2099 Views | 5 Helpful | 8 Replies

SSLVPN on RV340 with RADIUS

chellchevos (Level 1)

I have a RADIUS server connected to an RV340 router and can see logs that tell me links are connected.

The issue I have is this, from logs on the Cisco router:

ssl-vpn
log_sslvpnac: facility=SslVpn;msg=ERROR sslvpn_aaa_stubs.c.113[747DD470] sbtg_authorize: user(user) is not authorized to access VPN service
ssl-vpn
log_sslvpnac: facility=SslVpn;msg=DEBUG sslvpn_aaa_stubs.c.105[747DD470] sbtg_authorize: ret 0.;

It looks like I need to add the RADIUS users to a group that has VPN access. I guess this is to be set on the RV340, but I can only see options to set local users' VPN access through groups.

There must be some straightforward way of registering RADIUS users properly.
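As an added example (not code from the post or from Cisco), a small Python parser for the log_sslvpnac lines quoted above: it splits each line into facility, level, source file, context tag and function, and counts the sbtg_authorize denials per user, which makes it easy to see that the router is rejecting at the authorization step (its own VPN service check) rather than at RADIUS authentication. The lines beyond the two quoted in the post are constructed for the sample.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the post plus constructed variants
# (a second user, a second context tag, and a line in another format).
SAMPLE_LOG = """\
log_sslvpnac: facility=SslVpn;msg=ERROR sslvpn_aaa_stubs.c.113[747DD470] sbtg_authorize: user(user) is not authorized to access VPN service
log_sslvpnac: facility=SslVpn;msg=DEBUG sslvpn_aaa_stubs.c.105[747DD470] sbtg_authorize: ret 0.;
log_sslvpnac: facility=SslVpn;msg=ERROR sslvpn_aaa_stubs.c.113[747DD470] sbtg_authorize: user(alice) is not authorized to access VPN service
log_sslvpnac: facility=SslVpn;msg=ERROR sslvpn_aaa_stubs.c.113[747DD471] sbtg_authorize: user(user) is not authorized to access VPN service
some unrelated line that does not match the sslvpn format
"""

# Field layout as seen in the post: facility, level, source file + line, [context tag], function: text
LINE_RE = re.compile(
    r"^log_sslvpnac: facility=(?P<facility>\w+);msg=(?P<level>\w+) "
    r"(?P<src>[\w.]+)\[(?P<ctx>[0-9A-Fa-f]+)\] (?P<func>\w+): (?P<text>.*)$"
)
# The authorization denial message carries the username in parentheses.
NOT_AUTHZ_RE = re.compile(r"user\((?P<user>[^)]*)\) is not authorized to access VPN service")


def parse_line(line):
    """Return a dict of fields for one RV340 sslvpn log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    denial = NOT_AUTHZ_RE.search(rec["text"])
    rec["user"] = denial.group("user") if denial else None
    rec["authz_denied"] = denial is not None
    return rec


def summarize_denials(log_text):
    """Count 'not authorized to access VPN service' events per username."""
    denials = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["authz_denied"]:
            denials[rec["user"]] += 1
    return denials


def group_by_ctx(log_text):
    """Group (level, text) pairs by the bracketed context tag, so the ERROR line
    and the following DEBUG 'ret 0' line of one authorization attempt sit together."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups.setdefault(rec["ctx"], []).append((rec["level"], rec["text"]))
    return groups
```

A RADIUS server log showing Access-Accept for the same user alongside a non-empty denial count here points at the router-side group/service assignment, not at the credentials.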


8 Replies

balaji.bandi (Hall of Fame)

check this place, authentication order:

[attached image: image.png]

BB

Thank you for your reply.

Never tried a different source for authentication on VPN; we expect both should be the same RADIUS (under RADIUS, you can configure different RADIUS servers for high availability).

You did not check the "use for default" tick box.

Make sure you have routing in place for the RADIUS server to reach back to the router.

BB

Does that solution work?

BB

[Accepted Solution] No, that 'solution' was something obvious. We really should have more guides/documentation instead of having to rely on forums full of people trying to belittle others' intelligence. I'm not going to give the solution because it should be in a guide. Cisco has lots of guides but the 'solution' I needed wasn't in any of them. IT is not too hard; the bad teaching and lack of compassion in communications makes it more difficult than it should be.

I landed here as I found the same errors as chellchevos.

Today, I am using SSL VPN + AnyConnect client for a few OSX users, and it doesn't incorporate DUO MFA, which I do not like. The Win 10/11 users still use their respective built-in clients.

I recently switched from a Peplink router (worked beautifully) for the sole purpose of getting away from the Windows 10/11 built-in clients, knowing I would need a Cisco device to use the AnyConnect Mobility Client. Or at least I think I know that. In any event, I have the RV345P in place now and all is well, other than that I can't figure out what I am missing to get AnyConnect to work for Windows users in the same way their built-in Windows VPN client works now.

All traffic hitting the router from the FQDN vpnserver.mydomain.com has a Static NAT based on a custom service created via Service Management. Port forwarding is in place as well. Once hit, the user is directed to the DUO Auth Proxy, which is configured with Radius/NAP/AD values - all unbeknownst to the user of course. The user accepts a prompt on their mobile device and access into the on-prem network is established.

Today if I install the AnyConnect client on a Windows 10/11 device, enter the vpnserver.mydomain.com address, and attempt to connect, very quickly a "No valid certificate available for authentication" error is thrown.

I have uploaded the vpnserver.mydomain.com certificate to the RV345P Certificate Table; all devices have this same certificate in place as well.

I have looked at Client-to-Site and Teleworker options, but neither spoke to me immediately.

On the Users and User Groups front, I looked at Remote Authentication Service options, played around a little, and locked myself out during early testing. Thankfully I was on-site at the time, which I rarely am, so I need to be strategic about which configs to apply. But possibly the key lies within those User Account settings.

 

Is it just as simple as removing the Use Default flag from the AnyConnect SSL VPN Service to bypass the local DB and move along the path as configured?

Pasa (Level 1)

I also can't figure out how to get RADIUS up and running, please help.

[attached image: 1.jpg]

Here is a log from RADIUS in Synology; as you can see, it is successful.

[attached image: 2.jpg]

Here is a log from RADIUS in Synology; as you can see, it is successful. (For testing I set up RADIUS to log in to the router itself and it works normally.)

[attached image: 3.jpg]

[attached image: 4.jpg]

And here is the log of the router.

And finally, best of all, when you remove everything and set up Local DB, the router is still trying to contact RADIUS; it can be seen on both sides of the log. And if you turn off RADIUS, you will no longer be able to log in to the router!

[attached image: 5.jpg]

It's really frustrating; RADIUS is a common thing in other routers and APs, and I wouldn't think it would not work with a Cisco router. Thank you for your help.

 

 

 

 
