
Two Factor Auth - Works on Windows AnyConnect but not Mac OS

adminguy
Level 1

Have an ASA configured with two-factor auth: primary is RSA, secondary is LDAP. On Windows, a passcode and domain password work great. Using a Mac AnyConnect client, it won't connect. Syslog files show:

%ASA-6-113013: AAA unable to complete the request Error : reason = Invalid password : user = testuser

 

The password is correct and tests correctly in the secondary authentication Server Group test under ASDM. The Windows client works perfectly; the Mac AnyConnect client does not, using 4.5.04029 and all the latest OS patches on the Mac.

 

If I change the Secondary Authentication Server Group and remove the "Use primary username (Hide secondary username on login page)", then the Mac/Windows clients are presented with a "Second Username" prompt. Entering the same username for both "First Username" and "Second Username" will now work with the Mac.

 

It would appear that the Mac client isn't sending the primary username to the secondary authentication server.  My AD logs show no attempt to authenticate the Mac client.  The RSA authentication is working for both, so primary auth is performing as expected.

 

Please advise.

 

I have another ASA configured the same way and it works fine, so clearly something is not working correctly and I've run out of debugging ideas.  

2 Replies

adminguy
Level 1
Just tested a Linux AnyConnect client: it works fine. So, something with the Mac AnyConnect client or host OS is the problem. There is no LDAP auth login attempt made during the failure unless I have the ASA set to prompt for second username. The RSA attempt works and is logged by RSA as successful. It's as if the LDAP credentials are not being set and then the ASA isn't sending the auth attempt because the username field is likely blank/null/malformed.
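
One way to spot the symptom described in this thread in ASA syslog (primary RSA auth succeeds, then 113013 appears with no result from the secondary server), added here as an example and not part of any poster's message. The sample lines, server addresses and function name are constructed assumptions; the 113004/113005 lines follow the ASA's standard AAA success/reject message format.

```python
import re

# Constructed sample lines, not taken from the thread. The 113013 line uses the
# format quoted in the post; the server addresses are placeholder assumptions.
RSA_SERVER = "192.0.2.10"   # primary (RSA) server
LDAP_SERVER = "192.0.2.20"  # secondary (LDAP) server
SAMPLE_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = winuser
%ASA-6-113004: AAA user authentication Successful : server = 192.0.2.20 : user = winuser
%ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = testuser
%ASA-6-113013: AAA unable to complete the request Error : reason = Invalid password : user = testuser
"""

# 113004 (Successful) and 113005 (Rejected) name the AAA server that answered.
SERVER_RESULT = re.compile(
    r"%ASA-6-11300[45]: AAA user authentication (?P<result>Successful|Rejected) :"
    r".*?server = (?P<server>\S+) : user = (?P<user>\S+)")
# 113013 carries no server field: the request was not completed.
UNABLE = re.compile(
    r"%ASA-6-113013: AAA unable to complete the request Error : "
    r"reason = (?P<reason>.+?) : user = (?P<user>\S+)")

def find_skipped_secondary(log_text, primary, secondary):
    """Return (user, reason) pairs where the primary server accepted the user
    and a 113013 failure followed with no result from the secondary server."""
    awaiting_secondary = set()  # users past primary auth, no secondary result yet
    flagged = []
    for line in log_text.splitlines():
        m = SERVER_RESULT.search(line)
        if m:
            if m["server"] == primary and m["result"] == "Successful":
                awaiting_secondary.add(m["user"])
            else:  # secondary answered, or primary rejected: attempt is resolved
                awaiting_secondary.discard(m["user"])
            continue
        m = UNABLE.search(line)
        if m and m["user"] in awaiting_secondary:
            awaiting_secondary.discard(m["user"])
            flagged.append((m["user"], m["reason"]))
    return flagged

if __name__ == "__main__":
    for user, reason in find_skipped_secondary(SAMPLE_LOG, RSA_SERVER, LDAP_SERVER):
        print(f"{user}: primary OK, no secondary result, then 113013 ({reason})")
```
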

zunaid.cse
Level 1
I need to enable this feature for a Windows machine. Can you help me by sharing a policy screenshot?