Remote Access Authentication with ACS

Jeff Nagel
Level 1

Hi,

We currently have an ASA 8.2.5 that authenticates remote access VPN users who connect using AnyConnect 3.1 via RADIUS, which is running on Microsoft IAS. We have 6 or 7 groups in Active Directory, and as long as they are in the correct group they get the correct tunnel-group and group policy, which gives them the correct ACL. We would like to move this authentication to ACS 5.2, which we have running already for TACACS authentication to network equipment.

I have added a new AAA Server group for the ACS server which tests fine from the ASA and also have joined the ACS to our AD domain.  I have set up a tunnel-group and group policy and changed User Authentication to the ACS server group.  The issue is that I get the following error message when trying to authenticate with the user:

Group <DfltGrpPolicy> User <testuser> IP <xx.xx.xx.xx> Authentication: rejected, Session Type: WebVPN

AAA user authentication Rejected : reason = AAA failure : server = xx.xx.xx.xx : user = testuser

It looks to me like it is defaulting to the DefaultWebVPNGroup tunnel group which has our IAS server configured as the Authentication Server Group.

I did use the AnyConnect VPN wizard and it created the tunnel-group, group policy and AnyConnect Client Profile, which did authenticate the user, but it added the tunnel-list drop-down in AnyConnect. We do not want the drop-down in AnyConnect; we want the user to just enter their AD network credentials, be assigned the correct tunnel-group/group policy, and be authenticated to ACS.

I cannot change the Authentication Server Group for the Default WebVPNGroup to our ACS as we want to migrate groups from the IAS to the ACS.

Do I have any other options to allow both IAS and ACS to authenticate users without the use of the tunnel-list in AnyConnect?

Thanks in advance.

Jeff

1 Reply

Rahul Govindan
VIP Alumni

You can create a Group-url for the new group that you created and use it in the Client profile for the user. This way, the user only goes to that group and he/she does not get the dropdown from any other aliases you may have created.

The group URL can be something like https://<asa-fqdn>/group1

More details are here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html#MAINTASK2
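The ASA-side configuration this reply describes, written out as an added example that is not from the thread or from Cisco's documentation; the server group, group-policy, tunnel-group and ACL names, the RADIUS host address and the FQDN vpn.example.com are placeholders, and the ASA 8.2 syntax is assumed:

```cisco
! RADIUS server group pointing at the ACS node (placeholder address and key)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>

! Group policy that carries the per-group ACL for ACS-authenticated users
group-policy ACS-GP internal
group-policy ACS-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value ACS-USERS-ACL

! Tunnel-group that authenticates against ACS instead of IAS
tunnel-group ACS-TG type remote-access
tunnel-group ACS-TG general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy ACS-GP
tunnel-group ACS-TG webvpn-attributes
 ! The group-url is what selects this tunnel-group; no group-alias is
 ! defined, so AnyConnect never needs the tunnel-group drop-down.
 group-url https://vpn.example.com/acs enable

! DefaultWebVPNGroup is left untouched and keeps authenticating to IAS,
! so groups not yet migrated continue to work during the cutover.
```

In the AnyConnect client profile, the server-list host entry then points at the group URL (host vpn.example.com with user group path acs), so the client lands on ACS-TG directly and only that tunnel-group's authentication server is consulted.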