AnyConnect clients failing auth - Using local auth instead of RADIUS

Michael Murray
Level 2

I'm trying to set up RADIUS authentication for AnyConnect users using a Windows NPS server. The authentication is working from the ASA fine:

ASA# test aaa-server authentication RADIUS username mmurray password $
Server IP Address or name: 10.10.2.2
INFO: Attempting Authentication test to IP address <10.10.2.2> (timeout: 12 seconds)
INFO: Authentication Successful

But when I try to connect via AnyConnect it looks like the ASA is not using RADIUS but just the local user database instead:

AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP =

What am I missing?

ASA# sh run aaa
aaa authentication ssh console LOCAL
aaa authentication match aaa-auth inside RADIUS

ASA# sh run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
 key *****

ASA# sh run tunnel-group
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
 address-pool remoteaccessvpn
 authentication-server-group (inside) RADIUS
 default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
 group-alias employeegroup enable
tunnel-group employeegroup ipsec-attributes
 ikev1 pre-shared-key *****

ASA# sh run webvpn
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
 anyconnect enable
 cache
  disable
 error-recovery disable


Rahul Govindan
VIP Alumni (Accepted Solution)

I think you are missing the following:

webvpn
 tunnel-group-list enable

Without this, the ASA will use the DefaultWebvpnGroup as the default tunnel group for any inbound connections. Your AAA authentication is set for the employeegroup tunnel-group only.

Also changed the following:

authentication-server-group (inside) RADIUS

to:

authentication-server-group (outside) RADIUS

This is the interface where the tunnel terminates.
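As an added example (not from this thread and not Cisco tooling), the following Python script parses ASA `show run` text and flags the two misconfigurations identified in the accepted answer: a tunnel-group that authenticates against a RADIUS server group while `tunnel-group-list enable` is absent under `webvpn`, and an `authentication-server-group` bound to an interface other than the one `webvpn` is enabled on. The two sample configurations are constructed from the output posted in this thread (one as posted, one with the fix applied); the function names are my own. Caveat: the script does not account for other ways a session can be mapped to a tunnel-group (group-url or a certificate map), so treat the first finding as a prompt to verify how clients are expected to select their group rather than as proof of a fault.

```python
"""Audit Cisco ASA 'show run' text for two AnyConnect RADIUS pitfalls.

Added example for this thread, not Cisco's tooling. Sample configs are
constructed from the output posted above; all function names are my own.
"""
import re

# Constructed sample: the original poster's configuration, abridged to the
# lines that matter (aaa-server, tunnel-group, webvpn).
BROKEN_CONFIG = """\
aaa authentication ssh console LOCAL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
 key *****
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
 address-pool remoteaccessvpn
 authentication-server-group (inside) RADIUS
 default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
 group-alias employeegroup enable
webvpn
 enable outside
 anyconnect enable
"""

# Constructed sample: the same configuration with the accepted fix applied
# (server group bound to the terminating interface, group list enabled).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "authentication-server-group (inside) RADIUS",
    "authentication-server-group (outside) RADIUS",
).replace(" anyconnect enable\n", " anyconnect enable\n tunnel-group-list enable\n")


def parse_sections(config: str) -> dict[str, list[str]]:
    """Group ASA config into {top-level line: [indented sub-lines]}.

    ASA indents mode sub-commands with spaces, so a line that starts in
    column 0 opens a new section and indented lines belong to it.
    """
    sections: dict[str, list[str]] = {}
    current = ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_anyconnect_aaa(config: str) -> list[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    sections = parse_sections(config)
    webvpn = sections.get("webvpn", [])
    # Interfaces on which the SSL VPN listener is enabled ('enable outside').
    vpn_interfaces = {m.group(1) for line in webvpn
                      if (m := re.fullmatch(r"enable (\S+)", line))}
    group_list_enabled = "tunnel-group-list enable" in webvpn

    findings: list[str] = []
    for header, body in sections.items():
        tg = re.fullmatch(r"tunnel-group (\S+) general-attributes", header)
        if not tg:
            continue
        name = tg.group(1)
        for line in body:
            m = re.fullmatch(r"authentication-server-group \((\S+)\) (\S+)", line)
            if not m:
                continue
            iface, server_group = m.groups()
            if not group_list_enabled:
                findings.append(
                    f"{name}: authenticates against {server_group}, but "
                    "'tunnel-group-list enable' is missing under webvpn, so "
                    "clients that do not select a group land in "
                    "DefaultWebVPNGroup and are checked against LOCAL")
            if vpn_interfaces and iface not in vpn_interfaces:
                findings.append(
                    f"{name}: authentication-server-group is bound to "
                    f"({iface}) but webvpn is enabled on "
                    f"{sorted(vpn_interfaces)}; bind it to the interface "
                    "where the tunnel terminates")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_anyconnect_aaa(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the posted configuration it reports both problems; against the corrected one it reports none. The same log line the original poster saw (`User was not found : local database`) is the symptom to watch for in `show logging` when a tunnel-group silently falls back to DefaultWebVPNGroup.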

Thank you Rahul! I have spent 2 days banging my head against the wall over this problem.

Thank you!  I also had the same problem and now it's resolved!
