
VPN Client login issue

Tom Leonard
Level 1

I'm having a problem getting a VPN login script to work after an upgrade of the VPN server.  The server is a HA pair of Cisco 5545X's with Cisco Secure ACS 5.4.0.46.  The client is a Windows Server 2000 system running Cisco VPN Client 5.0.05.290.  The connection profile uses group authentication with a blank domain and stored user name and password.  GUI logon works fine.  However, when I do a command line login of the form:

c:\ vpnclient connect vpn_server_connection_profile user user_name pwd password stdin < vpn.in

where:

vpn.in contains a "y" to satisfy a UAP banner request to proceed.

The problem is that the client still insists on opening the user authentication GUI window already populated with the proper user_name and password.

All that is required is a simple "OK" mouse click.  This is supposed to be an unattended process.  It used to work fine with an earlier version of the VPN server.

Can anyone shed some light on how to fix this so no GUI interaction is required?

Many Thanks.

P.S. My understanding is that there is no AnyConnect client for Windows 2000 Server, so we can't go that route.

Update: Tarik requested information on the ASA software levels.  Here is what I could get from the network security tech.  Hope it helps.

The previous ACS's were very old.  They were 1113's running 3.1.

The ASA's were 3000 series I believe.  I do not know what code these were running.

Moving to the VPN forum as suggested.  


Tarik Admani
VIP Alumni

Tom,

Just so I understand, the authentication piece is working fine and the IPsec client banner is being accepted; however, you are still being redirected when you try to surf to Google?

What happens if you remove the script from the equation and try authenticating? Are you still redirected after accepting the client's banner?

I can safely say that ACS is not the issue since RADIUS should not control the messaging between the client and the server after the session is authorized.

You may want to move this over to the VPN forums to see if the response or behavior has changed, also include which version of ASA code this worked on and what version you are at.

Tarik Admani
*Please rate helpful posts*

Tom Leonard
Level 1

Tarik,

In GUI mode, I can start the VPNClient, initiate the connection using a defined profile that has a stored password, get the User Authentication screen that has the correct Username and Password already filled in for the profile, click OK, get the Banner, click continue and the connection is established and fully ready to use.  In my case, the tunnel connects to an IBM mainframe so no browser is involved.

In scripted mode, even though I have the Username and Password stored in the connection profile, I still get the User Authentication GUI screen and have to click OK.  I should not have any GUI interaction in scripted (command line) mode.

The issue is not after the connection is made, but with the User Authentication screen before the connection is made.

Tom

Tom Leonard
Level 1

Still have this problem.  Can anyone suggest an alternate solution path, please?