AnyConnect group policy via RADIUS Class attribute inconsistent

m.yost
Level 1

FMC: 7.1.0.1

FTD: 7.0.1.1

Having a weird issue with a new turn-up of AnyConnect on an FTD 1100 managed by FMC. Periodically, when users log in to the VPN, they are placed into the default group policy on the FTD and not into the correct group policy assigned via the RADIUS Class attribute; however, sometimes that same user is put into the correct VPN group policy and everything works fine.

The RADIUS server is NPS and is doing O365 MFA on top of the normal RADIUS authentication. When we look at the NPS server logs, it matches the correct NPS policy and shows the correct VPN group policy name in the Class attribute portion of the log:

<Event><Timestamp data_type="4">04/29/2022 15:21:07.390</Timestamp><Computer-Name data_type="1">OMITTED</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.90.192.10 04/29/2022 13:08:53 15</Class><Reply-Message data_type="1">Enter Your Microsoft verification code</Reply-Message><Class data_type="1">GP_TC_ITS</Class><NP-Policy-Name data_type="1">FP1140 - TC_ITS</NP-Policy-Name><Client-IP-Address data_type="3">192.168.201.1</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">Cisco-FP1140</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">TOMPKINS-CO\acasper</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">OMITTED\acasper</Fully-Qualifed-User-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

but when you look at the output of "sh vpn-sessiondb anyconnect", you see the Group Policy is DfltGrpPolicy.

We did some packet captures to validate that when the Access-Accept message is sent to the FTD it includes the Class attribute. The only problem is that the attribute value is encoded, so I can't 100% verify it matches the GP and was not corrupted somehow. When doing a "debug radius all" on the FTD, we also see the Class attribute, but the value is encoded there too. Running AnyConnect debugs (debug webvpn anyconnect 255) didn't seem to help much either.

Not sure if there are additional debugs I can do to troubleshoot. I did just notice that there is bug CSCwa08262, which is eerily similar to the issue we are having, with the difference being that the output of "show vpn-sessiondb anyconnect" actually shows the default group policy being assigned, but the bug says the mapped group policy is shown. We also do not have "vpn-simultaneous-logins 0" set; we have it set to 3.
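Added example, not from the original post or from Cisco: a small RADIUS attribute decoder that walks the Access-Accept TLVs, decodes every Class (type 25) attribute as text and checks whether one of them names the expected group policy, which is the check the capture and "debug radius all" output above could not give because the value is shown as raw bytes. The packet bytes are constructed here to mirror the NPS log entry in the post; the OU=<name>; spelling is accepted on the assumption that the FTD, like ASA, understands that form of the Class attribute.

```python
import struct

CLASS = 25          # RADIUS Class attribute type (RFC 2865)
REPLY_MESSAGE = 18  # RADIUS Reply-Message attribute type

def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type(1) length(1, header included) value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_accept(attrs: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Accept (code 2); the authenticator is zeroed for the sample."""
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet: bytes) -> list:
    """Walk the attribute TLVs of a RADIUS packet, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def class_values(packet: bytes) -> list:
    """Decode every Class attribute as text; latin-1 never fails, so stray bytes stay visible."""
    return [v.decode("latin-1") for t, v in parse_attributes(packet) if t == CLASS]

def matches_group_policy(packet: bytes, expected: str) -> bool:
    """True if any Class value names the expected group policy. NPS also emits its own
    session-state Class ("311 1 ..."), so every Class attribute is inspected, and the
    OU=<name>; spelling is tolerated (assumption: the FTD accepts it as ASA does)."""
    for value in class_values(packet):
        v = value.strip()
        if v.startswith("OU=") and v.endswith(";"):
            v = v[3:-1]
        if v == expected:
            return True
    return False

# Constructed sample mirroring the NPS log in the post: state Class, MFA prompt, group-policy Class.
GOOD = build_access_accept(
    _attr(CLASS, b"311 1 10.90.192.10 04/29/2022 13:08:53 15")
    + _attr(REPLY_MESSAGE, b"Enter Your Microsoft verification code")
    + _attr(CLASS, b"GP_TC_ITS"))
# Constructed reply with a truncated group-policy Class, the kind of corruption to rule out.
BAD = build_access_accept(
    _attr(CLASS, b"311 1 10.90.192.10 04/29/2022 13:08:53 15") + _attr(CLASS, b"GP_TC_IT"))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, class_values(pkt), matches_group_policy(pkt, "GP_TC_ITS"))
```

To use it on a real capture, export the UDP payload of the Access-Accept from the capture tool as raw bytes and pass it to matches_group_policy with the group policy name configured on the FTD.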

1 Reply

vpn-simultaneous-logins 0 <- this is used in case the AnyConnect fails at any point; it will redirect to this group-policy with VPN logins 0, i.e. the AnyConnect is denied.
Can I see the config of the group-policy and the group-policy map?