WebVPN Group Policies
Group policies were previously introduced in Chapter 17, where I discussed IPSec remote access. Group policies can also be used for WebVPN users. The following two sections discuss how to define group policies and how to override them on a per-user basis.
Configuring Group Policies
Group policies can be defined either locally or on an AAA RADIUS server. To define the name of the policies and where they are found, use the group-policy command—these commands were discussed in Chapter 17:
ciscoasa(config)# group-policy policy_name internal
[from group_policy_name]
ciscoasa(config)# group-policy policy_name external server-group
server_group password user_password
To specify the WebVPN attributes for a local policy, use the preceding configuration. Non-WebVPN policy commands were discussed in Chapter 17.
Specifying Internal Policies
Within a local group policy, you can control the VPN protocols that users of specific tunnel groups can use:
ciscoasa(config)# group-policy policy_name internal
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol {[svc] [webvpn]
[ipsec] [l2tp-ipsec]} Enter all the protocols allowed on a single line—if you omit this command, it defaults to IPSec only (ipsec parameter), so you need to include webvpn for clientless and svc for the SVC and AnyConnect client connections.
To enter the WebVPN policies for the group policy, enter the webvpn command, which takes you into a secondary subcommand mode:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# From this second-level subcommand mode, you can control what appears on the login page for clientless and thin client connections, control what appears on the user’s home page, filter web content, and define restrictions for uploading and downloading content. The following sections will discuss the configuration of these policies.
If a user successfully logs in, but the vpn-tunnel-protocol command doesn’t allow WebVPN, you can display an appropriate message with the deny-message value command within the WebVPN subcommand mode for the group policy:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# deny-message value "string"
Controlling Home Page Elements
The home page, commonly called the home portal, is what authenticated users see once they log in; you can control what appears on a per-group basis. The following sections will discuss some common home page elements you might want to control.
Customization Profiles
Customization profiles affect the look and feel of the WebVPN login, logout, and home pages. Since customization profiles are no longer configured from the CLI in version 8, you must use ASDM, which is discussed in Chapter 27, or an XML editor. One nice feature of ASDM is that it supports a quasi-XML editor/builder that allows you to build the home portal and preview it. You can use a different customization profile for different groups of users, thus giving you specific control over what each group of users can see and do from their respective home page.
If you’ve already created the XML file and have it on an external server, or restore one that you misconfigured with ASDM, you can pull it into flash with the import webvpn customization command:
ciscoasa# import webvpn customization profile_name URL
ou’ll have to define the name of the customization profile that the ASA will use when referencing it and the location of the external server and filename to pull it from.
Here’s an example of importing an existing customization profile:
ciscoasa# import webvpn customization general_profile
tftp://10.0.1.11/profiles/general_profile.xml
Accessing
tftp://10.0.1.11/customization/general_profile.xml...!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/customization/general_profile...!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
329994 bytes copied in 5.350 secs (65998 bytes/sec) The customization profiles that are imported are stored in the “csco-config/customization/” directory in flash: this directory is hidden and cannot be accessed from the CLI. When the file is pulled in, a basic XML syntax check is performed on it.
Once you import the customization profile, it is not used until it is referenced in either a tunnel group or a group policy. To specify a customization profile a group policy should use, configure the customization value command in the group policy:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# customization value
{DfltCustomization | profile_name}
You can reference the default customization policy, or one you created with ASDM or manually imported from the CLI.
You can export a customization profile from flash to an external server with the export command:
You might want to export a file if you want to copy it from one ASA to another.
| Note |
|
Predefined URLs and URL Policies
You can predefine URLs that will appear on a user’s home portal. In version 8, you must use the ASDM built-in editor or an external XML editor to create these. URLs that you can define on the home portal include HTTP, HTTPS, FTP, and CIFS.
Use the import command to pull in an existing URL list from an external server:
Here’s an example of importing a file that has a predefined list of URLs:
ftp://192.168.1.66/SalesURLlist.xml
!!
