9202 Views, 15 Helpful, 3 Replies

AnyConnect Authentication fails and then succeeds

Hi,

I have a really strange behaviour in our new ISE 2.6 cluster.

When an AnyConnect client connects to our ASA 5545-X, the ASA talks RADIUS to our ISE cluster.

The log shows:

2019-05-27 10:30:18.03   RADIUS Accounting watchdog update
2019-05-27 10:30:17.846  RADIUS Accounting start request
2019-05-27 10:30:17.84   Authentication failed
2019-05-27 10:30:17.818  Authentication succeeded

It's a local user which gets authenticated; it always fails first, then succeeds. The AnyConnect client shows no failure at all, it just connects successfully.

Failed attempt:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name
15041 Evaluating Identity Policy
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - testuser
24212 Found User in Internal Users IDStore
22040 Wrong password or invalid shared secret
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject

And the successful attempt:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name
15041 Evaluating Identity Policy
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - testuser
24212 Found User in Internal Users IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24209 Looking up Endpoint in Internal Endpoints IDStore - testuser
24211 Found Endpoint in Internal Endpoints IDStore
15048 Queried PIP - Network Access.AuthenticationStatus
15016 Selected Authorization Profile - VPN
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - InternalUser.IPAddress
22081 Max sessions policy passed
22080 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept


How can I fix the first failed attempt?


3 Replies

Jason Kunst, Cisco Employee
Check the authentication policy and make sure it's set to continue for unknown users.

If this doesn't work, open a TAC case.

paul, Level 10 (Accepted Solution)

It looks to me like you have mistakenly configured AAA authorization on your VPN tunnel group on your ASA. You should only be doing RADIUS authentication and accounting. Make sure you don't have authorization enabled.
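For reference, the ASA-side change Paul is describing, shown as an added example that is not from the original thread. When `authorization-server-group` points at a RADIUS server, the ASA sends a second Access-Request for the same user right after the real authentication succeeds; that request is built with the "common password" (the `radius-common-pw` value, or the username itself when none is set), not the user's credential, so ISE evaluates it as an ordinary login and logs step 22040 followed by an Access-Reject. ISE already returns the authorization profile's attributes (Framed-IP-Address and friends) in the Access-Accept of the authentication exchange, so nothing is lost by dropping the extra lookup. The group name `ISE`, the tunnel-group `ANYCONNECT`, the pool, the group policy, the server IP 10.0.0.10 and the password placeholder are all hypothetical:

```text
! --- Before: authentication, authorization AND accounting all sent to ISE.
! --- The authorization-server-group line is what produces the extra
! --- Access-Request that ISE rejects before the Accounting Start arrives.
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-ANYCONNECT

! --- Fix: keep authentication and accounting, remove RADIUS authorization.
tunnel-group ANYCONNECT general-attributes
 no authorization-server-group

! --- Check 1: confirm the line is gone from the tunnel-group.
show running-config tunnel-group ANYCONNECT

! --- Check 2: a one-shot RADIUS test against the ISE node; expect a single
! --- 11001/11002 (Access-Request/Access-Accept) pair in ISE Live Logs with
! --- no preceding 22040/11003 reject. "Secr3tPass" is a placeholder.
test aaa-server authentication ISE host 10.0.0.10 username testuser password Secr3tPass

! --- Check 3: after a real AnyConnect login, the address assigned from the
! --- ISE internal user (InternalUser.IPAddress) still shows up on the ASA.
show vpn-sessiondb anyconnect filter name testuser
```

If a tunnel-group genuinely needs RADIUS authorization for a different identity source (for example certificate-only logins looked up by subject name), set `radius-common-pw` on the `aaa-server ... host` entry and configure ISE to accept that value for those requests instead of relying on the user's password; otherwise the pattern above (reject immediately followed by accept for the same user, a few milliseconds apart) is the signature of an unnecessary authorization server group.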

Thanks Paul, that worked!


I thought that I needed authorization to push the profile to the client (the profile gives the IP address to the user, which is configured in the local user on ISE). But this works anyway.


Best regards,

Tobias