
Cisco AnyConnect Multifactor authentication Failed on Conn profile

waqasrd_99
Level 1

Hi,

We have set up AnyConnect MFA with Azure (using NPS extension). It is working fine with the test connection profile, but it failed on the Prod connection profile. Both use the same LDAP user groups. NPS servers and policies are identical. The user receives the text code on mobile but does not get authenticated. Weirdly, the user can complete authentication with the Microsoft Authenticator application. Is there anything missing on the Prod connection profile, group policies or Azure?

Thanks

1 Accepted Solution


waqasrd_99
Level 1

Thanks for your support. The issue was actually with the timeout setting of the RADIUS server on the ASA, set to 10 seconds. I changed it to 30 seconds and now users can connect via text code and


4 Replies

From the ASA, can you run 'debug ldap' to see whether the ASA is receiving a successful
authentication response after MFA or not? This way you narrow down your
troubleshooting. If the ASA is not receiving the correct response from NPS after
the user puts in the code, then you need to look at NPS.


Hi Mohammad,

Thank you for your response. It is working fine on the test connection profile. We are using the same NPS server and LDAP user group for both. Unfortunately, I can't debug because it's in Production. I am keen to get the root cause: what could be wrong with the Production connection profile?

Debug ldap won't cause load on the ASA. Without debugs, we can't find out
