
ASA VPN loses internet access after changing AAA Server

nsummers
Level 1

Hello all, I am working on implementing DUO for one of our divisions. DUO Proxy Manager is setup and verified to work as we get push notifications upon logging in. We are able to approve the request and gain access through AnyConnect. However we do not have access to anything internal or external, cannot ping DNS ect. All of this is working on the previous AAA server profile but when moving to the DUO AAA server it does not. Nothing else is changing besides that authentication server profile. I do not see why this would be the case since everything else is staying the same and unsure what to try next.

12 Replies

Can I see the webvpn config and tunnel group 

Thanks

MHM

I know it may complicate things, but I had to omit a lot of the names and web addresses due to our security policies and such. Not sure if this was everything you were looking for, but I included two configs: one with the current AAA server and the second with the AAA changed for DUO. I am working on airport related configurations.


WORKING CONFIG

webvpn
  anyconnect profiles value Airport_VPN type user
dynamic-access-policy-record _Dial_In_Users
 priority 100
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Local_Users
 priority 97
username XXXX password XXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group XX-Users type remote-access
tunnel-group XX-Users general-attributes
 authentication-server-group VPN-RADIUS-XX
 default-group-policy XX_Default
tunnel-group XX-Users webvpn-attributes
 group-alias XX-Users disable
 group-url https://XXXX enable
tunnel-group DT-CISCODUO type remote-access
tunnel-group DT-CISCODUO general-attributes
 address-pool DTVPN_Access
 authentication-server-group DUO-RADIUS
 default-group-policy DT-CISCODUO
tunnel-group DT-CISCODUO webvpn-attributes
 group-alias DT-DUO enable
 group-alias DT-DUOTEST enable
tunnel-group Airport-Users type remote-access
tunnel-group Airport-Users general-attributes
 authentication-server-group VPN-RADIUS-AIRPORT
 default-group-policy Airport_Default
tunnel-group Airport-Users webvpn-attributes
 group-alias Airport disable
 group-url XXXX enable
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
 authentication-server-group VPN-RADIUS
 default-group-policy XXXXX_Default
tunnel-group XXXX webvpn-attributes
 group-alias "XXXX" disable
 group-alias XXXX disable
 group-url /XXXX enable
!

NOT WORKING CONFIG

webvpn
  anyconnect profiles value Airport_VPN type user
dynamic-access-policy-record _Dial_In_Users
 priority 100
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Local_Users
 priority 97
username XXXX password XXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AAA_Sinkhole
tunnel-group XX-Users type remote-access
tunnel-group XX-Users general-attributes
 authentication-server-group VPN-RADIUS-XX
 default-group-policy XX_Default
tunnel-group XX-Users webvpn-attributes
 group-alias XX-Users disable
 group-url XXXX enable
tunnel-group DT-CISCODUO type remote-access
tunnel-group DT-CISCODUO general-attributes
 address-pool DTVPN_Access
 authentication-server-group DUO-RADIUS
 default-group-policy DT-CISCODUO
tunnel-group DT-CISCODUO webvpn-attributes
 group-alias DT-DUO enable
 group-alias DT-DUOTEST enable
tunnel-group Airport-Users type remote-access
tunnel-group Airport-Users general-attributes
 authentication-server-group VPN-Airport-DUO
 default-group-policy Airport_Default
tunnel-group Airport-Users webvpn-attributes
 group-alias Airport disable
 group-url XXXX enable
tunnel-group XXXX type remote-access
tunnel-group XXXX general-attributes
 authentication-server-group VPN-RADIUS
 default-group-policy XX_Default
tunnel-group XXXX webvpn-attributes
 group-alias "XXXX" disable
 group-alias XXXX disable
 group-url XXXX enable
!

[Screenshot: welcome duo.png (Duo welcome screen)]

The ASA or FTD sends to RADIUS for primary authc.
When you try to use AnyConnect, please share the below debugs:
1- debug radius all
2- debug aaa comm 128

MHM

I don't get any output from debug while connected.

Thanks

MHM

I am unable to ping. The DUO server can ping the ASA. I do know that the DUO server lives at a separate site behind a Palo that is handled by a different team. Is there anything I should ask them to check?

I don't fully get what would cause the client to have internet access with the existing AAA but not when moved to the DUO AAA. The authentication is the only variable that is changing.

I think you need the ASA to connect directly to RADIUS like the old config was.
Try using the old RADIUS server and debug radius all;
see if the ASA connects directly to RADIUS, or connects to DUO and DUO proxies the request to RADIUS.

MHM

ccieexpert
Spotlight

More than likely your previous RADIUS server was sending back a RADIUS attribute for either a DACL or a group policy and DUO is not doing that... you may want to look into that, as now it may be giving you the default group policy, which may have restricted access.

Please post your group policy config as well.

Which tunnel group are you using?

Get this output to see which group policy was assigned:

show vpn-sessiondb detail anyconnect filter name <username>

Since it was a lot longer, I put it in a text file. I included the tunnel group and group policy configs.

The problem is very clear: the group policy for the existing RADIUS vs. the Duo RADIUS is different.

Most likely because the original RADIUS was sending the group policy value in the RADIUS Class attribute, whereas by default the Duo proxy (it is a proxy) does not send attributes received from the upstream RADIUS server.

That all depends on what you are using to look up the user from the Duo Auth Proxy. If it uses RADIUS to AD using NPS etc., then you can enable pass_through_all=true in your authproxy config file and it should pass the same Class attribute.

This link explains that scenario:

https://finkotek.com/cisco-anyconnect-with-ise-and-duo-mfa/

If you are not using RADIUS to authenticate the user from the Auth Proxy to AD, then you could use LDAP authorization and an attribute map:

https://docs.calebsargeant.com/en/latest/computing/cloud/duo.html

You may also be able to use the original RADIUS server for authorization only, using "authorization-server <original server>" and "authorization-required".

Good luck

**Please rate this and mark as solution/answer/helpful, if this resolved your issue or is helpful**
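One way to check for the misconfiguration described in the two replies above (the Class attribute carrying the group policy is not forwarded because the proxy uses [ad_client] rather than [radius_client] with pass_through_all=true), as an added example that is not code from this thread or from Duo; the two authproxy.cfg samples are constructed, with placeholder hosts, keys and secrets:

```python
# Added example (not from the thread or from Duo): lint a Duo Authentication
# Proxy config for the group-policy problem above. The ASA takes its group
# policy from the RADIUS Class attribute (OU=<group-policy>;) in the
# Access-Accept; only a [radius_client] with pass_through_all=true forwards it.
import configparser

# Constructed sample of the broken setup: AD lookup, no upstream RADIUS, so no
# Class comes back and the ASA falls back to the tunnel-group default policy.
AD_CLIENT_CFG = """
[ad_client]
host=dc1.example.invalid
service_account_username=duo-svc
service_account_password=PLACEHOLDER

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
client=ad_client
"""
# Constructed corrected sample: proxy to the original RADIUS/NPS server and
# pass its attributes (including Class) through to the ASA.
RADIUS_CLIENT_CFG = """
[radius_client]
host=192.0.2.20
secret=PLACEHOLDER
pass_through_all=true

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
client=radius_client
"""

def forwards_class_attribute(cfg_text):
    """Return (ok, reason): ok is True when the upstream Class attribute can reach the ASA."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    servers = [s for s in cp.sections() if s.startswith("radius_server")]
    if not servers:
        return False, "no [radius_server_*] section"
    for srv in servers:
        client = cp.get(srv, "client", fallback="")
        if not client.startswith("radius_client"):
            return False, f"{srv}: client={client or '<none>'} returns no Class; ASA uses default-group-policy"
        if not cp.getboolean(client, "pass_through_all", fallback=False):
            return False, f"{client}: pass_through_all not set, upstream attributes are dropped"
    return True, "Class (OU=<group-policy>;) is forwarded from the upstream RADIUS server"
```

Pair the result with the `show vpn-sessiondb detail anyconnect filter name <username>` output mentioned above to confirm which group policy the ASA actually assigned.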

 

Thank you for this information. This is supposed to work just like you said with RADIUS and NPS; however, it was not set up that way when I was handed the project.

I cannot believe I overlooked the group policy not being issued correctly. So I was unable to issue that command; the person that configured the Proxy Manager configured it as [ad_client], not [radius_client], before that person was let go out of nowhere. I am going to work on changing that to the correct client and set up NPS if it is not already, and see how it goes.

ccieexpert
Spotlight

If you don't want to change to RADIUS, then do LDAP authorization as I mentioned in the 2nd link.

**Please rate this and mark as solution/answer/helpful, if this resolved your issue or is helpful**