09-23-2012 01:15 PM
I am trying to get my ASA to authenticate AnyConnect users with PhoneFactor authentication. Has anyone successfully done this before?
09-25-2012 02:40 PM
Hi Jason,
For this to work you need to configure the ASA to send a RADIUS request to PhoneFactor, and you have to set the RADIUS timeout there as well so that the ASA doesn't time out waiting for a response from PhoneFactor. So, both the ASA and the AnyConnect client need to have enough timeout for the call to take place and get a response.
By default, AnyConnect waits up to 12 seconds for an authentication from the ASA before terminating the connection attempt. You can modify this value in the XML profile as follows:
To set the authentication timeout to 90 seconds:
You can see the release notes describing the "Authentication Timeout Control" at:
Authentication Timeout Control
The rest of the configuration is a pretty common AnyConnect client authenticating against a RADIUS server.
Let me know if you have any questions.
Portu.
Please rate any helpful posts
09-28-2012 10:56 AM
Thank you Javier for your assistance.
Few additional problems/questions.
It appears that I am only licensed for AnyConnect Mobile, not AnyConnect Essentials.
Does this mean that I cannot adjust the timeout? In addition on my ASDM under Tools my File Management option is greyed out. Do I need to upgrade my license to Anyconnect Essentials to adjust the timeout?
Thank you
09-28-2012 11:07 AM
Jason,
To add / modify / delete an XML profile, you only need a valid AnyConnect package on your ASA.
That option should not be grayed out, unless your user does not have the correct privilege level (15 for an admin).
On the other hand, I think you have a premium license, since I see:
SSL VPN peer : 250
You do not need Essentials for this to work; the Premium is more than enough.
Please share : "show vpn-sessiondb summary"
Thanks.
Portu.
Please rate any helpful posts.
09-28-2012 11:26 AM
Javier,
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 1 : 237 : 5
Clientless only : 0 : 73 : 4
With client : 1 : 164 : 3 : 0
IPsec Remote Access : 1 : 631 : 13
Totals : 2 : 868
License Information:
IPsec : 250 Configured : 250 Active : 1 Load : 0%
SSL VPN : 250 Configured : 250 Active : 1 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 820 : 13
SSL VPN : 1 : 237 : 5
Totals : 2 : 1057
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
I should definitely have the correct priv level...how can I verify this?
So accessing and editing the XML file will have to be done via cli?
10-01-2012 05:27 AM
Javier,
I've verified my privilege level...
So I'm at a loss as to why my Tools>File Management is greyed out?? How do I go about editing the XML file to increase the Timeout?
10-01-2012 05:40 AM
Hi Jason,
Sorry for any delay.
Guidelines:
Blue: Current user and privilege level.
Black: Steps to open and create a new XML profile.
Green: Complete configuration path.
* If you have previously defined the group-policy then you could define it during the creation of the XML profile.
Once you have the profile, you must make this change:
* You could also include / edit other features to this XML profile, I only edited the authentication timeout value.
On the other hand, according to your license, there is a limit of 250 AnyConnect + WebVPN sessions:
SSL VPN : 250
Let me know if you have any further questions.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
10-01-2012 11:00 AM
Javier,
I have no access to the information you provided! I definitely have level 15 privilege access. Any ideas?
10-01-2012 01:05 PM
Jason,
My friend, please update your ASDM to the latest version available:
http://tools.cisco.com/squish/D1aba
Let me know.
Thanks.
Portu.
10-02-2012 05:13 AM
Javier,
Do I need to upgrade my ASA version in order to upgrade my ASDM version? What impact is there on the ASA when I upgrade ASDM versions? Does the machine need to reboot? What will it impact on the ASA?
Thank you for your assistance, it's been extremely helpful!
10-02-2012 05:50 AM
Good Morning Jason,
Do I need to upgrade my ASA version in order to upgrade my ASDM version?
A/ No
What impact is there on the ASA when I upgrade ASDM versions?
A/ No impact at all.
Does the machine need to reboot? What will it impact on the ASA?
A/ You do not need to reboot the machine. No impact on the ASA.
Let me know if you have any further questions.
Please rate any helpful posts
10-02-2012 06:04 AM
Javier,
I will have to incrementally upgrade to the current version...correct? What are my rollback options along this upgrade path?
Many thanks.
10-02-2012 06:16 AM
Jason,
An ASDM upgrade is not a big deal; you will not need to roll back the process.
Just upload the ASDM image and enable it as: "asdm image disk0:/your_asdm_image".
Keep me posted.
Thanks.
10-02-2012 06:55 AM
Since I don't have access ( they are greyed out ) to Tools > Software Updates > Upgrade Software from local computer or Upgrade Software from Cisco.com in the ASDM I will have to perform this upgrade via the CLI?
Would you happen to have a link for this process?
Thank you.
10-02-2012 10:52 AM
Jason,
Follow these steps:
1- Go to file management:
2- Select "Between local PC and Flash".
3- Select the image from your local folder and move it to "disk0:":
4- Finally, define the ASDM image:
5- Quit the active ASDM instance and connect again.
Let me know if you still have any questions about this procedure.
Thanks.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez