cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2444
Views
4
Helpful
4
Replies

ACS 5.2 AAA and large Windows Access Tokens. Problems.

Adam Swindell
Level 1
Level 1

Hello I am having an issue that is only being experienced by one person out of many who use AnyConnect (authenticated with ACS 5.2).

I'll try to explain the set up first.

We have some users who use AnyConnect regularly; the tunnel is terminated on a 5520 ASA. The tunnel group is currently set up to send RADIUS aaa requests to the ACS server, which in turn is set up to query Active Directory. This is working perfectly for all AnyConnect users except for one person.

Here is the kicker, authentication worked fine for this person as well before we switched from an old Steel Belted Radius server that used to be doing the same thing basically, it handled the RADIUS requests but did a look up into Active Directory. So that part of it has not changed.

So now when this user tries to log in he gets these the Windows event logs. 

******************************************

Date        : 11/02/2012

Time        : 21:13:39

Type        : Information

Source      : acvpnui

Description : Function: ConnectMgr::userResponse

File: .\ConnectMgr.cpp

Line: 1301

Processing user response.

******************************************

Date        : 11/02/2012

Time        : 21:13:39

Type        : Information

Source      : acvpnui

Description : Function: CTransportWinHttp::setResponseData

File: .\CTransportWinHttp.cpp

Line: 1535

Invoked Function: WinHttpQueryHeaders

Return Code: 12150 (0x00002F76)

Description: The requested header was not found

******************************************

Date        : 11/02/2012

Time        : 21:13:39

Type        : Information

Source      : acvpnui

Description : Function: ConnectMgr::setPromptAttributes

File: .\ConnectMgr.cpp

Line: 4236

The certificate authority is disabled on the secure gateway.

******************************************

Date        : 11/02/2012

Time        : 21:13:39

Type        : Information

Source      : acvpnui

Description : The following error message was received from the secure gateway:

Login failed.

---------------------------------

I've looked though the ASA configuration and it is using a valid certificate and everything, signed by GoDaddy etc…. It won’t' let me look at the certificate authority configuration because it says it can't be configured when in a failover pair. I don't really think the problem is at the ASA at this point, because all other users are authenticating correctly. (And so was this user before switching to ACS)

Also in the ACS logs it says the user used the wrong password and that is why authentication is failing, but they are using the correct password.

So now I am looking into issues with the users account in particular. Something that I think may be worth noting is that this user has a very large access token (one of the largest in the entire organization) belonging to over 98 groups (not including all the sub groups). I'm wondering if having a very large access token could be throwing ACS off for some reason, or if anyone else has run into this before.

The next step for troubleshooting I'm going to do is create a local account on the ACS server and see what happens.

Thanks in advance for any help or insight.

4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

Adam,

Please follow my guide to see what the ntcode is being returned from active directory:

https://supportforums.cisco.com/docs/DOC-26787

Tarik Admani
*Please rate helpful posts*

I will give this a shot.

Thank you for the reply!

I took a look at the logs that were generated...I think. The logs reached all the way back to August so I'm not sure if either dubugging has been on this entire time or what...

Going to look that some more.

Also not sure if the logs really help me that much, I'm going to keep looking at them to see what I can see. Maybe open a TAC case so someone who is use to looking at these logs can take a look.

Thanks for the help.

Hello, not sure if this thread is closed, but I tried to access https://supportforums.cisco.com/docs/DOC-26787 but got denied. Is that information available elsewhere? Thank you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: