Remote Access VPN Authentication Failure

lpavon0312
Level 1

I have configured an AnyConnect RA VPN on a 5525x ASA in version 9.4. I configured it so that it will perform authentication through a RADIUS server (which in this case is an ACS 4.2). The problem is that I can't authenticate to the VPN: even though in the logs of the ACS I see the authentication was successful, the ASA keeps telling me that login failed. It's worth mentioning that in the ACS 4.2 the device is added with RADIUS for PIX 7.1+/ASA. I'm not sure if it is still compatible with these new versions of ASA Software. Any ideas of what I might be missing?

7 Replies

Richard Burts
Hall of Fame

Is the ASA using ACS for any function other than authenticating AnyConnect (administrative login/Telnet/SSH, etc) that could demonstrate successful communication between ASA and ACS?

Are there any log messages on the ASA at the time that you are attempting to authenticate AnyConnect? It is a bit of a stretch but are there any messages generated on AnyConnect as it attempts to authenticate?

HTH

Rick


Thank you Richard. The ACS is only for VPN authentication. For sure there is at least one-way communication between the ACS and the ASA, since I can see my authentication attempts in the ACS and I can see them as successful. Perhaps the ACS is failing to send that info back to the ASA. Also I'm not quite sure where I can see that kind of log in the ASA. Is there a way to filter it, like by the RA VPN type of log?

Certainly the ACS is seeing the request and believes that it responded positively. So we need to understand what the ASA received and what it did with it. As far as logs go, I frequently use the | include function

show log | include <variable>

where variable might be the user name, or might be aaa, or fail, or something like that.

Perhaps debug for radius on the ASA would show the exchange of messages.

HTH

Rick

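As an added illustration of the `show log | include` approach Rick describes (example code written for this page, not from the thread or from Cisco): a small Python script that filters constructed ASA-style log lines the way `| include` does and tallies AAA authentication outcomes per user, which is the ASA-side view to compare against what the ACS log reports. The server address, user names and reject reasons are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample in the style of ASA `show log` output (not captured
# from the poster's device). 113004/113005 are the standard ASA syslog IDs
# for AAA user authentication Successful / Rejected.
SAMPLE_SHOW_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = lpavon : user IP = 203.0.113.7
%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/51234 ...
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = lpavon : user IP = 203.0.113.7
"""

# Parses the fields of the 113004/113005 AAA authentication messages.
AAA_RE = re.compile(
    r"%ASA-\d-(?P<id>\d+): AAA user authentication (?P<outcome>Successful|Rejected)"
    r"(?: : reason = (?P<reason>[^:]+?))? : server = (?P<server>\S+) : user = (?P<user>\S+)"
)


def show_log_include(log_text, needle):
    """Equivalent of `show log | include <needle>`: keep lines containing the substring."""
    return [line for line in log_text.splitlines() if needle in line]


def summarize_aaa(log_text):
    """Per-user count of AAA successes/rejects plus the servers and reject reasons seen.

    A user that the RADIUS server reports as accepted but that shows only
    'Rejected' here points at the ASA side of the exchange, as in the thread.
    """
    summary = defaultdict(
        lambda: {"Successful": 0, "Rejected": 0, "servers": set(), "reasons": set()}
    )
    for line in log_text.splitlines():
        m = AAA_RE.search(line)
        if not m:
            continue  # not an AAA authentication message
        entry = summary[m["user"]]
        entry[m["outcome"]] += 1
        entry["servers"].add(m["server"])
        if m["reason"]:
            entry["reasons"].add(m["reason"].strip())
    return dict(summary)


if __name__ == "__main__":
    for line in show_log_include(SAMPLE_SHOW_LOG, "lpavon"):
        print(line)
    for user, entry in summarize_aaa(SAMPLE_SHOW_LOG).items():
        print(user, entry)
```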

Sure! That makes sense. I will try watching the debug messages. Also, the ACS 4.2 has like a lot of flavors of RADIUS. One specifically says "PIX7.1+/ASA", but let's remember this is a very old ACS trying to work with a new version of ASA. I'm thinking there is a chance of incompatibility. Do you think this could be the case?

We cannot rule out the possibility of incompatibility between that implementation of RADIUS and this version of code for the ASA. Perhaps the output of debugs for RADIUS might help us see the issue better.

HTH

Rick


Thank you very much for your help Richard. In the end it was an AnyConnect incompatibility, since I was using an old one. After I updated it everything worked fine.

Thanks for posting back and letting us know that you have solved the problem. This may serve other readers in the forum as an example of the benefit of keeping versions of code close to current. Since the problem is solved perhaps you can mark the question as answered?

HTH

Rick