%INFO: URL list 'salesURLlist' was successfully imported
329994 bytes copied in 5.350 secs (65998 bytes/sec)
The URL list is stored in the “csco-config/url-lists/” directory: this directory is hidden and cannot be viewed from the CLI. You can use the export webvpn url-list command to back up a URL list created from ASDM—you might want to do this if you want to copy a list from one ASA to another.
| Note |
|
Once you have either created a URL list in ASDM or imported an external one, it is not used unless referenced in a group policy with the url-list command:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# url-list {value URL_list_name | none}
If a URL list is not specified, then no URLs are displayed on the home page by default.
The url-entry command controls whether an address text box is displayed on the home portal so that users can type in their own URLs that the ASA will proxy:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# url-entry {enable | disable}
By default an address text box is not displayed on a user’s home page.
Other Home Page Elements
If you don’t want to create a home portal on the ASA, but want to use an internal server web page as the home page when the user logs in, configure the homepage command:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# homepage {none | value URL}
If you want to allow users to browse CIFS file shares, use the file-browsing command:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# file-browsing {enable | disable}
By default this is disabled.
Some web-based applications used ActiveX controls to launch a Microsoft Office application—to allow or disallow this behavior, use the activex-relay command:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# activex-relay {enable | disable}
By default this is disabled.
A hidden share is identified by a dollar sign ($) at the end of the share name. For example, drive C is shared as C$. With hidden shares, a shared folder is not displayed, and users are restricted from browsing or accessing these hidden resources. To control the visibility of hidden shares for CIFS files, use the hidden-shares command:
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# hidden-shares {visible | none}
This policy is only applicable if you allow users CIFS file share access.
Filtering Content
One of the features of WebVPN in version 7 allows you to use ACLs to filter web content. Normally this is not something you do on the appliance, but rather on either a full-blown web proxy or a modified proxy like that discussed in Chapter 7 with web content filtering. With the latter feature, web policies are defined on a Smartfilter or Websense policy server, and the appliances implement the policies on returning web traffic. Using ACLs on the ASAs to filter web content is typically done in smaller environments where you want to allow or restrict a few locations and where it makes no economic sense to buy an extra server to perform this process.
To filter web content, you use a new type of ACL called a webtype ACL. With webtype ACLs, you can filter URLs or IP addresses. Here is the full syntax of the two commands you can use to filter web content:
url [url_string | any] [log [[disable | default] |
level] [interval secs] [time-range name]]
ciscoasa(config)# access-list ACL_ID webtype {deny | permit}
tcp [host ip_address | ip_address subnet_mask |
any] [oper port [port]]
[log [[disable | default] | level]
[interval secs] [time-range name]]
To filter on URLs, use the first command; to filter on addresses, use the second command.
To use the webtype ACL, reference it in a group policy, like this:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# filter value webvpn_ACL_ID
Any users associated with this policy (discussed in the “Tunnel Groups” section later in the chapter) will then have this policy applied to their proxied traffic.
The html-content-filter command allows you to perform general filtering: stripping out cookies, images, Java scripts, and script code from downloaded web pages. Here’s the syntax to set this up for a group policy:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# html-content-filter {[cookies]
[images] [java] | [scripts]} Restricting Downloads and Uploads
Another option you have for proxied traffic is to place limits on downloads and uploads in a group policy:
ciscoasa(config)# group-policy policy_name attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# download-max-size bytes
ciscoasa(config-group-webvpn)# post-max-size bytes
ciscoasa(config-group-webvpn)# upload-max-size bytes
You can restrict the maximum size of an object that can be downloaded with the download-max-size command; this can be used to ensure that large files, like movies or similar content, are restricted. You can also restrict the maximum object size that can be posted with the POST method (post-max-size command) and the maximum object size that can be uploaded (upload-max-size command). The default is 2,147,483,647 bytes (over 2 GB!) for all three.
