Solved

Cisco AnyConnect / IAS Radius problem

Posted on 2010-11-21
Last Modified: 2012-05-10
I have finally gotten my ASA 5520 authenticating to my 2003 IAS Radius server with MS-CHAPv2, and according to the event I have attached, it is granting access.  I actually get two events in a row like this every time.  I have a Remote Access Policy that grants access to everybody in a certain group, and I have my user account set to "Control access through Remote Access Policy" (and of course, I have put myself in that group).  So, according to the event as shown in the attachment, it looks like it is working.

The problem is that on my client, when I try to log in (and I get the attached event on the server), it sits there for a little bit, then I get a "Connection attempt has failed (timeout)."

Is there a part of the setup for this kind of authentication that I am missing?
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 11/21/2010
Time: 10:11:36 PM
User: N/A
Computer: GMSDC1
Description:
User bbeachy was granted access.
Fully-Qualified-User-Name = goshenschools.org/Goshen Schools/OTIS/Staff/Branden Beachy
NAS-IP-Address = 10.101.1.10
NAS-Identifier = <not present>
Client-Friendly-Name = 10.101.1.10
Client-IP-Address = 10.101.1.10
Calling-Station-Identifier = 184.2.157.87
NAS-Port-Type = Virtual
NAS-Port = 3743744
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>

Question by:brandenb
7 Comments

Accepted Solution

by:
kellemann earned 500 total points
ID: 34186812
You can do a test directly on the firewall to determine if there is indeed an authentication problem. The command is:
test aaa-server authentication <AAA groupname> host <ip for server GMSDC1> username bbeachy

Author Comment

by:brandenb
ID: 34187577
When I test it that way, it asks me for my password, and after I give that, it waits 12 seconds, then says "ERROR: Authentication Server not responding: No error"
I look on the IAS server, and again I get the "user bbeachy was granted access" event.

So, it's like the IAS server is getting the request and authenticating it, but not getting the message back to the ASA...

Expert Comment

by:kellemann
ID: 34187627
Ok, sounds like the ASA hands off the data to the IAS in a correct manner, but the answer somehow gets garbled or lost. Could you post the client configuration on the IAS?
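The symptom described in the comment above (the RADIUS server logs a grant, the NAS never sees the answer and reports a timeout) is exactly what RFC 2865 prescribes when a reply fails the Response Authenticator check: the NAS silently discards the packet and waits until its timer expires. The following Python model of that check is an added example, not code from this thread, from Cisco or from Microsoft; the shared secrets, the packet identifier and the attribute set are constructed for the illustration, and it shows only the mechanism, not what was wrong on this particular ASA.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes (RFC 2865, section 3).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Constructed value for this illustration: the secret the NAS (the ASA in the
# thread) believes it shares with the RADIUS server.
NAS_SECRET = b"constructed-shared-secret"


def radius_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, attributes):
    """NAS side: an Access-Request carries a fresh random 16-byte Request Authenticator."""
    request_auth = secrets.token_bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + request_auth + attributes, request_auth


def server_reply(code, identifier, request_auth, attributes, server_secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3.
    The server computes it with the secret it has configured for this client."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + server_secret).digest()
    return header + response_auth + attributes


def nas_validate_reply(reply, expected_identifier, request_auth, nas_secret):
    """NAS side: recompute the Response Authenticator with the NAS's own secret.
    Returns the packet code on success, or None when the reply must be silently
    discarded (RFC 2865 requires that), which the NAS later surfaces as a timeout."""
    if len(reply) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != expected_identifier:
        return None
    attributes = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attributes + nas_secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def simulate_exchange(server_secret, server_decision=ACCESS_ACCEPT):
    """One request/reply round trip. The server 'grants access' in its own log
    regardless; the NAS only learns the result if the reply validates with NAS_SECRET."""
    identifier = 7  # constructed
    attrs = radius_attribute(1, b"bbeachy")  # User-Name (type 1), taken from the event
    _request, request_auth = build_access_request(identifier, attrs)
    reply = server_reply(server_decision, identifier, request_auth, b"", server_secret)
    return nas_validate_reply(reply, identifier, request_auth, NAS_SECRET)


if __name__ == "__main__":
    print("matching secrets   ->", simulate_exchange(NAS_SECRET))        # 2 (Access-Accept)
    print("mismatched secrets ->", simulate_exchange(b"other-secret"))   # None (discarded)
```

The point of the model is that the server-side log and the NAS-side result are computed independently: a server can truthfully record "granted access" while the NAS, unable to validate the reply it received, behaves as if no server answered at all. When chasing this kind of timeout, a packet capture on the NAS side showing the Access-Accept arriving is what separates a dropped-reply problem from a genuine network or port problem.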

Author Comment

by:brandenb
ID: 34187937
Is this what you wanted to see?  I have tried setting the Client-Vendor to both Radius Standard as well as Cisco, and it makes no difference either way.
error.JPG

Author Comment

by:brandenb
ID: 34191046
Just to reiterate, the IAS server authentication is working perfectly.  If I set my user account to either Allow, or Control through Policy, the event log shows that I AM granted access, and if I change my account to "deny", then the event log shows that access was denied.

So, the only problem is that that information isn't getting back to the ASA - it times out saying the Authentication Server is not responding.

Expert Comment

by:kellemann
ID: 34194844
I once encountered a strange problem. Don't know if it applies here, but worth trying.
The ASA refused to authenticate users, until the default vpn group (DefaultWEBVPNGroup) was configured to use the same AAA group as the "real" group.
If that doesn't work, please post the configuration of the remote access policy in IAS, specifically the part regarding authentication (Properties on policy -> Edit profile -> Authentication tab)

Author Comment

by:brandenb
ID: 34201424
Well, I'm not totally sure what made it start working, but after playing with all the settings, and restarting the server, now it works.

Thanks for your help!
