06-19-2024 12:23 PM
Hi, I'm trying to set up a remote access SSL VPN on my FPR1010, but running into trouble. If someone kind could help I'd be grateful. Backstory:
I've been through the RA VPN wizard; these are the things I've done:
It seems to be a pretty basic setup where I'm using local accounts, and although I used the wizard, I had to make some additional config changes, such as enabling WEBVPN on the outside interface.
Problem:
When I try to log into the VPN, the Cisco Secure Client software errors out with a message that says: "Login denied, unauthorised connection mechanism, contact your administrator". Using the Realtime Log Viewer, I can see that my AAA user authentication is successful, but it retrieves the default group policy (DfltGrpPolicy) for my user. I actually created a new Group Policy that I wanted to use, the idea being that I will create another Group Policy when I get around to setting up a different method of authentication via SAML with AzureAD. But for now, I'm just trying to get the local user up and running... And failing!
This is my first post on here and I'm familiar with ASAs but by no means an expert. This is also the first RA VPN that I've set up so please be gentle.
06-19-2024 12:34 PM
@Bert-At-Work Did you create a new connection profile aka tunnel-group, and did you connect to that connection profile when you attempted to connect to the VPN?
Is the new group-policy associated to the tunnel-group/connection profile?
Run the command "show run tunnel-group" from the CLI and confirm the group policy is associated to the correct tunnel-group.
If you provide your configuration we shall be able to work out the problem.
06-19-2024 12:48 PM
You mention the user gets the default group and then you mention it failed!! What failed?
Can you elaborate more?
Thanks
MHM
06-19-2024 12:57 PM
Hi Rob, thanks for the quick reply. Yes, I created a new Secure Client Connection Profile. I now have 3 in total. They are: DefaultRAGroup, DefaultWEBVPNGroup and the one I created, named 'BERTNETWORKS_ravpn_local'. When I attempt to connect to the VPN from my client application, I just enter the FQDN and then click connect. All I'm presented with after that is a username and password field; there's no dropdown or anything to select a profile, or anything at all really.
This is the output of "show run tunnel-group"
FPR1010# show run tunnel-group
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
 address-pool BERTNETWORKS_ravpn_dhcp_pool
 default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
 group-alias BERTNETWORKS_ravpn_local enable
06-19-2024 01:01 PM
06-19-2024 12:59 PM - edited 06-19-2024 01:02 PM
This is the wider config if it is helpful:
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/secure-client-software/cisco-secure-client-win-5.1.4.74-webdeploy-k9.pkg 1
 anyconnect image disk0:/secure-client-software/cisco-secure-client-macos-5.1.4.74-webdeploy-k9.pkg 2
 anyconnect image disk0:/secure-client-software/cisco-secure-client-linux64-5.1.4.74-webdeploy-k9.pkg 3
 cache
  disable
 error-recovery disable
group-policy BERTNETWORKS_ravpn internal
group-policy BERTNETWORKS_ravpn attributes
 banner value Welcome. For now...
 dns-server value 10.10.10.10 10.10.10.20
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BERTNETWORKS-internal-network
 address-pools value BERTNETWORKS_ravpn_dhcp_pool
dynamic-access-policy-record DfltAccessPolicy
username bert1 password ***** pbkdf2
username bert0 password ***** pbkdf2 privilege 15
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
 address-pool BERTNETWORKS_ravpn_dhcp_pool
 default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
 group-alias BERTNETWORKS_ravpn_local enable
I was trying to use DAP (thinking that this is the first policy that is checked), but what I was trying didn't seem to work.
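An added example, not code from this thread, from Cisco or from the poster: a small Python checker that parses the kind of flattened "show run" excerpt pasted above and reports the linkage problems the replies ask about. It checks that the connection profile names a default-group-policy that is actually defined and permits ssl-client, that the profile has an enabled group-alias, and that the global webvpn section enables an interface and the tunnel-group list. The last item is the ASA command `tunnel-group-list enable` under `webvpn`, which is what makes Secure Client offer a profile drop-down; without it a user who only types the FQDN lands in the default profile. The sample config is constructed from the excerpts in this thread with passwords masked, and the section-keyword heuristic for reading unindented pastes is this example's own assumption.

```python
"""Audit the ASA/FTD remote-access VPN linkage between a connection profile
(tunnel-group), its group-policy and the global webvpn section, from a
'show run' excerpt. Added example; not part of this thread or of Cisco tooling."""

# Constructed sample: the excerpts posted in this thread, as the forum shows
# them (indentation lost, passwords masked). The parser tolerates both forms.
THREAD_CONFIG = """\
webvpn
enable outside
anyconnect image disk0:/secure-client-software/cisco-secure-client-win-5.1.4.74-webdeploy-k9.pkg 1
cache
disable
error-recovery disable
group-policy BERTNETWORKS_ravpn internal
group-policy BERTNETWORKS_ravpn attributes
banner value Welcome. For now...
dns-server value 10.10.10.10 10.10.10.20
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BERTNETWORKS-internal-network
address-pools value BERTNETWORKS_ravpn_dhcp_pool
dynamic-access-policy-record DfltAccessPolicy
username bert1 password ***** pbkdf2
tunnel-group BERTNETWORKS_ravpn_local type remote-access
tunnel-group BERTNETWORKS_ravpn_local general-attributes
address-pool BERTNETWORKS_ravpn_dhcp_pool
default-group-policy BERTNETWORKS_ravpn
tunnel-group BERTNETWORKS_ravpn_local webvpn-attributes
group-alias BERTNETWORKS_ravpn_local enable
"""

# Keywords that open a top-level section in ASA configuration (assumed set,
# enough for the sections this audit looks at).
SECTION_WORDS = {"webvpn", "group-policy", "tunnel-group", "username",
                 "dynamic-access-policy-record"}


def parse_sections(config):
    """Split config text into (header, [child lines]) pairs.

    Real 'show run' output indents children by one space; forum pastes often
    lose that. So an unindented line whose first word is a section keyword
    opens a new section, and every other line attaches to the current one.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" ") and raw.split()[0] in SECTION_WORDS:
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit_ra_vpn(config, profile):
    """Return human-readable findings for one remote-access connection profile."""
    lookup = dict(parse_sections(config))  # header -> child lines
    findings = []

    if f"tunnel-group {profile} type remote-access" not in lookup:
        return [f"{profile}: no 'type remote-access' tunnel-group"]

    # 1. The profile must hand out a group-policy that actually exists ...
    general = lookup.get(f"tunnel-group {profile} general-attributes", [])
    policy = next((l.split()[1] for l in general
                   if l.startswith("default-group-policy ")), None)
    if policy is None:
        findings.append(f"{profile}: no default-group-policy, users fall back to DfltGrpPolicy")
    else:
        defined = any(h.startswith(f"group-policy {policy} ") and len(h.split()) > 2
                      and h.split()[2] in ("internal", "external") for h in lookup)
        if not defined:
            findings.append(f"{profile}: default-group-policy {policy} is not defined")
        # ... and that policy must permit the SSL client protocol.
        attrs = lookup.get(f"group-policy {policy} attributes", [])
        protos = next((l.split()[1:] for l in attrs
                       if l.startswith("vpn-tunnel-protocol ")), None)
        if protos is not None and "ssl-client" not in protos:
            findings.append(f"{policy}: vpn-tunnel-protocol lacks ssl-client")

    # 2. The profile needs an enabled alias to be selectable by name.
    wv_attrs = lookup.get(f"tunnel-group {profile} webvpn-attributes", [])
    if not any(l.startswith("group-alias ") and l.endswith(" enable") for l in wv_attrs):
        findings.append(f"{profile}: no enabled group-alias")

    # 3. Global webvpn: an interface must be enabled, and the tunnel-group list
    #    must be enabled or Secure Client never shows the profile drop-down.
    webvpn = lookup.get("webvpn", [])
    if not any(l.startswith("enable ") for l in webvpn):
        findings.append("webvpn: not enabled on any interface")
    if "tunnel-group-list enable" not in webvpn:
        findings.append("webvpn: 'tunnel-group-list enable' missing, client cannot select the profile")
    return findings


if __name__ == "__main__":
    for line in audit_ra_vpn(THREAD_CONFIG, "BERTNETWORKS_ravpn_local") or ["no findings"]:
        print(line)
```

Run against the thread's own excerpt it reports only the missing `tunnel-group-list enable`; paste in real `show run` output (indented) and it reads the same sections. It is a linkage check, not an authentication test: a clean result means the profile, policy and webvpn section point at each other, not that the login itself will succeed.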
06-19-2024 01:05 PM - edited 06-19-2024 01:18 PM
MHM
06-19-2024 01:10 PM
Ahh Rob! Thanks so much. I see the drop down now and I can connect. I've been looking at this for so long, YouTube videos here and documents there, I never saw that at all...
You've been so helpful! I have a lot to learn too. Thank you.
06-19-2024 01:32 PM
Friend, if you use FMC then from the GUI you can allow the list as I know, no need for CLI.
Also this list is used for the tunnel-group, not the group-policy.
If you want to make AnyConnect select the group-policy you need AD/LDAP with a map.
Good luck
MHM