User Not Authorized For Anyconnect Client Access

Posted on  by 



Please note: During the COVID-19 work-at-home period, the need for signing a Remote User Agreement (RUA ) is waived. If you plan to telework after the crisis i s over, you will be required to submit the RUA. Users are responsible to comply with the RUA despite not signing the document. See details here. For Midshipmen: Cisco VPN Authorized. The client endpoint does not have the correct user profile to initiate an IKEv2 connection. The AAA server that is being used does not authorize IKEv2 as the connection mechanism. The administrator is restricting access to this specific user. The IKEv2 protocol is not. This means that local devices, such as printers, may not work when you are connected to VPN. The client you use to connect to VPN (AnyConnect) will auto update upon connection. To use the new VPN, please follow the steps below: In the AnyConnect client, enter 'vpn.uab.edu' in the connect window and click 'Connect'. Authorized: Select whether this user is authorized to use the client VPN. To edit an existing user, click on the user under the User Management section. To delete a user, click the X next to the user on the right side of the user list. When using Meraki-hosted authentication, the user's email address is the username that is used for authentication. Jan 09, 2013 I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon.

The purpose of this article will be to authenticate SSL AnyConnect VPN users to a specific profile dependant on their Active Directory (AD) group membership.
First we need an AD user account that will be used by the ASA to query LDAP. This doesn't need to be a domain admin or anything, so just create a user with a strong password (set it so password doesn't expire etc).
We will also need to create, or take note of the AD group that will be used to identify to which VPN profile users will be authorised to access. For example, in this article we will have an AD group called 'Grp_GI_VPN_Tech', any user that is a member of that group will be authorised to access our AnyConnect profile named the same (I used the same names, you don't have to).

Cisco ASA – AnyConnect VPN With Active Directory ...

They won't however be able to access any other profile (unless they are a member of the relevant group as well).
So first step, let's set up our ASA to be able to query LDAP:
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add
Now create a name for the group, such as 'VPN-LDAP', select protocol LDAP and leave the rest as default.

Now select your new server group, and we are going to add your domain controller(s) to the group from the next section (Servers in the Selected Group).
Select the interface via which your DC is accessible, likely Inside.
Server port: 389 (unless you're using LDAP over SSL)
Base DN: This determines where the ASA will look for users, in my case our users are spread out from the root OU, and therefore I will put the root of my domain. If your users were for example all under Users then you could go one level up. Eg. CN=Users,DC=mydomain,DC=loc
Scope: Determines to which sub-level the ASA will search
Login DN: This will be the user you created earlier to query LDAP, enter the fully distinguished name
Login Password: The strong password you created earlier
If you have a secondary DC, add that in the same way as above, your AAA Server Group will then have two servers configured for redundancy.

Now our ASA can query LDAP, we can start making the VPN's:
Configuration > Remote Access VPN > AnyConnectConnection Profiles
First we should enable AnyConnect on our outside interface, if not already done, therefore select the option and choose your interface, then select to bypass the interface ACLs for inbound sessions.
We will also select to allow users to select the connection profile on the login page, although they will see all of your profiles when they connect, they will only be able to access the ones that you determine via their AD group membership.
So far we should be looking something like this (dependant on your interfaces).

Now let's create our Connection Profile, select Add in the section below:

AnyConnect VPN Client FAQ

Name: Call this what you like, I find it useful to label it the same as your AD group, for easy management, so for our example I am going to call it Grp_GI_VPN_Tech.
Alias: This is what your users will see on their AnyConnect client, so label this clearly for them, such as 'Tech Department'.
Client
AAA Server Group: Here we select the group we created previously, in this example VPN-LDAP
Client Address Assignment: Depending on how you want to assign your VPN users an IP address will determine what you put here. For this example I am going to have the ASA assign an IP address by creating an IP range within Client Address Pools.
Group Policy: We need to create this next, so for now just select any existing policy, such as DfltGrpPolicy
Disable IPsec(IKEv2) client protocol
The advanced options we leave as default so press OK.

Now let's create our Group Policy (not related to AD GPO).

User Not Authorized For Anyconnect Client Access System

Add a new Internal Group Policy:
We can leave most of the General options inherited, however add the name you want (again I will keep it simple by using Grp_GI_VPN_Tech)
Under More Options we will explicitly define the following:
IPv4 Filter: Here we need to make an ACL determining what we want to allow our users to access on our inside LAN, eg. RDP to our terminal server, DNS query against our DC etc
Simultaneous Logins: Put here how many users should access at once, dependant on your licensing
Cisco asa user not authorized for anyconnect client access
Connection Profile Lock: Select our connection profile we created previously

Under the Servers tab, explicitly define your DNS/WINS/Default Domain again
If you want to use Split Tunneling, then select your Policy and Network List under Advanced > Split Tunneling.
User Not Authorized For Anyconnect Client Access

Now we go back to our AnyConnect Connection Profile and select our newly created Group Policy where we previously just used DfltGrpPolicy.

The final step is to restrict users to only access the VPN that their AD group membership allows, so navigate to Configuration > Remote Access VPN > Dynamic Access Policies
Policy Name: For simplicity, I will call this Grp_GI_VPN_Tech
ACL Priority: Doesn't really matter, let's just start at 100 and count down for each new VPN we make in future
Select User has ALL of the following AAA Attributes values...
AAA Attribute Type: Cisco
OK

See More Results

AAA Attribute Type: LDAP
Value: = Choose your AD group, example here is Grp_GI_VPN_Tech of course
Now ensure the Action is set to Continue, and press OK.
The final step now is to deny access for unauthorised users, so Edit the DfltAccessPolicy and ensure it is set to Terminate, supply a message for the users here if you like.

UserBecause
We should now be good to go, so fire up your test client and test.
Of course, you will need to repeat the steps for each additional VPN you create (except your AAA Server Groups, they don't need to be touched).
Please comment if you find anything incorrect, or have any questions!






Coments are closed