topic Re: AnyConnect syslog AAA user authentication rejected in Network Security

AnyConnect syslog AAA user authentication rejected

davparker — Tue, 07 May 2024 19:15:15 GMT

I have some locally managed FTDs. I'm parsing syslog data for VPN auth failures. The FDM FlexConfig won't allow some of the simplest changes like "no logging hide username" (bug). Anyway, most the AAA user authentication errors indicate reason = Unspecified and the username is "*****". But there are some log entries that report the actual username and reason = Invalid password. I checked AD, it appears that the usernames displayed are actual accts in AD. I can't tell about the others as I am unable to display the actual username that was attempted. I'm wondering why the difference in the syslog messages. I'm unable to find what "Unspecified error" means. Was that caused by AnyConnect or someone failing auth through the web client? Or maybe those accts don't actually exist in AD so it lists "*****' and generates the Unspecified error?

Thanks,
David

Re: AnyConnect syslog AAA user authentication rejected

tvotna — Wed, 08 May 2024 07:48:07 GMT

This is by design. From the feature description:

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

So, if you see ****, the user doesn't exist, and if you see the username and the reason is "Invalid password", the user exists, but password is incorrect. The reason is shown as "Unspecified error" just to hide further details.

Also described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_8293726

113005

Error Message %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr

Explanation The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.

Re: AnyConnect syslog AAA user authentication rejected

MHM Cisco World — Wed, 08 May 2024 13:37:30 GMT

Check above

Thanks

MHM

Re: AnyConnect syslog AAA user authentication rejected

tvotna — Wed, 08 May 2024 07:57:18 GMT

Believe you or not, this is how it works.

Re: AnyConnect syslog AAA user authentication rejected

davparker — Wed, 08 May 2024 13:00:40 GMT

You can't configure "no logging hide username" using flexconfig on a locally managed FTD device. It incorrectly throws a syntax error upon validation. At most it should throw a warning and let you proceed. I also am standing up FMC managed firewalls at another location and this was not an issue. Flexconfig seems mostly broken in FDM. This makes handling security incidents much more problematic. We are working on bringing all of our firewalls into FMC but that will take time. Meanwhile I'm left partially blinded on these FDM managed devices.

Re: AnyConnect syslog AAA user authentication rejected

tvotna — Wed, 08 May 2024 13:17:21 GMT

I remember somebody reported that he managed to get FlexConfig working by configuring "no loggin hide username" (logging without the last G). Don't believe this is true, although there is bug which tells the same:

CSCvj02826 Need a way to negate "logging hide username" in FTD

Re: AnyConnect syslog AAA user authentication rejected

davparker — Wed, 08 May 2024 13:21:52 GMT

Ahh, I just realized you confirmed my suspicions.If the username is invalid, it is all *.

Thanks
David

Re: AnyConnect syslog AAA user authentication rejected

MHM Cisco World — Wed, 08 May 2024 13:36:56 GMT

https://community.cisco.com/t5/network-access-control/error-authentication-rejected-unspecified/td-p/3887948

Check this post

MHM

Re: AnyConnect syslog AAA user authentication rejected

othydojo — Wed, 15 May 2024 16:52:44 GMT

@tvotnaThis actually worked. I ran this up in CDO with our test FTD VPN and flex config took the command "no loggin hide username"

Re: AnyConnect syslog AAA user authentication rejected

davparker — Thu, 16 May 2024 19:23:07 GMT

I started seeing entries in our syslog like the following:

AAA user authentication Rejected : reason = User was not found : local database

What sort of VPN auth attempt tries against the local database? We don't have fallback to local database enabled.

Re: AnyConnect syslog AAA user authentication rejected

tvotna — Fri, 17 May 2024 08:02:49 GMT

There are two possibilities.

1. You have not patched FTD and it is vulnerable to https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

CSCwh23100 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability
CSCwh45108 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

In this case you need to update it.

2. You're running fixed version, but didn't implement hardening measures. In this case connection attempts may hit DefaultWEBVPNGroup connection profile, that is why you see such messages. Refer to the following doc:
https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Read the following discussion too:
https://community.cisco.com/t5/network-security/cisco-asa-anyconnect-ddos-protection/m-p/5050819/highlight/true#M1110394

Re: AnyConnect syslog AAA user authentication rejected

MHM Cisco World — Fri, 17 May 2024 09:16:30 GMT

Some User that is try to access using any password username direct to use defualt Group policy' since realm is not match.

You need no-access policy for these user

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

MHM

Re: AnyConnect syslog AAA user authentication rejected

MHM Cisco World — Fri, 17 May 2024 09:17:29 GMT

For this point did you check it?

MHM