02-27-2018 10:47 AM - edited 03-12-2019 05:03 AM
Hello All,
ASA version 9.4(1)
We are currently using AnyConnect along with the ASA and ISE for authentication and authorization into VPN. Users' login requests are sent to the ISE server for authentication, and they get back the authorization policy from ISE.
But I am planning on upgrading the ISE server this weekend, which has an estimated time of about 10+ hours. So, in case some issues occur during the upgrade and users cannot log in to VPN via AnyConnect because ISE is down, we thought we could create a local user on the ASA which could authenticate through the ASA and bypass ISE for authentication. But I'm having a little trouble figuring this out. The only time I've ever seen local user configurations on the ASA was for the user I use to log in to the ASA on ASDM or CLI.
I just created a "local user" on the ASA. I gave it a username (*call him johndoe) and a password. Everything else is currently set to inherited.
Would someone be able to guide me on allowing this user the ability to log in to VPN with the AnyConnect client?
Currently, when I attempt to log in to VPN with my AnyConnect client, I get prompted with a pop-up that allows me to choose from the 2 Group Policies that we have (*Employee and Vendor) and then a username and password.
Any help would be greatly appreciated!
Thanks in Advance,
Matt
02-27-2018 12:46 PM
Connection Profile (on ASDM) = Tunnel Group (on CLI).
I think you should be good going forward. Just remember that if you have ISE and LOCAL, the user would try the AD username/password first. If this fails (assuming that ISE is down), then they have to try the local username/password on the second attempt. Auth will be slower than usual because of the retries that it would require for ISE to be marked as failed. If you have 2 nodes in the ISE server-group, then slightly longer.
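The ISE-first, LOCAL-fallback connection profile described above, written out as an added ASA configuration example that is not from this thread: the server-group name ISE, the RADIUS host address and the shared secret are assumptions, while johndoe and the Employee group policy come from the question.

```cisco
! Added example (not from the thread): ASA 9.4 config for ISE-first,
! LOCAL-fallback AnyConnect authentication. Server-group name, address,
! key and passwords are assumed placeholders.
!
! RADIUS server group pointing at ISE (hypothetical address 192.0.2.10).
! The failed-attempt and deadtime settings control how quickly the ASA
! marks ISE as down, which is what decides when LOCAL is consulted.
aaa-server ISE protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ISE (inside) host 192.0.2.10
 key <RADIUS-shared-secret>
!
! Local VPN user. service-type remote-access is what lets this account
! build a VPN tunnel rather than only log in to ASDM/CLI, and the account
! is pinned to the Employee group policy since ISE will not be returning one.
username johndoe password <strong-password>
username johndoe attributes
 service-type remote-access
 vpn-group-policy Employee
!
! Connection profile (= tunnel group). "ISE LOCAL" sends every login to the
! ISE group first and falls back to the local database only when all servers
! in the group are unreachable, not when ISE actively rejects the credentials.
tunnel-group Employee general-attributes
 authentication-server-group ISE LOCAL
 default-group-policy Employee
!
! Checks to run before the maintenance window:
!   show aaa-server ISE
!   test aaa-server authentication ISE host 192.0.2.10 username johndoe password <strong-password>
```

Remove or disable the local account once ISE is back in service, so a standing password-only VPN login does not outlive the maintenance window.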
02-27-2018 03:50 PM
No, I was talking more of a real-world scenario where the user does not know when ISE is down. If the user knows that the ISE servers are down and then tries the LOCAL credentials, the auth request will be sent to ISE first. When ISE does not respond, the ASA checks the credentials against the local DB. If they don't know that ISE is down, they would first try the AD credentials, which would fail, and then try the local credentials on the next attempt.
The ASA will always attempt to send credentials to ISE first every time the username/password is entered.