Friday, February 22, 2019

One user unable to log into Cisco AnyConnect

Checked: I can log in. Other users can log in from this machine. The user in question cannot.

A direct comparison in active directory shows that this user has everything needed to connect (supposedly), just as I and others do.

The machine is connecting through an ASA, which is talking to ISE, which is talking to AD.

On the firewall I get an AAA user authentication rejected = AAA failure

I can log in fine...

I cloned the user in AD for testing but I'm not seeing anything.

Things that are not on the table are: adjustments to the ASA itself, or ISE. They work for everyone else but this user.

Logs on ASA from attempted login:

Built inbound TCP connection ### for outside:IP/PORT to identity: IP/PORT

Starting SSL handshake with client outside:IP/PORT to IP/PORT for TLS session

SSL client outside:IP/PORT to IP/PORT request to resume previous session

Device completed SSL handshake with client outside:IP/PORT to IP/PORT for TLSv1 session

AAA user authentication Rejected : reason = AAA failure : server = SERVERIP: user = ***** : user IP = USERIP

SSL session with client outside:IP/PORT to IP/PORT terminated

Teardown TCP connection 15620376 for outside:IP/PORT to identity:IP/PORT duration 0:00:00 bytes 1216 TCP FINs

My only thought is that there is something wrong in Active Directory. It has to be...but I'm posting this in case someone else has run into something else that could cause this?


Edit:

Radius Logs from ISE

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Network Access.Device IP Address

15048 Queried PIP - Network Access.Protocol

15048 Queried PIP - Radius.Service-Type

15048 Queried PIP - DEVICE.Device Type

15048 Queried PIP - Normalised Radius.RadiusFlowType

15041 Evaluating Identity Policy

15013 Selected Identity Source - DERP

24430 Authenticating user against Active Directory - DERP

24325 Resolving identity - copieduser

24313 Search for matching accounts at join point - derp.net

24319 Single matching account found in forest - derp.net

24367 Skipping unusable domain - ONE,Domain trust is one-way

24367 Skipping unusable domain - TWO,Domain trust is one-way

24367 Skipping unusable domain - THREE,Domain trust is one-way

24323 Identity resolution detected single matching account

24343 RPC Logon request succeeded - copieduser@derp.net

24402 User authentication against Active Directory succeeded - DERP

22037 Authentication Passed

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

15036 Evaluating Authorization Policy

15048 Queried PIP - Network Access.Protocol

24432 Looking up user in Active Directory - DERP

24355 LDAP fetch succeeded - derp.net

24416 User's Groups retrieval from Active Directory succeeded - DERP

15048 Queried PIP - DERP.ExternalGroups (12 times)

15016 Selected Authorization Profile - DenyAccess

15039 Rejected per authorization profile

11003 Returned RADIUS Access-Reject
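The ASA only reports "AAA failure", but the ISE step list above separates two very different things: AD accepted the credentials (22037 Authentication Passed) and the reject came from the authorization policy (15016 DenyAccess, 15039). The following is an added example, not code from the post or from Cisco: it splits a flattened ISE step list into codes and messages and reports which stage produced the Access-Reject. The sample text is taken from the post's log (shortened, link wrappers removed); the stage rule is my own heuristic, not an ISE definition.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the ISE step list from the post, with the markdown
# link wrappers removed and most of the repeated "Queried PIP" steps dropped.
ISE_STEPS = (
    "11001 Received RADIUS Access-Request 11017 RADIUS created a new session "
    "15041 Evaluating Identity Policy 15013 Selected Identity Source - DERP "
    "24430 Authenticating user against Active Directory - DERP "
    "24343 RPC Logon request succeeded - copieduser@derp.net "
    "24402 User authentication against Active Directory succeeded - DERP "
    "22037 Authentication Passed "
    "15036 Evaluating Authorization Policy "
    "24416 User's Groups retrieval from Active Directory succeeded - DERP "
    "15048 Queried PIP - DERP.ExternalGroups (12 times) "
    "15016 Selected Authorization Profile - DenyAccess "
    "15039 Rejected per authorization profile "
    "11003 Returned RADIUS Access-Reject"
)

# Each step is a 5-digit code followed by its message, up to the next code.
STEP_RE = re.compile(r"(\d{5})\s+(.*?)(?=\s\d{5}\s|$)")


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Split a flattened ISE step list into (code, message) pairs."""
    flat = " ".join(text.split())  # collapse any line breaks from copy/paste
    return [(m.group(1), m.group(2).strip()) for m in STEP_RE.finditer(flat)]


def diagnose(steps: List[Tuple[str, str]]) -> Dict[str, object]:
    """Report whether the request was rejected and at which stage.

    Heuristic (assumption): 22037 means AD accepted the credentials, so a
    later 15039 is a policy/group decision, not a bad password or account.
    """
    codes = {code for code, _ in steps}
    # 15016 carries the chosen authorization profile after the last " - ".
    profile = next((m.rsplit(" - ", 1)[-1] for c, m in steps if c == "15016"), None)
    if "11003" not in codes:
        return {"rejected": False, "stage": None, "profile": profile}
    if "22037" in codes and "15039" in codes:
        stage = "authorization"   # credentials fine; look at authz rules/groups
    elif "22037" not in codes:
        stage = "authentication"  # never got past identity resolution / AD logon
    else:
        stage = "unknown"
    return {"rejected": True, "stage": stage, "profile": profile}
```

For the log in this post the result is stage "authorization" with profile "DenyAccess", which points at the ExternalGroups comparisons in the authorization rules rather than at the account's password or enabled state.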

