User Not Authorized For Anyconnect Client Access

by



A Remote Access VPN connection profile defines the characteristics that allow external users to create a VPN connection to the system using the AnyConnect client. Each profile defines the AAA servers and certificates used for authenticating users, the address pool for assigning users IP addresses, and the group policies that define various user. I have a mapped drive gpo that is not working for Cisco AnyConnect VPN users unless I do a gpupdate /force and have them log off and then log back on again. I do not have this issue with any users that are plugged into the network and then log off and back on again. These users are mainly on Windows XP 32 bit if that helps at all.

As you’ll see, you can initiate a client-based SSL VPN session from a broad range of devices and operating systems that support the install of AnyConnect Client (desktops, laptops, mobile devices), as shown in Figure 3-1.

User Not Authorized For Anyconnect Client Access

Figure 3-1 AnyConnect SSL VPN

Cisco VPN :: AnyConnect Error User Not Authorized For Client ...

FAQ

Deploying a Basic Cisco AnyConnect Full-Tunnel SSL VPN Solution

Client

Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks for this scenario are as follows:

  1. Configure the basic ASA SSL VPN gateway features.
  2. Configure local user authentication.
  3. Configure IPv4/IPv6 address assignment.
  4. Configure basic access control.
  5. Install the Cisco AnyConnect Secure Mobility Client.

Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).

Configuring Basic Cisco ASA SSL VPN Gateway Features

To initially prepare the ASA for SSL VPN termination, complete the following steps:

  • STEP 1. Provision the ASA with an identity certificate. Your options are as follows:
    • Use a self-signed certificate.
    • Enroll ASA in Public Key Infrastructure (PKI) with Simple Certificate Enrollment Protocol (SCEP).
    • Enroll ASA in PKI with manual cut-and-paste method enrollment.

    To install a self-signed certificate using the ASDM, navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates and click Add. Give the PKI trustpoint a name, choose Add a New Identity Certificate, check Generate Self-Signed Certificate, and then click Add Certificate. To configure a self-signed certificate via the command-line interface (CLI), use the following commands:

    To enroll with SCEP by using the ASDM, navigate to same section as for self-signed certificates. Give the PKI trustpoint a name, choose Add a New Identity Certificate (do not check Generate Self-Signed Certificate), and click the Advanced button for enrollment options. From here, you have two options:

    • For SCEP enrollment, navigate to Enrollment Mode and choose the Request from a CA method and complete the URL (which is in the form http://IP_ADDRESS/certserv/mscep/mscep.dll). Navigate to SCEP Challenge Password and provide the challenge in case the certificate authority (CA) requires it.
    • For manual enrollment, navigate to Enrollment Mode and choose Request by Manual Enrollment. This requires an additional step: After the certificate is issued, it needs to be imported onto the ASA from a file. For this, select the created trustpoint and click Install. In the new window, choose Install from a File and provide the full path to the base64-encoded certificate.

    To configure SCEP enrollment via the CLI, use the following commands:

  • STEP 2. Load the AnyConnect image onto the ASA.
  • There are different AnyConnect web deployment packages (PKG files) for different client operating systems. Choose the one you need, download it from Cisco.com, and load it into ASA flash memory. To make the transfer using the ASDM, navigate to Tools > File Management.
  • STEP 3. Enable SSL VPN termination on desired interfaces.
  • To enable SSL using the ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and check the Enable Cisco AnyConnect VPN Client Access on the Interfaces Selected in the Table Below check box. In the pop-up window, select the AnyConnect image. Choose Allow Access and, optionally, Enable DTLS for desired interfaces.

  • To enable SSL via the CLI, use the following commands:

  • STEP 4. Configure and optionally tune SSL Transport Layer Security (TLS) settings. Here, you can tune SSL VPN by allowing only certain SSL/TLS versions and algorithms and by specifying the identity certificate used (if many exist). To configure it using the ASDM, navigate to Configuration > Remote Access VPN > Advanced > SSL Settings (see Figure 3-2).

    To configure it via the CLI, use the following commands:

User Not Authorized For Anyconnect Client Access Portal

Nov 11, 2012

Windows 7 Home RDP Client Issues - Spiceworks

We currently have an ASA 5505 Firewall with VPN services configured. The system is running ASA Version 9.0.0 and ADSDM 7.0.2. I installed the 'Cisco AnyConnect Sercure Mobility Client' Version 3.1.01065 on my Windows 7 Ultimate PC. When I try to connect to my VPN service I ge the following message:
Security Warning: Untrusted VPN Server Certificate! AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX
-Certifiate does not match the server name
-Certificate is from an untrusted source.
-Certificate is not identified for this purpose.
Without purchasing a certificate from a 3rd Party vendor, is it possible to register a 'Self' generated Certificate to get rid of this message? If so are there any 'Detailed' (e.g., simplified or not in Cisco-eeze language) instructions on how to setup the Firewall to 'push' the certificate to the VPN client so the message doesn't come up for the user?