AnyConnect clients failing auth - Using local auth instead of RADIUS

Michael Murray
Level 2

I'm trying to set up RADIUS authentication for AnyConnect users using a Windows NPS server. The authentication is working from the ASA fine:

ASA# test aaa-server authentication RADIUS username mmurray password $
Server IP Address or name: 10.10.2.2
INFO: Attempting Authentication test to IP address <10.10.2.2> (timeout: 12 seconds)
INFO: Authentication Successful

But when I try to connect via AnyConnect it looks like the ASA is not using RADIUS but just the local user database instead:

AAA user authentication Rejected : reason = User was not found : local database : user = ***** : user IP = 

What am I missing?

ASA# sh run aaa
aaa authentication ssh console LOCAL
aaa authentication match aaa-auth inside RADIUS

ASA# sh run aaa-server
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
 key *****

ASA# sh run tunnel-group
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
 address-pool remoteaccessvpn
 authentication-server-group (inside) RADIUS
 default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
 group-alias employeegroup enable
tunnel-group employeegroup ipsec-attributes
 ikev1 pre-shared-key *****

ASA# sh run webvpn
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 2
 anyconnect enable
 cache
  disable
 error-recovery disable


4 Replies

Rahul Govindan
VIP Alumni

I think you are missing the following:


webvpn
  tunnel-group-list enable

Without this, the ASA will use the DefaultWebvpnGroup as the default tunnel group for any inbound connections. Your AAA authentication is set for the employeegroup tunnel-group only.

Also change the following:

authentication-server-group (inside) RADIUS

to:

authentication-server-group (outside) RADIUS

This is the interface where the tunnel terminates.
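As an added example (not part of the thread or of any Cisco tool), a small audit script that checks a pasted `show running-config` excerpt for the two problems Rahul points out: no `tunnel-group-list enable` under `webvpn`, and a tunnel-group whose `authentication-server-group` names an interface on which webvpn is not enabled. The sample configuration text is constructed from the poster's quoted output.

```python
import re

# Constructed excerpt modelled on the ASA configuration quoted in the question
# (names and addresses are the poster's; this is not a real device dump).
SAMPLE_CONFIG = """
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.2.2
 key *****
tunnel-group employeegroup type remote-access
tunnel-group employeegroup general-attributes
 address-pool remoteaccessvpn
 authentication-server-group (inside) RADIUS
 default-group-policy employeegroup
tunnel-group employeegroup webvpn-attributes
 group-alias employeegroup enable
webvpn
 enable outside
 anyconnect enable
"""

def audit_asa_vpn_auth(config: str) -> list[str]:
    """Return findings for the two issues discussed in the thread."""
    webvpn_cmds, tg_auth, section = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # top-level command: which block are we in?
            m = re.match(r"tunnel-group (\S+) general-attributes$", raw)
            if m:
                section = ("tg", m.group(1))
            elif raw == "webvpn":
                section = ("webvpn", None)
            else:
                section = None
            continue
        cmd = raw.strip()                    # indented sub-command of the current block
        if section == ("webvpn", None):
            webvpn_cmds.append(cmd)
        elif section and section[0] == "tg":
            m = re.match(r"authentication-server-group \((\S+)\) (\S+)", cmd)
            if m:
                tg_auth[section[1]] = m.groups()   # (interface, aaa-server group)
    findings = []
    if tg_auth and "tunnel-group-list enable" not in webvpn_cmds:
        findings.append("webvpn lacks 'tunnel-group-list enable': clients cannot select a "
                        "tunnel group and land in DefaultWebvpnGroup (LOCAL auth)")
    vpn_ifaces = {c.split()[1] for c in webvpn_cmds if c.startswith("enable ")}
    for tg, (iface, group) in tg_auth.items():
        if iface not in vpn_ifaces:          # AAA bound to an interface that terminates no VPN
            findings.append(f"tunnel-group {tg}: authentication-server-group ({iface}) {group} "
                            f"but webvpn is enabled on {sorted(vpn_ifaces)}")
    return findings

if __name__ == "__main__":
    for f in audit_asa_vpn_auth(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Paste the relevant `show run` sections into `SAMPLE_CONFIG` (or read them from a file) to run the same checks against your own configuration.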

Thank you Rahul! I have spent 2 days banging my head against the wall over this problem.

Thank you! I also had the same problem and now it's resolved!