Cisco VPN :: 5505 Local Users Authenticate To AnyConnect
Jul 16, 2012
I am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked.Each time, I see where the user has failed while attemtping to log in to the domain via the radius servers and thus bypasses the local user database all together.
View 3 Replies
ADVERTISEMENT
Oct 17, 2012
what is the minimun privilege level to assign at username account on ASA 5505 to grant the access with AnyConnect?
username ... privilege ?
View 4 Replies
View Related
Dec 29, 2012
I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting. This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below."The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
View 4 Replies
View Related
Feb 14, 2012
I am trying to connect using officeextend but couldn't . I have managed to connect the officeextend AP to the DMZ WLC however i cant get the users to authenticte to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (i thought they wouldnt require as they are anchored back to the Internal WLC that the ACS server address
oon a side note, i have'nt created dhcp for hte officeedxtend users - will this cause an issue - (just deciding on to it on WLC or windows server)In-fact i cant even see myself authenticating on the ACS server
View 25 Replies
View Related
Feb 9, 2012
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
View 3 Replies
View Related
Jun 9, 2011
I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.
View 1 Replies
View Related
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies
View Related
Dec 7, 2010
We have a customer with ACS 4.2 Appliances who currently uses the Layer 3 web-redirect guest function to authenticate users against AD via ACS and LDAP to the AD, its a mixture of un-managed Windows, Mac & linux clients.
They want to move to an 802.1x solution.
Now MS-CHAPv2 is proably the obvoius choice (maybe it isnt considering Linux and MAC clients ... comments???). However the only option to integrate with AD is LDAP i.e remote agents or an upgrade to 5.x is out of the question.
View 9 Replies
View Related
Jul 22, 2012
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
View 9 Replies
View Related
Mar 12, 2013
we are using ACS4.2 to authenticate wireless users for ssid : copr-wireless. the acs authenticate users via windows database (acs is a member of the windows doamin) no local user defined in acs. there is a mapping between all windows users and a local group in acs (wireless_group) in wireless group i defined the vlan as 80 so that corp-wireless clients will be in vlan 80 and they can take an ip address from one DHCP server in the network. vlan 80 is in our core switch. the dhcp also.
now we added a guest anchor WC with ssid: guest-wireless. we need to auth guests also via ACS/Windows. guests are the same users as corp-wireless but corp for lan only and guest for internet only my prob is that ACS will map guests to vlan 80 because they are member of the domain, however guest users should not have any vlan. it is like if they are in DMZ. they will take ip address from the anchor WC.
View 4 Replies
View Related
Aug 26, 2012
i have configured acs 5.3. i integrated wth active directory also it got suceeded in test connection.but when am trying to conncet ssid its not getting authenticate, wat r the users i created on acs they can able to login on wifi ssid
View 6 Replies
View Related
Feb 24, 2013
We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server. Starting from today, ACS fails to authenticate users. Using the same external user (andrea-meconi) I can verify successfull and failed authentication. This is the AUTH.log for a genericRADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting
[Code].....
View 1 Replies
View Related
Apr 8, 2009
The ACS can authenticate people using local database , it can also authenticate a single user (using windows database) if you are fast after the service is restarted , however after a few secounds, it fails to authenticate any users , the error we are seeing on the logs appear as authentication failure type : internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.
View 7 Replies
View Related
Apr 16, 2013
I have ACS 4 integrated with RSA 6.1, where users of ACS can authenticate their passwords with the rsa server.I am migrating users to ACS 5, and I want to integrate with rsa.
I am configuring rsa as “rsa secureID token servers”.But how should I configure the users on acs to authenticate the password with rsa?
Previously on acs 4, on the user page, in password field, I select authenticate with external DB, Also, any guide for the config on rsa 6.1 side (with acs 5)
View 1 Replies
View Related
Jul 17, 2012
I have successfully set up a windows 2008 box as a Radius server and use it to authenticate VPN users against ta AD database.I have also set up a similar policy that permits authentication for management purposes to all my networking devices (routers,switches and the ASA).Both policies work fine.Of course I don't want every VPN user to have administrative access to the ASA and every other device on my network.How can I discriminate between the 2 groups (VPN users and Network administrators)
View 3 Replies
View Related
Feb 24, 2013
I have a WLC 4404 with LWAPs, the customer has a microsoft LDAP and all users are joined to the domain and he wants the users to be authenticated against their domain accounts and this should be done automatically so that when users login to windows they are also authenticated and joined the WLAN.so how we can do that with the simplest way, without Radius server using only the LDAP and wwithout envolving any certificates.also i need to know when i add LDAP server to the WLC, how can i know that this LDAP is properly inegrated with the WLC?
