12-04-2017 05:27 AM - edited 03-12-2019 04:47 AM
I'm trying to set up RADIUS authentication for AnyConnect users using a Windows NPS server. The authentication is working from the ASA fine:
ASA# test aaa-server authentication RADIUS username mmurray password $
Server IP Address or name: 10.10.2.2
INFO: Attempting Authentication test to IP address <10.10.2.2> (timeout: 12 seconds)
INFO: Authentication Successful
But when I try to connect via AnyConnect it looks like the ASA is not using RADIUS but just the local user database instead:
AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP =
What am I missing?
ASA# sh run aaa
aaa authentication ssh console LOCAL
aaa authentication match aaa-auth inside RADIUS
ASA# sh run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
key *****
ASA# sh run tunnel-group
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
address-pool remoteaccessvpn
authentication-server-group (inside) RADIUS
default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
group-alias employeegroup enable
tunnel-group employeegroup ipsec-attributes
ikev1 pre-shared-key *****
ASA# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
anyconnect enable
cache
disable
error-recovery disable
12-04-2017 05:47 AM - edited 12-04-2017 05:47 AM
I think you are missing the following:
webvpn
tunnel-group-list enable
Without this, the ASA will use the DefaultWebvpnGroup as the default tunnel group for any inbound connections. Your AAA authentication is set for the employeegroup tunnel-group only.
02-27-2018 04:35 AM
Also changed the following:
authentication-server-group (inside) RADIUS
to:
authentication-server-group (outside) RADIUS
This is the interface where the tunnel terminates.
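The two fixes in this thread (the missing `tunnel-group-list enable` under `webvpn`, and the `authentication-server-group` interface not matching the interface `webvpn` is enabled on) are easy to miss by eye in a long `show run`. As an added example that is not part of the original posts, the script below parses a `show run` transcript using the ASA's indentation and reports both conditions. The sample config is constructed from the original poster's output (same group name, interfaces and server address); the check names and the indentation-based parser are assumptions of this example, not anything the ASA or Cisco provides.

```python
"""Audit an ASA running-config for two AnyConnect/RADIUS pitfalls:
1. `tunnel-group-list enable` missing under webvpn, so clients land in
   DefaultWebvpnGroup (LOCAL auth) instead of the aliased tunnel-group
   whose authentication-server-group points at RADIUS.
2. authentication-server-group naming an interface other than the one
   webvpn is enabled on (the interface where the tunnel terminates).
"""
import re

# Constructed sample: the poster's `show run` output condensed into one
# transcript, with ASA's one-space child indentation preserved.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
 key *****
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
 address-pool remoteaccessvpn
 authentication-server-group (inside) RADIUS
 default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
 group-alias employeegroup enable
webvpn
 enable outside
 anyconnect enable
"""

# The same config with both fixes from the thread applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "authentication-server-group (inside) RADIUS",
    "authentication-server-group (outside) RADIUS",
).replace(
    "webvpn\n enable outside",
    "webvpn\n enable outside\n tunnel-group-list enable",
)

AUTH_RE = re.compile(r"authentication-server-group(?: \((\S+)\))? (\S+)$")
ENABLE_RE = re.compile(r"enable (\S+)$")
GROUP_RE = re.compile(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)$")


def parse_blocks(config):
    """Return [(header, [child lines])]; a line starting with a space
    belongs to the most recent unindented header (ASA `show run` layout)."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of (check_name, tunnel_group) findings; empty means clean."""
    enabled_ifaces = set()      # interfaces with `enable <if>` under webvpn
    tunnel_group_list = False   # whether `tunnel-group-list enable` is present
    auth_ifaces = {}            # tunnel-group -> interface in its auth-server-group
    aliased = []                # tunnel-groups offering a client-selectable alias

    for header, children in parse_blocks(config):
        if header == "webvpn":
            for line in children:
                m = ENABLE_RE.match(line)
                if m:
                    enabled_ifaces.add(m.group(1))
                if line == "tunnel-group-list enable":
                    tunnel_group_list = True
            continue
        g = GROUP_RE.match(header)
        if not g:
            continue
        name, section = g.groups()
        for line in children:
            if section == "general-attributes":
                m = AUTH_RE.match(line)
                if m and m.group(1):
                    auth_ifaces[name] = m.group(1)
            elif line.startswith("group-alias ") and line.endswith(" enable"):
                aliased.append(name)

    findings = []
    # Aliases are only offered to clients when tunnel-group-list is enabled;
    # without it every inbound AnyConnect session uses DefaultWebvpnGroup.
    if not tunnel_group_list:
        findings.extend(("missing-tunnel-group-list", name) for name in aliased)
    # The interface on authentication-server-group should be the one the
    # tunnel terminates on, i.e. where webvpn is enabled.
    for name, iface in auth_ifaces.items():
        if enabled_ifaces and iface not in enabled_ifaces:
            findings.append(("auth-server-interface-mismatch", name))
    return findings


if __name__ == "__main__":
    for check, group in audit(SAMPLE_CONFIG):
        print(f"{check}: tunnel-group {group}")
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Run against the sample it reports both problems for `employeegroup`; against the fixed config it reports nothing. Paste your own `show run` into `SAMPLE_CONFIG` (keeping the leading spaces the ASA prints) to check a live box.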
11-01-2020 10:01 AM
Thank you! I also had the same problem and now it's resolved!