ASA 5512x Anyconnect Login Error

Tim Jeens
Level 1

Hi There,

Setting up a new ASA 5512x for the office.

I have previously set up 5510 ASAs, and am using the same configs (albeit changing it slightly)

Set up Anyconnect as I had done so before, and using an Internal RADIUS server.

But whenever I try to connect to the VPN all I get is a "Login Error" message, which doesn't mean much, and Cisco only says to "Retry the connection", which I did many times.

Checking the RADIUS shows that I have been granted access.

Firewall is off on the RADIUS Server, and they can (obviously) happily talk to each other.

Hope someone can help.

Thanks,

-Tim Jeens

Network Policy Server granted access to a user.

User:
Security ID: domain\Tim Jeens
Account Name: tim jeens
Account Domain: domain
Fully Qualified Account Name: domain\tim jeens

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: IPIPIPIPIPIIP
Calling Station Identifier: IPIPIPIPIPIIP

NAS:
NAS IPv4 Address: IPIPIPIPIPIIP
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 69632

RADIUS Client:
Client Friendly Name: ASA-1
Client IP Address: IPIPIPIPIPIIP

Authentication Details:
Connection Request Policy Name: VPN
Network Policy Name: VPN Policy
Authentication Provider: Windows
Authentication Server: DC.domainlocal
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.

Quarantine Information:
Result: Full Access
Session Identifier: -

ASA Config:

ASA-1# sh run
: Saved
:
: Serial Number: FCH204472YA
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname ASA-1
domain-name domain.local
enable password EjFOEvFpDjN789vv encrypted
names
ip local pool VPNpool 192.168.100.2-192.168.100.250
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address IPIPIPIPIPIIP IPIPIPIPIPIIP
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.100
description Main Corp VLAN
vlan 100
nameif inside
security-level 100
ip address IPIPIPIPIPIIP


interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server IPIPIPIPIPIIP
name-server IPIPIPIPIPIIP
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
subnet IPIPIPIPIPIIP

object network EX01
host IPIPIPIPIPIIP

object network objvpnpool
subnet 192.168.100.0 255.255.255.0
access-list outside_in extended permit tcp any object EX01 eq www
access-list outside_in extended permit tcp any object EX01 eq https
access-list outside_in extended permit tcp any object EX01 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit icmp any any
access-list outside_in extended deny ip any any
access-list splittunnel standard permit IPIPIPIPIPIIP
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static objvpnpool objvpnpool
nat (inside,outside) source static objvpnpool objvpnpool destination static inside-network inside-network route-lookup
!
object network inside-network
nat (inside,outside) dynamic interface
object network EX01
nat (inside,outside) static IPIPIPIPIPIIP dns

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 IPIPIPIPIPIIP 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server UserAuth protocol radius
aaa-server UserAuth (inside) host IPIPIPIPIPIIP
timeout 5
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http IPIPIPIPIPIIP inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint1-1
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate 


quit
certificate ca 07

quit
crypto ca certificate chain ASDM_TrustPoint1-1
certificate ca 00

quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server IPIPIPIPIPIIP
ntp server IPIPIPIPIPIIP
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.01054-webdeploy-k9.pkg 5
anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 6
anyconnect profiles AnyConnectProfile disk0:/anyconnectprofile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
webvpn
anyconnect profiles value AnyConnectProfile type user
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
dns-server value IPIPIPIPIPIIP IPIPIPIPIPIIP
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value domain.local
webvpn
anyconnect keep-installer installed
anyconnect profiles value AnyConnectProfile type user
anyconnect ask none default anyconnect
tunnel-group VPNTunnel type remote-access
tunnel-group VPNTunnel general-attributes
address-pool VPNpool
authentication-server-group UserAuth
default-group-policy VPNPolicy
password-management
tunnel-group VPNTunnel webvpn-attributes
group-alias RemoteAccess enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

3 Replies

Rahul Govindan
VIP Alumni

Try running a "debug radius all" and "debug aaa authentication" when testing the Anyconnect authentication.

Hi There,

Very useful, thanks.

Turns out it was the Shared Secret.

Weirdly though the RADIUS server wasn't rejecting the RADIUS calls due to a mismatch, but re-adding the secret got it working immediately.

So thanks Rahul for your help, there were a couple of messages I saw in the debugs:

rad_vrfy() : bad req auth

and

rad_procpkt: radvrfy fail

Through googling these people suggested the problem was the RADIUS Secret.

Thanks again :)

-Tim
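The behaviour Tim describes (NPS logs "granted access" while the ASA debug prints "rad_vrfy() : bad req auth") follows from how RADIUS uses the shared secret, and the constructed example below, which is not code from the thread or from Cisco, reproduces it: the server signs its Access-Accept with its copy of the secret (RFC 2865 section 3), and the NAS recomputes that Response Authenticator with its own copy. Secrets, the Request Authenticator and the Reply-Message are placeholder values invented for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

def build_access_accept(secret: bytes, request_auth: bytes, ident: int, attrs: bytes = b"") -> bytes:
    """Server side (what NPS does): Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    With MS-CHAPv2 nothing in the Access-Request itself depends on the secret
    (unlike PAP's User-Password or an EAP Message-Authenticator), so the server
    validates the domain credentials, logs 'granted access' and replies."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(secret: bytes, request_auth: bytes, packet: bytes) -> bool:
    """NAS side (what the ASA's rad_vrfy does): recompute the Response
    Authenticator with the NAS's copy of the secret and compare. On mismatch
    the reply is discarded, which surfaces to the user as 'Login Error'."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo_secret_mismatch() -> tuple:
    """Constructed scenario: NPS and the ASA hold different secrets.
    Returns (check with matching secret, check with mismatched secret)."""
    request_auth = bytes(range(16))  # constructed; a real NAS picks 16 random bytes per request
    ident = 0x2A
    reply_message = b"welcome"
    attrs = bytes([18, 2 + len(reply_message)]) + reply_message  # Reply-Message, attribute type 18
    nps_secret = b"correct-secret"   # placeholder, not the thread's real secret
    asa_secret = b"wrong-secret"     # placeholder: the typo'd copy on the ASA
    accept = build_access_accept(nps_secret, request_auth, ident, attrs)
    return (verify_response(nps_secret, request_auth, accept),
            verify_response(asa_secret, request_auth, accept))

if __name__ == "__main__":
    print(demo_secret_mismatch())  # (True, False)
```

This is why the NPS event log alone cannot rule out a secret mismatch for MS-CHAPv2 clients; the ASA-side "debug radius all" output is where the failure actually shows.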

Thanks TS, this helps to solve the problem.