AnyConnect VPN Authentication Failure
I am having some trouble with a new setup for Cisco ASA AnyConnect Authentication. We are running 9.6(3) on our ASA, with Authentication Manager v. 8.2.
We pulled our AD structure in for our user source, and they are currently in SystemDomain by default. When I try to use the SecurID soft token with my pin to generate a passcode for AnyConnect, the monitor reports:
User "username" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain".
This says to me I haven't tied those two items (the authenticator and the security domain) together somehow. What have I missed?
Here is the full output from the console:
|Date & Time:||2017-09-01 15:44:21.934|
|Activity Key:||Principal authentication|
|Description:||User “bdecker” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”|
|Action Result Key:||Failure|
|Result:||Authentication method failed|
|User First Name:||Bryan|
|User Last Name:||Decker|
|User Security Domain:||SystemDomain|
|User Identity Source Name:||Non GC Active Directory|
|Agent Security Domain:||SystemDomain|
|Server Node IP:||10.21.0.13|
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
- securid native
This error is pretty generic and doesn't mean that there is something wrong with the location of the users and tokens in the security domain. Probably you have something wrong with your token, either it's out of sync or maybe the pin is not correct. Best thing to do is to test the authentication on the self-service portal. It has the same URL of the security console but ends with console-selfservice instead of console-ims. If this fails as well then you probably will need to open a support case to do a live troubleshooting,
For future reference, the following is not an error message:
User “bdecker” attempted to authenticate using authenticator “SecurID_Native.”
The user belongs to security domain “SystemDomain.”
That message in the Description field is just explains what was happening. You tried to authenticate to the Authentication Manager server using the SecurID Native protocol and you exist in the SystemDomain security domain. The reason why the authentication failed is shown in the Action Result Key and Result Key fields, that is AUTHN_METHOD_FAILED and Authentication method failed.
As Nada Khaled mentioned, that error can display for several reasons. Confirming the token is working through the Self-Service console is a good place to start. If it works, we know the time offset between the token and the server is correct and we can look at other causes. If it fails, you may want to try to Resynchronize a Token and test the ASA again.
If the ASA is new, please check the Cisco Systems Inc. - Technology Integrations implementation guide for the ASA to ensure your configuration is correct. One thing that might cause the authentication method failed error is if the ASA has multiple IP addresses. If you set up your authentication agent information in the Security Console for IP address 188.8.131.52 and the traffic is coming from the ASA on 184.108.40.206, authentication will fail. On the ASA, confirm all of the IP addresses that belong to it. Once you have the list, go back to the agent record in the Security Console (Access > Authentication Agent > Manage Existing) and go through the list of all of the IP addresses. Make the change, save the agent update and test the ASA with the real time authentication activity monitor (Reporting > Real Time > Authentication Activity Monitor) open to see how the authentication request is handled by the server.
Since it says 'new' then I assume the node secret is not yet created.
I could not find this KB on Link, but KB 29015 - Why does an IP address override fix an Initial authentication failures with
no details: "Authentication Method Failed"
explains why this has failed, and how you might fix it.
Well, it isn't getting any better.
The self-service portal also failed, giving essentially the same output in the event monitor. I tried to resynchronize the token and got this:
The ASA IP address is correct. For what it's worth, the output in the event monitor is entirely different when you have the wrong IP on the authentication agent. It reports back:
Rather than the event message I am getting.
So, i am going to work on Jay's suggestion now, and see how much progress I can make.
And now I am having trouble generating a node secret. It's kicking back a length issue related to the realm default password policy, but with the "RSA Initial Password Policy" being the only one, and generating a 32 character password, I'm not sure why it's failing.
Even though Cisco ASA guide says sdopts.rec not implemented, you can still use one, you just have to create it yourself and put it in the same place as where the node secret and status files would go, in Memory.
Your sdopts.rec should have
I really feel like i'm missing some key parts here. I'm going to go back, review the settings and documentation for initial setup and start over. Thanks everyone!