Cisco ASA 5505 User Manual

74-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Using Single Sign-on with Clientless SSL VPN

Configuring SSO with HTTP Basic or NTLM Authentication

This section describes single sign-on with HTTP Basic or NTLM authentication. You can configure the
ASA to implement SSO using either or both of these methods. The auto-signon command configures
the ASA to automatically pass clientless SSL VPN user login credentials (username and password) on
to internal servers. You can enter multiple auto-signon commands. The ASA processes them according
to the input order (early commands take precedence). You specify the servers to receive the login
credentials using either IP address and IP mask, or URI mask.

Use the auto-signon command in any of three modes: webvpn configuration, webvpn group-policy
mode, or webvpn username mode. Username supersedes group, and group supersedes global. The mode
you choose depends upon scope of authentication you want:

Detailed Steps

The following example commands present various possible combinations of modes and arguments.

Mode

Scope

webvpn configuration

All clientless SSL VPN users globally.

webvpn group-policy
configuration

A subset of clientless SSL VPN users defined by a group policy.

webvpn username configuration

An individual user of clientless SSL VPN.

Command

Purpose

Step 1

Example:

hostname(config)# webvpn

hostname(config-webvpn)# auto-signon allow ip

10.1.1.1 255.255.255.0

auth-type ntlm

Configures auto-signon for all users of clientless
SSL VPN to servers with IP addresses ranging from
10.1.1.0 to 10.1.1.255 using NTLM authentication.

Step 2

Example:

hostname(config)# webvpn

hostname(config-webvpn)# auto-signon allow uri

https://*.example.com/* auth-type basic

Configures auto-signon for all users of clientless
SSL VPN, using basic HTTP authentication, to
servers defined by the URI mask
https://*.example.com/*.

Step 3

Example:

hostname(config)# group-policy ExamplePolicy

attributes

hostname(config-group-policy)# webvpn

hostname(config-group-webvpn)# auto-signon allow uri

https://*.example.com/* auth-type all

Configures auto-signon for clientless SSL VPN
sessions associated with the ExamplePolicy group
policy, using either basic or NTLM authentication,
to servers defined by the URI mask.

Step 4

Example:

hostname(config)# username Anyuser attributes

hostname(config-username)# webvpn

hostname(config-username-webvpn)# auto-signon allow

ip 10.1.1.1 255.255.255.0

auth-type basic

Configures auto-signon for a user named Anyuser to
servers with IP addresses ranging from 10.1.1.0 to
10.1.1.255 using HTTP Basic authentication.

Step 5

Example:

(config-webvpn)# smart-tunnel auto-signon

<host-list> [use-domain] [realm <realm string>]

[port <port num>] [host <host mask> | ip <address>

<subnet mask>]

Configures auto-signon with a specific port and
realm for authentication.