# Cisco anyconnect vpn login failed how to

If you get the following error when connecting to a Cisco AnyConnect VPN from Windows, it's because the VPN establishment capability in the client profile doesn't allow connections from a remote desktop session:

VPN establishment capability for a remote user is disabled. A VPN connection will not be established.

The client profile is an XML file that gets pushed out to the AnyConnect client every time the VPN is established. The correct way to fix this is by configuring the Citrix VPN profile on the ASA. Usually this is done by the ASA administrator using the Cisco Adaptive Security Device Manager (ASDM). If you're the ASA administrator, read this article for instructions on how to configure this.

But what if you're not the ASA administrator, or the admin can't or won't make this change for some reason? We can hack it! I don't normally write blog posts like this, but I honestly can't think of a single good reason to block VPN access from a remote desktop, so I don't consider this bypassing a security setting.

Here's how to get around it. First, open the client profile XML file in Notepad. It's located in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder. Edit the tag to use AllowRemoteUsers instead of LocalUsersOnly. Now save the profile to your Desktop or another location with a .BAK extension. For example, if the original profile name is ContosoVPN.xml, save it as ContosoVPN.bak. Finally, copy the BAK file to the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder.

When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change, I swapped to using Kerberos VPN authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group, "VPN-Users", so I thought I would use LDAP for a change.

The process is to set up AAA for LDAP, then create an 'Attribute map' for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be honest, if you have multiple groups and want to assign different levels of access (i.e. different ACLs etc.), then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot simpler. I'll post both options, and you can take your pick.

## Solution

Firstly you need to create a 'service account' in Active Directory that the ASA will use; it only needs to be able to browse the AD, so a simple Domain User is fine. Then create a user group that you want to grant AnyConnect access to. And then create a test user and put that user in your domain group. Create an AAA LDAP Server Group > Add a Server > Put in the config for that server like so:

Is anyone else having issues with the fact that OpenLDAP will return memberOf only if it explicitly

ldapsearch -x -h localhost -x -b 'dc=ps,dc=my,dc=com' "uid=dms.user" memberOf

dn: uid=dms.user,ou=dms,ou=People,dc=ps,dc=my,dc=com
memberOf: cn=DMS_Group,ou=Groups,dc=ps,dc=my,dc=com
ModifiersName: cn=Manager,dc=ps,dc=my,dc=com
EntryDN: uid=dms.
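To make the attribute-map step concrete, here is an added Python example (not from either post, and not Cisco's code) that parses ldapsearch-style LDIF like the output quoted in the OpenLDAP comment and applies a constructed memberOf-to-group-policy map the way the ASA does, sending users with no mapped group (or, as in the OpenLDAP case, no memberOf returned at all) to a NOACCESS policy instead of a permissive default. The map, the policy names and the sample entries are assumptions.

```python
# Added example (not from the post or Cisco): simulate an ASA LDAP attribute map,
# memberOf value -> ASA group policy, over ldapsearch-style LDIF output.

# Constructed attribute map (DN -> group policy); DNs match case-insensitively.
ATTRIBUTE_MAP = {
    "cn=vpn-users,ou=groups,dc=ps,dc=my,dc=com": "GP_VPN_USERS",
    "cn=dms_group,ou=groups,dc=ps,dc=my,dc=com": "GP_DMS",
}
NO_ACCESS_POLICY = "NOACCESS"  # assumed default policy (vpn-simultaneous-logins 0)

# Constructed LDIF modelled on the ldapsearch output quoted in the post.
SAMPLE_LDIF = """\
dn: uid=dms.user,ou=dms,ou=People,dc=ps,dc=my,dc=com
memberOf: cn=DMS_Group,ou=Groups,dc=ps,dc=my,dc=com
modifiersName: cn=Manager,dc=ps,dc=my,dc=com
"""
# The same user as OpenLDAP returns it when memberOf is not requested explicitly.
SAMPLE_LDIF_NO_MEMBEROF = """\
dn: uid=dms.user,ou=dms,ou=People,dc=ps,dc=my,dc=com
cn: dms.user
"""


def parse_ldif(text):
    """Return {attribute(lowercase): [values]} for one LDIF entry.
    Unfolds continuation lines (leading space) and skips comments;
    base64 ('::') values are out of scope here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped value
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def assign_group_policy(entry, attribute_map=ATTRIBUTE_MAP):
    """First memberOf value with a mapping wins, as the ASA applies the map.
    No mapped group, or no memberOf at all, falls to NOACCESS rather than
    to a permissive default."""
    for group_dn in entry.get("memberof", []):
        policy = attribute_map.get(group_dn.lower())
        if policy:
            return policy
    return NO_ACCESS_POLICY
```

Running `assign_group_policy(parse_ldif(SAMPLE_LDIF))` yields GP_DMS, while the entry without memberOf yields NOACCESS, which is the behaviour you want to verify with your test user before going live.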