Anyconnect Multifactor Auth with Centrify Radius. "Split tunnel" issues

dmooreami
Level 3

Running the latest 9.6.x code with the updated AnyConnect clients. We use Centrify as our MFA cloud vendor. The local RADIUS server is also Centrify. It is talking to the inside interface of the ASA 5508-X.

 

Our Anyconnect profile is set to use split-tunnel.

 

When trying to use MFA, any response that we try to put in the AnyConnect client MFA box doesn't seem to be transmitted back.

 

Example: I can select "SMS Text" in the MFA box, I get a text, click on the link on my phone, the Centrify webpage says "authorized", but the AnyConnect VPN client doesn't finish the login process.

 

If I change my AnyConnect client profile to "Tunnel all", then everything works: Google Authenticator, SMS text message.

 

For MFA to work with AnyConnect, do I have to have "tunnel all"? My testing seems to prove that.

 

The reason we want split-tunnel is to allow external users to 1) use their bandwidth to stream video/audio and 2) print to wired and wireless devices on the local network.

 

What am I missing here?

2 Replies

Rahul Govindan
VIP Alumni

That is strange. The Split-tunnel setting should not really matter here because it only takes effect after a successful connection attempt. Till that point, you are still not connected to the VPN, so you do not receive any routes from the ASA to install on your client machine. I did not see Centrify mention any restrictions on their page. I have also not seen other MFA vendors require this.

 

From your symptoms, it looks like you receive the challenge/response from Centrify but your MFA server never notifies the ASA or the ASA never notifies the end client. Can you share a sanitized config and output of "debug radius all" when you test this?

 

 

Thanks for the reply. At this point running split-tunnel might be "living on borrowed time". Mgt wants "tunnel all" to make the VPN more secure.

If they decide to stick with split-tunnel, then I will post back and probably open up a TAC ticket.

Early in the debug process, we found that part of my problem was that a value in the AnyConnect XML file needed to be increased above the 12-second default.

I found that Microsoft's MFA doc is fantastic for setting up any MFA with the ASA. It even uses the ASDM GUI to set up all the necessary settings on the ASA.
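The challenge/response flow Rahul describes and the timeout the original poster ran into, as an added example that is not from this thread, Cisco or Centrify: a small Python model of the RADIUS exchange (RFC 2865 packet layout and Response Authenticator check) against a constructed stand-in MFA server whose out-of-band SMS approval takes 30 seconds, so a 12-second client-side authentication timeout fails while a longer one succeeds. The shared secret, State cookie, username, identifier and the 30-second approval time are all constructed assumptions.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24          # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"                 # constructed, not a real secret
STATE_COOKIE = b"ctx-0001"                            # constructed MFA session handle

def encode(code, ident, auth, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def reply(code, ident, req_auth, attrs):
    # Response Authenticator (RFC 2865 s3) = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    unsigned = encode(code, ident, req_auth, attrs)
    return encode(code, ident, hashlib.md5(unsigned + SECRET).digest(), attrs)

def mfa_server(pkt):
    """Constructed stand-in for the MFA RADIUS server: Access-Challenge first, Access-Accept
    once State is echoed. Returns (seconds the user took out of band, response packet)."""
    code, ident, req_auth, attrs = decode(pkt)
    if STATE not in attrs:
        return 0, reply(ACCESS_CHALLENGE, ident, req_auth,
                        [(STATE, STATE_COOKIE), (REPLY_MESSAGE, b"Approve the SMS link")])
    if attrs[STATE] == STATE_COOKIE:       # assumed: approving the SMS link took 30 s
        return 30, reply(ACCESS_ACCEPT, ident, req_auth, [])
    return 0, reply(ACCESS_REJECT, ident, req_auth, [])

def authenticate(user, auth_timeout, server=mfa_server):
    """NAS side of the exchange; returns 'accept', 'reject', 'timeout' or 'forged'."""
    ident, attrs = 7, [(USER_NAME, user.encode())]
    while True:
        req_auth = os.urandom(16)                     # fresh Request Authenticator per request
        waited, resp = server(encode(ACCESS_REQUEST, ident, req_auth, attrs))
        if waited > auth_timeout:                     # client gave up before the answer arrived
            return "timeout"
        code, rid, rauth, rattrs = decode(resp)
        expected = hashlib.md5(encode(code, rid, req_auth, list(rattrs.items())) + SECRET).digest()
        if rid != ident or rauth != expected:         # RFC 2865: discard unverifiable replies
            return "forged"
        if code != ACCESS_CHALLENGE:
            return "accept" if code == ACCESS_ACCEPT else "reject"
        ident, attrs = ident + 1, [(USER_NAME, user.encode()), (STATE, rattrs[STATE])]  # echo State as-is
```

The split-tunnel setting plays no part in this exchange, which is the point Rahul makes: no routes are pushed until the Access-Accept arrives, so only the client's willingness to wait for it matters.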