Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
985
Views
0
Helpful
4
Replies

Strange issue with Anyconnect on 9.0.3 with Radius based authentication.

manish arora
Level 6
Level 6

‎08-27-2014 12:24 PM - edited ‎02-21-2020 07:48 PM

Hi everyone

Just saw a very strange issue with Anyconnect on 9.0.3 with radius authentication with Class 25 Attribute. I have webvpn|Anyconnect  configured on 5510 running 9.0.3, the authentication is done using a FreeRadius server with class 25 attributes being passed on for group assignment.

The user is able to authenticate & group-policy is being assigned as per the Class attribute but for some reason only members of one Group have access to the resources ones connected using anyconnect  rest of the users are authenticated, group-policy assigned but have no access at all and whats strange is that all users have access according to group-policy for webvpn.

I have not cleared the tunnel-group or rebooted the device since it's been moved to Freeradius with Class Attributes from the static group assignment. Here's the configuration :

webvpn
 enable outside
 enable backup
 enable inside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable

!

group-policy SSL_1 internal
group-policy SSL_1 attributes
 dns-server value 10.100.100.100
 vpn-filter value SSL_1-FILTER
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 address-pools value SSL_1
 webvpn
  anyconnect keep-installer installed
group-policy SSL_2 internal
group-policy SSL_2 attributes
 dns-server value 10.100.100.100
 vpn-filter value SSL_2-FILTER
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 address-pools value SSL_2
 webvpn
  anyconnect keep-installer installed

!

tunnel-group VPN-SSL type remote-access
tunnel-group VPN-SSL general-attributes
 authentication-server-group 2FA_GRP_LDAP LOCAL
 authorization-server-group 2FA_GRP_LDAP
 default-group-policy SSL_2
tunnel-group VPN-SSL webvpn-attributes
 radius-reject-message
 group-alias VPN-SSL enable

 

Please let me know if you have seen this before.

Thanks

Manish

 

 

 

 

Labels:
0 Helpful
4 Replies 4

manish arora
Level 6
Level 6

‎08-27-2014 09:59 PM

anyone ?

0 Helpful

manish arora
Level 6
Level 6
In response to manish arora

‎08-29-2014 01:58 PM

Fixed - Thanks to TAC ( Mr. Luis) :-)

"sh vpn-sessiondb detail anyconnect" is your friend.

If you have multiple policies and your assigned policy is missing some parameters, the firewall will pull them from default policy and use them.

 

0 Helpful

Kudetauk77
Level 1
Level 1
In response to manish arora

‎01-19-2016 08:17 AM

Hi Manish , 

I am trying to get a similar thing working. Can you explain how you configured free radius class25 , where is it etc ?

Thanks 

Craig 

0 Helpful

manish arora
Level 6
Level 6
In response to Kudetauk77

‎01-20-2016 06:30 PM

are you looking for the ASA side or FR side ?

Manish

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents