AnyConnect RADIUS authentication issues

philipvoceehs (Level 1)

Hi Guys,

We're having issues with our RADIUS authentication. We just keep getting "login failed" when trying to connect to our VPN. We've run an authentication test in ASDM and that works fine, so we're not sure where our issue lies. I've pulled the relevant sections out of our config:

aaa-server EHS protocol radius
aaa-server EHS (inside) host 10.0.100.80
 timeout 5
 key *****
user-identity default-domain LOCAL
aaa authentication login-history

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
 port 4433
 enable outside
 dtls port 4433
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
 anyconnect enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
 wins-server none
 dns-server value 10.0.100.200 8.8.8.8
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-session-timeout alert-interval none
 vpn-filter value inside_access_in
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value EHSVPN
 default-domain value ehs.local
 vlan none
 address-pools value VPN-IP-Range
 smartcard-removal-disconnect enable
 security-group-tag none
 periodic-authentication certificate none
 vpn-simultaneous-login-delete-no-delay

Any help would be appreciated!

Thanks!

Accepted Solution

debug radius 
debug webvpn anyconnect 

I need to see both of these debug

MHM


12 Replies

tunnel-group <NAME> general-attributes
 authentication-server-group <NAME> LOCAL <<- I don't see this command

Cisco AnyConnect With Server 2016 NPAS (RADIUS) Different Groups | PeteNetLive

MHM

@philipvoceehs Running the authentication test from ASDM just confirms authentication is working, but have you configured the authentication-server-group under the tunnel-group/connection profile?

Example:

tunnel-group RAVPN general-attributes
 authentication-server-group ISE

 

Hi Rob,

Seems our config is dotted around the running config. We have these lines:

tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
 address-pool VPN-IP-Range
 authentication-server-group EHS
 default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
 group-alias EHSVPN enable
tunnel-group EHSVPN ipsec-attributes

Thanks!

ciscoasa#debug radius <<- share this

Also, the user for access to the ASA is different from the user for AnyConnect access in the attributes returned from RADIUS.
Share the debug; let's see what RADIUS returns to the ASA, and then I think we need to modify the RADIUS.

MHM

vpn-simultaneous-logins 3 <<- this limits access to this group to only three users.
If you do
show vpn db and you see three users active, then a new user is rejected by the ASA.

MHM

We have 0 connected currently

show vpn-sessiondb anyconnect <<- do this to check more thoroughly

0 connected


@philipvoceehs and do you connect to the tunnel-group called EHSVPN or the default?

If EHSVPN then do you see anything in the RADIUS server logs when authentication fails?

Hi Rob,

We are strangely seeing successful authentication against the radius server but the ASA still presents login failed so we're not sure where to look next?

@philipvoceehs This is my issue. The ASA receives an 'access-accept' packet from RADIUS. The ASA claims it will log on the AnyConnect user as auth has fully succeeded, then it doesn't. The AnyConnect app states 'Login denied. Sorry, you have not been granted <vpn profile> access.'

I've had a case open with Cisco for several weeks, and tested this across two environments (which are segmented: different LDAP, different RADIUS, different ASAs...). Both environments have the same issue. Both ASAs are running the same firmware, both RADIUS servers are running the same software, and the LDAP servers are also on the same versions. The common item is the AnyConnect client; however, it does not function for my colleagues either.

Did you come across any solution? I'm thrown off by the fact that the ASA is logging neither the rejection decision nor the action itself... it just states everything is fine and that it is progressing, then AnyConnect throws the error and the ASA simply says nothing.

I've been using:

debug radius all
debug webvpn anyconnect 255
debug aaa common 255
debug crypto ca 255

...per my Cisco tech's advice.
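MHM's request earlier in the thread ("let's see what RADIUS returns to the ASA") and the last post's report of an Access-Accept followed by an AnyConnect "not granted access" denial come down to the same check: which attributes the RADIUS server actually sent back, and whether the group policy they select agrees with the tunnel-group the user connects to (note the `group-lock value EHSVPN` in the posted group policy). The script below is an added example, not code from the thread, from Cisco or from any RADIUS vendor: it builds a constructed Access-Accept carrying a Class attribute and one Cisco-AVPair, verifies the Response Authenticator against a placeholder shared secret, and decodes the attributes the way one would when reading a capture next to `debug radius` output. The packet bytes, identifier, request authenticator, secret and AV-pair string are all constructed placeholders; the ASA's use of a Class attribute of the form `OU=<name>;` to choose a group policy is documented Cisco behaviour.

```python
"""Decode a RADIUS Access-Accept and check its Response Authenticator.

Added example: the packet, shared secret and request authenticator below are
constructed placeholders, not values from any real RADIUS server or ASA.
"""
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 25: "Class", 26: "Vendor-Specific"}
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1    # Cisco-AVPair sub-attribute inside the VSA


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_cisco_avpair(avpair: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    payload = avpair.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(payload) + 2) + payload
    return build_attr(26, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def build_response(code: int, ident: int, request_auth: bytes,
                   secret: bytes, attrs: list) -> bytes:
    """Build a server response. Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data: bytes) -> list:
    """Walk the attribute list, unpacking VSAs into vendor type and value."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("malformed attribute length")
        value = data[pos + 2:pos + attr_len]
        if attr_type == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append({"type": "Vendor-Specific", "vendor": vendor_id,
                          "vtype": vtype, "value": value[6:4 + vlen]})
        else:
            attrs.append({"type": ATTR_NAMES.get(attr_type, str(attr_type)),
                          "value": value})
        pos += attr_len
    return attrs


def parse_response(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Parse a response and report whether its authenticator checks out.
    A failed check means the shared secret differs or the packet was altered."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    return {
        "code": RADIUS_CODES.get(code, str(code)),
        "identifier": ident,
        "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
        "attributes": parse_attrs(body),
    }


def group_policy_from_class(attrs: list):
    """The ASA takes a group-policy name from a Class attribute of the form
    'OU=<name>;'. Return that name, or None if no such Class was sent."""
    for attr in attrs:
        if attr["type"] == "Class":
            for part in attr["value"].decode(errors="replace").split(";"):
                if part.startswith("OU="):
                    return part[3:]
    return None


def demo() -> dict:
    """Constructed exchange: placeholder request authenticator and secret,
    and an Access-Accept carrying a Class and one Cisco-AVPair."""
    request_auth = bytes(range(16))          # constructed, not a real nonce
    secret = b"constructed-shared-secret"    # placeholder
    packet = build_response(2, 7, request_auth, secret, [
        build_attr(25, b"OU=GroupPolicy_EHSVPN;"),
        build_cisco_avpair("ip:inacl#1=permit ip any any"),   # constructed
    ])
    result = parse_response(packet, request_auth, secret)
    result["group_policy"] = group_policy_from_class(result["attributes"])
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Run it as-is to see the decoded fields; point `parse_response` at real bytes from a capture (with the matching request authenticator and secret) to reproduce the check. The two things worth comparing against the thread's config are the `group_policy` value the server sends (or its absence, in which case the tunnel-group's `default-group-policy` applies) and the `authenticator_ok` flag: a policy name that does not match the tunnel-group's `group-lock`, or a failed authenticator because the `key` on the `aaa-server` does not match the server, are both conditions a practitioner should rule out before modifying the RADIUS side.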