cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1361
Views
0
Helpful
2
Replies
StuartR
Beginner

New/Next Tokencode not working with Clientless SSL VPN using Ldap and RSA(RADIUS) authentication

Hi,

I have a ASA setup for Clientless VPN access. I use LDAP/Password for primary authand SecurID via RADIUS for secondary auth. The login page requests username, password, and tokencode. 

All works well except when a token pin code set/reset is required. When this occurs, I get a a small info button when then showns the message '

Your system administrator provided the following information to help understand and remedy the security conditions:

Enter a new PIN having from 4 to 8 alphanumeric characters:

The login page does not change and requests username, password, and tokencode. I'd appreciate it if someone has a working config to share or can point out a missing/incorrect config.

Thanks

Stuart

I'm running v9.6(2). Config snippet is below.

aaa-server RSAServers protocol radius
aaa-server RSAServers (DMZ) host x.x.x.x
key *****
authentication-port 1812
accounting-port 1813
aaa-server LDAP protocol ldap
aaa-server LDAP (internal) host x.x.x.x
server-port 389
ldap-base-dn OU=SEC_User_Accounts,DC=SEC,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ASA_Service,OU=RSA-ASA Accounts,DC=SEC,DC=local
server-type microsoft
ldap-attribute-map LMAP_SEC.LOCAL
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL 

webvpn
enable outside
anyconnect image disk0:/AnyConnectFiles/anyconnect-linux-64-4.1.06020-k9.pkg 1
anyconnect image disk0:/AnyConnectFiles/anyconnect-win-4.1.06020-k9.pkg 2
anyconnect image disk0:/AnyConnectFiles/anyconnect-macosx-i386-4.1.06020-k9.pkg 3
anyconnect profiles SSLVPNClientProfile disk0:/SSLVPNProfiles/sslvpnclientprofile.xml
anyconnect enable
error-recovery disable
group-policy DfltGrpPolicy attributes
banner value....
dns-server value x.x.x.x
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
customization value ADITS
activex-relay disable
file-browsing disable
group-policy GP_Deny_Users internal
group-policy GP_Deny_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 1
vpn-filter value ACL_Deny_All
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value sec.local
webvpn
filter value WebACL_Deny_All
group-policy GP_General_Users internal
group-policy GP_General_Users attributes
wins-server none
dns-server value x.x.x.x
vpn-filter value ACL_General_Users
default-domain value sec.local
address-pools value Pool_General_Users
webvpn
filter value WebACL_General_Users

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Clientless disable
group-alias ClientlessVPN disable
group-alias Clientless_SSLVPN disable
group-alias SSL disable
group-alias VPN disable
tunnel-group DefaultSSLVPNGroup type remote-access
tunnel-group DefaultSSLVPNGroup general-attributes
address-pool Pool_General_Users
authentication-server-group LDAP
secondary-authentication-server-group RSAServers use-primary-username
accounting-server-group RSAServers
default-group-policy GP_Deny_Users
tunnel-group DefaultSSLVPNGroup webvpn-attributes
customization ADITS
radius-reject-message
proxy-auth sdi
group-alias Anyconnect disable
group-alias Anyconnect_VPNClient disable
group-alias VPNClient disable
!

1 ACCEPTED SOLUTION

Accepted Solutions
Rahul Govindan
Advocate

Looks like a bug to me. I checked the 9.6 and 9.7 release notes and there was one issue seen with 9.6(2) which is fixed in 9.7.1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva87160

OTP authentication is not working for clientless ssl vpn

This may be what is affecting your secureid change-pin also. If possible, test the ASA with the fixed version - 9.7(1).

View solution in original post

2 REPLIES 2
Rahul Govindan
Advocate

Looks like a bug to me. I checked the 9.6 and 9.7 release notes and there was one issue seen with 9.6(2) which is fixed in 9.7.1.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva87160

OTP authentication is not working for clientless ssl vpn

This may be what is affecting your secureid change-pin also. If possible, test the ASA with the fixed version - 9.7(1).

View solution in original post

Thanks Rahul, installing 9.7(1) fixed the issue :)

Content for Community-Ad