webvpn login failed

johnchrs2006
Level 1

Hi Everyone!

I am configuring an ASA 5520 (Software Version 8.2(5)) with several clientless connection profiles and ACS 5.3 as the authentication server. This works well: users on AD or local can establish a VPN connection without problem. But now I need to show just one profile (common for everybody) on the ASA portal and, behind the scenes, allocate the user to the right connection profile depending on the user's authorization profile. I followed the following document,

"VPN group lock using ACS 5.x.pdf", but it does not work as expected; it keeps showing "login failed".

So I took a look at the RADIUS authentication on the ACS, and the user is authenticated. I did a debug aaa common 255 and debug radius all,

and everything seems to be OK, but when I use debug webvpn 255

it shows me the following messages:

asa# webvpn_allocate_auth_struct: net_handle = D0200040
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from group list
webvpn_login_resolve_tunnel_group: TG_BUFFER = SSLClientProfile
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2447]
WebVPN: calling AAA with ewsContext (-780823792) and nh (-803209152)!
webvpn_add_auth_handle: auth_handle = 529
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5320]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = SSLClientProfile
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1611]
WebVPN: user: (john) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[3066]
User came in on group he wasn't supposed to come in on!
webvpn_remove_auth_handle: auth_handle = 529
webvpn_free_auth_struct: net_handle = D0200040

Any suggestion would be appreciated.

Thanks

Jonathan

Accepted Solution

Jonathan,

The issue is clear, your users are not connecting to the right profile.

Please check this out:

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

The idea of having ACS authorization is to assign a specific group-policy according to (probably) RADIUS attribute 25, but if you have it working in conjunction with the "group-lock" feature, then you need to make sure that the users connect to the correct connection profile; otherwise the group-policy will not allow the connection.

For instance:

group-policy test attributes
 group-lock value testGroup
!
tunnel-group testGroup general-attributes
 default-group-policy test
!
tunnel-group testGroup webvpn-attributes
 group-url https://1.1.1.1/testGroup enable

So if a user connects to a different profile that is not testGroup and gets the group-policy named test, then the connection is going to be rejected.

HTH.

Portu.

9 Replies


Javier,

Thanks for your answer. I'd like to ask you if there is a way to use just one profile and have this profile do the redirection to the right profile with the help of the ACS. Is this possible?

Thanks again!

Jonathan,

Not that I am aware of.

You usually use certificate mapping for this.

On the other hand, why would you redirect the users to a specific profile? I mean, all attributes and settings can be configured in the group-policy itself. Having multiple profiles and group-policies is not scalable at all.

I would recommend having all users connect to the default-webvpn group and having ACS assign the group-policy to each session. This saves time and additional commands in the configuration.

HTH.

Portu.

BTW, for that, you would need to remove the "group-lock" attribute.

Javier,

I followed your recommendation and now I can log in successfully, but no matter what group the ACS assigns to the user, it keeps connecting to the same profile. Do you have any idea why this could be happening?

Thank you so much for your support

Jonathan

Jonathan,

Yes the connection profile will be the same, but the group-policy should be different. Please check this out:

Configure ACS to Assign a Group Policy at Login using RADIUS

Let me know.

Thanks.

Javier, everything was working well, but I hadn't changed the portal customization of the group policy. It was inherited, so I changed it to my preference and now everything is working great.

Thank you so much for your support!

Jonathan

Awesome!!

Please rate any helpful posts and mark this post as answered.

Have a nice day.

Jonathan,

Also, be sure that when users are trying to connect they're using the correct URL that you specified under your "tunnel-group <name> webvpn-attributes".

For Example:

tunnel-group WebVPN_tg webvpn-attributes
 group-url https://5.5.5.5/testGroup enable

***Clients should be using the URL https://5.5.5.5/testGroup and not just https://5.5.5.5/

I ran across the same issue while troubleshooting my home WebVPN access on my ASA 5505, getting the same error as you when I ran "debug webvpn 125" from the CLI.

User came in on group he wasn't supposed to come in on!

I hope this helps!
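A troubleshooting helper, added here and not part of this thread or of any Cisco tool, that ties together Portu's accepted answer (the RADIUS-assigned group-policy's group-lock versus the profile the user actually lands on) and the last reply (group-url versus the bare URL): it parses a constructed config slice in the syntax shown above, works out which connection profile a login URL selects, and reports whether the session would hit the "User came in on group he wasn't supposed to come in on!" rejection seen in the debug. The config, the debug lines and the rule that a URL matching no group-url lands on DefaultWEBVPNGroup are assumptions modelled on the thread.

```python
import re

# Constructed config slice modelled on the examples in this thread, not a device dump.
ASA_CONFIG = """\
group-policy test attributes
 group-lock value testGroup
tunnel-group testGroup general-attributes
 default-group-policy test
tunnel-group testGroup webvpn-attributes
 group-url https://1.1.1.1/testGroup enable
"""
# Constructed lines in the shape of the 'debug webvpn' output quoted in the question.
DEBUG_LINES = [
    "webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup",
    "WebVPN: user: (john) authenticated.",
    "User came in on group he wasn't supposed to come in on!",
]

def parse_config(text):
    """Return ({group-policy: locked tunnel-group}, {group-url: tunnel-group})."""
    locks, urls, section = {}, {}, ("", "")
    for line in text.splitlines():
        if m := re.match(r"group-policy (\S+) attributes", line):
            section = ("gp", m.group(1))
        elif m := re.match(r"tunnel-group (\S+) \S+", line):
            section = ("tg", m.group(1))
        elif (m := re.match(r"\s+group-lock value (\S+)", line)) and section[0] == "gp":
            locks[section[1]] = m.group(1)          # 'group-lock none' is simply absent
        elif (m := re.match(r"\s+group-url (\S+) enable", line)) and section[0] == "tg":
            urls[m.group(1).rstrip("/")] = section[1]
    return locks, urls

def check_login(login_url, radius_group_policy, config=ASA_CONFIG):
    """Return (accepted, tunnel_group, reason) for a login URL plus the RADIUS-assigned policy."""
    locks, urls = parse_config(config)
    # A URL matching a group-url selects that profile; anything else (e.g. the bare
    # https://1.1.1.1/) lands on DefaultWEBVPNGroup, which is the last reply's point.
    tg = urls.get(login_url.rstrip("/"), "DefaultWEBVPNGroup")
    lock = locks.get(radius_group_policy)
    if lock is not None and lock != tg:
        return False, tg, f"group-policy {radius_group_policy} is locked to {lock}, user landed on {tg}"
    return True, tg, "ok"

def explain_debug(lines, radius_group_policy, config=ASA_CONFIG):
    """Pull the resolved profile (TG_BUFFER) out of debug output and explain a rejection."""
    tg = [m.group(1) for l in lines if (m := re.search(r"TG_BUFFER = (\S+)", l))]
    rejected = any("wasn't supposed to come in on" in l for l in lines)
    lock = parse_config(config)[0].get(radius_group_policy)
    if rejected and tg and lock and lock != tg[-1]:
        return f"rejected: {radius_group_policy} is group-locked to {lock} but profile was {tg[-1]}"
    return "rejected for another reason" if rejected else "accepted"
```

Feed `explain_debug` the real `debug webvpn` output and the group-policy name ACS returns in attribute 25 to confirm the mismatch before touching the configuration.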