iOS AnyConnect 'login failed' but NPS (AAA) passed the authentication

pturner
Level 1

I sure could really use some thoughts around this. Driving me nuts at this point.

Tunnel policy is set for AAA-RADIUS auth, with no accounting set. The real-time ASA monitor logs only the following (read from bottom up...):

6|Nov 30 2011|18:37:20|734001|||||DAP: User pturner, Addr 72.x.141.x, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

6|Nov 30 2011|18:37:20|113008|||||AAA transaction status ACCEPT : user = pturner

6|Nov 30 2011|18:37:20|113009|||||AAA retrieved default group policy (GroupPolicy1) for user = pturner

6|Nov 30 2011|18:37:20|113004|||||AAA user authentication Successful : server =  192.168.254.85 : user = pturner

The DfltAccessPolicy is to allow any traffic in and out to my private class C net (I'll refine it later).

My Microsoft NPS instance (at .85) is set to log both successes and failures, but only logs success for the attempt (I was getting a failure entry until I turned off accounting in my Tunnel group).

Why would my client come back with no tunnel, reporting "Login failed"? This is with an iPod touch running iOS 4.3.5, and the current AnyConnect client (v2.4.4019).

Thank you for your attention to this.

P

2 Replies

pturner
Level 1

Here is the problem.

With one tunnel group (set to LOCAL authentication but with no authorization or accounting) I get connected. The log looks like this:

Dec 01 2011 17:14:11: %ASA-6-734001: DAP: User pturner, Addr 72.2.141.31, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

Dec 01 2011 17:14:11: %ASA-4-716047: Group User IP <72.2.141.31> User ACL from AAA ignored, AV-PAIR ACL used instead.

Dec 01 2011 17:14:11: %ASA-6-716001: Group User IP <72.2.141.31> WebVPN session started.

Dec 01 2011 17:14:11: %ASA-6-716038: Group User IP <72.2.141.31> Authentication: successful, Session Type: WebVPN.

Dec 01 2011 17:14:11: %ASA-6-302013: Built inbound TCP connection 110 for outside:72.2.141.31/50319 (72.2.141.31/50319) to identity:66.1.40.73/443 (66.1.40.73/443)

With my other tunnel group (set to AAA [AD-LDAP] authentication and with no authorization or accounting), I get authenticated, but the tunnel gets terminated 2 seconds later. The log looks like this:

Dec 02 2011 07:12:50: %ASA-6-734001: DAP: User pturner, Addr 72.2.141.31, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

Dec 02 2011 07:12:50: %ASA-6-302014: Teardown TCP connection 229 for inside:192.168.254.80/389 to identity:192.168.254.250/35246 duration 0:00:00 bytes 710 TCP Reset-I

Dec 02 2011 07:12:50: %ASA-7-609002: Teardown local-host inside:192.168.254.80 duration 0:00:00

Dec 02 2011 07:12:52: %ASA-6-725007: SSL session with client outside:72.2.141.31/50490 terminated.

Dec 02 2011 07:12:52: %ASA-6-302014: Teardown TCP connection 228 for outside:72.2.141.31/50490 to identity:66.1.40.73/443 duration 0:00:03 bytes 3756 TCP Reset-I

If I switch out AAA-LDAP for AAA_RADIUS, the log is the same and my client reports the same ("Login Failed").

Why the difference between the LOCAL and AAA authenticated groups? They both get the same generic default DAP.

What ASA processes might be logging something relevant for those two seconds?

I'd really appreciate someone's comments or questions.

Thank you.

I solved this by unchecking the 'inherit' box on the Tunnel Group 'lock' entry of the assigned group policy, and left the value blank.
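The two log excerpts above differ in one message: the LOCAL group logs %ASA-6-716001 (WebVPN session started), while the AAA group logs a DAP selection followed two seconds later by %ASA-6-725007 (SSL session terminated) with no session-started message in between. The script below is an added example, not code from the thread or from Cisco: it parses ASA lines in both formats that appear in this thread (the ASDM real-time pipe-delimited form and the standard `%ASA-sev-id` syslog form) and classifies an AnyConnect attempt as established, authenticated-but-torn-down, or authenticated with no recorded outcome. The sample lines are constructed from the values in the posts; the message IDs used (113004, 716038, 734001, 716001, 725007) are the ones shown in the thread.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the lines quoted in the thread.
AAA_ATTEMPT = """\
Dec 02 2011 07:12:50: %ASA-6-734001: DAP: User pturner, Addr 72.2.141.31, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Dec 02 2011 07:12:52: %ASA-6-725007: SSL session with client outside:72.2.141.31/50490 terminated.
Dec 02 2011 07:12:52: %ASA-6-302014: Teardown TCP connection 228 for outside:72.2.141.31/50490 to identity:66.1.40.73/443 duration 0:00:03 bytes 3756 TCP Reset-I
"""

LOCAL_ATTEMPT = """\
Dec 01 2011 17:14:11: %ASA-6-734001: DAP: User pturner, Addr 72.2.141.31, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Dec 01 2011 17:14:11: %ASA-6-716001: Group User IP <72.2.141.31> WebVPN session started.
Dec 01 2011 17:14:11: %ASA-6-716038: Group User IP <72.2.141.31> Authentication: successful, Session Type: WebVPN.
"""

# ASDM real-time log view: sev|date|time|id|src|sport|dst|dport|message
ASDM_ATTEMPT = """\
6|Nov 30 2011|18:37:20|734001|||||DAP: User pturner, Addr 72.2.141.31, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
6|Nov 30 2011|18:37:20|113004|||||AAA user authentication Successful : server =  192.168.254.85 : user = pturner
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
DAP_RE = re.compile(r"DAP: User (?P<user>\S+), Addr (?P<addr>\S+),")
TS_FMT = "%b %d %Y %H:%M:%S"

AUTH_OK = {"113004", "716038"}   # AAA success / WebVPN authentication successful
DAP_SELECTED = "734001"          # DAP records chosen (logged right after auth)
SESSION_STARTED = "716001"       # WebVPN session started: the tunnel came up
SSL_TERMINATED = "725007"        # SSL session with client terminated


def parse_asa_line(line):
    """Return {'ts', 'sev', 'id', 'msg'} for one ASA line in either format, else None."""
    line = line.strip()
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "sev": int(m["sev"]),
                "id": m["id"], "msg": m["msg"]}
    parts = line.split("|", 8)
    if len(parts) == 9 and parts[3].isdigit():
        return {"ts": datetime.strptime(f"{parts[1]} {parts[2]}", TS_FMT),
                "sev": int(parts[0]), "id": parts[3], "msg": parts[8]}
    return None


def summarize_attempt(text):
    """Classify one connection attempt from its log lines.

    outcome is one of: 'established', 'auth_ok_no_tunnel',
    'auth_ok_outcome_unknown', 'no_auth'.
    """
    events = [e for e in map(parse_asa_line, text.splitlines()) if e]
    ids = {e["id"] for e in events}
    result = {"outcome": "no_auth", "seconds_to_teardown": 0, "user": None, "addr": None}

    for e in events:
        if e["id"] == DAP_SELECTED:
            m = DAP_RE.search(e["msg"])
            if m:
                result["user"], result["addr"] = m["user"], m["addr"]

    auth_ids = AUTH_OK | {DAP_SELECTED}
    if SESSION_STARTED in ids:
        result["outcome"] = "established"
    elif ids & auth_ids and SSL_TERMINATED in ids:
        # Authenticated, then the SSL session died without a WebVPN session:
        # the symptom described in the thread.
        first_auth = min(e["ts"] for e in events if e["id"] in auth_ids)
        torn_down = max(e["ts"] for e in events if e["id"] == SSL_TERMINATED)
        result["outcome"] = "auth_ok_no_tunnel"
        result["seconds_to_teardown"] = int((torn_down - first_auth).total_seconds())
    elif ids & auth_ids:
        result["outcome"] = "auth_ok_outcome_unknown"
    return result


if __name__ == "__main__":
    for name, sample in (("LOCAL", LOCAL_ATTEMPT), ("AAA", AAA_ATTEMPT), ("ASDM", ASDM_ATTEMPT)):
        print(name, summarize_attempt(sample))
```

Run over a longer capture, the `auth_ok_no_tunnel` outcome is the one worth alerting on: AAA accepted the credentials, so the RADIUS/LDAP server and the client both see a "success" that never became a session, which is exactly why the NPS log and the AnyConnect "Login failed" message disagree in this thread.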