Anyconnect authentication using ADFS SAML

Pascal Lacroix
Level 1

Hi,

For a customer I'm trying to authenticate AnyConnect using an AD, but I can't get it to work. On the Cisco ASA I see the following messages:


Mar 23 15:02:07 [SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
Mar 23 15:02:07
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

What do these messages mean? Could it be that the wrong SAML IdP URL is being used, or is it something else?

On the ASA we are running 9.8(4)29.

12 Replies

Marvin Rhoads
Hall of Fame

If you made any changes to the SAML section after associating it with your tunnel-group (connection profile in ASDM), you have to remove and re-apply it. The #LassoServer errors are often a result of that issue.

Pascal Lacroix
Level 1

Hi Marvin,

I already did that by removing and adding the SAML identity-provider URL in the tunnel-group webvpn-attributes, but that didn't resolve the issue:

tunnel-group AD-SAML webvpn-attributes
no saml identity-provider <url>

saml identity-provider <url>

Marvin Rhoads
Hall of Fame

Is this setup authenticating via an Azure AD instance?

We are using a local AD for authentication. In the future it will be an Azure AD.

Given that, I would suspect the wrong SAML iDP URL is being used.

The customer is using a Microsoft ADFS with the following URL:

saml idp https://xx.yy.zz/adfs/services/trust

I've never set it up with on-premise but in Azure it works fine.

I did find this guide for integrating a different app (Atlassian) with on-premise AD FS SAML. You should be able to follow most of the steps in it to work with your ASA:

https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-ad-fs/

Hi Marvin,

I am having an issue integrating Azure MFA with ASA AnyConnect.

This vpn1.company.com page can’t be found

No webpage was found for the web address: https://vpn1.company.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA

HTTP ERROR 404

Got the below from the debugs:

Mar 30 17:29:24 [SAML] get_lasso_signature_method:
Use SHA256 in SAML Request
Mar 30 17:29:24 [SAML] saml_add_config: SAML config added to list

SAML AUTH: SAML hash table cleanup periodic task
Public archive directives retrieved from cache for index 1.
Mar 30 17:29:37
[SAML] build_authnrequest:
https://login.microsoftonline.com/23e274fb-1240-4362-9b03-6b133e33c70e/saml2?SAMLRequest=fVLLTsMwEPyVyPfEsd0m1GorhT6kSoAQIA5ckJtuqCXHDl6nPL4eJwipHOA6O7M7M%2FYcVWs6WfXhaO%2FgtQcMyXtrLMpxsCC9t9Ip1CitagFlqOV9dX0leZbLzrvgamfImeR%2FhUIEH7SzJNmtF%2BSZbTe5K...
[SAML] saml_is_idp_internal: getting SAML config for tg Azure-MFA
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task
SAML AUTH: SAML hash table cleanup periodic task

Any idea what I am missing?

@SPoodari

It's hard to say without a live troubleshooting session. What procedure did you follow for the setup?

ASA# show run webvpn
webvpn
enable airtel
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect enable
saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxxxx-6b133e33c70e/
url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
base-url https://vpn.company.com
trustpoint idp AzureAD-AC-SAML
trustpoint sp ASDM_TrustPoint3
no signature
no force re-authentication
tunnel-group-list enable
cache
disable
error-recovery disable


ASA# show run tunnel-group
tunnel-group Azure-MFA type remote-access
tunnel-group Azure-MFA general-attributes
default-group-policy Azure-MFA-GP
tunnel-group Azure-MFA webvpn-attributes
authentication saml
group-alias Azure-MFA enable
saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxxxxxx-6b133e33c70e/

I have attached the logs here.

Now my previous issue is cleared.

But now I'm getting the AnyConnect error "Authentication failed due to unexpected error" after successful login with Microsoft.
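An added helper, not from the thread or from Cisco, that cross-checks the kind of "show run" output posted above (each tunnel-group's "saml identity-provider" against the "saml idp" blocks under webvpn, and the ACS host the browser was sent to against base-url, the latter being my own consistency check rather than a diagnosis from the thread) and maps the [SAML] debug signatures quoted in the thread to the remedy Marvin gives. The config embedded in it is constructed from the thread with the Azure tenant id replaced by a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the "show run" output in the thread (tenant id replaced).
SAMPLE_CONFIG = """\
webvpn
 saml idp https://sts.windows.net/TENANT-ID-PLACEHOLDER/
  url sign-in https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  base-url https://vpn.company.com
tunnel-group Azure-MFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
"""

# Debug signatures quoted in the thread, mapped to the remedy Marvin gives there.
SIGNATURES = {
    "is unknown to #LassoServer": "assertion issuer not registered on the ASA; remove and "
        "re-apply 'saml identity-provider' under the tunnel-group after any SAML change",
    "SAML assertion validation failed": "follow-on failure; resolve the consume_assertion error first",
}

def parse_saml_config(text):
    """Collect 'saml idp' blocks under webvpn, base-url, and each tunnel-group's IdP reference."""
    idps, groups, base_url, idp, tg = {}, {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"saml idp (\S+)$", line):
            idp, tg = m.group(1), None
            idps[idp] = {}
        elif m := re.match(r"url (sign-in|sign-out) (\S+)$", line):
            if idp: idps[idp][m.group(1)] = m.group(2)
        elif m := re.match(r"base-url (\S+)$", line):
            base_url = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) webvpn-attributes$", line):
            tg, idp = m.group(1), None
        elif m := re.match(r"saml identity-provider (\S+)$", line):
            if tg: groups[tg] = m.group(1)
    return idps, groups, base_url

def check_saml_config(text, acs_url=None):
    """Return findings; an empty list means every reference resolves consistently."""
    idps, groups, base_url = parse_saml_config(text)
    findings = [f"{tg}: '{ref}' is not a 'saml idp' defined under webvpn"
                for tg, ref in groups.items() if ref not in idps]
    if acs_url and base_url and urlparse(acs_url).netloc != urlparse(base_url).netloc:
        findings.append(f"ACS host {urlparse(acs_url).netloc} != base-url host {urlparse(base_url).netloc}")
    return findings

def triage_saml_debug(lines):
    """Map ASA [SAML] debug lines to the hint for any known signature they contain."""
    return [(sig, hint) for line in lines for sig, hint in SIGNATURES.items() if sig in line]
```

Feed it the output of "show run webvpn" and "show run tunnel-group" pasted into one string, plus the ACS URL from the browser error, and any non-empty findings list points at the mismatch to fix before re-applying the SAML configuration.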
