Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 67 Clientless SSL VPN
Configuring Bookmarks
When the adaptive security appliance recognizes one of these six variable strings in an end-user
request—in a bookmark or a post form—it replaces it with the user-specific value before passing the
request to a remote server.
Note: You can obtain the http-post parameters for any application by performing an HTTP Sniffer trace in the
clear (without the security appliance involved). Here is a link to a free browser capture tool, also called
an HTTP Analyzer: http://www.ieinspector.com/httpanalyzer/downloadV2/IEHttpAnalyzerV2.exe.
Using Variables 1 - 4
The adaptive security appliance obtains values for the first four substitutions from the SSL VPN Login
page, which includes fields for username, password, internal password (optional), and group. It
recognizes these strings in user requests, and replaces them with the value specific to the user before it
passes the request on to a remote server.
For example, if a URL list contains the link,
http://someserver/homepage/CSCO_WEBVPN_USERNAME.html, the adaptive security appliance
translates it to the following unique links:
• For USER1 the link becomes http://someserver/homepage/USER1.html
• For USER2 the link is http://someserver/homepage/USER2.html
In the following case, cifs://server/users/CSCO_WEBVPN_USERNAME lets the adaptive security
appliance map a file drive to specific users:
• For USER1 the link becomes cifs://server/users/USER1
• For USER2 the link is cifs://server/users/USER2
Using Variables 5 and 6
Values for macros 5 and 6 are RADIUS or LDAP vendor-specific attributes (VSAs). These substitutions
let you use values configured on either a RADIUS or an LDAP server.
Table 67-13 Clientless SSL VPN Variables
No.   Variable Substitution             Definition
5     CSCO_WEBVPN_MACRO1                Set via RADIUS/LDAP vendor-specific attribute. If you are mapping this from LDAP via an ldap-attribute-map, the Cisco attribute that uses this variable is WEBVPN-Macro-Substitution-Value1. Variable substitution via RADIUS is performed by VSA#223.
6     CSCO_WEBVPN_MACRO2                Set via RADIUS/LDAP vendor-specific attribute. If you are mapping this from LDAP via an ldap-attribute-map, the Cisco attribute that uses this variable is WEBVPN-Macro-Substitution-Value2. Variable substitution via RADIUS is performed by VSA#224.
7     CSCO_WEBVPN_PRIMARY_USERNAME      Primary user login ID for double authentication.
8     CSCO_WEBVPN_PRIMARY_PASSWORD      Primary user login password for double authentication.
9     CSCO_WEBVPN_SECONDARY_USERNAME    Secondary user login ID for double authentication.
10    CSCO_WEBVPN_SECONDARY_PASSWORD    Secondary user login ID for double authentication.
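
The substitution described in this section, modelled as an added example (not Cisco's code and not part of the original guide): `substitute` mimics the per-user replacement, and `audit_bookmark` lists the variables a bookmark uses and flags password variables placed in a URL or sent to an http:// backend. The function names, session values and sample bookmarks are constructed, and leaving a variable that has no session value untouched is an assumption.

```python
import re
from urllib.parse import urlsplit

# Variable strings that appear on this page (Table 67-13 rows 5-10 plus the USERNAME example).
MACROS = sorted([
    "CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_MACRO1", "CSCO_WEBVPN_MACRO2",
    "CSCO_WEBVPN_PRIMARY_USERNAME", "CSCO_WEBVPN_PRIMARY_PASSWORD",
    "CSCO_WEBVPN_SECONDARY_USERNAME", "CSCO_WEBVPN_SECONDARY_PASSWORD",
], key=len, reverse=True)
MACRO_RE = re.compile("|".join(map(re.escape, MACROS)))


def substitute(text, session):
    """Model the per-user replacement; a macro with no session value is left as-is (assumption)."""
    return MACRO_RE.sub(lambda m: session.get(m.group(0), m.group(0)), text)


def audit_bookmark(url, post_params=None):
    """Return (macros_used, warnings) for one bookmark URL and its optional post form."""
    post_params = post_params or {}
    in_url = MACRO_RE.findall(url)
    in_post = [m for v in post_params.values() for m in MACRO_RE.findall(v)]
    warnings = []
    secrets_in_url = [m for m in in_url if m.endswith("_PASSWORD")]
    if secrets_in_url:
        warnings.append("password variable in URL (ends up in logs/history): "
                        + ", ".join(secrets_in_url))
    if urlsplit(url).scheme == "http" and any(
            m.endswith("_PASSWORD") for m in in_url + in_post):
        warnings.append("password variable sent to a cleartext http:// backend")
    return sorted(set(in_url + in_post)), warnings


# Constructed sample data: session values and bookmarks are made up for illustration.
SESSION = {"CSCO_WEBVPN_USERNAME": "USER1", "CSCO_WEBVPN_MACRO1": "finance",
           "CSCO_WEBVPN_PRIMARY_PASSWORD": "example-secret"}
BOOKMARKS = [
    ("http://someserver/homepage/CSCO_WEBVPN_USERNAME.html", None),
    ("cifs://server/users/CSCO_WEBVPN_USERNAME", None),
    ("http://someserver/login", {"user": "CSCO_WEBVPN_PRIMARY_USERNAME",
                                 "pass": "CSCO_WEBVPN_PRIMARY_PASSWORD"}),
]

if __name__ == "__main__":
    for url, post in BOOKMARKS:
        used, warns = audit_bookmark(url, post)
        print(substitute(url, SESSION), used, warns)
```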