06-04-2013 01:39 PM - edited 03-11-2019 06:52 PM
Hi everyone,
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back from vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authenticate against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication are successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly. Any suggestions?
Thanks for your advice.
-j
06-04-2013 09:10 PM
Hello,
Can you provide the logs at the time of the authentication problem on the ASA, as well as the debugs from the ASA:
Debug radius
06-05-2013 01:27 PM
Found the answer in the syslog -- said that my dynamic access policy wasn't set to "continue." It was, but not for the AD group I was using to test the connection. So the config was fine, but I had forgotten while on vacation that this VPN was for admin accounts only. Head. Desk.
Thanks for the nudge -- sometimes I just need someone to point out the obvious!
-j
06-06-2013 07:20 AM
Great to hear that
Please mark the question as answered,
Regards,
Julio