Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Anyconnect with Cisco ACS

Has anyone been able to get anyconnect to work properly with ACS? The problem that I am having is that I want users to be able to download the Anyconnect client from the Webvpn page. When I have them log onto the Webvpn page by authenticating with ACS (using radius protocol), the Anyconnect client is not available for download on the left hand side of the Webvpn options. However, if I configure the ASA to use a local username and password and do the following commands : "username test attributes" "vpn-group-policy HQ-SSLVPN" then the Anyconnect client is available for users to download on the Webvpn page. This is the relevant configuration that I am using:


enable outside

svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

dns-server value

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

ipsec-udp enable

nac-settings value DfltGrpPolicy-nac-framework-create

address-pools value vpn-pool


svc ask enable default svc

group-policy HQ-SSLVPN internal

group-policy HQ-SSLVPN attributes

vpn-tunnel-protocol svc webvpn

address-pools value svc-full-tunnel


url-list value test-list

svc dtls enable

svc keep-installer installed

svc ask enable default svc

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool svc-full-tunnel

authentication-server-group radius-acs

default-group-policy HQ-SSLVPN

tunnel-group HQ-SSLVPN type remote-access

tunnel-group HQ-SSLVPN general-attributes

address-pool svc-full-tunnel

authentication-server-group radius-acs

default-group-policy HQ-SSLVPN

When I am debugging the output, I do notice one difference. When the ASA is using ACS to authenticate it shows that AAA retrieve user specific group policy (HQ-SSLVPN). However, when the ASA just uses the local username and password, it says that AAA retrieved user specific group policy (HQ-SSLVPN) and right afterwards it says that AAA retrieved default group policy (DfltGrpPolicy).

Also, when I have the ASA configured to use ACS, if the person does already have the Anyconnect client installed on their computer and they try to login in using Anyconnect, it comes back with an error stating "Anyconnect is not enabled on the VPN Server". Of course, this goes away once I have them authenticating to the local ASA database. Any help or insite would be greatly appreciated.



Cisco Employee

Re: Anyconnect with Cisco ACS

For netpro's benefit - RADIUS attributes (group policy, tunnel protocol) etc. will override the settings set on the ASA - that's what was happening here.


CreatePlease to create content