Anyconnect credentials

pawelzwierzynski · ‎10-23-2014

Hi

I have a strange issue with anyconnect. Anyconnect is based on radius credientials. When I login through portal it's working correctly, I can connect to vpn without any problems. But when I want to connect directly from anyconnect client it asking for credentials and don't want to connect. Credientials arfe valid.

[2014-10-23 13:04:02] Ready to connect.
[2014-10-23 13:06:20] Contacting 77.65.5.226.
[2014-10-23 13:06:45] Please enter your username and password.
[2014-10-23 13:06:53] User credentials entered.
[2014-10-23 13:07:28] Please enter your username and password.
[2014-10-23 13:22:55] User credentials entered.
[2014-10-23 13:23:49] Please enter your username and password.
[2014-10-23 13:23:55] User credentials prompt cancelled.
[2014-10-23 13:23:55] Ready to connect.

What could cause this issue, do I missed something in configuration?

Thanks in advance

Regards

Marius Gunnerud · ‎10-24-2014

I am guessing you have the following configured for the relevant tunnel-group?

tunnel-group ExampleGroup1 general-attributes
authentication-server-group <SERVER GROUP>

Would you be able to post a sanitised running config for us to look over?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

pawelzwierzynski · ‎10-24-2014

Thanks for response

I guess this is config form ASA, I have anyconnect on 1921 router. Config:

webvpn gateway gateway_1
ip address XXX
http-redirect port 80
ssl trustpoint TP-self-signed-1662321223
inservice
!
webvpn context webvpn
secondary-color white
title-color #669999
text-color black
virtual-template 6
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
!
ssl authenticate verify all
inservice
!
policy group policy_1
functions svc-enabled
svc address-pool "SDM_POOL_1" netmask 255.255.255.255
svc default-domain "XXX"
svc keep-client-installed
--svc split include 192.168.55.0 255.255.255.0
svc split include 192.168.66.0 255.255.255.0
svc dns-server primary 192.168.55.12
svc dns-server secondary 192.168.55.41
default-group-policy policy_1

aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local

Marius Gunnerud · ‎10-25-2014

I was actually asking for the full running configuration of the ASA. This is only part of the config. This is why Clientless VPN works: webvpn context webvpn aaa authentication list ciscocp_vpn_xauth_ml_1 As I posted above, you need to have the same aaa authentication command under the tunnel group (connection profile) for the anyconnect vpn. -- Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

pawelzwierzynski · ‎10-27-2014

I found issue. In configuration were two radius servers, first of them was unavailable.

Regards

abithbasha · ‎09-13-2017

Hi,

I am also having the same problem. what was your resolution for this

vinayjaiswal · ‎06-20-2018

I am sure you would have figured out the issue but I faced the same issue and found my license had expired.

dremler · ‎11-08-2018

I faced same problem. There was an error in the authorization policy on ACS. We use cisco-av-pair and there was a mistake in one rule of de ACL on Radius attribute.

After correct that, client VPN could connect.

smanganello · ‎09-16-2019

When I received this same message while attempting to login via VPN, it turned out that I simply needed to reactivate my two-factor authentication account. Once reactivated, I was able to login without issue.

serdar_1453 · ‎03-04-2021

I had the same issue with one our client and his AD password were expired. After resetting his password which worked fine.