Cisco AnyConnect User with Multiple Assigned Tunnel Groups in Windows - LoginFailed

Netmart
Level 3

According to Cisco AnyConnect, login failed.

Based on debugs, the ASA server is sending the correct tunnel group RADIUS attribute string: it-vpn1

The AAA server responds with the wrong tunnel group string / RADIUS Type 25: it-vpn2.

Note: the user is assigned multiple tunnel groups.

The AAA server (Win AD Server) always responds with the it-vpn2 tunnel group, although the VPN user selects 'it-vpn1' in the Cisco AnyConnect login menu - see trace.

How does the Windows NPS have to be set up when an AD user is required to access multiple tunnel groups?

 

==>ASA  Upstream RADIUS  Attributes [to AAA Server]

Radius: Type = 146 (0x92) Tunnel-Group-Name

Radius: Length = 10 (0x0A)

Radius: Value (String) =

68 61 63 73 2d 76 70 6e                            |  test-vpn1

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 12 (0x0C)

Radius: Vendor ID = 3076 (0x00000C04)

Radius: Type = 150 (0x96) Client-Type

Radius: Length = 6 (0x06)

Radius: Value (Integer) = 2 (0x0002)

send pkt 192.168.1.1/1645
==> RADIUS Downstream Authorization Attributes [from AAA Server]

Parsed packet data.....

Radius: Code = 2 (0x02)

Radius: Identifier = 204 (0xCC)

Radius: Length = 262 (0x0106)

Radius: Vector: 290B4D24880917E0C20FBEBD60C56DC7

Radius: Type = 25 (0x19) Class

Radius: Length = 8 (0x08)

Radius: Value (String) =

69 74 2d 76 70 6e                                  |  test-vpn2

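As an added example, not code from the post or from Cisco: a small Python parser for the ASA debug layout shown above. It decodes the hex bytes (the text after the '|' is only a rendering) and reports whether the Tunnel-Group-Name the ASA sent upstream matches the Class string the AAA server returned, which is the mismatch the post describes. The trace lines and the 192.0.2.10 address are constructed sample data; single-line string values are assumed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the "debug radius" layout from the post (not a real capture).
SAMPLE_TRACE = """\
==>ASA  Upstream RADIUS  Attributes [to AAA Server]
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
69 74 2d 76 70 6e 31                               |  it-vpn1
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 2 (0x0002)
send pkt 192.0.2.10/1645
==> RADIUS Downstream Authorization Attributes [from AAA Server]
Radius: Code = 2 (0x02)
Radius: Type = 25 (0x19) Class
Radius: Length = 9 (0x09)
Radius: Value (String) =
69 74 2d 76 70 6e 32                               |  it-vpn2
"""

TYPE_RE = re.compile(r"^Radius: Type = (\d+) \(0x[0-9A-Fa-f]+\) (\S+)")
HEX_RE = re.compile(r"^((?:[0-9a-fA-F]{2}\s+)+)\|")  # hex dump line, value before '|'


def parse_trace(text: str) -> Dict[str, Dict[str, str]]:
    """Collect string-valued attributes per direction: {'upstream': {...}, 'downstream': {...}}."""
    attrs: Dict[str, Dict[str, str]] = {"upstream": {}, "downstream": {}}
    direction: Optional[str] = None
    current: Optional[str] = None   # attribute name from the last 'Radius: Type' line
    want_value = False              # next hex line belongs to `current`
    for line in text.splitlines():
        if line.startswith("==>"):  # section header decides the packet direction
            direction = "upstream" if "Upstream" in line else "downstream"
            current, want_value = None, False
        elif (m := TYPE_RE.match(line)):
            current, want_value = m.group(2), False
        elif line.startswith("Radius: Value (String) ="):
            want_value = True
        elif want_value:
            if (h := HEX_RE.match(line)) and direction and current:
                raw = bytes.fromhex("".join(h.group(1).split()))
                attrs[direction][current] = raw.decode("ascii", "replace")
            want_value = False
    return attrs


def check_tunnel_group(text: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (tunnel group sent, Class string returned, whether they agree)."""
    a = parse_trace(text)
    sent = a["upstream"].get("Tunnel-Group-Name")
    returned = a["downstream"].get("Class")
    norm = returned
    if norm and norm.upper().startswith("OU="):  # ASA also accepts the 'OU=name;' form
        norm = norm[3:].rstrip(";")
    return sent, returned, bool(sent) and norm == sent
```

Feed it the output of the real debug session; a `False` in the third field is the condition the post reports.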