74-14
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Configuring SSO with HTTP Basic or NTLM Authentication
This section describes single sign-on with HTTP Basic or NTLM authentication. You can configure the
ASA to implement SSO using either or both of these methods. The auto-signon command configures
the ASA to automatically pass clientless SSL VPN user login credentials (username and password) on
to internal servers. You can enter multiple auto-signon commands. The ASA processes them according
to the input order (early commands take precedence). You specify the servers to receive the login
credentials using either IP address and IP mask, or URI mask.
Use the auto-signon command in any of three modes: webvpn configuration, webvpn group-policy
mode, or webvpn username mode. Username supersedes group, and group supersedes global. The mode
you choose depends upon scope of authentication you want:
Detailed Steps
The following example commands present various possible combinations of modes and arguments.
Mode Scope
webvpn configuration All clientless SSL VPN users globally.
webvpn group-policy
configuration
A subset of clientless SSL VPN users defined by a group policy.
webvpn username configuration An individual user of clientless SSL VPN.
Command Purpose
Step1 Example:
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow ip
10.1.1.1 255.255.255.0 auth-type ntlm
Configures auto-signon for all users of clientless
SSL VPN to servers with IP addresses ranging from
10.1.1.0 to 10.1.1.255 using NTLM authentication.
Step2 Example:
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow uri
https://*.example.com/* auth-type basic
Configures auto-signon for all users of clientless
SSL VPN, using basic HTTP authentication, to
servers defined by the URI mask
https://*.example.com/*.
Step3 Example:
hostname(config)# group-policy ExamplePolicy
attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri
https://*.example.com/* auth-type all
Configures auto-signon for clientless SSL VPN
sessions associated with the ExamplePolicy group
policy, using either basic or NTLM authentication,
to servers defined by the URI mask.
Step4 Example:
hostname(config)# username Anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# auto-signon allow
ip 10.1.1.1 255.255.255.0 auth-type basic
Configures auto-signon for a user named Anyuser to
servers with IP addresses ranging from 10.1.1.0 to
10.1.1.255 using HTTP Basic authentication.
Step5 Example:
(config-webvpn)# smart-tunnel auto-signon
<host-list> [use-domain] [realm <realm string>]
[port <port num>] [host <host mask> | ip <address>
<subnet mask>]
Configures auto-signon with a specific port and
realm for authentication.