10-26-2010 07:49 AM - edited 02-21-2020 04:56 PM
Hi Everyone
I'm trying to configure my ASA with AnyConnect in my test lab but I'm coming across problems. Basically I'm authenticating usernames and passwords using Active Directory (Kerberos). Now from the ASDM I can test Active Directory authentication and it's successful. Now when I'm trying to use AnyConnect from my PC it's failing. No error messages come up! Don't know what I'm doing wrong here so was just wondering if anyone can take a look at my config and help me find any mistakes. Any help is appreciated. Thanks
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.167.10 255.255.255.240 standby 192.168.167.11
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.0.10 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ACuserPOOL 10.10.0.11-10.10.0.13 mask 255.255.0.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 192.168.167.12 1
route inside 10.11.14.0 255.255.255.0 10.0.0.1 1
route inside 10.11.14.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACauthentication protocol kerberos
aaa-server ACauthentication (inside) host 10.11.14.103
timeout 5
kerberos-realm LAB.NET
aaa authentication http console ACauthentication
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.0.11
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ACpolicy internal
group-policy ACpolicy attributes
vpn-tunnel-protocol svc
tunnel-group ACusers type remote-access
tunnel-group ACusers general-attributes
address-pool ACuserPOOL
authentication-server-group ACauthentication
default-group-policy ACpolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
10-26-2010 01:45 PM
Anyone? Really struggling with this :-( The authentication test is successful and I can ping from my host to the outside firewall interface. Can someone point me in the right direction? Thanks
10-27-2010 04:51 AM
2 things:
Make sure time is synched between your ASA and your AD server - Kerberos is time-sensitive.
In your user settings in AD, there is a checkbox for 'require kerberos pre-authentication'. Try selecting/deselecting that box and see if there is any change in behavior.
Also - what is the OS of the AD server?
If that doesn't work, get a 'debug aaa common 255' and 'debug kerberos 255' from the ASA.
10-27-2010 05:41 AM
Hi
The AD and ASA are time synched with an external NTP server and I know this works fine as I have tested it in ASDM. It even authenticates the usernames. I have some users with pre-authentication enabled and some disabled. The OS is Server 2003. Anyway I've enabled the debug and I can't make sense of it. I haven't touched firewalls in years. Here's the output from the debug:
AAA API: In aaa_open
AAA session opened: handle = 205
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(6d9c6a80) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LOCAL)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: user1
Resp:
In localauth_ioctl
Local authentication of user user1
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 205, pAcb = 6f3e43a4
aaa_backend_callback: Error:
AAA task: aaa_process_msg(6d9c6a80) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LOCAL, author svr =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(6d9c6a80) received message type 3
In aaai_close_session (205)
10-27-2010 08:35 AM
It looks like you're landing on the LOCAL authentication server
Initiating authentication to primary server (Svr Grp: LOCAL) <---- LOCAL
Which is probably due to the fact that you are landing on the DefaultWEBVPNGroup (where SSL connections will land by default unless configured otherwise) connection profile/tunnel-group and it's set for local authentication by default.
You can either change the authentication on that group to be your kerberos AAA group, or make the tunnel-group/connection profile available to be chosen instead of DefaultWEBVPNGroup:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
--Jason
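The two fixes Jason describes, written out as an added ASA configuration example (not from the original thread or from Cisco's linked document). It assumes the 8.2-era syntax matching the svc commands in the posted config, and reuses the tunnel-group, server-group and outside-interface names from that config; the group-url path is a made-up placeholder.

```cisco
! Option 1: point the default SSL connection profile at the Kerberos server
! group, so sessions that land on DefaultWEBVPNGroup no longer fall back to
! LOCAL (the "Svr Grp: LOCAL" seen in the debug).
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ACauthentication
!
! Option 2: let the client reach the ACusers profile instead of landing on
! DefaultWEBVPNGroup. ACusers already has authentication-server-group
! ACauthentication in the posted config, so only selection needs enabling.
webvpn
 tunnel-group-list enable
tunnel-group ACusers webvpn-attributes
 ! alias shown in the AnyConnect group drop-down
 group-alias ACusers enable
 ! or a dedicated URL on the outside address (placeholder path)
 group-url https://192.168.167.10/ACusers enable
!
! Verify after the change: rerun the debug and confirm the transaction now
! reports the Kerberos group rather than LOCAL, then list the session.
! debug aaa common 255
! show vpn-sessiondb svc
```

With option 2 the profile is only used when the client actually selects the alias or connects to the group-url; a client that still connects to the bare outside address lands on DefaultWEBVPNGroup as before.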
10-27-2010 08:19 AM