08-30-2021 12:37 AM
I have an ASA 5525 running 9.14. I already have a remote-access VPN that is working fine. I then duplicated the VPN profile and used a RADIUS server with two-factor authentication for authentication, and now I'm hearing complaints about connectivity issues after authenticating to the VPN. Can a RADIUS server that is used for authenticating users affect user connectivity and reachability after authentication? I thought that as soon as the user logs in, the RADIUS server is only used to authenticate them and then it is out of the picture?
08-30-2021 12:48 AM
Well the RADIUS server could still be used for accounting purposes, but I doubt it is causing connectivity issues post authentication.
What is the exact issue? Does it happen to all users on both or one of the connection profiles?
Did you create a new VPN IP address pool, if so did you create a NAT exemption rule?
08-30-2021 12:52 AM
The original connection profile is OK, so it doesn't make sense that the RADIUS-authenticated profile is having issues, right?
I'm using the same IP pool as the original profile.
08-30-2021 12:55 AM
Is the RADIUS server returning any specific attributes that apply to the original tunnel-group/connection profile, but don't apply to the new connection profile?
If not, nothing obvious comes to mind (without seeing the configuration or understanding what the users are saying).
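The question above is whether the RADIUS server is returning attributes that were written for the original tunnel-group. One way to check that without guessing is to capture the Access-Accept and decode its attributes. The following is an added example, not code from this thread or from Cisco: it parses a RADIUS packet, expands Vendor-Specific (26) attributes, and lists the ones that bind the session to a group-policy (Class with an OU= prefix), a tunnel-group (Tunnel-Group-Lock) or an address pool (Address-Pools). Vendor ID 3076 is the one the ASA uses for its own VSAs; the vendor-type numbers 85 and 217 are assumed here and should be verified against the ASA RADIUS attribute table. The sample packet is constructed for the demonstration.

```python
"""Decode the attributes in a RADIUS Access-Accept and flag the ones that
pin a VPN session to a particular group-policy, tunnel-group or pool."""
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
STD_ATTR_NAMES = {8: "Framed-IP-Address", 25: "Class", 26: "Vendor-Specific"}
VENDOR_CISCO_ASA = 3076  # vendor ID used by the ASA for its own VSAs
# Vendor-type numbers below are assumed; verify against the ASA attribute table.
ASA_VSA_NAMES = {85: "Tunnel-Group-Lock", 217: "Address-Pools"}


def encode_vsa(vendor_id, vendor_type, value):
    """Build the value of a Vendor-Specific (26) attribute: vendor id + one sub-TLV."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def build_packet(code, ident, attrs):
    """Assemble a RADIUS packet from (type, value) pairs; authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(name, raw_value)]) with VSAs expanded into named sub-attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA sub-attribute")
                if vendor_id == VENDOR_CISCO_ASA:
                    name = ASA_VSA_NAMES.get(vtype, f"ASA-VSA-{vtype}")
                else:
                    name = f"VSA-{vendor_id}-{vtype}"
                attrs.append((name, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((STD_ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return code, attrs


def profile_pinning_attributes(attrs):
    """Attributes that tie the session to a specific group-policy, tunnel-group or pool."""
    pinning = []
    for name, value in attrs:
        if name == "Class" and value.startswith(b"OU="):
            pinning.append((name, value[3:].decode()))   # ASA reads OU= as group-policy
        elif name in ("Tunnel-Group-Lock", "Address-Pools"):
            pinning.append((name, value.decode()))
    return pinning


# Constructed sample Access-Accept, the kind a server set up for the original
# connection profile might return; names are placeholders.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [
    (25, b"OU=GP-Original"),
    (26, encode_vsa(VENDOR_CISCO_ASA, 85, b"RA-Original")),
    (26, encode_vsa(VENDOR_CISCO_ASA, 217, b"VPN-POOL")),
    (8, bytes([10, 20, 30, 40])),
])

if __name__ == "__main__":
    code, attrs = parse_attributes(SAMPLE_ACCEPT)
    print("code:", code)
    for name, value in profile_pinning_attributes(attrs):
        print(f"{name}: {value}")
```

If the decoded Access-Accept names the original tunnel-group or a pool that the cloned profile does not use, that is a concrete reason for the two profiles to behave differently after authentication; if it returns nothing of the kind, the RADIUS server can be set aside and the post-authentication path (pools, NAT exemption, split-tunnel policy) looked at instead.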
08-30-2021 01:02 AM
Can you give an example of these attributes, as I'm not clear what you mean? The thing is, I was using Cisco Duo for the two-factor and it was fine, then I changed to Okta, which is giving issues at the moment.
08-30-2021 01:08 AM
@baselzind, it would be helpful to know what exact issues they are experiencing.
Do all users experience the same issues or just some?
If you revert back to the other connection profile do they still experience issues?
08-30-2021 10:55 PM
No, the connection profile which I cloned for the RADIUS authentication isn't having any issues. I'm still waiting to hear the exact details of the problem from customers.
09-01-2021 08:35 AM
I, too, have a similar issue. Users can connect successfully but then cannot access specific network resources. What we found is that the workstation shows no cached Kerberos tickets (command prompt > KLIST). The trigger seems to be when the user changes their password. The workaround is that either the user comes into the office and connects, or we use a Connection Profile that does not require MFA (RADIUS) authentication. After implementing either workaround one time for the user, subsequent connections through the MFA Connection Profile have no more issues for the user.
Like you, the only difference between the Connection Profiles is the RADIUS configuration for authentication. I plan to open a case with Cisco Support to investigate.