Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2053
Views
5
Helpful
5
Replies

Anyconnect Not authorised error post update to 9.1(6)1

Trevor Peacock
Level 1
Level 1

‎05-11-2015 04:05 AM - edited ‎02-21-2020 08:13 PM

Hi, I have updated over the weekend to Version 9.1(6)1 from version 8.3(4), all is good except for the anyconnect VPN connections which are erroring as follows

 

[11/05/2015 11:56:12] Contacting hatstand.coatrack.com.
[11/05/2015 11:56:14] Please enter your username and password.
[11/05/2015 11:56:17] User credentials entered.
[11/05/2015 11:56:17] User not authorized for AnyConnect Client access, contact your administrator.
[11/05/2015 11:56:17] Ready to connect.

 

I have tried authenticating against the LDAP and the local databases and I get the same.

 

Any help is appreciated.

 

Thanks

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Roman Polyachkov
Level 1
Level 1

‎06-10-2018 02:08 PM - edited ‎06-10-2018 02:11 PM

I've got the same trouble (asa5505 9.2(4)33)
In logging
Jun 10 2018 23:50:09: %ASA-6-725001: Starting SSL handshake with client outside:31.173.80.4/43716 for TLS session.
Jun 10 2018 23:50:09: %ASA-6-725003: SSL client outside:31.173.80.4/43716 request to resume previous session.
Jun 10 2018 23:50:09: %ASA-6-725002: Device completed SSL handshake with client outside:31.173.80.4/43716
Jun 10 2018 23:50:09: %ASA-6-113012: AAA user authentication Successful : local database : user = test
Jun 10 2018 23:50:09: %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = test
Jun 10 2018 23:50:09: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = test
Jun 10 2018 23:50:09: %ASA-6-113008: AAA transaction status ACCEPT : user = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username1 = test
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.username2 =
Jun 10 2018 23:50:09: %ASA-7-734003: DAP: User test, Addr 31.173.80.4: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
Jun 10 2018 23:50:09: %ASA-6-734001: DAP: User test, Addr 31.173.80.4, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jun 10 2018 23:50:09: %ASA-6-725007: SSL session with client outside:31.173.80.4/43716 terminated.
Jun 10 2018 23:50:10: %ASA-6-302014: Teardown TCP connection 1852 for outside:31.173.80.4/43716 to identity:78.107.195.78/30443 duration 0:00:00 bytes 736 TCP FINs

Folk, can anybody help me?

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to Roman Polyachkov

‎06-11-2018 02:36 AM

As per your DAP output you are using tunnel group DefaultWEBVPNGroup and group policy DfltGrpPolicy.
Please post output from:
show runn tunnel-group DfltAccessPolicy
show runn group-policy DfltGrpPolicy

0 Helpful

Roman Polyachkov
Level 1
Level 1
In response to Bogdan Nita

‎06-11-2018 11:26 AM

Hi, Bogdan!

Here they are:

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  url-list value NS0001
  customization value SSLdefault

 

but

show runn tunnel-group DfltAccessPolicy           
ERROR: Invalid tunnel group name <DfltAccessPolicy>

 

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ac_admin_pool
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization SSLdefault

 

and

sh run all dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DfltAccessPolicy
 action continue

0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to Roman Polyachkov

‎06-12-2018 01:22 AM

Can you try this:

tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup enable

, alias can be any name you want, I just used the tunnel name.

Roman Polyachkov
Level 1
Level 1
In response to Bogdan Nita

‎06-12-2018 02:34 AM

Added the group-alias.

Unfortunately, the same behaviour.

 

But finally I've found the root cause of this situation. In my case, the error message "User not authorized for AnyConnect Client access, contact your administrator." caused by my inattention:

there was config for ikev2 thru anyconnect - "crypto ikev2 enable outside client-services port 10443", but ssl config was -

"webvpn
 port 11443"

 

So I've just connected to wrong port - 10443.

 

Thanks Bogdan - your suggestions brought me to look inside the config more closely.

0 Helpful
Customers Also Viewed These Support Documents