01-08-2016 06:48 AM - edited 02-21-2020 08:36 PM
I have configured an AnyConnect RA VPN on a 5525-X ASA running version 9.4. I configured it so that it will perform authentication through a RADIUS server (which in this case is an ACS 4.2). The problem is that I can't authenticate to the VPN: even though in the logs of the ACS I see the authentication was successful, the ASA keeps telling me that login failed. It's worth mentioning that in the ACS 4.2 the device is added with "RADIUS (Cisco PIX 7.1+/ASA)". I'm not sure if it is still compatible with these new versions of ASA software. Any ideas of what I might be missing?
01-08-2016 07:39 AM
Is the ASA using ACS for any function other than authenticating AnyConnect (administrative login/Telnet/SSH, etc) that could demonstrate successful communication between ASA and ACS?
Are there any log messages on the ASA at the time that you are attempting to authenticate AnyConnect? It is a bit of a stretch but are there any messages generated on AnyConnect as it attempts to authenticate?
HTH
Rick
01-08-2016 08:18 AM
Thank you Richard. The ACS is only for VPN authentication. For sure there is at least one-way communication between the ACS and the ASA, since I can see my authentication attempts in the ACS and I can see them as successful. Perhaps the ACS is failing to send that info back to the ASA. Also, I'm not quite sure where I can see that kind of log in the ASA. Is there a way to filter it, like to the RA VPN type of log?
01-08-2016 08:43 AM
Certainly the ACS is seeing the request and believes that it responded positively. So we need to understand what the ASA received and what it did with it. As far as logs go, I frequently use the | include function:
show log | include <variable>
where variable might be the user name, or might be aaa, or fail, or something like that.
Perhaps debug for radius on the ASA would show the exchange of messages.
HTH
Rick
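Rick's suggestion to debug RADIUS on the ASA shows the message exchange on the wire. The following is an added example (mine, not from this thread and not Cisco ASA or ACS code) that models that exchange per RFC 2865, so it is clear what each side actually checks: the server (the ACS's role) recovers User-Password with its own copy of the shared secret and answers Access-Accept or Access-Reject; the client (the ASA's role) accepts a reply only if the Identifier matches an outstanding request and the Response Authenticator validates under the client's own secret. A reply that fails that check is silently discarded, which is one way "the server says it answered" and "the NAS reports login failed" can both be true. The secrets, user name, password and account database are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    """Split the attribute area of a packet into {type: value}; reject malformed lengths."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the first block."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(ciphertext, secret, request_auth):
    """Inverse of encode_user_password; only the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client side (the ASA's role): Access-Request carrying User-Name and User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def server_handle(packet, server_secret, user_db):
    """Server side (the ACS's role): recover the password with its own secret and answer
    Accept or Reject. Returns (reply_bytes, what_the_server_logs)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request_auth)
    ok = hmac.compare_digest(user_db.get(user, b"\x00"), password)
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, b"", server_secret)
    return reply, ("Passed" if ok else "Failed")


def client_check(reply, identifier, request_auth, client_secret):
    """What the NAS does with a reply: drop it unless the Identifier matches an outstanding
    request and the Response Authenticator validates under the NAS's own secret.
    Returns 'accept', 'reject' or 'discard'."""
    if len(reply) < 20:
        return "discard"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != identifier or length != len(reply):
        return "discard"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + client_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "discard"  # wrong secret, forged or altered reply: the login just fails
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard")


def run_exchange(client_secret, server_secret, username, password):
    """Constructed end-to-end run; returns (server_log, client_outcome)."""
    user_db = {b"vpnuser": b"Correct-Horse-Battery"}  # constructed sample account
    identifier, request_auth = 7, os.urandom(16)
    request = build_access_request(identifier, username, password, client_secret, request_auth)
    reply, server_log = server_handle(request, server_secret, user_db)
    return server_log, client_check(reply, identifier, request_auth, client_secret)


if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret", b"vpnuser", b"Correct-Horse-Battery"))  # ('Passed', 'accept')
    print(run_exchange(b"s3cret", b"s3cret", b"vpnuser", b"wrong"))                  # ('Failed', 'reject')
    print(run_exchange(b"s3cret", b"other", b"vpnuser", b"Correct-Horse-Battery"))   # ('Failed', 'discard')
```

The third run is the case worth keeping in mind when reading `debug radius` output: with mismatched secrets the server decodes a garbled password and answers Reject, and the NAS cannot even validate that Reject, so it logs nothing more useful than a failed login. The same discard path applies to any Accept whose authenticator does not verify, which is why a success recorded on the server side is not by itself evidence that the NAS accepted the reply.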
01-08-2016 08:57 AM
Sure! That makes sense. I will try watching the debug messages. Also, the ACS 4.2 has like a lot of flavors of RADIUS. One specifically says "PIX7.1+/ASA", but let's remember this is a very old ACS trying to work with a new version of ASA. I'm thinking there is a chance of incompatibility. Do you think this could be the case?
01-08-2016 10:23 AM
We cannot rule out the possibility of incompatibility between that implementation of RADIUS and this version of code for the ASA. Perhaps the output of debugs for RADIUS might help us see the issue better.
HTH
Rick
01-14-2016 06:39 AM
Thank you very much for your help Richard. In the end it was an AnyConnect incompatibility, since I was using an old one. After I updated it everything worked fine.
01-14-2016 07:02 AM
Thanks for posting back and letting us know that you have solved the problem. This may serve other readers in the forum as an example of the benefit of keeping versions of code close to current. Since the problem is solved perhaps you can mark the question as answered?
HTH
Rick