I am trying to configure a Cisco ASA 5505 so that users can authenticate via RADIUS or via a local account using the Cisco AnyConnect client. In the AnyConnect connection profile, on the Basic tab, there is an Authentication Method. We have this going to an AAA server group with the "Use LOCAL if Server Group fails" option checked.
Each time, I see where the user has failed while attempting to log in to the domain via the RADIUS servers and thus bypasses the local user database altogether.
Do I need to create two connection profiles for this?
Yes, you need a second connection profile for that. On the ASA, there is only a fallback from AAA server to LOCAL, which is different from the IOS implementation, where your setup would work. So just build one connection profile with remote auth and a second one with local auth. But I would configure it back to only remote with local fallback when all your users are migrated to your AAA server, as this system with two profiles is not really user-friendly.
I built a new connection profile. It has basically the same attributes except, of course, the name and the means by which we authenticate. Now when I go to AnyConnect, I do not have the drop-down option that says go to connectionProfile1 or connectionProfile2.
Why would they put an option on a connection profile to use the local database if in fact they knew it did not work as advertised? The option needs to be completely removed until someone can get it to work properly.
I need for local users to be able to authenticate as well as domain users. Does anyone have any ideas?
Re: AAA and local users authenticate to AnyConnect
You have to enable the drop-down list you are missing in your remote-access VPN setup. Additionally, you could also specify a dedicated URL for your profile. This feature works exactly as documented by Cisco. But it has to be configured the way Cisco wants it and not the way an admin thinks it should work ...
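The two answers above (two connection profiles, one with RADIUS plus LOCAL fallback and one LOCAL-only, plus the profile drop-down and an optional dedicated URL) map onto the following ASA CLI configuration. This is an added illustration, not configuration posted by either participant; the server group name RADIUS-GRP, the server address 10.0.0.10, the group-policy GP-RA, the tunnel-group names RA-DOMAIN and RA-LOCAL, the hostname vpn.example.com and the user jdoe are all assumed placeholders.

```cisco
! Assumed RADIUS server group (placeholder name and address)
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 10.0.0.10
 key <shared-secret-placeholder>

! Assumed group-policy applied to both profiles
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client

webvpn
 enable outside
 anyconnect enable
 ! This is the setting behind the missing drop-down: without it AnyConnect
 ! never shows the profile selector, so users silently land in the default profile.
 tunnel-group-list enable

! Profile 1: domain users. "RADIUS-GRP LOCAL" is the CLI form of
! "Use LOCAL if Server Group fails". The fallback only triggers when the
! RADIUS servers are unreachable, not when RADIUS rejects the credentials,
! which is why a local-only user is denied here rather than handed to LOCAL.
tunnel-group RA-DOMAIN type remote-access
tunnel-group RA-DOMAIN general-attributes
 authentication-server-group RADIUS-GRP LOCAL
 default-group-policy GP-RA
tunnel-group RA-DOMAIN webvpn-attributes
 group-alias Domain enable
 group-url https://vpn.example.com/domain enable

! Profile 2: local users only, authenticated against the ASA's own database.
tunnel-group RA-LOCAL type remote-access
tunnel-group RA-LOCAL general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-RA
tunnel-group RA-LOCAL webvpn-attributes
 group-alias Local enable
 group-url https://vpn.example.com/local enable

! Assumed local account; privilege 0 keeps a VPN-only user off the management CLI.
username jdoe password <password-placeholder> privilege 0
username jdoe attributes
 service-type remote-access
```

With `tunnel-group-list enable` set, the group-alias values appear in the AnyConnect drop-down; the group-url lines let a user skip the selector entirely by connecting to the profile-specific URL. Keeping `default-group-policy` identical on both profiles avoids the two populations ending up with different split-tunnel or ACL settings by accident.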
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...