取消
显示结果 
搜索替代 
您的意思是: 
cancel
7250
查看次数
10
有帮助
11
回复

anyconnect无法支持AAA认证

xiaotongse
Level 1
Level 1
PC在互联网上,PC通过防火墙ASA下载anyconnect3.1,下载通过anyconnect拨号后发现,仅支持本地用户名和密码拨号IKEV2,不支持通过LDAP拨号;
配置:
int g0
ip address 192.168.1.1 255.255.255.0
nameif Inside
no shut
int g1
ip address 202.16.1.1 255.255.255.252
nameif Outside
no shut
!
access-list icmp extended peremit icmp any any
access-list icmp extended permit udp any any
access-group icmp in interface Outside
object network LAN
sub 172.16.1.0 255.255.255.0
nat (Inside,Outside) dy inter
object network Remote
sub 10.144.1.0 255.255.255.0
!
nat (Inside,outside) source static LAN LAN destination static Remote Remote
!
ip local pool ezvpn 10.144.1.11-10.144.1.20
!
domain-name test.org
clock timezone GMT +8
ntp server 192.168.1.2
crypto ca trust-point CA
enrollment url http://202.16.1.2:80
sub-name cn=asa.test.org
fqdn asa.test.org
crypto ca authe CA
crypto ca enroll CA
!
http server enable 500
http 0 0 outside
!
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg
anyconnect enable
anyconnect profiles group1 disk0:/group1.xml
group-policy group1-certenroll internal
group-policy group1-certenroll attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
address-pools value ezvpn
webvpn
anyconnect profiles value group1 type user
!
username cisco password cisco
username cisco attribute
vpn-tunnel-group group1-certenroll
!
ssl trust-point CA
crypto ikev2 enable outside
crypto ikev2 remote-access trust-point CA
crypto ikev2 policy 1
group 2
integrity sha
lifetime 43200
prf sha
crypto ipsec ikev2 ipsec-proposal FirstSet
protocol esp encryption 3des aes
crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
!
tunnel-group test type remote-access
tunnel-group test gen
authentication-server-group ldap LOCAL
!
ldap attribute-map group-to-policy
map-name memberOf IETF-Radius-Class
map-value memberOf CN=group1,OU=Depart1,DC=test,DC=org
aaa-server 2008 (Inside) host 10.1.1.1
ldap-attribute-map group-to-policy
ldap-base-dn dc=test, dc=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 1a.cisco
ldap-login-dn cn=administrator, cn=users, dc=test, dc=org group1-certenroll
server-type microsoft
11 条回复11

xiaotongse
Level 1
Level 1
tunnel-group test type remote-access
tunnel-group test gen
authentication-server-group 2008 LOCAL

one-time
Level 13
Level 13
xiaotongse 发表于 2017-3-25 17:02
tunnel-group test type remote-access
tunnel-group test gen
authentication-server-group 2008 LOCA ...

感谢您的提问!稍后会有小伙伴为您解答的!:)

13nash
Level 8
Level 8
LDAP测试通讯正常吗

xiaotongse
Level 1
Level 1
LDAP测试没有任何问题,从asa通过test测试正常的

fortune
VIP Alumni
VIP Alumni
是支持的哦,我上次才做过配置,你可以谷歌一下ASA ldap authe 就有案例

ilay
VIP
VIP
1、你看下log里面 aaa-server 有没有fail 的记录,如果有的话可以尝试重新标记aaa-server为active
命令示例:aaa-server SrvName active host 192.168.12.x
2、如果aaa-server是active的,你可以先连接anyconnect ,然后通过show vpn-sessiondb anyconnect 查看拨入用户的tunnel-group ,如果 Tunnel Group和你定义的tunnel名不一致,那么最好检查一下是否启用了tunnel-group-list enable
启用tunnel group部分配置如下
!--
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
anyconnect enable
tunnel-group-list enable

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpn_pool
authentication-server-group LDAP_Srv LOCAL
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias sslvpn enable
!
!--
show vpn-sessiondb anyconnect 输出如下
------------------------------------------------------
SSLVPN# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : vpnuser Index : 24
Assigned IP : 10.x.x.x Public IP : 100.100.100.100
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 821187 Bytes Rx : 755243
Group Policy : SSLVPN Tunnel Group : SSLVPN
Login Time : 19:04:29 UTC Sun Mar 26 2017
Duration : 6h:49m:52s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801010001800058d810bd
Security Grp : none
SSLVPN#
----------------------------------------------------------

jingjian
Spotlight
Spotlight
1.NAT配置错误,nat (Inside,outside) source static LAN LAN destination static Remote Remote,G1的接口命名为Outside,nat配置的为小写outside.
2.后续的涉及到outside的调用全部是小写, 所以很多地方的调用都是错误的。
3.
建议可以把username cisco tunnel-group 调用配置删除,更换为调用vpn-group-policy group1-certenroll ,然后在tunnel-group 下调用group-policy
tunnel-group test gen
default-group-policy group1-certenroll
这样调用的策略就一致了,就不存策略调用先后的问题
另外你调用ldap也是错误的,定义的aaa-server 2008, 调用的时候变成ldap

xiaotongse
Level 1
Level 1
此问题目前已经解决,我调用默认的DefaultWEBGroup策略就没有任何问题

Yanli Sun
Community Manager
Community Manager
感谢分享解决方案

xiaotongse
Level 1
Level 1
不过还是要谢谢大家的帮助

one-time
Level 13
Level 13
xiaotongse 发表于 2017-3-28 17:02
不过还是要谢谢大家的帮助

请记得标注最佳答案哈~
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接