cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
766
Views
0
Helpful
3
Replies
StuartR
Beginner

New/Next Tokencode not working with Clientless SSL VPN using Ldap and RSA(RADIUS) authentication

Hi,

I have a ASA setup for Clientless VPN access. I use LDAP/Password for primary authand SecurID via RADIUS for secondary auth. The login page requests username, password, and tokencode.

All works well except when a token pin code set/reset is required. When this occurs, I get a a small info button when then showns the message '

Your system administrator provided the following information to help understand and remedy the security conditions:


Enter a new PIN having from 4 to 8 alphanumeric characters:

The login page does not change and requests username, password, and tokencode. This new/next tokencode works fine when using anyconnect. I'd appreciate it if someone has a working config to share or can point out a missing/incorrect config.

Thanks

Stuart

I'm running v9.6(2). Config snippet is below.

aaa-server RSAServers protocol radius
aaa-server RSAServers (DMZ) host x.x.x.x
key *****
authentication-port 1812
accounting-port 1813
aaa-server LDAP protocol ldap
aaa-server LDAP (internal) host x.x.x.x
server-port 389
ldap-base-dn OU=SEC_User_Accounts,DC=SEC,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASA_Service,OU=RSA-ASA Accounts,DC=SEC,DC=local
server-type microsoft
ldap-attribute-map LMAP_SEC.LOCAL
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

webvpn
enable outside
anyconnect image disk0:/AnyConnectFiles/anyconnect-linux-64-4.1.06020-k9.pkg 1
anyconnect image disk0:/AnyConnectFiles/anyconnect-win-4.1.06020-k9.pkg 2
anyconnect image disk0:/AnyConnectFiles/anyconnect-macosx-i386-4.1.06020-k9.pkg 3
anyconnect profiles SSLVPNClientProfile disk0:/SSLVPNProfiles/sslvpnclientprofile.xml
anyconnect enable
error-recovery disable
group-policy DfltGrpPolicy attributes
banner value....
dns-server value x.x.x.x
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
customization value ADITS
activex-relay disable
file-browsing disable
group-policy GP_Deny_Users internal
group-policy GP_Deny_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-filter value ACL_Deny_All
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
filter value WebACL_Deny_All
group-policy GP_General_Users internal
group-policy GP_General_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-filter value ACL_General_Users
default-domain value sec.local
address-pools value Pool_General_Users
webvpn
filter value WebACL_General_Users

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Clientless disable
group-alias ClientlessVPN disable
group-alias Clientless_SSLVPN disable
group-alias SSL disable
group-alias VPN disable
tunnel-group DefaultSSLVPNGroup type remote-access
tunnel-group DefaultSSLVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultSSLVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Anyconnect disable
group-alias Anyconnect_VPNClient disable
group-alias VPNClient disable
!

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

It turns out this is a bug - thanks Rahul Govindan. The strange thing is this was working for quite some time. Anyway, fixed now in 9.7(1)

OTP authentication is not working for clientless ssl vpn

CSCva87160

Description

Symptom:

The customer is using two factor authentication They're using AnyConnect and Clienteles ssl vpn.

in case of clienteles,

After the first authentication, not the second OPT authentication screen is displayed but the first one is displayed.

Conditions:

The customer had the problem in clientless vpn only after upgrading from version 9.4(2) to 9.4(3)6

Workaround:

none

The customer downgraded to the previous version(9.4(2)) and the issue was solved.

Further Problem Description:

View solution in original post

3 REPLIES 3
pcarco
Cisco Employee

Hello Stuart,

Is this a new setup and has yet to work or is this due to an upgrade to 9.6 ?

And just to be certain -  when prompted tor the next token you enter the token and it is accepted but you are continually asked for the next token on every connection attempt ?

What browser are you using ?

I will look into this for you.

Best regards,

Paul

AnyConnect TME

@nandakum

Hi,

It turns out this is a bug - thanks Rahul Govindan. The strange thing is this was working for quite some time. Anyway, fixed now in 9.7(1)

OTP authentication is not working for clientless ssl vpn

CSCva87160

Description

Symptom:

The customer is using two factor authentication They're using AnyConnect and Clienteles ssl vpn.

in case of clienteles,

After the first authentication, not the second OPT authentication screen is displayed but the first one is displayed.

Conditions:

The customer had the problem in clientless vpn only after upgrading from version 9.4(2) to 9.4(3)6

Workaround:

none

The customer downgraded to the previous version(9.4(2)) and the issue was solved.

Further Problem Description:

View solution in original post

Great.  Thanks for details.

Best regards,

Paul

AC TME

Content for Community-Ad