AnyConnect with Cisco ACS

Unanswered Question
Dec 1st, 2007

Has anyone been able to get AnyConnect to work properly with ACS? The problem that I am having is that I want users to be able to download the AnyConnect client from the Webvpn page. When I have them log onto the Webvpn page by authenticating with ACS (using the RADIUS protocol), the AnyConnect client is not available for download on the left-hand side of the Webvpn options. However, if I configure the ASA to use a local username and password and enter the commands "username test attributes" and "vpn-group-policy HQ-SSLVPN", then the AnyConnect client is available for users to download on the Webvpn page. This is the relevant configuration that I am using:


webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable

group-policy DfltGrpPolicy attributes
 dns-server value 192.168.0.15
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value vpn-pool
 webvpn
  svc ask enable default svc

group-policy HQ-SSLVPN internal
group-policy HQ-SSLVPN attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value svc-full-tunnel
 webvpn
  url-list value test-list
  svc dtls enable
  svc keep-installer installed
  svc ask enable default svc

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool svc-full-tunnel
 authentication-server-group radius-acs
 default-group-policy HQ-SSLVPN

tunnel-group HQ-SSLVPN type remote-access
tunnel-group HQ-SSLVPN general-attributes
 address-pool svc-full-tunnel
 authentication-server-group radius-acs
 default-group-policy HQ-SSLVPN


When I look at the debug output, I do notice one difference. When the ASA is using ACS to authenticate, it shows that AAA retrieved the user-specific group policy (HQ-SSLVPN). However, when the ASA just uses the local username and password, it says that AAA retrieved the user-specific group policy (HQ-SSLVPN) and right afterwards it says that AAA retrieved the default group policy (DfltGrpPolicy).


Also, when I have the ASA configured to use ACS, if the person already has the AnyConnect client installed on their computer and they try to log in using AnyConnect, it comes back with an error stating "Anyconnect is not enabled on the VPN Server". Of course, this goes away once I have them authenticating to the local ASA database. Any help or insight would be greatly appreciated.


Thanks,

Jason



Jason Gervia Mon, 12/03/2007 - 13:58
User Badges: Cisco Employee

For netpro's benefit: RADIUS attributes (group policy, tunnel protocol, etc.) will override the settings set on the ASA; that's what was happening here.


--Jason
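The override described in the reply, as an added illustration that is not part of the original thread and not Cisco code: a small Python model of the ASA's attribute precedence (RADIUS or local user attributes over the user's group policy, over the tunnel-group default group policy, over DfltGrpPolicy). The group-policy contents are transcribed from the configuration in the question; the ACS reply is constructed for the example, and the Tunneling-Protocols bit values are the ones listed in Cisco's ASA RADIUS attribute table (check them against the documentation for your release). It shows why a per-user RADIUS tunnel-protocol value that omits SVC makes the AnyConnect download disappear even though the group policy named by RADIUS permits it.

```python
"""Model of how an ASA resolves the effective VPN tunnel protocols for a
session.  Added example for this thread; not Cisco code.

Precedence modelled, most specific first:
  per-user attributes (RADIUS reply or local 'username ... attributes')
  > user's group policy > tunnel-group default-group-policy > DfltGrpPolicy
A RADIUS-returned attribute therefore replaces the same attribute's value
taken from the group policy configured locally on the ASA.
"""

# Tunneling-Protocols (Cisco VSA) bitmask values as listed in Cisco's ASA
# RADIUS attribute table; verify against your release's documentation.
TUNNELING_PROTOCOLS = {
    1: "pptp",
    2: "l2tp",
    4: "ipsec",
    8: "l2tp-ipsec",
    16: "webvpn",
    32: "svc",
}

# Group policies transcribed from the configuration posted in the question.
GROUP_POLICIES = {
    "DfltGrpPolicy": {"vpn-tunnel-protocol": {"ipsec", "l2tp-ipsec", "svc", "webvpn"}},
    "HQ-SSLVPN": {"vpn-tunnel-protocol": {"svc", "webvpn"}},
}


def decode_tunneling_protocols(value):
    """Expand the integer bitmask into the set of permitted protocol names."""
    unknown = value & ~sum(TUNNELING_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown Tunneling-Protocols bits: {unknown:#x}")
    return {name for bit, name in TUNNELING_PROTOCOLS.items() if value & bit}


def resolve_session(tunnel_group_default, radius_attrs=None, local_user_policy=None):
    """Return (group_policy_name, effective_protocols, source_of_protocols).

    radius_attrs      -- attributes in the AAA server's reply, e.g.
                         {"Class": "OU=HQ-SSLVPN;", "Tunneling-Protocols": 16}
                         (the ASA reads the group policy name from Class "OU=<name>;")
    local_user_policy -- 'vpn-group-policy' set under 'username <u> attributes'
    """
    radius_attrs = radius_attrs or {}

    # Step 1: which group policy applies to this user?
    policy, source = tunnel_group_default, "tunnel-group default-group-policy"
    if local_user_policy:
        policy, source = local_user_policy, "local username attributes"
    class_attr = radius_attrs.get("Class")
    if class_attr and class_attr.startswith("OU="):
        policy, source = class_attr[3:].rstrip(";"), "RADIUS Class attribute"
    if policy not in GROUP_POLICIES:
        raise KeyError(f"group policy {policy!r} is not configured on the ASA")
    protocols = set(GROUP_POLICIES[policy]["vpn-tunnel-protocol"])

    # Step 2: a per-user RADIUS attribute overrides the group policy's value.
    if "Tunneling-Protocols" in radius_attrs:
        protocols = decode_tunneling_protocols(radius_attrs["Tunneling-Protocols"])
        source = "RADIUS Tunneling-Protocols attribute"
    return policy, protocols, source


def anyconnect_offered(protocols):
    """The SVC (AnyConnect) client is offered for download, and an installed
    client is accepted, only when 'svc' is among the permitted protocols."""
    return "svc" in protocols


if __name__ == "__main__":
    # Local database: username test attributes / vpn-group-policy HQ-SSLVPN
    local = resolve_session("HQ-SSLVPN", local_user_policy="HQ-SSLVPN")
    # Constructed ACS reply: the right group policy, but a Tunneling-Protocols
    # value of 16 (WebVPN only) without the SVC bit (32).
    acs = resolve_session(
        "HQ-SSLVPN",
        radius_attrs={"Class": "OU=HQ-SSLVPN;", "Tunneling-Protocols": 16},
    )
    for label, (policy, protos, src) in (("local", local), ("acs", acs)):
        print(f"{label}: policy={policy} protocols={sorted(protos)} "
              f"(from {src}) -> AnyConnect offered: {anyconnect_offered(protos)}")
```

The check to make when a client reports that AnyConnect is not enabled despite a permissive local group policy is therefore the AAA server's reply, not only the ASA's group-policy configuration: any tunnel-protocol value the server sends per user wins.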


