cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2519
Views
0
Helpful
12
Replies

Anyconnect authentication using ADFS SAML

Pascal Lacroix
Beginner
Beginner

Hi,

 

for a customer i'm trying to authenticate anyconnect using an AD, but i can't get it work. On the Cisco ASA is see the following messages:

 

Mar 23 15:02:07 [SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
Mar 23 15:02:07
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

 

What do does messages mean? Could it be that the wrong saml idp url is being used or is it something else?

 

On the ASA we are running 9.8(4)29 

12 Replies 12

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

If you made any changes to the SAML section after associating it with your tunnel-group (connection profile in ASDM), you have to remove and re-apply it. The #LassoServer errors are often a result of that issue.

Pascal Lacroix
Beginner
Beginner

Hi Marvin,

i already did that by removing and adding the saml identity-provider url in the tunnel-group webvpn-attributes, but that didn't resolve the issue

 

tunnel-group AD-SAML webvpn-attributes
no saml identity-provider <url>

saml identity-provider <url>

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

Is this setup authenticating via an Azure AD instance?

we are using a local AD for authentication. In the future it will be an Azure AD

Given that, I would suspect the wrong SAML iDP URL is being used.

Customer is using a Microsoft ADFS with the following url:

 

saml idp https://xx.yy.zz/adfs/services/trust

I've never set it up with on-premise but in Azure it works fine.

I did find this guide for integrating a different app (Atlassian) with on-premise AD FS SAML. You should be able to follow most of the steps in it to work with your ASA:

https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-ad-fs/

Hi Marvin,

 

i am having issue with integrating Azure MFA with ASA anyconnect. 

This vpn1.company.com page can’t be found

No webpage was found for the web address: https://vpn1.company.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA

HTTP ERROR 404
 
got below from Debugs:
 

Mar 30 17:29:24 [SAML] get_lasso_signature_method:
Use SHA256 in SAML Request
Mar 30 17:29:24 [SAML] saml_add_config: SAML config added to list

SAML AUTH: SAML hash table cleanup periodic task
Public archive directives retrieved from cache for index 1.
Mar 30 17:29:37
[SAML] build_authnrequest:
https://login.microsoftonline.com/23e274fb-1240-4362-9b03-6b133e33c70e/saml2?SAMLRequest=fVLLTsMwEPyVyPfEsd0m1GorhT6kSoAQIA5ckJtuqCXHDl6nPL4eJwipHOA6O7M7M%2FYcVWs6WfXhaO%2FgtQcMyXtrLMpxsCC9t9Ip1CitagFlqOV9dX0leZbLzrvgamfImeR%2FhUIEH7SzJNmtF%2BSZbTe5K...
[SAML] saml_is_idp_internal: getting SAML config for tg Azure-MFA
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task

 

ANy idea what i am missing?

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

@SPoodari 

It's hard to say without a live troubleshooting session. What procedure did you follow for the setup?

ASA# show run webvpn
webvpn
enable airtel
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect enable
saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxxxx-6b133e33c70e/
url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
base-url https://vpn.company.com
trustpoint idp AzureAD-AC-SAML
trustpoint sp ASDM_TrustPoint3
no signature
no force re-authentication
tunnel-group-list enable
cache
disable
error-recovery disable


ASA# show run tunnel-group
tunnel-group Azure-MFA type remote-access
tunnel-group Azure-MFA general-attributes
default-group-policy Azure-MFA-GP
tunnel-group Azure-MFA webvpn-attributes
authentication saml
group-alias Azure-MFA enable
saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxxxxxx-6b133e33c70e/

I have attached the logs here. 

Now my previous issue is cleared. 

but now i'm getting Anyconnect "Authentication failed due to unexpected error". after succesful login with Microsoft. 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: