Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2203
Views
0
Helpful
1
Replies

Anyconnect Login Error When Dacl Is applied with Duo Proxy's bypassed Users

atrif
Level 1
Level 1

‎04-02-2020 04:59 PM

Hi team,
Our scenario is protecting Radius SSL vpn Users with cisco ISE
the Duo Auth Proxy is sitting in middle between the ISE and the cisco ASA.
on cisco ASA ssl vpn profile we have DUO auth Proxy as the AAA radius server.
everything is working good until we hit the following use cases:

  • a not defined users on the duo portal “bypassed by 2FA”

  • and a downloadable ACL is applied on the authorization profile on cisco ISE
    with this use case the users get login error on anyconnect.

  • when we delete dacl from authz profile everything is ok

knowing that pass_through_all=true is confiugred
we tested with other radius attribute and it is ok like security group tag and DHCp attriute.

After investigating with packet capture we get the following results

ASA -> duo auth proxy : access-request with user name and pass
duo-> ASA : access accept with attribute(18) val=Allowing unknown user and of cours dacl
ASA->DUO access request username filled the Dacl Attribute Value
DUO-> ASA acces reject with reason invalid username or password

please any suggestion or help
regards

Labels:
0 Helpful
1 Reply 1

jmaldonado@nygenome.org
Level 1
Level 1

‎05-19-2020 02:41 PM

I have the same issue.
Did you get any resolution?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents