topic Re: AnyConnect Clientless SSL VPN - ISE Auth failure in Network Access Control

AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Wed, 24 Jan 2018 20:26:53 GMT

When I try to connect to the ASA (9.6)/ISE (2.2) using https://asaaddress.domian.com, I authenticate with username (via RADIUS/AD/ISE), but access is still denied -

From Radius live log details - steps -

24343	RPC Logon request succeeded - XXXXXXX@XXXXXXX.com
	24402	User authentication against Active Directory succeeded - XXXXXXX.com
	22037	Authentication Passed
	24423	ISE has not been able to confirm previous successful machine authentication
	15036	Evaluating Authorization Policy
	15048	Queried PIP - Session.EPSStatus
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject

The machine was just previously authenticated on the network (Wired and wireless) -

Authentication is VPN->Default->Default, not hitting Authorization policy

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

paul — Wed, 24 Jan 2018 20:48:34 GMT

You are hitting an authorization profile, just one that has Access-Reject in it. What does your VPN policy set look like?

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Wed, 24 Jan 2018 21:07:26 GMT

Very basic - I am in the dialup users group - then VPN ALLOW

Policy, Policy elements, Results, Authorization, Authorization Profiles, VPN ALLOW, has Access Type = ACCESS_ACCEPT, and DACL = ISE-VPN-ALLOW

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Wed, 24 Jan 2018 21:20:22 GMT

Also - I tried changing the final VPN rule to "PermitAccess" - no difference.

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

paul — Wed, 24 Jan 2018 21:51:55 GMT

Show the result details where you changed it to permit access. That should show:

15016 Selected Authorization Profile – PermitAccess

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Wed, 24 Jan 2018 22:47:16 GMT

That is what I thought, but the details stay exactly the same.

So I don’t think it gets to the final rule, it authenticates, but doesn’t authorize.

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

paul — Thu, 25 Jan 2018 00:03:34 GMT

Is this a deployment or one node? If deployment sounds like you may have a synchronization issue with the PSN. If you changed to PermitAccess but you see log details showing DenyAccess then I would look at sync issues.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Thu, 25 Jan 2018 00:11:22 GMT

It is a deployment, these two nodes are in the same zone. I will reset and give them longer to sync. Is they a key or synchronize I’d? Something I can check?

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

paul — Thu, 25 Jan 2018 00:15:34 GMT

Are the authentications going to the same node as the rule set you are looking at? You can force sync from the deployment screen.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Thu, 25 Jan 2018 16:59:47 GMT

I copied the VPN policy to VPN_copy, and changed the last rule to PermitAccess – left plenty of time to sync with no change. (access good from AnyConnect client, fails for Clientless SSL VPN).

I purchased a book yesterday and it has a helpful hint to test the “AAA test” from the ASA. The test FAILS. This seems odd since I can connect/authenticate using the AnyConnect client.

Here are the trace results of (3) connection attempts (AAA test , Clientless SSL VPN from home , AnyConnect client from home ) – seems like I should focus on getting the AAA test to work, but not sure where to start.

Test from ASA AAA Server Groups ###################

Radius.User-Name=myname@mydomain.com

Radius.NAS-IP-Address=10.247.101.10

Radius.NAS-Port-Type=Virtual

Network Access.NetworkDeviceName=MyCompVPN

Network Access.AuthenticationMethod=PAP_ASCII

Network Access.Protocol=RADIUS

Radius.NAS-Port=3

Network Access.AD-User-Join-Point=MyDomain.COM

Network Access.AD-User-DNS-Domain=MyDomain.com

DEVICE.Network Device Profile=Cisco

DEVICE.Location=All Locations#MyLocation

DEVICE.Device Type=All Device Types#Firewalls

MyDomain.com.IdentityAccessRestricted=false

Network Access.Device IP Address=10.247.101.10

Failed from home to Clientless WebVPN ###################

Radius.Calling-Station-ID=12.193.30.2

Radius.User-Name=myname@mydomain.com

Radius.NAS-IP-Address=10.247.101.10

Radius.NAS-Port-Type=Virtual

Network Access.NetworkDeviceName=MyCompVPN

Network Access.AuthenticationMethod=PAP_ASCII

Network Access.Protocol=RADIUS

Radius.NAS-Port=323584

Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2

Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect

Normalised Radius.SSID=183.187.10.10

Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=Clientless-SSL-VPN

Network Access.AD-User-Join-Point=MyDomain.COM

Network Access.AD-User-DNS-Domain=MyDomain.com

DEVICE.Network Device Profile=Cisco

DEVICE.Location=All Locations#MyLocation

DEVICE.Device Type=All Device Types#Firewalls

MyDomain.com.IdentityAccessRestricted=false

Network Access.Device IP Address=10.247.101.10

Radius.Called-Station-ID=183.187.10.10

Success from home to AnyConnect Client ###################

Radius.Calling-Station-ID=12.193.30.2

Radius.User-Name=myname@mydomain.com

Radius.NAS-IP-Address=10.247.101.10

Radius.NAS-Port-Type=Virtual

Network Access.NetworkDeviceName=MyCompVPN

Network Access.AuthenticationMethod=PAP_ASCII

Network Access.Protocol=RADIUS

Radius.NAS-Port=8192

Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2

Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect

Normalised Radius.SSID=183.187.10.10

Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=AnyConnect-Client-SSL-VPN

Network Access.AuthenticationStatus=AuthenticationPassed

Network Access.AD-User-Join-Point=MyDomain.COM

Network Access.AD-User-DNS-Domain=MyDomain.com

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics

MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins

MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins

DEVICE.Network Device Profile=Cisco

DEVICE.Location=All Locations#MyLocation

DEVICE.Device Type=All Device Types#Firewalls

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics

MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users

MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins

MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins

MyDomain.com.IdentityAccessRestricted=false

Network Access.Device IP Address=10.247.101.10

Radius.Called-Station-ID=183.187.10.10

-cliff

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

hslai — Fri, 26 Jan 2018 01:40:48 GMT

Try using the primary ISE to authenticate and see whether it makes any difference. If it does, then go to the deployment page and initiate a manual sync to the 2nd ISE node.

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd — Fri, 26 Jan 2018 16:17:48 GMT

Thanks, but no difference using primary/secondary to authenticate.

-cliff

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

hslai — Fri, 26 Jan 2018 16:23:04 GMT

Please restart the ISE services on one of the ISE nodes. If this not helping, then your policies might be a strange state and please engage Cisco TAC to investigate further.

Re: AnyConnect Clientless SSL VPN - ISE Auth failure

paul — Fri, 26 Jan 2018 16:23:49 GMT

I would probably open a TAC case. Most likely it is something that is easily explained, but hard to troubleshoot over the forums.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250