Cisco Support Community

New Member

Can't connect using AnyConnect. Using Kerberos to authenticate via AD

Hi Everyone

I'm trying to configure my ASA with AnyConnect in my test lab but I'm coming across problems. Basically I'm authenticating usernames and passwords using Active Directory (Kerberos). Now from the ASDM I can test Active Directory authentication and it's successful. Now when I'm trying to use AnyConnect from my PC it's failing. No error messages come up! Don't know what I'm doing wrong here, so was just wondering if anyone can take a look at my config and help me find any mistakes. Any help is appreciated. Thanks

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.167.10 255.255.255.240 standby 192.168.167.11
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.0.10 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ACuserPOOL 10.10.0.11-10.10.0.13 mask 255.255.0.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 192.168.167.12 1
route inside 10.11.14.0 255.255.255.0 10.0.0.1 1
route inside 10.11.14.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACauthentication protocol kerberos
aaa-server ACauthentication (inside) host 10.11.14.103
timeout 5
kerberos-realm LAB.NET
aaa authentication http console ACauthentication
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.0.11
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ACpolicy internal
group-policy ACpolicy attributes
vpn-tunnel-protocol svc
tunnel-group ACusers type remote-access
tunnel-group ACusers general-attributes
address-pool ACuserPOOL
authentication-server-group ACauthentication
default-group-policy ACpolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip

5 REPLIES
New Member

Re: Cant connect using anyconnect. Using Kerberos to authenticat

Anyone? Really struggling with this :-( The authentication test is successful and I can ping from my host to the outside firewall interface. Can someone point me in the right direction? Thanks

Cisco Employee

Re: Cant connect using anyconnect. Using Kerberos to authenticat

2 things:

Make sure time is synched between your ASA and your AD server - kerberos is time sensitive.

In your user settings in AD, there is a checkbox for 'require kerberos pre-authentication'.  Try selecting/deselecting that box and see if there is any change in behavior.

Also - what is the OS of the AD server?

If that doesn't work, get a 'debug aaa common 255' and 'debug kerberos 255' from the ASA.

New Member

Re: Cant connect using anyconnect. Using Kerberos to authenticat

Hi

The AD and ASA are time synched with an external NTP server and I know this works fine as I have tested it in ASDM. It even authenticates the usernames. I have some users with pre-authentication enabled and some disabled. The OS is Server 2003. Anyway, I've enabled the debug and I can't make sense of it. I haven't touched firewalls in years. Here's the output from the debug:

AAA API: In aaa_open
AAA session opened: handle = 205
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(6d9c6a80) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LOCAL)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: user1
Resp:
In localauth_ioctl
Local authentication of user user1
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 205, pAcb = 6f3e43a4
aaa_backend_callback: Error:
AAA task: aaa_process_msg(6d9c6a80) received message type 1
AAA FSM: In AAA_ProcSvrResp

Back End response:
------------------
Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = , tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None

user policy attributes:
None

tunnel policy attributes:
None


Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(6d9c6a80) received message type 3
In aaai_close_session (205)

Cisco Employee

Re: Cant connect using anyconnect. Using Kerberos to authenticat

It looks like you're landing on the LOCAL authentication server

Initiating authentication to primary server (Svr Grp: LOCAL)  <---- LOCAL

Which is probably due to the fact that you are landing on the DefaultWEBVPNGroup (where SSL connections will land by default unless configured otherwise) connection profile/tunnel-group and it's set for local authentication by default.

You can either change the authentication on that group to be your kerberos AAA group, or make the tunnel-group/connection profile available to be chosen instead of DefaultWEBVPNGroup:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

--Jason
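
The mismatch described in the reply above can be checked mechanically. This Python script is an added example, not part of the original thread and not Cisco tooling: it compares the server group named in the 'debug aaa common' output with what each tunnel-group in the running-config expects. The function names and the trimmed sample inputs are constructed for illustration, and the parser assumes only the tunnel-group and webvpn commands discussed in this thread.

```python
import re

DEFAULT_GROUP = "DefaultWEBVPNGroup"  # where SSL sessions land unless a profile is chosen

# Constructed sample: the relevant lines of the running-config posted in the thread.
RUNNING_CONFIG = """\
webvpn
 enable outside
 svc enable
tunnel-group ACusers type remote-access
tunnel-group ACusers general-attributes
 address-pool ACuserPOOL
 authentication-server-group ACauthentication
"""

# Constructed sample: two lines copied from the posted 'debug aaa common 255' output.
DEBUG_OUTPUT = """\
Initiating authentication to primary server (Svr Grp: LOCAL)
Auth Status = REJECT
"""

def parse_profiles(config):
    """Return {tunnel-group: {'auth': server group, 'selectable': bool}}."""
    fresh = {"auth": "LOCAL", "alias": False, "url": False}  # LOCAL is the default
    profiles = {DEFAULT_GROUP: dict(fresh)}
    current, list_enabled = None, False
    for line in (raw.strip() for raw in config.splitlines()):
        header = re.match(r"tunnel-group (\S+) (type|general-attributes|webvpn-attributes)", line)
        if header:
            current = profiles.setdefault(header.group(1), dict(fresh))
        elif line == "tunnel-group-list enable":
            list_enabled = True
        elif current is not None and line.startswith("authentication-server-group "):
            current["auth"] = line.split()[1]
        elif current is not None and re.match(r"group-(alias|url) \S+ enable$", line):
            current[line.split()[0][6:]] = True  # key is 'alias' or 'url'
    # An alias only helps when the group list is enabled; a group-url works alone.
    return {name: {"auth": p["auth"], "selectable": p["url"] or (p["alias"] and list_enabled)}
            for name, p in profiles.items()}

def diagnose(config, debug):
    """Compare the server group seen in the debug with what each profile expects."""
    profiles = parse_profiles(config)
    m = re.search(r"\(Svr Grp: ([^)]+)\)", debug)
    used = m.group(1) if m else None
    # Profiles that point at another AAA group but cannot be chosen by the client.
    unreachable = sorted(n for n, p in profiles.items()
                         if n != DEFAULT_GROUP and not p["selectable"] and p["auth"] != used)
    return {"server_group_used": used,
            "default_group_auth": profiles[DEFAULT_GROUP]["auth"],
            "unreachable_profiles": unreachable}
```

For the posted configuration, diagnose(RUNNING_CONFIG, DEBUG_OUTPUT) reports that LOCAL was used and that ACusers is configured for ACauthentication but cannot be selected, which matches the two remedies given in the reply.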

New Member

Re: Cant connect using anyconnect. Using Kerberos to authenticat

Hi

I've just changed the authentication from Kerberos to LDAP but I still seem to be getting the same problem... I've attached the config file with the debugs as well! This is becoming a bit of a nightmare for me :-(

Thanks as always
