Thursday, July 10, 2014

How to assign ACLs to Cisco VPN user via RADIUS

While setting up per-user ACLs in RADIUS for my VPN users I noticed some issues with the current online documentation. I am using a Cisco ASA 9.2(2) as the VPN concentrator and FreeRADIUS 3.0.2 as the RADIUS server. In the RADIUS users file you need to add your ACLs in this manner:

testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any 192.168.1.0 255.255.255.0",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 192.168.255.97,
   Framed-IP-Netmask = 255.255.255.0,
   Reply-Message = "This is a test message"


Note the use of "ip:inacl" rather than "ip.inacl", which most current online documentation shows. Also, make sure you use "+=" on every line other than the first, so that each ACL entry is appended instead of overwriting the previous one.
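As an added example (not from the post), the following Python lint checks a FreeRADIUS users entry for the two pitfalls above and for ascending inacl sequence numbers; the sample entry is constructed, and only the endpoint forms the post uses ("any" or "addr mask") are accepted in the ACEs.

```python
import ipaddress
import re
# Constructed sample entry modelled on the post's users-file layout (not from the page).
GOOD_ENTRY = '''testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any 192.168.1.0 255.255.255.0",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User
'''
AVPAIR_RE = re.compile(r'^\s*Cisco-AVPair\s*(\+?=)\s*"([^"]*)"\s*,?\s*$')
INACL_RE = re.compile(r'^ip:inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.*)$')

def _endpoint(tokens, i):
    """Consume 'any' or '<addr> <mask>' at tokens[i]; return next index, or None if malformed."""
    try:
        if tokens[i] == "any":
            return i + 1
        ipaddress.IPv4Address(tokens[i])
        ipaddress.IPv4Address(tokens[i + 1])
        return i + 2
    except (IndexError, ValueError):
        return None

def lint_avpairs(entry):
    """Return the problems found in the Cisco-AVPair reply items of one users-file entry."""
    problems, seqs, first = [], [], True
    for n, line in enumerate(entry.splitlines(), 1):
        m = AVPAIR_RE.match(line)
        if not m:
            continue
        op, value = m.groups()
        # Pitfall 1 from the post: every Cisco-AVPair after the first must use "+=".
        if not first and op != "+=":
            problems.append(f"line {n}: later Cisco-AVPair uses '{op}', use '+='")
        first = False
        # Pitfall 2 from the post: the prefix is "ip:inacl", not "ip.inacl".
        if value.startswith("ip.inacl"):
            problems.append(f"line {n}: 'ip.inacl' is wrong, use 'ip:inacl'")
            continue
        acl = INACL_RE.match(value)
        if not acl:
            problems.append(f"line {n}: unrecognised AVPair value {value!r}")
            continue
        seqs.append(int(acl.group(1)))
        tokens = acl.group(4).split()
        j = _endpoint(tokens, 0)
        j = _endpoint(tokens, j) if j is not None else None
        if j != len(tokens):
            problems.append(f"line {n}: ACE {value!r} has a malformed source/destination")
    if seqs != sorted(seqs):
        problems.append(f"inacl sequence numbers are not ascending: {seqs}")
    return problems
```

Run it against your own users file entry by entry before restarting FreeRADIUS; an empty list means both pitfalls are absent.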

Thursday, July 3, 2014

Cisco AnyConnect Secure Mobility Client Authentication Errors

I recently ran into a problem where I would get the dreaded "User not authorized for AnyConnect Client access, contact your administrator" error message from my Cisco ASA running version 9.2(2) when trying to connect to the VPN service (IPSec, IKEv2). The really frustrating part was my Mac could connect just fine, but my Windows VM would not. After some research I figured out what the fundamental problem was and what was causing it.

The main issue was the AnyConnect Client Profile was not getting downloaded to the Windows machine. The reason my Mac worked is that I had successfully downloaded it at some point and it was cached. On Windows 7 you can find the file in the following directory:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

On Mac you can find the same profile in:
/opt/cisco/anyconnect/profile

The reason it was not getting downloaded is that I had turned off the SSL Access configuration in the AnyConnect Connection Profiles interface section, since I was not using it. Turn this back on, and voilà, it works. So if you are getting the dreaded error, check first whether you have your AnyConnect Client Profile.