topic Re: Access issue in Network Security

Access issue

ciscoworlds — Tue, 12 Mar 2019 11:18:17 GMT

Hi;

I'm trying to configure remote access VPN to Cisco FTD 6.2.2. My internal RADIUS is ISE 2.4 (patch 5). The remote access VPN establishes successfully; but some interesting things happens:

I get double logs on ISE, one shows failed attempt and the 2nd one shows successful attempt.

The details for the failed logs is like this (briefed):

And the details of the successful log is like this (Briefed):

The connection details on FTD shows every flows "allowed" to pass through firewall. I even installed the Wireshark and captured packets on a internal server. But the issue is after successful establishment of remote access VPN on a sample public client, I cannot reach any internal clients. As I said I got "allowed" connection logs on FTD, showing every packet passed through firewall. On internal client, I got entries showing that remote access VPN client has sent packets to the internal server but interesting part is, none of the packets have been replied. I mean, internal server gets all of the remote access VPN packets, but doesn't send any response at all. The default gateway of the internal server is FTD and it can reach all of the networks but doesn't send any response to the packets it received from remote access VPN client.

Any idea?

Re: Access issue

Sheraz.Salim — Mon, 31 Dec 2018 13:24:50 GMT

Its seem you ISE policy had an issue as you match two policy at the same time. what EAP protocol you using for authentication. and what setting apply on end point?

could you please share your policy setting in regards to VPN setup.

also code 24408 point your user name is locked out. the best get back to AD and unlock this account.

Re: Access issue

Sheraz.Salim — Mon, 31 Dec 2018 13:20:22 GMT

Its seem you ISE policy had an issue as you match two policy at the same time. what EAP protocol you using for authentication,and what setting apply on end point

could you please share your policy setting in regards to VPN setup.

Re: Access issue

Mohammed al Baqari — Mon, 31 Dec 2018 16:40:50 GMT

Hi,

You have an authentication policy called TRAVPN which has multiple statements. The first statement authenticates against AD which is failing as the error states. The default statement passes the authentication but you aren't posting the entire logs to see what identity source is used for successful authentication. Because ISE performs multiple lookups you see duplicate logs. To avoid this either resolve the problem of AD authentication if you are using AD for VPN users, or configure a statement above AD statement which matches AnyConnect VPN clients as source and authenticates them against the required identity source (which is used in the default statement and passes the authentication).

Re: Access issue

ciscoworlds — Thu, 03 Jan 2019 09:42:30 GMT

I'm using Default Network Access without any change.

The details of this policy set is as below, which shows there is only one Default authentication policy, nothing more.

And there is only one authorization policy, as simple as the following:

So as seen there is no complex thing on the ISE and if there were any misconfiguration, it would not be the ISE. Also both of these 2 simultaneously logs (failed-login log and successful-login log) shows the matching auth/athZ rules correctly. I mean both logs shows that the user "xadmin1" matches with auth/authZ rules TRAVPN. So why one of them uses the same auth/authZ rules cannot pas authentication with the same AD as the other successful one uses!

I even reset the password for the user "xadmin1" despite that there should be no relevance (because if the password for that user was wrong, why the same user with the same password was able to pass the auth/authz which is displayed in the successful-login log?!

These are the log files on the VPN Client inside the AnyConnect VPN:

11:45:25 AM Contacting x.x.x.x.
11:45:37 AM User credentials entered.
11:45:38 AM Establishing VPN session...
11:45:38 AM The AnyConnect Downloader is performing update checks...
11:45:38 AM Checking for profile updates...
11:45:38 AM Checking for product updates...
11:45:38 AM Checking for customization updates...
11:45:38 AM Performing any required updates...
11:45:38 AM The AnyConnect Downloader updates have been completed.
11:45:50 AM Establishing VPN session...
11:45:50 AM Establishing VPN - Initiating connection...
11:45:50 AM Establishing VPN - Examining system...
11:45:50 AM Establishing VPN - Activating VPN adapter...
11:45:54 AM Establishing VPN - Configuring system...
11:45:54 AM Establishing VPN...
11:45:54 AM Connected to x.x.x.x.

So as seen, I've gotten any specific error on the client side too.

It might be something related to the Anyconnect I think.

Re: Access issue

Sheraz.Salim — Thu, 03 Jan 2019 09:57:08 GMT

i think the issue could be your Authentication Policy where you mention Default=All_User_ID_Stores, it would
be ideal if you create a seprate identity source sequence and put your only AD in it and then test it.

Re: Access issue

ciscoworlds — Thu, 03 Jan 2019 10:13:10 GMT

Note: I found the reason! I removed the SGT from the ISE authZ rule and now reachability is restored!

Re: Access issue

Sheraz.Salim — Thu, 03 Jan 2019 10:26:24 GMT

well done 🙂