View 8 Replies
View Related
Apr 19, 2010
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
View 12 Replies
View Related
May 2, 2012
I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
View 1 Replies
View Related
Mar 13, 2013
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
View 6 Replies
View Related
Sep 8, 2011
I am transitioning from RADIUS auth to local auth and i don't want to hassle everyone to change in one hit.If i can get auth requests to look in the WLC local net db first and if not found try RADIUS then this is what i am after! You can easily do it with web auth but doesnt seem so easy via WPA2 method.
View 1 Replies
View Related
Nov 1, 2012
I have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling.
View 3 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Nov 27, 2012
we have three ASA 5540 with Cisco Adaptive Security Appliance Software Version 8.4(5) Device Manager Version 6.4(9) this devices are only for remote conections (webvpn/ssl-web/anyconnect), and we are having problems with connections anyconnects; are released every 15 seconds, the version anyconnect is 2.3.0254.is there a conflict of versions or a bug that could be picking up??.is there a compability matrix betwen Software Version of ASA and Anyconnect ?
View 2 Replies
View Related
May 16, 2012
I am able to successfully connect to my ASA5505 via AnyConnect via a mobile device. Upon doing so, I lose internet connectivity. My access list appear to be correct to I'm sort of at a loss.
[code]....
View 6 Replies
View Related
Jun 9, 2013
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
View 1 Replies
View Related
May 22, 2013
I have a ASA 5540 VPN Premium with 2 Client-less licenses.How many anyconnect users can i accommodate with current sessions ??
View 5 Replies
View Related
Aug 17, 2011
I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials.I want to do the following: for an account that exist on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.I heard about Identity Sequence in ACS. But I still don't see the right configuration,
View 2 Replies
View Related
Dec 2, 2012
I have a scenario where there is an ASA5510 configured as follows:
Interface0 = Outside
Interface1 = LAN
Interface2 = DMZ
Interface3 = unused
Running ASA version 8.2[1]
All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources. When I try accessing it, I see the following errors appearing in the debug log:
3Dec 03 201212:10:50710003[DMZ client address]51031[AnyConnect ExternalAddress]443TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443 If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
View 1 Replies
View Related
Jan 16, 2013
I configure anyconnect vpn on cisco asa version 8.2. vpn user need to access internet so i configured split-tunnel. the split-tunnel working but i do not want to use split-tunnel for security reason. i want vpn user use our local network internet. how i do it?i think that i must do vpn user subnet nat and then what i need do additionally?
View 1 Replies
View Related
Jul 20, 2011
We have SSL VPN using the AnyConnect client going to an ASA5540.
Is there a way to permit users to access their own LAN, but still force them to use the VPN tunnel for Internet access?
If I'm reading the documentation correctly, it seems that when you activate split tunnelling, it allow LAN access, but will also allow the user to access the Internet over the LAN instead of over the VPN.
View 1 Replies
View Related
Sep 20, 2011
ASA 5510 configuration for Csco anyconnect vpn client. Currently ASA is configured for self-signed certificate acces thru anyconnect ssl vpn. So the cert is being generated with every connection (of my understanding, I haven't found any identity certificate on the current configuration, at least on ASDM). Now I need to use a certificate from our local windows CA that we have at the office. I.e. self-signed certs should be changed with another one issued by our local office authority.
1. Generated new rsa key pair on the ASA
2. Generated CSR from identity certificates
3. Applied CSR to the windows CA and generated the certificate
Now I need to understand what is going to happen after I install this certificate on the ASA's identity certificates and apply it to outside interface. Is there anything to be done on the users side to use new certificate? Do they need to download and install the root certificate from the same CA? Do i need to have the root certificate installed on the ASA or identity is enough?
View 1 Replies
View Related
Jul 10, 2011
We are required to change passwords every so often at my job. I am trying to change the password for one of the local user accounts on a 5508 WLC running 7.0.98.218 - How can I accomplish this task? The option I get is to remove the users.
View 1 Replies
View Related
Aug 24, 2011
I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials.I want to do the following: for an account that exist on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.I heard about Identity Sequence in ACS. But I still don't see the right configuration,
View 2 Replies
View Related
