New/Next Tokencode not working with Clientless SSL VPN using Ldap and RSA(RADIUS) authentication

StuartR
Level 1

Hi,

I have an ASA set up for Clientless VPN access. I use LDAP/Password for primary auth and SecurID via RADIUS for secondary auth. The login page requests username, password, and tokencode.

All works well except when a token PIN code set/reset is required. When this occurs, I get a small info button which then shows the message:

Your system administrator provided the following information to help understand and remedy the security conditions:


Enter a new PIN having from 4 to 8 alphanumeric characters:

The login page does not change and requests username, password, and tokencode. This new/next tokencode works fine when using AnyConnect. I'd appreciate it if someone has a working config to share or can point out a missing/incorrect config.

Thanks

Stuart

I'm running v9.6(2). Config snippet is below.

aaa-server RSAServers protocol radius
aaa-server RSAServers (DMZ) host x.x.x.x
key *****
authentication-port 1812
accounting-port 1813
aaa-server LDAP protocol ldap
aaa-server LDAP (internal) host x.x.x.x
server-port 389
ldap-base-dn OU=SEC_User_Accounts,DC=SEC,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASA_Service,OU=RSA-ASA Accounts,DC=SEC,DC=local
server-type microsoft
ldap-attribute-map LMAP_SEC.LOCAL
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

webvpn
enable outside
anyconnect image disk0:/AnyConnectFiles/anyconnect-linux-64-4.1.06020-k9.pkg 1
anyconnect image disk0:/AnyConnectFiles/anyconnect-win-4.1.06020-k9.pkg 2
anyconnect image disk0:/AnyConnectFiles/anyconnect-macosx-i386-4.1.06020-k9.pkg 3
anyconnect profiles SSLVPNClientProfile disk0:/SSLVPNProfiles/sslvpnclientprofile.xml
anyconnect enable
error-recovery disable
group-policy DfltGrpPolicy attributes
banner value....
dns-server value x.x.x.x
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
customization value ADITS
activex-relay disable
file-browsing disable
group-policy GP_Deny_Users internal
group-policy GP_Deny_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-filter value ACL_Deny_All
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
filter value WebACL_Deny_All
group-policy GP_General_Users internal
group-policy GP_General_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-filter value ACL_General_Users
default-domain value sec.local
address-pools value Pool_General_Users
webvpn
filter value WebACL_General_Users

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Clientless disable
group-alias ClientlessVPN disable
group-alias Clientless_SSLVPN disable
group-alias SSL disable
group-alias VPN disable
tunnel-group DefaultSSLVPNGroup type remote-access
tunnel-group DefaultSSLVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultSSLVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Anyconnect disable
group-alias Anyconnect_VPNClient disable
group-alias VPNClient disable
!
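As an added example (not part of this thread, the ASA, or RSA's code), the script below walks the RFC 2865 Access-Challenge round trip that SecurID New-PIN mode relies on over RADIUS: the server answers the first Access-Request with code 11 carrying the Reply-Message text quoted above plus a State attribute, and a correct client must show that prompt, collect the new PIN, and resend it with the same State. The shared secret, usernames, PIN and State value are constructed, and the server side is simulated in-process.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types
def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, -(-len(password) // 16) * 16, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16].ljust(16, b"\x00"), key))
        out += prev
    return out

def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(secret, ident, username, password, req_auth, state=None):
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(secret, req_auth, password.encode()))]
    if state is not None:  # a reply to a challenge must echo the server's State verbatim
        attrs.append((STATE, state))
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_server_reply(secret, code, ident, req_auth, attrs):
    """Response Authenticator = MD5(code | id | length | RequestAuth | attrs | secret)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def parse_reply(secret, pkt, req_auth):
    """Check the Response Authenticator, then return (code, ident, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if pkt[4:20] != hashlib.md5(pkt[:4] + req_auth + pkt[20:length] + secret).digest():
        raise ValueError("bad Response Authenticator: reply not from the shared-secret peer")
    attrs, pos = {}, 20
    while pos < length:
        attrs.setdefault(pkt[pos], []).append(pkt[pos + 2:pos + pkt[pos + 1]])
        pos += pkt[pos + 1]
    return code, ident, attrs

def new_pin_round_trip(secret=b"constructed-secret", username="stuart"):
    """Tokencode in, constructed New-PIN Access-Challenge back, new PIN re-sent with State."""
    req_auth = os.urandom(16)
    first = build_access_request(secret, 7, username, "123456", req_auth)  # PIN+tokencode
    challenge = build_server_reply(secret, ACCESS_CHALLENGE, 7, req_auth, [  # constructed
        (REPLY_MESSAGE, b"Enter a new PIN having from 4 to 8 alphanumeric characters:"),
        (STATE, b"constructed-newpin-state")])
    code, _, attrs = parse_reply(secret, challenge, req_auth)  # 11: prompt, do not reject
    reply = build_access_request(secret, 8, username, "newpin77", os.urandom(16), attrs[STATE][0])
    return first, code, attrs[REPLY_MESSAGE][0].decode(), reply
```

A client that displays the Reply-Message but then re-shows the original login form, as the clientless portal does here, never sends the second request with State, so the New-PIN transaction cannot complete.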



pcarco
Cisco Employee

Hello Stuart,

Is this a new setup and has yet to work or is this due to an upgrade to 9.6 ?

And just to be certain - when prompted for the next token, you enter the token and it is accepted, but you are continually asked for the next token on every connection attempt?

What browser are you using ?

I will look into this for you.

Best regards,

Paul

AnyConnect TME

@nandakum

Hi,

It turns out this is a bug - thanks Rahul Govindan. The strange thing is that this was working for quite some time. Anyway, it is fixed now in 9.7(1).

OTP authentication is not working for clientless SSL VPN

CSCva87160

Description

Symptom:

The customer is using two-factor authentication. They're using AnyConnect and clientless SSL VPN.

In the case of clientless,

After the first authentication, the second OTP authentication screen is not displayed; the first one is displayed instead.

Conditions:

The customer had the problem in clientless VPN only after upgrading from version 9.4(2) to 9.4(3)6.

Workaround:

none

The customer downgraded to the previous version (9.4(2)) and the issue was solved.

Further Problem Description:

Great. Thanks for the details.

Best regards,

Paul

AC TME