The following error is one of the more annoying errors I have received when setting up Dynamic Access Policies.

“login denied your environment does not meet the access criteria defined by your administrator”

If you’ve ever seen this error before, you know that there is little to no good information out there on how to actually correct it. Every post I found basically said, “check your DAP configuration, you probably did something wrong”. While it is possible that you configured your DAP incorrectly, there is another problem you may be running into: the Active Directory Primary Group. In AD there is an option that sets a Primary Group for each account; typically this is set to something like Domain Users. Why does this matter? Well, for some unknown reason the ASA will not let you base policy on a user’s Primary Group, and you will get the above error instead.

While almost no one will ever use the Domain Users group to configure DAP, as it tends to include “all the things”, there are times when you may have a user who is not in the Domain Users group. Every user is required to have a Primary Group, and in the absence of Domain Users it could be set to another group in AD, one that you are trying to use for Dynamic Access Policies.

The easiest solution/workaround/fix is to simply set the Primary Group to another group in AD that you are not planning on using for DAP. In the case where the user is only in one AD group, you will have to create another group and assign that as the Primary Group.
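As an added illustration (not code from the original post), the following Python audits a user’s AD attributes the way an LDAP client such as the ASA sees them. AD exposes the primary group only through the numeric primaryGroupID attribute (the group’s RID) and leaves it out of memberOf, which is why a DAP rule keyed on that group never matches; the group SIDs, user attributes and DAP group list below are constructed sample data, not values from any real directory.

```python
from typing import Dict, List, Optional

# Constructed sample data (not from a real directory). Group DNs map to
# their objectSid in string form; the last sub-authority is the RID.
GROUPS: Dict[str, str] = {
    "CN=Domain Users,CN=Users,DC=example,DC=test": "S-1-5-21-1111-2222-3333-513",
    "CN=VPN-Finance,OU=Groups,DC=example,DC=test": "S-1-5-21-1111-2222-3333-1105",
    "CN=VPN-Admins,OU=Groups,DC=example,DC=test": "S-1-5-21-1111-2222-3333-1106",
}

# jdoe was removed from Domain Users, so VPN-Finance had to become the
# primary group. Note that it does not appear in memberOf.
USER_JDOE = {
    "sAMAccountName": "jdoe",
    "primaryGroupID": 1105,
    "memberOf": ["CN=VPN-Admins,OU=Groups,DC=example,DC=test"],
}

# Groups referenced by DAP records on the ASA (constructed).
DAP_GROUPS = [
    "CN=VPN-Finance,OU=Groups,DC=example,DC=test",
    "CN=VPN-Admins,OU=Groups,DC=example,DC=test",
]

def rid_from_sid(sid: str) -> int:
    """Relative identifier: the last sub-authority of an SDDL SID string."""
    return int(sid.rsplit("-", 1)[1])

def primary_group_dn(user: dict, groups: Dict[str, str]) -> Optional[str]:
    """Resolve primaryGroupID to the group's DN; memberOf never lists it."""
    for dn, sid in groups.items():
        if rid_from_sid(sid) == user["primaryGroupID"]:
            return dn
    return None

def groups_seen_by_ldap_client(user: dict) -> List[str]:
    """What a memberOf lookup (the ASA's DAP attribute check) returns."""
    return list(user["memberOf"])

def dap_groups_that_cannot_match(user: dict, groups: Dict[str, str],
                                 dap_groups: List[str]) -> List[str]:
    """DAP groups the user belongs to only as primary group: the ASA will
    never match them, so this user gets the 'login denied' error."""
    primary = primary_group_dn(user, groups)
    visible = set(groups_seen_by_ldap_client(user))
    return [g for g in dap_groups if g == primary and g not in visible]

if __name__ == "__main__":
    print(dap_groups_that_cannot_match(USER_JDOE, GROUPS, DAP_GROUPS))
```

Any group the audit reports is a candidate for the workaround above: move the user’s Primary Group to a group that no DAP record references.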

Thanks for reading and I hope this helps at least one person, because tracking this down was a real pain in my ass.

-Philip Straatsma

