06-08-2008 10:30 PM - edited 03-11-2019 05:56 AM
Hello - when I configure my ASA 5520 with software 8.0(3) I have the following problem:
When I enter Secure Desktop and type my login and password I see "incorrect login".
On the ASA I see this:
INFO: debug webvpn enabled at level 200.
HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c9938928
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_portal.c:http_webvpn_kill_cookie[632]
webvpn_auth.c:http_webvpn_pre_authentication[2009]
WebVPN: calling AAA with ewsContext (-932106496) and nh (-932109336)!
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4537]
WebVPN: AAA status = (REJECT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c9938928
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_post_authentication[1233]
WebVPN: user: (evkuzin) rejected.
http_remove_auth_handle(): handle 76 not found!
webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
But the RADIUS logs are clean!!!
What's wrong?
06-09-2008 02:22 AM
Did you check the Radius connectivity with the AAA server using the 'test' command on the ASA?
Regards
Farrukh
06-09-2008 03:14 AM
Yes - I'm sure that the connection to RADIUS works properly, because besides WebVPN I configured remote IPsec VPN with authentication on this RADIUS server and it works.
06-09-2008 03:58 AM
I'm assuming your WebVPN connections are landing on "tunnel-group test". Why do you have the "authentication certificate" command there?
Also make sure you follow the instructions on the following link:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809888e5.shtml#topicsubsub
Regards
Farrukh
06-09-2008 04:02 AM
Also try to compare your debugs with the following page, and if possible post them over here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml
Regards
Farrukh
06-09-2008 11:36 PM
Were you able to get this working?
Regards
Farrukh
06-10-2008 01:26 AM
It doesn't work :(
But I noticed the following issue:
If I enter the login & password of any user from AD, then I see "incorrect login" and in debug webvpn "AAA status = (REJECT)".
If I enter the login & password of my admin user with priv 15, I see in debug webvpn "AAA status = (ACCEPT)" and on the login page "Login denied, unauthorized connection mechanism, contact your administrator."
I don't know why... (((
06-10-2008 03:12 AM
I think that in the WebVPN settings I should enter tunnel-group test. But where... :)
06-10-2008 05:12 AM
I think your current WebVPN is landing on the DefaultRAGroup (the configuration of which is missing from the text file you attached in your first post). Use this link to configure your ASA such that you can 'select' the tunnel-group at logon time:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
This way, at least you know on which tunnel-group you are landing.
Regards
Farrukh
06-10-2008 09:16 AM
Yes - thank you. Now it's working. But in the config I don't see DefaultRAGroup...
06-10-2008 11:32 PM
Did you try
"show run all tunnel-group"?
It should be there.
Regards
Farrukh
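
An added example, not part of any post in this thread: a small Python parser for the "debug webvpn" output quoted in the first post. It pairs each AAA decision with the tgroup value logged for the login form, so a REJECT that arrives with no tunnel-group stands out. The sample input is a shortened, constructed copy of those debug lines, and reading "tgroup = NULL" as "no tunnel-group was chosen on the form" is an assumption.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the thread.
SAMPLE = """\
HMCIS-Firewall# webvpn_auth.c:webvpn_auth[476]
WebVPN: no cookie present!!
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_pre_authentication[2009]
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[4537]
WebVPN: AAA status = (REJECT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[1826]
ewaFormSubmit_webvpn_login: tgroup = NULL
webvpn_auth.c:http_webvpn_post_authentication[1233]
WebVPN: user: (evkuzin) rejected.
"""

TGROUP = re.compile(r"ewaFormSubmit_webvpn_login: tgroup = (\S+)")
STATUS = re.compile(r"WebVPN: AAA status = \((\w+)\)")
USER = re.compile(r"WebVPN: user: \((.+?)\) (\w+)\.")

def summarize(debug_text):
    """Return one dict per AAA decision found in 'debug webvpn' output."""
    attempts, tgroup, current = [], None, None
    for line in debug_text.splitlines():
        if m := TGROUP.search(line):
            # Remember the most recent tgroup value seen before the AAA result.
            tgroup = None if m.group(1) == "NULL" else m.group(1)
        elif m := STATUS.search(line):
            current = {"tgroup": tgroup, "aaa": m.group(1), "user": None}
            attempts.append(current)
        elif (m := USER.search(line)) and current is not None:
            # The user name is logged after the AAA callback; attach it.
            current["user"] = m.group(1)
    return attempts

def needs_group_check(attempt):
    # Assumption: tgroup = NULL means the login form carried no tunnel-group,
    # so the group that handled the login should be confirmed on the ASA.
    return attempt["tgroup"] is None

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        note = " <- no tunnel-group on the form" if needs_group_check(a) else ""
        print(f"user={a['user']} aaa={a['aaa']} tgroup={a['tgroup']}{note}")
```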