I am working on an AnyConnect RAVPN project that requires the client to display a custom message when the user fails authorization. I am able to make this work using the AAA and Cert authentication methods but not SAML. I have a tunnel-group configured for SAML authentication and I am using ISE for authorization. I have radius-reject-message configured on my tunnel-group and I have confirmed that the ASA is receiving the Access-Reject packet with the Reply-Message attribute, but the client only displays "Authentication failed". Tunnel-group config and ASA RADIUS debug are below. Has anyone been able to pull off this behavior for SAML-based authentication?
ASA: 9.16(3)23
AnyConnect: 4.10.06079
tunnel-group tg-ra-saml type remote-access
tunnel-group tg-ra-saml general-attributes
address-pool ra-pool
authorization-server-group home-radius
accounting-server-group home-radius
authorization-required
tunnel-group tg-ra-saml webvpn-attributes
authentication saml
radius-reject-message
group-url https://###/saml enable
saml identity-provider https://###
###################################
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 102).....
03 fe 00 66 02 33 fb 2c 77 d9 f8 84 ad e1 32 06 | ...f.3.,w.....2.
22 a5 d4 ea 12 40 56 50 4e 20 69 73 20 6f 6e 6c | "....@VPN is onl
79 20 61 6c 6c 6f 77 65 64 20 6f 6e 20 63 6f 6d | y allowed on com
70 61 6e 79 20 61 73 73 65 74 73 2e 20 50 6c 65 | pany assets. Ple
61 73 65 20 63 6f 6e 74 61 63 74 20 77 68 6f 65 | ase contact whoe
76 65 72 2e 50 12 8c 58 2f ef 81 10 13 cf 4a 52 | ver.P..X/.....JR
cb 02 1e 7d 62 f3 | ...}b.
Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 254 (0xFE)
Radius: Length = 102 (0x0066)
Radius: Vector: 0233FB2C77D9F884ADE1320622A5D4EA
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 64 (0x40)
Radius: Value (String) =
56 50 4e 20 69 73 20 6f 6e 6c 79 20 61 6c 6c 6f | VPN is only allo
77 65 64 20 6f 6e 20 63 6f 6d 70 61 6e 79 20 61 | wed on company a
73 73 65 74 73 2e 20 50 6c 65 61 73 65 20 63 6f | ssets. Please co
6e 74 61 63 74 20 77 68 6f 65 76 65 72 2e | ntact whoever.
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
8c 58 2f ef 81 10 13 cf 4a 52 cb 02 1e 7d 62 f3 | .X/.....JR...}b.
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0x00007f75f06256b0 session 0x999 id 254
free_rip 0x00007f75f06256b0
radius: send queue empty
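Since the question hinges on what is actually inside that Access-Reject, here is a small decoder for it. This is an added example for this thread, not ASA, ISE or Cisco code. The 102 packet bytes are transcribed from the "Raw packet data" dump above; it parses the header and attribute TLVs the way a NAS must (rejecting bad Length fields and attribute lengths), pulls out every Reply-Message, and implements the two integrity checks the ASA performs on a response: the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator. The debug does not include the shared secret or the Request Authenticator of the matching Access-Request, so the captured packet itself cannot be verified offline; the round-trip demo instead builds its own Access-Reject with a made-up secret and Request Authenticator (both labelled as such in the code) to show both checks passing and failing.

```python
"""Decode and authenticate RADIUS Access-Reject packets (RFC 2865 / RFC 3579).

Added illustration for the thread above; not ASA or ISE code. ASA_REJECT is
transcribed from the debug dump in the post. The secret and Request
Authenticator used in build_access_reject() are made up for the demo.
"""
import hashlib
import hmac
import struct

RADIUS_HEADER_LEN = 20
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              11: "Access-Challenge"}
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80

# Raw Access-Reject from the "Raw packet data (length = 102)" dump in the post.
ASA_REJECT = bytes.fromhex(
    "03 fe 00 66 02 33 fb 2c 77 d9 f8 84 ad e1 32 06 "
    "22 a5 d4 ea 12 40 56 50 4e 20 69 73 20 6f 6e 6c "
    "79 20 61 6c 6c 6f 77 65 64 20 6f 6e 20 63 6f 6d "
    "70 61 6e 79 20 61 73 73 65 74 73 2e 20 50 6c 65 "
    "61 73 65 20 63 6f 6e 74 61 63 74 20 77 68 6f 65 "
    "76 65 72 2e 50 12 8c 58 2f ef 81 10 13 cf 4a 52 "
    "cb 02 1e 7d 62 f3"
)


def parse_radius(packet: bytes) -> dict:
    """Parse header and attribute TLVs, refusing the malformed cases RFC 2865
    s.3 tells a receiver to drop: Length outside 20..4096 or beyond the
    datagram, attribute length < 2, attribute running past Length."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > 4096 or length > len(packet):
        raise ValueError(f"bad Length {length} for {len(packet)}-byte datagram")
    attrs = []                       # (type, value, offset of value in packet)
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return {"code": code, "code_name": CODE_NAMES.get(code, "unknown"),
            "id": ident, "length": length, "authenticator": packet[4:20],
            "attributes": attrs}


def reply_messages(parsed: dict) -> list:
    """All Reply-Message (18) values in order; a server may send several."""
    return [v.decode("utf-8", "replace")
            for t, v, _ in parsed["attributes"] if t == ATTR_REPLY_MESSAGE]


def verify_message_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 3579 s.3.2 for Accept/Reject/Challenge: HMAC-MD5 keyed with the
    shared secret over the packet with the Authenticator field replaced by
    the Request Authenticator and the attribute's own 16 bytes zeroed."""
    p = parse_radius(packet)
    mas = [(v, off) for t, v, off in p["attributes"] if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False
    value, off = mas[0]
    body = bytearray(packet[:p["length"]])
    body[4:20] = request_auth
    body[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(body), hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    p = parse_radius(packet)
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:p["length"]] + secret).digest()
    return hmac.compare_digest(digest, p["authenticator"])


def build_access_reject(ident: int, request_auth: bytes, secret: bytes, message: str) -> bytes:
    """Build a reject the way a RADIUS server does so both verifiers can be
    exercised end to end; secret and request_auth are caller-supplied demo
    values, not anything from the ASA/ISE deployment in the post."""
    msg = message.encode("utf-8")
    if len(msg) > 253:
        raise ValueError("a single Reply-Message value is limited to 253 bytes")
    attrs = bytes([ATTR_REPLY_MESSAGE, 2 + len(msg)]) + msg
    ma_off = RADIUS_HEADER_LEN + len(attrs) + 2          # where the HMAC value lands
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 3, ident, RADIUS_HEADER_LEN + len(attrs)))
    pkt += request_auth + attrs                          # Authenticator = RequestAuth for now
    pkt[ma_off:ma_off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + request_auth + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


if __name__ == "__main__":
    p = parse_radius(ASA_REJECT)
    print(p["code_name"], "id", p["id"], "length", p["length"])
    for t, v, _ in p["attributes"]:
        print(f"  attribute {t}: {len(v)} bytes")
    print("Reply-Message:", reply_messages(p))
```

Running it against the captured bytes gives Access-Reject, id 254, length 102, attributes 18 (62 bytes) and 80 (16 bytes), and the single Reply-Message text, which matches the ASA's own decode; so the packet is well formed and the text reaches the ASA intact. Whether the SAML webvpn path then surfaces that text to the client is a separate question that this decode cannot answer.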