Cisco AnyConnect – With Google Authenticator 2 Factor Authentication
KB ID 0001256 Problem This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work. Disclaimer:...
Cisco VPN – Split Tunnel Not Working?
KB ID 0001239 Problem Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information. Solution Before proceeding, are you sure Split-Tunnelling has ever been...
AnyConnect – The VPN Connection Failed (Domain Name Resolution)
KB ID 0001236 Problem This is a pretty generic error to be honest. AnyConnect Secure Mobility Client VPN The VPN connection failed due to unsuccessful domain name resolution. Solution Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved, can’t it? If not then you might want to consider some employment that does not involve computers. Secondly (this is what usually trips me up) did you copy...
AnyConnect – ‘Your environment does not meet the criteria’
KB ID 0001232 Problem For an existing client, I was setting up a new user. I connected their laptop through my mobile phone and attempted to connect. This is the error I got. Cisco AnyConnect Logon denied: Your environment does not meet the access criteria defined by your administrator. Solution A cursory glance over the firewall config didn’t yield anything in their AAA settings that was odd, they were simply using LDAP for...
AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)
KB ID 0001155 Problem To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACLs to your remote clients and give them different levels of access, based on their group membership. I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only...