Anyconnect Local AAA FMC 7.2

keithcclark71
Level 3

I just completed the upgrade to FMC 7.2 and do not have Cisco ISE. I was hoping I could use LOCAL AAA for VPN authentication. I was able to create a realm for Local AAA and add a user; however, the "Enable" button next to the realm does not work, and when I go through the VPN to modify my authentication to Local I get a message stating the below. Any ideas?

Associate a Local realm with local user(s) to complete the selected LOCAL Authentication configuration.


Marvin Rhoads
Hall of Fame

When you create a new local realm, the dialog box should have prompted you to put in at least one user. Once that has been done, the realm is created and available for use as an Authentication type in your VPN configuration.

I just verified it on my lab FMC 7.2:

[Screenshots: FMC 7.2 Local Realm; RAVPN with Local Auth]

Hey Marvin, that is exactly what I had done. Along with the error above, it said I needed to define a global server. Do you have ISE defined as an integration source on yours? I am wondering if that is why yours works and mine doesn't.

I am going to wipe the VPN and try reconfiguring later on tonight. I'll report back. Thanks

@keithcclark71 I do not currently have ISE integrated in my lab FMC. I just rebuilt this FMC 7.2 from scratch after having been running the beta version (which is non-upgradable to release version).

I reworked the VPN and the error went away, so I'm not sure what was going on there. The truth is I am changing stuff all the time during this project here and doing a lot of back and forth, so it was probably something to do with my changing around of things. I was able to add LOCAL and associate users, then establish a connection to the headend. I have all 5 of my 1010s running 7.2 now and one is in production. I still have a long, long way to go here, but one step at a time. It's going to get fun now, as the other ASAs in production sites have backup routes to alternate ISPs and the S2S VPN on the existing ASAs can come up automatically on the backup circuit, and I am now sure how they did that and how I am going to do that with the FTD, but one thing at a time here. Thanks for the assist as always.

miso-ch
Level 1

I think you missed configuring the already configured local realm in the Remote Access Connection Profile:

[Screenshot: misoch_4-1701165877425.png]