vpn connectivity affected by two factor authentication?

baselzind
Level 6

I have an ASA 5525 v9.14. I already have a remote VPN that is working fine. Then I duplicated the VPN profile and used a RADIUS with two-factor authentication for authentication. Now I'm hearing complaints about connectivity issues after authenticating to the VPN. Can a RADIUS server that is used for authenticating users affect user connectivity and reachability after authenticating? I thought that as soon as the user logs in, the RADIUS server is only used to authenticate them and then it is out of the picture?

7 Replies

@baselzind 

Well, the RADIUS server could still be used for accounting purposes, but I doubt it is causing connectivity issues post-authentication.

What is the exact issue? Does it happen to all users on both or one of the connection profiles?

Did you create a new VPN IP address pool? If so, did you create a NAT exemption rule?


The original connection profile is OK, so it doesn't make sense that the RADIUS-authenticated profile is having issues, right?

I'm using the same IP pool as the original profile.

@baselzind 

Is the RADIUS server returning any specific attributes that apply to the original tunnel-group/connection profile, but don't apply to the new connection profile?


If not, nothing obvious comes to mind (without seeing the configuration or understanding what the users are saying).
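
The attributes the reply above is asking about are the ones a RADIUS server can return in its Access-Accept and that the ASA applies to the session: the IETF Class attribute (type 25, which the ASA reads as "OU=<group-policy>;"), Framed-IP-Address (type 8), and Cisco ASA vendor-specific attributes under vendor ID 3076. The following decoder is an added example, not code from this thread or from Cisco; it parses a constructed Access-Accept and lists what it carries, so the same routine run over a packet captured between the ASA and the RADIUS server shows whether Okta and Duo return different attributes. The vendor-type numbers in CISCO_ASA_VSA (25 = Group-Policy, 85 = Tunnel-Group-Lock) are assumptions from memory of Cisco's attribute table; verify them against the ASA documentation before relying on them.

```python
"""Decode the attributes in a RADIUS Access-Accept (RFC 2865) so you can see
what the server pushes back to the ASA after two-factor authentication.
Added example; the sample packet below is constructed, not captured."""
import struct

# Standard attribute types commonly seen in a VPN Access-Accept (RFC 2865).
STD_ATTRS = {
    1: "User-Name",
    8: "Framed-IP-Address",
    25: "Class",
    26: "Vendor-Specific",
    27: "Session-Timeout",
    28: "Idle-Timeout",
}

CISCO_ASA_VENDOR = 3076  # vendor ID the ASA (and the old VPN 3000) uses for its VSAs

# ASSUMPTION: vendor-type numbers recalled from Cisco's ASA RADIUS attribute
# table; confirm against your ASA release notes before acting on them.
CISCO_ASA_VSA = {
    25: "Group-Policy",
    85: "Tunnel-Group-Lock",
}


def parse_attributes(packet: bytes):
    """Walk the attribute TLVs after the 20-byte RADIUS header.
    Returns (code, [(type, vendor_id, vendor_type, value), ...]); for
    Vendor-Specific (26) the vendor ID and vendor type are filled in."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen >= 2 and vlen == len(value) - 4:
                # vendor length counts vendor-type, vendor-length and data
                attrs.append((26, vendor_id, vtype, value[6:6 + vlen - 2]))
            else:
                attrs.append((26, vendor_id, None, value[4:]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, attrs


def describe(packet: bytes):
    """Return (code, human-readable lines, group policy named by Class or None)."""
    code, attrs = parse_attributes(packet)
    lines, group_policy = [], None
    for atype, vendor, vtype, value in attrs:
        if atype == 26:
            if vendor == CISCO_ASA_VENDOR:
                name = CISCO_ASA_VSA.get(vtype, f"VSA-{vtype}")
            else:
                name = f"vendor{vendor}-type{vtype}"
            lines.append(f"Vendor-Specific({vendor}) {name} = "
                         f"{value.decode('ascii', 'replace')}")
        elif atype == 8:
            lines.append("Framed-IP-Address = " + ".".join(str(b) for b in value))
        elif atype == 25:
            text = value.decode("ascii", "replace")
            lines.append(f"Class = {text}")
            if text.startswith("OU="):          # ASA convention: OU=<group-policy>;
                group_policy = text[3:].split(";")[0]
        else:
            lines.append(f"{STD_ATTRS.get(atype, f'Attr-{atype}')} = {value!r}")
    return code, lines, group_policy


# --- helpers to build the constructed sample Access-Accept -------------------
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    inner = bytes([vtype, len(value) + 2]) + value
    return attr(26, struct.pack("!I", vendor) + inner)


def build_access_accept(attrs, ident: int = 1) -> bytes:
    body = b"".join(attrs)
    # Authenticator would be MD5 over the request; zeroed in this constructed sample.
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: user, Class naming a group policy, a Tunnel-Group-Lock VSA
# (hypothetical names), and a pool address.
SAMPLE = build_access_accept([
    attr(1, b"alice"),
    attr(25, b"OU=okta-2fa-policy;"),
    vsa(CISCO_ASA_VENDOR, 85, b"okta-2fa"),
    attr(8, bytes([10, 20, 30, 41])),
])

if __name__ == "__main__":
    code, lines, gp = describe(SAMPLE)
    print(f"code={code} group-policy={gp}")
    print("\n".join(lines))
```

Run it as-is to see the decoded attribute list; to use it on real traffic, pass the UDP payload of an Access-Accept captured between the ASA and the RADIUS server to describe(). A Tunnel-Group-Lock or Class value that names only the original connection profile or group policy is exactly the kind of per-profile difference the reply above is asking about.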

Can you give an example of these attributes, as I'm not clear what you mean? The thing is, I was using Cisco Duo for the two-factor and it was fine; then I changed to Okta, which is giving issues at the moment.

@baselzind it would be helpful to know what exact issues they are experiencing.

Do all users experience the same issues or just some?

If you revert back to the other connection profile do they still experience issues?

No, the connection profile which I cloned for the RADIUS authentication isn't having any issues. I'm still waiting to hear the exact details of the problem from customers.

Brian Kesler
Level 1

I, too, have a similar issue. Users can connect successfully but then cannot access specific network resources. What we found is that the workstation shows no cached Kerberos tickets (command prompt > KLIST). The trigger seems to be when the user changes their password. The workaround is that either the user comes into the office and connects, or we use a Connection Profile that does not require MFA (RADIUS) authentication. After implementing either workaround one time for the user, the subsequent connection through the MFA Connection Profile has no more issues for the user.


Like you, the only difference between the Connection Profiles is the RADIUS configuration for authentication.  I plan to open a case with Cisco Support to investigate.