Overriding Group Policies on a Per-User Basis
As I discussed in Chapter 17, you can create a local database on the appliances that contains the usernames and passwords for remote access users. The username command is used to create a local user account, as shown here:
The following sections will discuss some of the general and WebVPN attributes you can override on a user-by-user basis. Please note that overriding users policies based on the group they are associated with is uncommon and not very manageable.
| Security Alert! | For non-administrator appliance accounts, make sure the privilege level is 0, which ensures that remote access users can’t access the appliance itself! |
User General Attributes
You can override the group policies associated with the user on a user-by-user basis. Here are the general attributes you can override for a user accessing the ASA using WebVPN:
ciscoasa(config)# username username attributes
ciscoasa(config-username)# group-lock value tunnel_group_name
ciscoasa(config-username)# memberof tunnel_group_name
[...tunnel_group_name]
ciscoasa(config-username)# service-type {admin | nas-prompt |
remote-access}
ciscoasa(config-username)# vpn-access-hours value time_range_name
ciscoasa(config-username)# vpn-filter value ACL_ID
ciscoasa(config-username)# vpn-group-policy group_policy_name
ciscoasa(config-username)# vpn-idle-timeout minutes
You can lock a user into a particular group with the group-lock command. You can assoc- iate the user to multiple tunnel groups with the memberof command. The service-type command restricts the kind of access the user account has:
- admin Access to configuration mode on the appliance
- nas-prompt Access to EXEC mode on the appliance
- remote-access No access to EXEC mode on the appliance (used only for remote access authentication for your user/non-administrator population)
The other preceding commands were discussed in Chapter 17. Other general commands you can configure include vpn-session-timeout, vpn-simultaneous-logins, and vpn-tunnel-protocol.
User WebVPN Attributes
To override users’ WebVPN-specific attributes based on the group they are associated with, use the following configuration:
ciscoasa(config)# username username attributes
ciscoasa(config-username)# webvpn
ciscoasa(config-username-webvpn)# commands
Here is a list of commands you can enter to override a particular user’s group policy configuration (some were discussed earlier in the chapter or will be discussed in Chapter 20): activex-relay, auto-signon, customization, deny-message, download-max-size, file-browsing, file-entry, filter, hidden-shares, homepage, html-content-filter, http-comp, http-proxy, keep-alive-ignore, timer, port-forward, auto-download, applet, post-max-size, smart-tunnel, sso-server, storage-key, storage-objects, svc, unix-auth-gid, upload-max-size, url-entry, url-list, and user-storage.
Tunnel Groups
Tunnel groups for IPSec remote access were introduced in Chapter 17, where I discussed setting up an appliance as an Easy VPN server. Tunnel groups are used to more easily assign policies and attributes to a common group of users or L2L connections. As with IPSec remote access, Cisco supports a tunnel group for WebVPN users. To create a WebVPN tunnel group, use the following command:
type remote-access
The name of the tunnel group should be descriptive, describing the type of users that will be using the attributes and policies of the tunnel group. Most administrators use job functions to classify people, like “executives,” “sales,” “programmers,” “marketing,” “pctechs,” and other similar functional names. The following sections will discuss the general and WebVPN-specific attributes you can assign to your tunnel groups.
Tunnel Group General Attributes
General attributes for tunnel groups are attributes not associated with a specific VPN type. General attributes include where to find the user accounts to authenticate them, where to find the group policies for the users, and where to store accounting records of a user’s access. Here are the commands to configure these attributes:
ciscoasa(config-tunnel-general)# authentication-server-group
[(logical_if_name)] server_tag [LOCAL]
ciscoasa(config-tunnel-general)# authorization-server-group
[(logical_if_name)] server_tag
ciscoasa(config-tunnel-general)# default-group-policy group_policy_name
ciscoasa(config-tunnel-general)# accounting-server-group server_tag
All these commands were discussed in Chapter 17. If you don’t specify the method of authentication, local authentication is used with the username commands. If you don’t define a group policy, the default group policy called DfltGrpPolicy on the ASA is used; you can create specific policies on the appliance, or specify an AAA server to find them (authorization-server-group command).
