
RV340 SSL VPN (anyConnect-vpn) with remote authentication

stsw1
Level 1

How do you allow users authenticated with a Radius server to access SSL VPN?

You can create a local user group for SSL VPN and add local users to the group. However, there is no such choice for users authenticated externally. Similarly, you cannot assign externally authenticated users to the Admin group. Once you enable external authentication, you can no longer log in to the web client even though the user has been authenticated with the Radius server. When you use the local "cisco" user, it'll fail to authenticate with the Radius server and declare login failed. However, if you look at the config XML file, you'll find a line that says

<authOrder>externalAuthentication localAuthentication</authOrder>

The line suggests that it'll try to use local authentication if it failed the external authentication. But it does not seem to be doing that. There are also no obvious structures in the config XML file supporting SSL VPN for externally authenticated users.

Any help would be greatly appreciated.

 


2 Replies

stsw1
Level 1

I had a chat with Cisco tech support. The solution is that some attributes need to be set on the Radius server side. In my case on my Windows NPAS server.

----------------------------

[1] Check the configuration on the Radius server

RADIUS CLIENT:
   -- create a record for RV340

Policies (Connection Request):
   -- use the RV340 IP address
   -- add Radius Attributes on Standard menu for the records of:
      * Class = VPN
      * Service-Type = Administrative

Policies (Network Policies):
   -- check the option for «Ignore User Account dial-in properties»
   -- use the RV LAN IP.
   -- choose the Constraints for MS-CHAP-v2, MS-CHAP, CHAP, PAP and SPAP.
   -- add Radius Attributes on Standard menu for the records of:
      * Class = VPN
      * Service-Type = Administrative
   -- Add record for «Vendor Specific» attributes:
      * Cisco-AV-Pair: Cisco: shell:priv-lvl=15

-----------------------------

The Class attribute (set to VPN here) needs to be the name of a User group on the RV340 that has the SSL VPN privilege.

Hi

Thank you so much for this information!!! I spent hours trying to make this work and finally could with your help!

I just want to add my personal experience: with this setup I was only able to get PAP auth. So, I tried reverting some of those properties to what I had previously with a DrayTek:

Policies (Network Policies):
   * Service-Type = Framed
   * Framed-Protocol = PPP

With these properties MS-CHAP v2 auth is working.

Thank you so much once again!
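As an added example (not from the thread, Cisco or Microsoft), the following Python encodes and decodes the RADIUS Access-Accept attributes that the two replies above configure on the NPS policy, so you can check from a packet capture whether the server really returns a Class value that names an RV340 group with the SSL VPN privilege. Attribute numbers come from RFC 2865 and the Cisco Vendor-Specific format; the group set and sample values are constructed, and the packet header and authenticator are left out.

```python
import struct

SERVICE_TYPE, FRAMED_PROTOCOL, CLASS, VENDOR_SPECIFIC = 6, 7, 25, 26  # RFC 2865 types
SERVICE_TYPES = {2: "Framed", 6: "Administrative"}  # values used in the two replies
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Vendor-Specific: vendor 9, vendor-type 1

def tlv(attr_type, value):
    # RADIUS attribute: type, length (counting these two bytes), value
    return bytes([attr_type, len(value) + 2]) + value

def build_attrs(class_name, service_type, av_pair=None, framed_protocol=None):
    """Encode the Access-Accept attribute section an NPS policy would return."""
    out = tlv(CLASS, class_name.encode())
    out += tlv(SERVICE_TYPE, struct.pack(">I", service_type))
    if framed_protocol is not None:
        out += tlv(FRAMED_PROTOCOL, struct.pack(">I", framed_protocol))
    if av_pair is not None:  # e.g. "shell:priv-lvl=15", wrapped in a Cisco VSA
        vsa = struct.pack(">I", CISCO_VENDOR_ID) + tlv(CISCO_AVPAIR, av_pair.encode())
        out += tlv(VENDOR_SPECIFIC, vsa)
    return out

def decode_attrs(data):
    """Walk the attribute TLVs (e.g. from a captured Access-Accept) into a dict."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        v = data[i + 2:i + length]
        if t == CLASS:
            attrs["Class"] = v.decode()
        elif t == SERVICE_TYPE:
            attrs["Service-Type"] = SERVICE_TYPES.get(struct.unpack(">I", v)[0], "other")
        elif t == FRAMED_PROTOCOL:
            attrs["Framed-Protocol"] = "PPP" if struct.unpack(">I", v)[0] == 1 else "other"
        elif t == VENDOR_SPECIFIC and struct.unpack(">I", v[:4])[0] == CISCO_VENDOR_ID:
            attrs.setdefault("Cisco-AVPair", []).append(v[6:4 + v[5]].decode())
        i += length
    return attrs

def check_mapping(attrs, sslvpn_groups):
    """Findings for the RV340 side: Class must name a group with SSL VPN rights."""
    findings = []
    cls = attrs.get("Class")
    if cls is None:
        findings.append("no Class attribute: user cannot be mapped to an RV340 group")
    elif cls not in sslvpn_groups:
        findings.append(f"Class {cls!r} matches no RV340 group with the SSL VPN privilege")
    if "shell:priv-lvl=15" in attrs.get("Cisco-AVPair", []):
        findings.append("priv-lvl=15 is the highest Cisco privilege level; scope this policy to VPN users only")
    return findings
```

Feed `decode_attrs` the attribute bytes of an Access-Accept from a capture between the NPS and the RV340, and `check_mapping` with the set of group names you created on the router.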