunnel-group customer general-attributes
    ASA(config-tunnel-general)# default-group-policy customer

    ASA(config)# tunnel-group customer webvpn-attributes

    ASA(config-tunnel-webvpn)# group-url https://ASA1/remote.customera.com

    Repeat the steps above and replace "customer" with "CustomerB".

    As for your second question, you can only configure a trustpoint to be used with a single interface. So you can do one of the following:

    1. Get a UCC (Unified Client certificate) for your ASA:

    Get a UCC with multiple CNs/SANs (Subject Alternative Name extensions) for each FQDN/IP of the ASA. You need a UCC certificate with the CN set to the FQDN or IP and SANs for each ASA: ASA-1 FQDN or IP, ASA-2 FQDN or IP and so on. Several PKI/certificate vendors support UCC: entrust.com, verisign, godaddy.com, etc.

    Note: the ASA cannot generate a certificate signing request (CSR) with multiple SANs (CSCso70867 is an enhancement requesting this capability), so you must ask the PKI vendor to submit the entry for you.

    On the ASA, configure a trustpoint and install/import the UCC certificate in this trustpoint. Bind this trustpoint to the external interface.

    2. OR get a wildcard certificate. Wildcard certificates are discouraged in favour of UCC certs. According to one vendor, Entrust, these are the 2 main reasons:

    1. UCC is more secure than wildcard certificates since Entrust UC Certificates specify exactly the hosts and domains that must be protected
    2. UCC is more flexible than wildcard certificates since Entrust UC Certificates are not limited to a single domain

    I hope this helps.

    Kind regards

    ATRI

  • Get rid of Web page errors when connecting to the webvpn

    It's on an ASA5505

    I have a question about the resolution of errors in the web browser when you try to access my vpn ssl interface to download Anyconnect.

    I use self-signed certificates.

    The webvpn page that will allow users to connect to get the anyconnect client.

    For the webvpn page I do not use an FQDN, only the public IP address of the external interface.

    For example, I want the clients to connect to https://x.x.x.x/AnyConnectVPN and get the AnyConnect client. They will receive the web browser error noting that the certificate is not trusted. After they install the cert in the root store that goes away. Now I'm trying to keep from getting the error "The URL that you use to access the site does not match the name in the certificate."

    Can I specify the exact page I want VPN users to go to in the subject name CN?

    crypto ca trustpoint Identity_Certificate

     keypair LOCAL-CA-SERVER

     id-usage ssl-ipsec

     no fqdn

     subject-name CN=x.x.x.x/AnyConnectVPN,OU=IT_Dept,O=BUSINESS of TEST,C=US,St=FL,L=Daytona[email protected]

    Thanks for the help.

    Triton

    The trustpoint you created needs to have the subject name of "CN=x.x.x.x"; you do not need to include the "/AnyConnectVPN".

    Hope that helps.
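The two certificate answers above (one certificate for two customer hostnames on a single interface, and a CN without the `/AnyConnectVPN` path) both come down to how a client compares the URL's host with the names in the certificate. This is an added sketch, not code from either thread: the name lists stand for the certificate's SAN entries (or the CN where a client still falls back to it), and `192.0.2.10` is a constructed documentation address standing in for x.x.x.x.

```python
import ipaddress
from urllib.parse import urlsplit


def is_ip(text):
    """True when text is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def name_matches(host, pattern):
    """Compare one certificate name with the host taken from the URL."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if is_ip(host) or is_ip(pattern):
        # IP addresses match only exactly; wildcards never apply to them.
        return (is_ip(host) and is_ip(pattern)
                and ipaddress.ip_address(host) == ipaddress.ip_address(pattern))
    h, p = host.split("."), pattern.split(".")
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label of one domain.
        return len(p) >= 3 and len(h) == len(p) and h[1:] == p[1:]
    return h == p


def covered(url, cert_names):
    """Only the host is checked; scheme, port and path play no part."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(name_matches(host, name) for name in cert_names)


# Constructed name lists for the scenarios discussed above.
UCC_NAMES = ["remote.customera.com", "remote.customerb.com"]
WILDCARD_NAMES = ["*.customera.com"]


def report(urls, cert_names):
    """Map each portal URL to whether the certificate covers it."""
    return {url: covered(url, cert_names) for url in urls}


if __name__ == "__main__":
    portals = ["https://remote.customera.com/", "https://remote.customerb.com/"]
    print("UCC:     ", report(portals, UCC_NAMES))
    print("wildcard:", report(portals, WILDCARD_NAMES))
    print("IP name: ", report(["https://192.0.2.10/AnyConnectVPN"], ["192.0.2.10"]))
    print("IP+path: ", report(["https://192.0.2.10/AnyConnectVPN"], ["192.0.2.10/AnyConnectVPN"]))
```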

  • 10g: unable to set the default dashboard (PORTALPATH) for several groups

    Hi all

    I am facing a problem while defining the portal path for several groups.
    I have two RPD groups and each group need to have its own default table in the form of ready page.

    We use RPD authentication and cannot use a database table to record the PORTALPATH for each user or group.


    What I've tried so far is the following:

    We have two groups, Group1 , Group2 , who need to have the default dashboard * \shared\_portal\dashboard1* and * \shared\_portal\dashboard2* respectively.


    Approach 1: Create a session INIT block with the following query:
    select case when ':GROUP' = 'Group1' then '\shared\_portal\dashboard1' else '\shared\_portal\dashboard2' end from dual

    Result: Failure - because all users are directed to "\shared\_portal\dashboard2". Somehow ':GROUP' does not get the assigned GROUP.

    I even tried to replace ':GROUP' with 'VALUEOF(GROUP)' in the SQL query; however, it did not help.


    Help to get the same functionality will be appreciated.


    Kind regards
    Khalid

    Khalid,

    Here you go... use example below and change as you need.

    Create a SESSION - INIT BLOCK with this query... Say CRTAP

    SELECT CASE WHEN 'VALUEOF(NQ_SESSION.GROUP)' = 'DASH_usr' THEN '/shared/test' WHEN 'VALUEOF(NQ_SESSION.GROUP)' = 'DASH_ctr' THEN '/shared/test1' END FROM DUAL

    Set it to a variable with the name PORTALPATH and a default of, say, anything: '/abc/'.

    This will work for sure... You can test this by RPD as well.

    Hope this helps

  • What happens if the user is assigned to multiple groups

    Hello
    (1) We use Portal authentication to authenticate the user. If the user is mapped to several groups, how will it work for object-level security?

    For example: User1-> Group1, Group2. (Group1 - access denied and Group2-tuned for level of section)
    Here I applied the permission through the Section level I'm not able to see all the reports under article if User1 logged... Logically, it is not correct, because User1 is mapped into 2 groups. Group 2 have access to the section...

    (2) if the user is mapped to 2 groups there at - it sort of defined priority in OBIEE...

    Could you please help me how to solve the problem...

    in your block of initialization in the RPD you get group names, have you checked the wise initialization line?

  • Hit the counter for a Portal Page

    What is the fastest, easiest way to add a page counter or a counter to a page on the Oracle 10 g Portal? (OAS)
    I'm looking for SIMPLE. It is a simple thing to do, then do this little trick should also be... :-)

    Portal does not come with one, but it is not a lot of work to build one or the other. We have an intranet of production to work built using the portal and our counter is implemented with a table like this (for the purposes of illustration, storage omitted parameters index):

    create table cl_page_access_log (
    site_id number(9) not null,
    page_id number(9) not null,
    username varchar2(30) not null,
    date_accessed date not null,
    url varchar2(200)
    )

    Our banner is a navigation page that is published under the title of portlet and then added to all the page templates. This navigation page has a plsql element that includes the following code:

    If p_log_page_access and v_page_id is not null then
    --
    -Insert the javascript code for the event domready to log access page
    --
    HTP.p (')

  • Why you put "Open a new tab" on the right side of the browser, when you close a tab on the left and you type a new URL in the browser on the left?

    I changed my computer from XP to Windows 7 and migrated my FF browsers. But... now the tabs at the top of the page are all right (they were upper-front left - where I loved her)

    The most important is the "open a new tab" + - is on the right. But that is not sensible. Why you put "Open a new tab" on the extreme right of the browser, when you close a tab on the left and you type a new URL in the browser on the left?

    How can I put my "open a new tab" immediately to the right of 'Close tab' - as if it was before?

    Please advise?

    Try clicking on "Restore default settings" in the palette to customize to reset the toolbar customization.

    • Firefox '3-bar' menu button > customize
    • View > toolbars > customize

    You can attach a screenshot?

    • Use a type of compressed as PNG or JPG image to save the screenshot
    • Make sure you do not exceed the maximum size of 1 MB
  • I lost my home page, by clicking on the home button all I get is URL is not valid, I tried suggestion in help, but they do not have. Can you plse.

    On entering Mozilla since the update, I no longer get the home page. In fact, the page is empty except for the header bar. When I click on the Home button all I get is a "URL is not valid" message. It means that I cannot leave a site without logging into my account from Firefox.

    -> To restore the default home page

    -> Now, put one website as your home page

    Check and tell if its working.

  • How to send emails to the MS Exchange Server 2010 distribution group?

    Well, I'm not well versed in Exchange, (that I'm learning) so please forgive me for the lack of details correct / lingo.

    I try to create email for my church, distribution groups.
    We must be able to send a single email to a group and do it before out to all members of this group.
    For example: if I send an email to * address email is removed from the privacy * ", the email needs to go to each (even personal) email address that is in the distribution group"deacons".

    So far, I can do where ONLY the people on the network of the Church can send to distribution groups, and then ONLY the emails that are created from the Church network can receive them.

    Obviously, there is some progress, but I'm just at a loss on how to 'open' of this group until the 'general public'.

    I need to have server-based distribution groups and NOT people's individual e-mail / accounts Outlook, because the Congregation members need to be able to send messages to these emails as well. I can't create individual distribution to 1000 prospects people groups.

    Any help would be spectacular.

    Post in the Forums of Exchange Server:
    http://social.technet.Microsoft.com/forums/Exchange/en-us/home?category=exchangeserve

  • When sending emails to the bcc and access to a group, I hit the button send and dates back to the Inbox without sending.

    When sending emails to the bcc and access to a group, I hit the button send and dates back to the Inbox without sending. I even changed users on my pc and it always does.  I closed temporarily add-ons thinking that would help, but did not seem to make a difference.  Can I have a virus?

    Hello

    • What e-mail client are you referring to?

    If you use Windows live mail, then the number you posted is related to windows live and will be much better suited in Windows live forums. Click on the link below.

    Windows Live Solution Center

    http://www.windowslivehelp.com/

  • user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

    WinXP
    user belongs to a domain and user does not belong to the local administrator or power users groups, or any custom group and the user is not part of the domain administrators group, but user show that it is admin

    I did a gpupdate/force and restart twice PC
    Yet, user indicate it is always admin when we right click on Start menu and see the possibility to open all users

    Hi elena_ad,

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the public on the TechNet site. Please post your question in the below link:

    http://social.technet.Microsoft.com/forums/en/winserverManagement/threads

  • Combine the free capacity of different disk group

    Hello

    I have Dell PowerVault MD 3000i. I have the free capacity of two different disk groups. Two groups of disks have the same RAID level. Is it possible to combine the free capacity of these two groups?

    Thank you.

    No, this isn't an option. Your only choice is to make 2 different virtual disks.

    In the operating system, you can be then able to combine them, but this has usually few drawbacks with respect to performance and reliability.

  • Flag to set Autostart on request submit to the App World vendor Portal

    Hi all

    I've been wondering. How the device know if my application will be run automatically at startup (when the device starts up) or not, if my application is installed by the user from the App World?

    I thought that the autostart flag is stored in the Blackberry App descriptor XML file then reflected to the .jad file once I've compiled my app.

    Presentation on the App World vendor Portal requires only the .cod files, not the descriptor xml file or a .jad file.

    The autostart flag is also stored in the .cod file?

    Yes
