AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

ingotitze
Level 1

Hi everyone,

It's probably just me, but I have tried really hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1), but still the same problem. The setup of the ASA is straightforward: directly connected to the Internet, with a 10.0.1.0/24 subnet on the inside and an address pool of 10.0.2.0/24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down the certificate authentication which I had running before, just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages: the handshake completes successfully and the local authentication works fine as well.

Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.

: Saved

:

ASA Version 9.1(1)

!

hostname ASA

domain-name ingo.local

enable password ... encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd ... encrypted

names

name 10.0.1.0 LAN-10-0-1-x

dns-guard

ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif Internal

security-level 100

ip address 10.0.1.254 255.255.255.0

!

interface Vlan2

nameif External

security-level 0

ip address dhcp setroute

!

regex BlockFacebook "facebook.com"

banner login This is a monitored system. Unauthorized access is prohibited.

boot system disk0:/asa911-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup Internal

dns domain-lookup External

dns server-group DefaultDNS

name-server 10.0.1.11

name-server 75.153.176.1

name-server 75.153.176.9

domain-name ingo.local

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LAN-10-0-1-x

subnet 10.0.1.0 255.255.255.0

object network Company-IP1

host xxx.xxx.xxx.xxx

object network Company-IP2

host xxx.xxx.xxx.xxx

object network HYPER-V-DUAL-IP

range 10.0.1.1 10.0.1.2

object network LAN-10-0-1-X

access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive

access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389

access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 

!

tcp-map Normalizer

  check-retransmission

  checksum-verification

!

no pager

logging enable

logging timestamp

logging list Threats message 106023

logging list Threats message 106100

logging list Threats message 106015

logging list Threats message 106021

logging list Threats message 401004

logging buffered errors

logging trap Threats

logging asdm debugging

logging device-id hostname

logging host Internal 10.0.1.11 format emblem

logging ftp-bufferwrap

logging ftp-server 10.0.1.11 / asa *****

logging permit-hostdown

mtu Internal 1500

mtu External 1500

ip verify reverse-path interface Internal

ip verify reverse-path interface External

icmp unreachable rate-limit 1 burst-size 1

icmp deny any echo External

asdm image disk0:/asdm-711.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (Internal,External) dynamic interface

object network LAN-10-0-1-x

nat (Internal,External) dynamic interface

object network HYPER-V-DUAL-IP

nat (Internal,External) static interface service tcp 3389 3389

access-group 100 in interface External

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server radius protocol radius

aaa-server radius (Internal) host 10.0.1.11

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console radius LOCAL

http server enable

http LAN-10-0-1-x 255.255.255.0 Internal

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map External_map interface External

crypto ca trustpoint srv01_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint asa_cert_trustpoint

keypair asa_cert_trustpoint

crl configure

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca trustpool policy

crypto ca server

cdp-url http://.../+CSCOCA+/asa_ca.crl:44435

issuer-name CN=...

database path disk0:/LOCAL_CA_SERVER/

smtp from-address ...

publish-crl External 44436

crypto ca certificate chain srv01_trustpoint

certificate <output omitted>

  quit

crypto ca certificate chain asa_cert_trustpoint

certificate <output omitted>

  quit

crypto ca certificate chain LOCAL-CA-SERVER

certificate <output omitted>

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable External client-services port 44455

crypto ikev2 remote-access trustpoint asa_cert_trustpoint

telnet timeout 5

ssh LAN-10-0-1-x 255.255.255.0 Internal

ssh xxx.xxx.xxx.xxx 255.255.255.255 External

ssh xxx.xxx.xxx.xxx 255.255.255.255 External

ssh timeout 5

ssh version 2

console timeout 0

no vpn-addr-assign aaa

no ipv6-vpn-addr-assign aaa

no ipv6-vpn-addr-assign local

dhcpd dns 75.153.176.9 75.153.176.1

dhcpd domain ingo.local

dhcpd option 3 ip 10.0.1.254

!

dhcpd address 10.0.1.50-10.0.1.81 Internal

dhcpd enable Internal

!

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

dynamic-filter use-database

dynamic-filter enable interface Internal

dynamic-filter enable interface External

dynamic-filter drop blacklist interface Internal

dynamic-filter drop blacklist interface External

ntp server 128.233.3.101 source External

ntp server 128.233.3.100 source External prefer

ntp server 204.152.184.72 source External

ntp server 192.6.38.127 source External

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

ssl trust-point asa_cert_trustpoint External

webvpn

port 44433

enable External

dtls port 44433

anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1

anyconnect profiles profile1 disk0:/profile1.xml

anyconnect enable

smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows

smart-tunnel list SmartTunnelList1 putty putty.exe platform windows

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

webvpn

  anyconnect profiles value profile1 type user

username write.ingo password ... encrypted

username ingo password ... encrypted privilege 15

username tom.tucker password ... encrypted

!

class-map TCP

match port tcp range 1 65535

class-map type regex match-any BlockFacebook

match regex BlockFacebook

class-map type inspect http match-all BlockDomains

match request header host regex class BlockFacebook

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 1500

  id-randomization

policy-map TCP

class TCP

  set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250

  set connection timeout dcd

  set connection advanced-options Normalizer

  set connection decrement-ttl

policy-map type inspect http HTTP

parameters

  protocol-violation action drop-connection log

class BlockDomains

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect dns preset_dns_map dynamic-filter-snoop

  inspect http HTTP

!

service-policy global_policy global

service-policy TCP interface External

smtp-server 199.185.220.249

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command vpn-sessiondb

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command service-policy

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:41a021a28f73c647a2f550ba932bed1a

: end

Many thanks,

Ingo
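A caveat a reader of the posted configuration should take away: the IKEv2 policy and IPsec proposal lists include DES, 3DES, MD5 and DH group 2, so a client that offers them can be negotiated down to them. The fragment below is an added example, not part of the thread or of Cisco's documentation; it keeps only the strongest combination that the posted configuration already contains (AES-256, SHA-1, DH group 5) and reuses the thread's own policy and proposal names. It is a trimming of what is on the page, not a current best-practice recommendation; newer ASA releases and clients also offer SHA-2 integrity and larger DH groups, which you can list with `?` at each prompt.

```cisco
! Added example: keep only the strongest of the posted IKEv2 policies.
! Remove the weaker policies so a client that offers them cannot select them.
no crypto ikev2 policy 10
no crypto ikev2 policy 20
no crypto ikev2 policy 30
no crypto ikev2 policy 40
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
!
! Child SA: drop the DES and 3DES proposals and the MD5 integrity option.
no crypto ipsec ikev2 ipsec-proposal DES
no crypto ipsec ikev2 ipsec-proposal 3DES
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Re-point the dynamic map at the remaining proposal only
! (re-entering the set command replaces the previous proposal list).
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
!
! Verify what the ASA will actually offer, then check a live negotiation.
show running-config crypto ikev2
show running-config crypto ipsec
show crypto ikev2 sa
```

The AES and AES192 proposals are left in place but are no longer referenced by the dynamic map, so they are never offered; remove them too if you want the running configuration to match what is negotiated.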

9 Replies

jose.vieira525
Level 1

Hi Ingo

Do you get prompted to enter the user credentials, and is it after you type them in and log in that you get the error message?

If so, check the default dynamic access policy, as it can be set to deny access.


Hi Jose,

Thanks for your quick reply. Yes, I get prompted for the credentials, and after I type them in, the prompt screen closes and it just shows me the window with the URL and Connect button again. The error message is recorded under the Message History tab of the client.

I have checked the default dynamic access policy and the settings are:

Action: Continue

Access Method: Unchanged

AnyConnect Always-On VPN for AnyConnect client: Unchanged

This seems to be the default as I didn't touch those settings in the past. However, for testing reasons I just changed the settings for Access Method and AnyConnect Always-On specifically to AnyConnect. It didn't make a difference, unfortunately.

Cheers,

Ingo

Hi Ingo

Please connect to the asa via CLI and type "debug dap trace" then try to login again and this will generate some logs. Please copy the logs and send that to me.

Thank you


Hi Jose,

Here it is:

ASA(config)# debug dap trace

debug dap trace enabled at level 1

ASA(config)# DAP_TRACE: DAP_open: CC07C2C0

DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy

DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker

DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker

DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =

DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup

DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]

DAP_TRACE: Username: tom.tucker, DAP_add_AC:

endpoint.anyconnect.clientversion="3.1.02026";

endpoint.anyconnect.platform="win";

DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1

DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy

DAP_TRACE: Username: tom.tucker, DAP_close: CC07C2C0

Thanks,

Ingo

Hi Ingo

Now please check the following. I am assuming that you are using the Cisco AnyConnect SSL client and ASDM to manage the system.

On the AnyConnect Connection Profile (DefaultWEBVPNGroup):

- Make sure you have a DHCP scope configured.

On the Group Policies (DfltGrpPolicy):

- Under General and More Options, make sure the tunneling protocol is correct.

Hi Ingo

My apologies, but I should have had a better look at your comment and config before posting the previous comment.

I can see that you have a DHCP pool, but it is not assigned to any tunnel group attribute.

Should have something like this:

tunnel-group XXXXXX general-attributes

address-pool XXXXXX

authentication-server-group XXXXXX

authorization-required

Hi Jose,

OK, so I created a tunnel group and the config now has these lines in addition:

ASA(config-tunnel-general)# sh run | begin tunnel-group

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

address-pool VPNPool

default-group-policy GroupPolicy1

authorization-required

Still facing the same problem though (same error message).

I also tried and added

authentication-server-group radius LOCAL

NB: My RADIUS server is a Server 2008 R2 machine with AD, and authentication works fine when I log on to the CLI with one of my admin accounts that resides in AD. However, I haven't set any specific RADIUS or LDAP attributes yet. When I try to log on with my RADIUS-based account through AnyConnect after adding this line, it gives me a Login Failed error.

To not complicate matters, I would like to get AnyConnect working just with the local user accounts on the ASA and skip RADIUS for now, so I removed that line again.

Any other ideas? :-)

Many thanks,

Ingo


Hi Ingo

When you create the tunnel group attributes, you should assign them to the current tunnel group that you are using and not create a new one.

As per your DAP output you are using tunnel group DefaultWEBVPNGroup



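Jose's two suggestions together (the tunnel-group skeleton earlier in the thread and the point that the DAP trace shows the client landing in DefaultWEBVPNGroup) amount to binding the address pool, the authentication source and a group policy to that specific tunnel group. The fragment below is an added example, not Jose's or Ingo's config. It reuses the thread's own names (VPNPool, DefaultWEBVPNGroup, the local user tom.tucker, the DNS server 10.0.1.11, the domain ingo.local); the group-policy name AnyConnectGP is an assumption, and the per-user attributes are the local-only setup Ingo says he wants to test before bringing RADIUS back in.

```cisco
! Added example: a dedicated group policy that allows only the two
! AnyConnect transports in use and hands out the lab pool and DNS.
group-policy AnyConnectGP internal
group-policy AnyConnectGP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value VPNPool
 dns-server value 10.0.1.11
 default-domain value ingo.local
 split-tunnel-policy tunnelall
!
! Bind pool, authentication source and policy to the tunnel group the
! DAP trace reports (aaa.cisco.tunnelgroup = DefaultWEBVPNGroup), rather
! than to a newly created group the client never selects.
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool
 authentication-server-group LOCAL
 default-group-policy AnyConnectGP
!
! Local-only test user: mark the account for remote access and pin it to
! the policy so its effective policy does not fall back to DfltGrpPolicy.
username tom.tucker attributes
 service-type remote-access
 vpn-group-policy AnyConnectGP
!
! Checks: confirm what is bound, then watch the next connection attempt.
show running-config tunnel-group DefaultWEBVPNGroup
show running-config group-policy AnyConnectGP
show running-config username tom.tucker
debug aaa common 255
debug crypto ikev2 protocol 127
show vpn-sessiondb anyconnect
```

This example deliberately leaves out `authorization-required`; add it together with an `authorization-server-group` once a RADIUS or LDAP authorization source is actually in play, otherwise it adds a step that the local-only lab has nothing to satisfy. After a successful connection, `show vpn-sessiondb anyconnect` should list the user with the tunnel group, the group policy and an address from VPNPool; if it stays empty, the `debug aaa common` output shows which authentication or authorization step rejected the session.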

Hi Jose,

Here is what I have now:

ASA(config)# sh run | begin tunnel-group

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPool

authorization-required

and DAP debugging still the same:

ASA(config)# DAP_TRACE: DAP_open: CDC45080

DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy

DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker

DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker

DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =

DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup

DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]

DAP_TRACE: Username: tom.tucker, DAP_add_AC:

endpoint.anyconnect.clientversion="3.1.02026";

endpoint.anyconnect.platform="win";

DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1

DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy

DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080

Unfortunately, it still doesn't work. Hmmm... maybe a wipe of the config and starting from scratch can help?

Thanks,

Ingo