02-07-2017 07:42 PM
Hi,
I have an ASA set up for clientless VPN access. I use LDAP/password for primary auth and SecurID via RADIUS for secondary auth. The login page requests username, password, and tokencode.
All works well except when a token PIN code set/reset is required. When this occurs, I get a small info button which then shows the message:
Your system administrator provided the following information to help understand and remedy the security conditions:
The login page does not change and requests username, password, and tokencode. This new/next tokencode works fine when using AnyConnect. I'd appreciate it if someone has a working config to share or can point out a missing/incorrect config.
Thanks
Stuart
I'm running v9.6(2). Config snippet is below.
aaa-server RSAServers protocol radius
aaa-server RSAServers (DMZ) host x.x.x.x
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server LDAP protocol ldap
aaa-server LDAP (internal) host x.x.x.x
 server-port 389
 ldap-base-dn OU=SEC_User_Accounts,DC=SEC,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA_Service,OU=RSA-ASA Accounts,DC=SEC,DC=local
 server-type microsoft
 ldap-attribute-map LMAP_SEC.LOCAL
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
webvpn
 enable outside
 anyconnect image disk0:/AnyConnectFiles/anyconnect-linux-64-4.1.06020-k9.pkg 1
 anyconnect image disk0:/AnyConnectFiles/anyconnect-win-4.1.06020-k9.pkg 2
 anyconnect image disk0:/AnyConnectFiles/anyconnect-macosx-i386-4.1.06020-k9.pkg 3
 anyconnect profiles SSLVPNClientProfile disk0:/SSLVPNProfiles/sslvpnclientprofile.xml
 anyconnect enable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 banner value....
 dns-server value x.x.x.x
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value sec.local
 webvpn
  customization value ADITS
  activex-relay disable
  file-browsing disable
group-policy GP_Deny_Users internal
group-policy GP_Deny_Users attributes
 wins-server none
 dns-server value x.x.x.x
 vpn-simultaneous-logins 1
 vpn-filter value ACL_Deny_All
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value sec.local
 webvpn
  filter value WebACL_Deny_All
group-policy GP_General_Users internal
group-policy GP_General_Users attributes
 wins-server none
 dns-server value x.x.x.x
 vpn-filter value ACL_General_Users
 default-domain value sec.local
 address-pools value Pool_General_Users
 webvpn
  filter value WebACL_General_Users
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Pool_General_Users
 authentication-server-group LDAP
 secondary-authentication-server-group RSAServers use-primary-username
 accounting-server-group RSAServers
 default-group-policy GP_Deny_Users
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization ADITS
 radius-reject-message
 proxy-auth sdi
 group-alias Clientless disable
 group-alias ClientlessVPN disable
 group-alias Clientless_SSLVPN disable
 group-alias SSL disable
 group-alias VPN disable
tunnel-group DefaultSSLVPNGroup type remote-access
tunnel-group DefaultSSLVPNGroup general-attributes
 address-pool Pool_General_Users
 authentication-server-group LDAP
 secondary-authentication-server-group RSAServers use-primary-username
 accounting-server-group RSAServers
 default-group-policy GP_Deny_Users
tunnel-group DefaultSSLVPNGroup webvpn-attributes
 customization ADITS
 radius-reject-message
 proxy-auth sdi
 group-alias Anyconnect disable
 group-alias Anyconnect_VPNClient disable
 group-alias VPNClient disable
!
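On the wire, the "next tokencode" / new-PIN prompt that the post expects the clientless page to show is a RADIUS Access-Challenge from the RSA server: the reply carries a State attribute and a Reply-Message, and the second Access-Request must echo that State alongside the new tokencode or the server cannot tie it to the pending challenge. The Python model below is an added illustration written for this page, not code from the thread, from Cisco or from RSA. It builds both sides of that exchange, including the Response Authenticator check a RADIUS client uses to reject replies not bound to its own request, and the `echo_state=False` path shows what the server sees when the State is dropped. The shared secret, passcodes, State value and prompt text are constructed.

```python
"""Model of the RADIUS Access-Challenge round trip used for SecurID next-tokencode."""
import hashlib
import os
import struct

# Packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used here (RFC 2865 section 5)
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SECRET = b"constructed-shared-secret"  # constructed stand-in for the aaa-server 'key'


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the key stream is chained from ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, 20 + body_len)


def build_request(ident, username, passcode, state=None, request_auth=None):
    """Client (ASA) side. State is echoed only when answering an Access-Challenge."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(passcode.encode(), SECRET, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return header(ACCESS_REQUEST, ident, len(body)) + request_auth + body


def build_response(code, request, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    hdr = header(code, request[1], len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + SECRET).digest() + body


def verify_response_auth(packet, request):
    """Client side: a reply must be bound to our Request Authenticator and ID."""
    if len(packet) < 20 or packet[1] != request[1]:
        return False
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + SECRET).digest()
    return expected == packet[4:20]


def parse_response(packet, request):
    if struct.unpack("!H", packet[2:4])[0] != len(packet) or not verify_response_auth(packet, request):
        raise ValueError("bad Response Authenticator: wrong secret, forged or mismatched reply")
    attrs = decode_attrs(packet[20:])
    return {"code": packet[0],
            "state": next((v for t, v in attrs if t == STATE), None),
            "reply_message": b"".join(v for t, v in attrs if t == REPLY_MESSAGE).decode(errors="replace")}


# Constructed stand-in for the RSA/RADIUS server with the token in next-tokencode mode.
EXPECTED_PASSCODE = b"12345678"   # constructed PIN+tokencode for the first prompt
NEXT_TOKENCODE = b"87654321"      # constructed code the user must enter when challenged
CHALLENGE_STATE = b"next-tokencode-ctx"
NEXT_TOKEN_PROMPT = "Wait for the tokencode to change, then enter the new tokencode"  # constructed


def fake_rsa_server(request):
    attrs = dict(decode_attrs(request[20:]))
    passcode = reveal_password(attrs[USER_PASSWORD], SECRET, request[4:20])
    state = attrs.get(STATE)
    if state is None and passcode == EXPECTED_PASSCODE:
        return build_response(ACCESS_CHALLENGE, request,
                              [(STATE, CHALLENGE_STATE), (REPLY_MESSAGE, NEXT_TOKEN_PROMPT.encode())])
    if state == CHALLENGE_STATE and passcode == NEXT_TOKENCODE:
        return build_response(ACCESS_ACCEPT, request, [])
    return build_response(ACCESS_REJECT, request, [(REPLY_MESSAGE, b"Access denied")])


def run_exchange(username, first_passcode, second_passcode, echo_state=True):
    """Two-step login; returns the reply codes seen. With echo_state=False the second
    request omits State, so the server treats it as a fresh login with a stale code."""
    req1 = build_request(1, username, first_passcode)
    rep1 = parse_response(fake_rsa_server(req1), req1)
    if rep1["code"] != ACCESS_CHALLENGE:
        return [rep1["code"]]
    req2 = build_request(2, username, second_passcode, state=rep1["state"] if echo_state else None)
    rep2 = parse_response(fake_rsa_server(req2), req2)
    return [rep1["code"], rep2["code"]]


if __name__ == "__main__":
    print(run_exchange("stuart", "12345678", "87654321"))
```

When checking a real deployment, the useful part of this model is the shape of the reply: a debug capture of the ASA-to-RSA traffic should show code 11 with a State attribute after the first request, and the ASA's second request carrying that State back. If the challenge arrives but the user-facing page never re-prompts, the problem is on the ASA side, which is what the bug later identified in this thread describes.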
02-08-2017 06:06 AM
Hello Stuart,
Is this a new setup that has yet to work, or is this due to an upgrade to 9.6?
And just to be certain - when prompted for the next token, you enter the token and it is accepted, but you are continually asked for the next token on every connection attempt?
What browser are you using ?
I will look into this for you.
Best regards,
Paul
AnyConnect TME
@nandakum
02-08-2017 10:05 PM
Hi,
It turns out this is a bug - thanks Rahul Govindan. The strange thing is this was working for quite some time. Anyway, fixed now in 9.7(1).
OTP authentication is not working for clientless ssl vpn
CSCva87160
Description
Symptom:
The customer is using two-factor authentication. They're using AnyConnect and clientless SSL VPN.
In the case of clientless:
After the first authentication, the second OTP authentication screen is not displayed; the first one is displayed instead.
Conditions:
The customer had the problem in clientless VPN only after upgrading from version 9.4(2) to 9.4(3)6.
Workaround:
none
The customer downgraded to the previous version (9.4(2)) and the issue was solved.
Further Problem Description:
02-10-2017 09:00 AM
Great. Thanks for details.
Best regards,
Paul
AC TME