
Requested tunnel protocol (ssl-client) not allowed by group-policy

Bert-At-Work
Level 1

Hi, I'm trying to set up a remote access SSL VPN on my FPR1010, but running into trouble.  If someone kind could help I'd be grateful. Backstory:

I've been through the RA VPN wizard, these are the things I've done:

  • I'm only using SSL
  • I've defined a wildcard certificate issued by my organisation
  • I've uploaded the Secure Client images for Windows, macOS and Linux
  • I'm using a LOCAL user account (for now)
  • I've created an IPv4 address pool
  • I've set two internal DNS servers
  • I've exempted VPN traffic from NAT

It seems to be a pretty basic setup where I'm using local accounts and although I used the wizard, I had to make some additional config changes, such as enabling WEBVPN on the outside interface.

Problem:

When I try to log into the VPN, the Cisco Secure Client software errors out with a message that says: "Login denied, unauthorised connection mechanism, contact your administrator".  Using the Realtime Log Viewer, I can see that my AAA user authentication is successful, but it retrieves the default group policy (DfltGrpPolicy) for my user.  I actually created a new Group Policy that I wanted to use, the idea being that I will create another Group Policy when I get around to setting up a different method of authentication via SAML with AzureAD.  But for now, I'm just trying to get the local user up and running... And failing!

This is my first post on here and I'm familiar with ASAs but by no means an expert. This is also the first RA VPN that I've set up so please be gentle.

1 Accepted Solution

@Bert-At-Work enable the drop-down list:

webvpn
 tunnel-group-list enable

@Bert-At-Work Did you create a new connection profile (aka tunnel-group), and did you connect to that connection profile when you attempted to connect to the VPN?

Is the new group-policy associated with the tunnel-group/connection profile?

Run the command "show run tunnel-group" from the CLI and confirm that the group policy is associated with the correct tunnel-group.

If you provide your configuration we should be able to work out the problem.

You mention the user gets the default group and then you mention it failed!! What failed?

Can you elaborate more?

Thanks

MHM

Bert-At-Work
Level 1

Hi Rob, thanks for the quick reply.  Yes, I created a new Secure Client Connection Profile.  I now have 3 in total. They are: DefaultRAGroup, DefaultWEBVPNGroup and the one I created, named 'BERTNETWORKS_ravpn_local'.  When I attempt to connect to the VPN from my client application, I just enter the FQDN and then click connect.  All I'm presented with after that is a username and password field; there's no drop-down or anything to select a profile, or anything at all really.

This is the output of "show run tunnel-group"

FPR1010# show run tunnel-group
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
 address-pool BERTNETWORKS_ravpn_dhcp_pool
 default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
 group-alias BERTNETWORKS_ravpn_local enable

@Bert-At-Work enable the drop-down list:

webvpn
 tunnel-group-list enable

Bert-At-Work
Level 1

This is the wider config if it is helpful:

webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/secure-client-software/cisco-secure-client-win-5.1.4.74-webdeploy-k9.pkg 1
 anyconnect image disk0:/secure-client-software/cisco-secure-client-macos-5.1.4.74-webdeploy-k9.pkg 2
 anyconnect image disk0:/secure-client-software/cisco-secure-client-linux64-5.1.4.74-webdeploy-k9.pkg 3
 cache
  disable
 error-recovery disable
group-policy BERTNETWORKS_ravpn internal
group-policy BERTNETWORKS_ravpn attributes
 banner value Welcome. For now...
 dns-server value 10.10.10.10 10.10.10.20
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BERTNETWORKS-internal-network
 address-pools value BERTNETWORKS_ravpn_dhcp_pool
dynamic-access-policy-record DfltAccessPolicy
username bert1 password ***** pbkdf2
username bert0 password ***** pbkdf2 privilege 15
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
 address-pool BERTNETWORKS_ravpn_dhcp_pool
 default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
 group-alias BERTNETWORKS_ravpn_local enable

I was trying to use DAP (thinking that this is the first policy that is checked), but what I was trying didn't seem to work.


MHM

Bert-At-Work
Level 1

Ahh Rob! Thanks so much. I see the drop down now and I can connect. I've been looking at this for so long, YouTube videos here and documents there, I never saw that at all...

You've been so helpful! I have a lot to learn too. Thank you.

Friend, if you use FMC then from the GUI you can enable the list; as far as I know there is no need for the CLI.

Also, this list is used for the tunnel-group, not the group-policy.

If you want AnyConnect to select the group-policy you need AD/LDAP with a map.

Good luck

MHM
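The failure mode in this thread is easy to miss by eye: the connection profile is fully configured, but without `tunnel-group-list enable` under `webvpn` the alias is never offered, Secure Client is mapped to DefaultWEBVPNGroup, and that profile's default policy (DfltGrpPolicy) is what rejects `ssl-client`. The following lint script is an added example, not code from the thread or from Cisco. It parses the poster's pasted `show run` excerpt (a constructed copy, with the indentation the forum stripped) and reports both the missing `tunnel-group-list enable` and whether the profile the client actually lands in has a group-policy that permits `ssl-client`. The list of top-level keywords used to split the unindented config is an assumption chosen for this excerpt, and the "no drop-down means DefaultWEBVPNGroup" rule is taken from the behaviour the poster observed.

```python
"""Lint an ASA/FTD 'show run' excerpt for the cause of
"Requested tunnel protocol (ssl-client) not allowed by group-policy".
Added example, not from the thread; it checks two things:
  1. group-alias configured but 'tunnel-group-list enable' missing under webvpn;
  2. the group-policy of every profile the client can reach allows ssl-client.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the poster's excerpt with the fix NOT applied.
BROKEN_CONFIG = """\
webvpn
enable outside
anyconnect image disk0:/secure-client-software/cisco-secure-client-win-5.1.4.74-webdeploy-k9.pkg 1
cache
disable
error-recovery disable
group-policy BERTNETWORKS_ravpn internal
group-policy BERTNETWORKS_ravpn attributes
banner value Welcome. For now...
dns-server value 10.10.10.10 10.10.10.20
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
address-pools value BERTNETWORKS_ravpn_dhcp_pool
dynamic-access-policy-record DfltAccessPolicy
username bert1 password ***** pbkdf2
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
address-pool BERTNETWORKS_ravpn_dhcp_pool
default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
group-alias BERTNETWORKS_ravpn_local enable
"""

# Same excerpt plus the accepted fix.
FIXED_CONFIG = BROKEN_CONFIG + "webvpn\n tunnel-group-list enable\n"

# Assumption: commands that open a new top-level context. Needed because the
# pasted config has lost its indentation; extend for a fuller show run.
TOPLEVEL_RE = re.compile(
    r"^(username|dynamic-access-policy-record|group-policy|tunnel-group|webvpn"
    r"|aaa|crypto|interface|access-list|nat|object)(?=\s|$)"
)
MODE_RE = re.compile(
    r"^(?:(?P<webvpn>webvpn)|group-policy (?P<gp>\S+) attributes"
    r"|tunnel-group (?P<tg>\S+) (?P<tgmode>general-attributes|webvpn-attributes))$"
)
TYPE_RE = re.compile(r"^tunnel-group (?P<tg>\S+) type (?P<type>\S+)$")


@dataclass
class Config:
    webvpn: list[str] = field(default_factory=list)
    group_policies: dict[str, list[str]] = field(default_factory=dict)
    tunnel_groups: dict[str, dict[str, list[str]]] = field(default_factory=dict)


def parse(text: str) -> Config:
    """Bucket sub-commands under their webvpn / group-policy / tunnel-group context."""
    cfg = Config()
    bucket: list[str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TYPE_RE.match(line)):
            cfg.tunnel_groups.setdefault(m["tg"], {})["type"] = [m["type"]]
            bucket = None
        elif (m := MODE_RE.match(line)):
            if m["webvpn"]:
                bucket = cfg.webvpn
            elif m["gp"]:
                bucket = cfg.group_policies.setdefault(m["gp"], [])
            else:
                bucket = cfg.tunnel_groups.setdefault(m["tg"], {}).setdefault(m["tgmode"], [])
        elif TOPLEVEL_RE.match(line):
            bucket = None  # e.g. 'group-policy X internal', 'username ...'
        elif bucket is not None:
            bucket.append(line)  # sub-command of the current context
    return cfg


def protocols_for(cfg: Config, gp: str) -> list[str] | None:
    """Explicit vpn-tunnel-protocol of a group-policy, or None when the excerpt
    does not set it (the policy then inherits, which we cannot see here)."""
    for line in cfg.group_policies.get(gp, []):
        if line.startswith("vpn-tunnel-protocol "):
            return line.split()[1:]
    return None


def selectable_aliases(cfg: Config) -> list[str]:
    """Aliases Secure Client will show in its drop-down: none unless
    'tunnel-group-list enable' is present under webvpn."""
    if "tunnel-group-list enable" not in cfg.webvpn:
        return []
    return [
        line.split()[1]
        for modes in cfg.tunnel_groups.values()
        for line in modes.get("webvpn-attributes", [])
        if line.startswith("group-alias ") and line.endswith(" enable")
    ]


def lint(cfg: Config) -> list[str]:
    """Human-readable findings; an empty list means the ssl-client path looks sane."""
    findings: list[str] = []
    configured = [
        line.split()[1]
        for modes in cfg.tunnel_groups.values()
        for line in modes.get("webvpn-attributes", [])
        if line.startswith("group-alias ")
    ]
    offered = selectable_aliases(cfg)
    if configured and not offered:
        findings.append(
            "webvpn: 'tunnel-group-list enable' is missing, so alias(es) "
            + ", ".join(configured)
            + " are never shown and Secure Client is mapped to DefaultWEBVPNGroup"
        )
    # Profiles the client can actually reach: the ones with an offered alias,
    # or, with no drop-down, only DefaultWEBVPNGroup (as observed in the thread).
    if offered:
        reachable = [
            name for name, modes in cfg.tunnel_groups.items()
            if any(l.split()[1] in offered for l in modes.get("webvpn-attributes", [])
                   if l.startswith("group-alias "))
        ]
    else:
        reachable = ["DefaultWEBVPNGroup"]
    for name in reachable:
        general = cfg.tunnel_groups.get(name, {}).get("general-attributes", [])
        gp = next((l.split()[1] for l in general if l.startswith("default-group-policy ")),
                  "DfltGrpPolicy")
        protos = protocols_for(cfg, gp)
        if protos is None:
            findings.append(f"{name}: default-group-policy {gp} sets no vpn-tunnel-protocol "
                            "in this excerpt; cannot confirm ssl-client is allowed")
        elif "ssl-client" not in protos:
            findings.append(f"{name}: group-policy {gp} allows {' '.join(protos)} but not ssl-client")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", lint(parse(text)) or "no findings")
```

Run against the broken excerpt it reports the missing `tunnel-group-list enable` and that DefaultWEBVPNGroup's DfltGrpPolicy cannot be shown to allow `ssl-client`; with the accepted one-line fix appended, the only reachable profile is BERTNETWORKS_ravpn_local, whose policy sets `vpn-tunnel-protocol ssl-client`, and the lint comes back clean. The same check is a reasonable thing to run after any wizard-driven RA VPN build, since the wizard creates the connection profile but the alias drop-down is a separate global setting.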