Tunnel Group WebVPN Attributes
WebVPN-specific attributes for a tunnel group are configured with the following set of commands:
ciscoasa(config-tunnel-webvpn)# authentication {[aaa] [certificate]}
ciscoasa(config-tunnel-webvpn)# customization profile_name
ciscoasa(config-tunnel-webvpn)# dns-group dns_server_group_name
ciscoasa(config-tunnel-webvpn)# group-alias other_group_name
{enable | disable}
ciscoasa(config-tunnel-webvpn)# group-url URL {enable | disable}
ciscoasa(config-tunnel-webvpn)# nbns-server WINS_server_IP [master]
[timeout seconds] [retry retry_count]
ciscoasa(config-tunnel-webvpn)# radius-reject-message
In the WebVPN attributes configuration of a tunnel group, the authentication command specifies that AAA, digital certificates, or both are used to authenticate WebVPN users. The default is AAA if you don’t configure this command. The customization command specifies the customization profile to use for the tunnel group—this affects the look and feel of the home page when they log in. You can also define this within the group policy in the general attributes of the tunnel group. The dns-group command specifies the DNS server group to use to resolve names to addresses—this overrides the global DNS server settings. DNS server groups were previously discussed in the “Performing DNS Lookups” section.
The group-alias command allows you to specify an additional name for the tunnel group that users might be more familiar with. This must be configured if you configured the tunnel-group-list enable command under the WebVPN subcommand mode of the webvpn global command:
ciscoasa(config-webvpn)# tunnel-group-list enable
If you don’t configure the tunnel-group-list command along with the group-alias command, then the user will be connected to the default WebVPN group called Default-WEBVPNGroup. For every group you want to see in the drop-down group selector on the login page, you need the group-alias command for the group and the tunnel-group-list enable command for the global WebVPN setting. Use the show webvpn group-alias[tunnel_group_name] command to view the aliases for your tunnel groups.
The group-url command specifies a URL that will represent the users’ home page when they log in—this is an external server behind the ASA. Configure this command if another device will be proxying the connections and a home page has already been configured on this second server. (See the “Defining External Web Proxies” section earlier in the chapter.)
If you are allowing users to access CIFS file shares and are using WINS for name resolution, in the tunnel group WebVPN properties, you’ll need to define the WINS server or servers with the nbns-server command—execute the command separately for each server. The primary server should be denoted with the master parameter. If you don’t change the timeout or number of retries, they default to 2 seconds and 2 retries respectively.
| Note |
|
The radius-reject-message only applies to a tunnel group when RADIUS authentication is used. In this instance, if the user fails to log in successfully on the login screen, the reject message from the RADIUS server is displayed—the default is not to display this message.
Group Matching Methods
In Chapter 17, where I discussed Easy VPN remote access, users are associated to a particular tunnel group based on one of the following methods:
- Pre-shared keys The group name entered by the user, along with the correct pre-shared key.
- Digital certificates The group name in the Organizational Unit (OU) or Department field. (You can use certificate matching to match on other fields on the certificate.)
WebVPN has multiple methods of matching users to WebVPN groups. If you are using digital certificates, the default is to look at the Organizational Unit (OU) field (commonly called the Department field) to match a user to a group; you can override this by creating certificate group matching rules (discussed in Chapter 17). If you aren’t using digital certificates, you have the following options:
- Let the user choose the group from the login page.
- Define the group the user belongs to on a per-user basis (on the AAA server or locally with the username’s attributes).
- Place the user in a default group.
The following sections will discuss the two common options in associating a user to a particular WebVPN tunnel group.
Tunnel Group Lists
As I mentioned earlier in the “Tunnel Group WebVPN Attributes” section, you can display a drop-down list of group names on the login screen for clientless and thin client access. The tunnel-group-list command displays a drop-down selector of tunnel group names on the login screen for clientless mode that allows the users to choose what group they should be associated with. An alias for the group must be specified to see the drop-down menu (via the group-alias command).
Here’s a simple example:
ciscoasa(config-tunnel-webvpn)# group-alias sales enable
ciscoasa(config-tunnel-webvpn)# exit
ciscoasa(config# tunnel-group hr-group webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias human_resources enable
ciscoasa(config-tunnel-webvpn)# exit
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
| Note |
|
Certificate Group Matching
If you will be using certificates to authenticate WebVPN users, you can examine information on the certificate to determine which tunnel group to associate the user to. Normally this will be the OU field; you can override this mapping by creating certificate mapping rules, which I discussed in Chapter 17. With certificate mapping rules, once you create the list of rules, you need to associate them with the WebVPN process:
ciscoasa(config-webvpn)# certificate-group-map map_name rule_#
tunnel_group_name
Notice that in the certificate-group-map command, you associate the rule to a particular tunnel group name.
| Note |
|
