Technical Tip: Redirected to the wrong portal page due to ASA SSH credentials

Description

This article describes the issue when the client connected to the ASA VPN tunnel is presented with the registration page instead of the VPN page in the captive portal.

Scope

FortiNAC.

Solution

This occurs when the appliance cannot determine the client is a VPN client. The appliance must be able to read the ASA's Restricted Object Group. This group contains the IP addresses to which VPN pages should be served.

The appliance reads the information by connecting via SSH to the ASA. The appliance login sequence expects the '>' prompt to elevate privileges upon login to the CLI. If the SSH account used presents the '#' prompt instead, the appliance will be unable to read the information.

The account used for SSH access to the ASA must require a username, password, and an enable password.

For more details, see this document: Cisco ASA VPN Integration.