topic Re: Anyconnect username USERNAME in Network Access Control

Anyconnect username USERNAME

anthony.mchie — Tue, 23 May 2023 19:47:44 GMT

ASA version 9.14(4)7 | Anyconnect 4.10 | ISE 2.6

ISE is authenticating our Annyconnect Clients that connect via a Cisco ASA. We'll get hit with hundreds of connection attempts from questionable countries with the username USERNAME (or at least that's what ISE reports). Typically we'll lose the ability to service any new anyconnect sessions for about 15 minutes after. I created a local user USERNAME specifically to reject the attempts and when I try to authenticate it does just that. Then later, I see that rejection isn't working against this attack. Anyone else see this? Any working solutions?

Attached are events that represent when I tried to auth vs the attack.

Re: Anyconnect username USERNAME

Rob Ingram — Tue, 23 May 2023 19:56:06 GMT

@anthony.mchie best option would be to filter the traffic from those questionable countries before they even attempt to authenticate. You can do this with geolocation filtering on NGFW firewall placed in front of the ASA. You do have the option to use a control-plane ACL on the ASA itself, to restrict IP addresses initating traffic to the ASA.

What is causing the loss of service for 15 minutes, the ASA itself?

Re: Anyconnect username USERNAME

MHM Cisco World — Tue, 23 May 2023 20:12:11 GMT

Use control-plane'

Allow only vpn pool subnet access to ISE.

Note:- allow management IP if you use it with ISE.

Re: Anyconnect username USERNAME

Arne Bier — Tue, 23 May 2023 20:17:03 GMT

Hi @anthony.mchie

Not entirely sure how to protect your VPN from outside actors. I have seen some customers put their VPN on non-standard TCP ports. You don't have to run your SSL VPN on TCP/443. Choose a tricky port number like 50443 🙂 That will keep them guessing 🙂 Of course you will need to tell your real clients to use that in the URL - but it might solve your dilemma.

USERNAME is just a standard string that ISE displays when it doesn't want to reveal the real username. By default, failed authentications have their username obfuscated with the string 'USERNAME' to protect the innocent (e.g. a user accidentally entering their password into the username field ... it happens 🙂 )

You can reveal the username by navigating to Administration > System > Settings > Security Settings

Re: Anyconnect username USERNAME

anthony.mchie — Tue, 23 May 2023 20:18:30 GMT

@Rob Ingram wrote:

@anthony.mchie best option would be to filter the traffic from those questionable countries before they even attempt to authenticate. You can do this with geolocation filtering on NGFW firewall placed in front of the ASA. You do have the option to use a control-plane ACL on the ASA itself, to restrict IP addresses initating traffic to the ASA.

What is causing the loss of service for 15 minutes, the ASA itself?

My answer would only be a guess since I don't see any logging events that clue me into the cause.

Don't have an NGFW in front (unfortunately) so I'll have to find another way.

Re: Anyconnect username USERNAME

MHM Cisco World — Tue, 23 May 2023 20:19:47 GMT

Not issue with username only'

The user is fialed to auth to Asa via ISE.

So I think he under some ddos.

Re: Anyconnect username USERNAME

anthony.mchie — Tue, 23 May 2023 20:21:19 GMT

@Arne Bier That's going to help quite a bit. Thank you!