Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
616
Views
0
Helpful
0
Replies

Password handover different between Client (AnyConnect) and Clientless (WebVPN) VPN

sven.wolter
Level 1
Level 1

‎11-16-2018 06:57 AM - edited ‎02-21-2020 09:30 PM

Hello,

 

the Password handover to Radius Server is different between Client (AnyConnect) and Clientless (WebVPN) VPN from the same ASA. The ASA sends the Username and Password with Radius to an ISE. 

 

AnyConnect Client Session

AVP Type 1 = User-Name

AVP Type 2 = User-Password

 

ClientlessVPN Session

AVP Type 1 =User-Name

AVP Type 2 = "Is Missing"

Instead the AVP 26 Vendor-Specific 311 MS-Chap is present

 

With MS-Chap behind the ISE the General Authentication Platform can't do anything.

Can the ASA perhaps already fill in the password from Radius AVP Type 2 field or perhaps the ISE? The ISE in this case is Radius Proxy. Behind the is the Symantec VIP Gateway for Two Factor Authentication. The ISE is connected by Radius Protocol. 

With Client VPN it works fine and don't works for ClientlessVPN (because the Password is missing).

 

Does someone have an idea how to customize the ASA or ISE accordingly?

 

ASA Version 9.6

ISE Version 1.3

 

Thanks

Sven

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents