12-02-2015 07:49 AM - edited 02-21-2020 08:34 PM
Hi,
We currently have an ASA 8.2.5 that authenticates remote access VPN users who connect using AnyConnect 3.1 via Radius which is running on Microsoft IAS. We have 6 or 7 groups in Active Directory and as long as they are in the correct group they get the correct tunnel-group and group policy which gives them the correct ACL. We would like to move this authentication to ACS 5.2 which we have running already for tacacs authentication to network equipment.
I have added a new AAA Server group for the ACS server which tests fine from the ASA and also have joined the ACS to our AD domain. I have set up a tunnel-group and group policy and changed User Authentication to the ACS server group. The issue is that I get the following error message when trying to authenticate with the user:
Group <DfltGrpPolicy> User <testuser> IP <xx.xx.xx.xx> Authentication: rejected, Session Type: WebVPN
AAA user authentication Rejected : reason = AAA failure : server = xx.xx.xx.xx : user = testuser
It looks to me like it is defaulting to the DefaultWebVPNGroup tunnel group which has our IAS server configured as the Authentication Server Group.
I did use the AnyConnect VPN wizard and it created the tunnel-group, group policy and AnyConnect Client Profile which did authenticate the user but it added the tunnel-list drop-down in AnyConnect. We do not want the drop-down in AnyConnect and want the user to just enter their AD network credentials and be assigned the correct tunnel-group/group policy and be authenticated to ACS.
I cannot change the Authentication Server Group for the Default WebVPNGroup to our ACS as we want to migrate groups from the IAS to the ACS.
Do I have any other options to allow both IAS and ACS to authenticate users without the use of the tunnel-list in AnyConnect?
Thanks in advance.
Jeff
12-02-2015 01:16 PM
You can create a Group-url for the new group that you created and use it in the Client profile for the user. This way, the user only goes to that group and he/she does not get the dropdown from any other aliases you may have created.
Group url can be something like https://<asa-fqdn>/group1
More details are here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html#MAINTASK2
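As an added illustration of the group-url approach (example configuration, not the poster's or the answerer's own), the ASA side might look like this; the server-group name ACS-SERVERS, the tunnel-group ACS-VPN, the policy ACS-VPN-POLICY, the host 192.0.2.10 and the FQDN vpn.example.com are all assumed names:

```cisco
! Assumed names throughout; replace with your own.
! 1. AAA server group pointing at the ACS (RADIUS) server.
aaa-server ACS-SERVERS protocol radius
aaa-server ACS-SERVERS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! 2. Group policy for users who authenticate against ACS.
group-policy ACS-VPN-POLICY internal
group-policy ACS-VPN-POLICY attributes
 vpn-tunnel-protocol svc
!
! 3. Tunnel-group that uses ACS, not the IAS server group
!    still configured on DefaultWebVPNGroup.
tunnel-group ACS-VPN type remote-access
tunnel-group ACS-VPN general-attributes
 authentication-server-group ACS-SERVERS
 default-group-policy ACS-VPN-POLICY
tunnel-group ACS-VPN webvpn-attributes
 ! group-url selects this tunnel-group from the URL alone;
 ! no group-alias and no "tunnel-group-list enable" under
 ! webvpn are needed, so AnyConnect shows no drop-down.
 group-url https://vpn.example.com/group1 enable
```

In the AnyConnect client profile, set the HostEntry's HostAddress to `vpn.example.com/group1` so the client lands on ACS-VPN while other users keep connecting to the IAS-backed default group; per-AD-group policy selection continues to come back from the RADIUS server as before.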