03-12-2013 10:39 AM
Hi Everyone!
I am configuring an ASA 5520 (Software Version 8.2(5)) with several clientless connection profiles and ACS 5.3 as the authentication server. This works well: users on AD or local can establish a VPN connection without problem, but now I need to show just one profile (common for everybody) on the ASA portal and behind the scenes allocate the right connection profile depending on the authorization profile of the user. I followed the following document,
"VPN group lock using ACS 5.x.pdf", but it does not work as expected; it keeps showing "login failed".
So I took a look at the ACS RADIUS authentication and the user is authenticated. I did a debug aaa common 255 and debug radius all;
everything seems to be ok, but when I use debug webvpn 255
it shows me the following message:
asa# webvpn_allocate_auth_struct: net_handle = D0200040
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = SSLClientProfile
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2447]
WebVPN: calling AAA with ewsContext (-780823792) and nh (-803209152)!
webvpn_add_auth_handle: auth_handle = 529
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5320]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1611]
WebVPN: user: (john) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[3066]
User came in on group he wasn't supposed to come in on!
webvpn_remove_auth_handle: auth_handle = 529
webvpn_free_auth_struct: net_handle = D0200040
Any suggestion would be appreciated
Thanks
Jonathan
03-12-2013 10:51 AM
Jonathan,
The issue is clear, your users are not connecting to the right profile.
Please check this out:
ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method
The idea of having ACS authorization is to assign a specific group-policy according to probably Radius attribute 25, but if you have it working in conjunction with the "group-lock" feature, then you need to make sure that the users connect to the correct connection profile, otherwise the group-policy will not allow the connection.
For instance:
group-policy test attributes
group-lock testGroup
!
tunnel-group testGroup general-attributes
default-group-policy test
!
tunnel-group testGroup webvpn attributes
group-url https://1.1.1.1/testGroup enable
So if a user connects to a different profile which is not the testGroup and gets the group-policy named test, then the connection is going to be rejected.
HTH.
Portu.
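As an added example (not from the thread, not Cisco code), a small Python triage script that reads the kind of debug webvpn output Jonathan posted and tells the group-lock mismatch Portu describes apart from a real AAA failure. The capture below is a constructed, trimmed copy of the post's own debug lines.

```python
import re

# Constructed capture: a trimmed copy of the debug lines from the post above.
DEBUG_CAPTURE = """\
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = SSLClientProfile
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (john) authenticated.
User came in on group he wasn't supposed to come in on!
"""

# Patterns for the lines that carry the diagnosis.
TG_RE = re.compile(r"TG_BUFFER = (\S+)")            # tunnel-group the ASA resolved
AAA_RE = re.compile(r"AAA status = \((\w+)\)")       # RADIUS/ACS verdict
USER_RE = re.compile(r"user: \((\S+)\) authenticated")
LOCK_MSG = "User came in on group he wasn't supposed to come in on!"

def parse_webvpn_debug(text):
    """Extract tunnel-group, AAA verdict, user and the group-lock reject marker."""
    info = {"tunnel_group": None, "aaa_status": None, "user": None,
            "group_lock_reject": False}
    for line in text.splitlines():
        m = TG_RE.search(line)
        if m:
            info["tunnel_group"] = m.group(1)
        m = AAA_RE.search(line)
        if m:
            info["aaa_status"] = m.group(1)
        m = USER_RE.search(line)
        if m:
            info["user"] = m.group(1)
        if LOCK_MSG in line:
            info["group_lock_reject"] = True
    return info

def diagnose(info):
    """Separate a group-lock mismatch from a real authentication failure."""
    if info["aaa_status"] == "ACCEPT" and info["group_lock_reject"]:
        # AAA said yes, but the assigned group-policy's group-lock names a
        # different tunnel-group than the one the portal resolved.
        return ("group-lock mismatch: user %s authenticated but landed on "
                "tunnel-group %s; fix the group-url/alias or remove group-lock"
                % (info["user"], info["tunnel_group"]))
    if info["aaa_status"] == "ACCEPT":
        return "login accepted on tunnel-group %s" % info["tunnel_group"]
    if info["aaa_status"]:
        return "AAA rejected the login (%s): look at the RADIUS server side" % info["aaa_status"]
    return "no AAA verdict found in capture"
```

Run it on a saved debug capture instead of DEBUG_CAPTURE to get the same one-line finding for your own session.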
03-12-2013 11:13 AM
Javier,
Thanks for your answer. I'd like to ask you if there is a way to use just one profile and have this profile do the redirection to the right profile with the help of the ACS. Is this possible?
Thanks again!
03-12-2013 11:18 AM
Jonathan,
Not that I am aware of.
You usually use certificate mapping for this.
On the other hand, why would you redirect the users to a specific profile? I mean, all attributes and settings can be configured in the group-policy itself. Having multiple profiles and group-policies is not scalable at all.
I would recommend having all users connect to the default-webvpn group and having ACS assign the group-policy to each session. This saves time and additional commands in the configuration.
HTH.
Portu.
03-12-2013 11:20 AM
BTW, for that, you would need to remove the "group-lock" attribute.
03-12-2013 11:48 AM
Javier,
I followed your recommendation and now I can log in successfully, but no matter what group the ACS assigns to the user, it keeps connecting to the same profile. Do you have any idea why this could be happening?
Thank you so much for your support
Jonathan
03-12-2013 12:09 PM
Jonathan,
Yes the connection profile will be the same, but the group-policy should be different. Please check this out:
Configure ACS to Assign a Group Policy at Login using RADIUS
Let me know.
Thanks.
03-12-2013 12:27 PM
Javier, everything was working well, but I hadn't changed the portal customization of the group policy. It was inherited, so I changed it to my preference and now everything is working great.
Thank you so much for your support!
Jonathan
03-12-2013 12:28 PM
Awesome!!
Please rate any helpful posts and mark this post as answered.
Have a nice day.
01-06-2016 04:37 PM
Jonathan,
Also, be sure that when users are trying to connect they're using the correct url that you specified under your "tunnel-group <name> webvpn attributes".
For Example:
tunnel-group WebVPN_tg webvpn attributes
group-url https://5.5.5.5/testGroup enable
***Clients should be using the URL of https://5.5.5.5/testGroup and not just https://5.5.5.5/
I ran across the same issue while troubleshooting my home webvpn access on my ASA5505 getting the same error as you when I ran "debug webvpn 125" from the cli.
User came in on group he wasn't supposed to come in on!
I hope this helps!