Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5872
Views
0
Helpful
25
Replies

Anyconnect and ISE with DUO MFA strange issue

Steven Williams
Level 4
Level 4

‎02-13-2019 11:53 AM

I am using the ASA to primary auth against Cisco ISE servers and then secondary authentication to DUO proxy servers using DUO_auth Only. 

I am seeing some strange things in the ISE radius logs. I see a successful auth followed by a rejected auth, but I still get one and still have access. 

 

First session says 5200 authentication succeeded. 

 

  24343 RPC Logon request succeeded - stevenwilliams@eftdomain.net
  24402 User authentication against Active Directory succeeded - All_AD_Join_Points
  22037 Authentication Passed
  24423 ISE has not been able to confirm previous successful machine authentication
  15036

Evaluating Authorization Policy
  15004 Matched rule - IT
  15016 Selected Authorization Profile - SSLVPN_IT
  11022 Added the dACL specified in the Authorization Profile
  22081 Max sessions policy passed
  22080 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept

 

So that looks good. RADIUS looks good also.  Then the second log says RADIUS failed due to incorrect password.

 

Event 5400 Authentication failed
Failure Reason 24408 User authentication against Active Directory failed since user has entered the wrong password
Resolution Check the user password credentials. If the RADIUS request is using PAP for authentication, also check the Shared Secret configured for the Network Device
Root cause User authentication against Active Directory failed since user has entered the wrong password
Username stevenwilliams

 

  24323 Identity resolution detected single matching account
  24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,stevenwilliams@eftdomain.net
  24408 User authentication against Active Directory failed since user has entered the wrong password - All_AD_Join_Points
  22057 The advanced option that is configured for a failed authentication request is used
  22061 The 'Reject' advanced option is configured in case of a failed authentication request
  11003 Returned RADIUS Access-Reject

 

So I do not get it. The only thing I am thinking is this is happening due to incorrect configuration at the authentication policy area. What are these "suppose" to be how are they "suppose" to be configured? When do they need to be modified?

 

Screen Shot 2019-02-13 at 1.52.03 PM.png

0 Helpful
25 Replies 25

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-14-2019 04:26 PM

Very basic config. Take a look at the pictures.

 

I changed to use my duo proxy and it works the same way.

6D33D1B1-604B-4345-B823-D3BEF84D5168.jpegE1BBE6CF-CD07-4DAB-A405-F67C89F98171.jpegD46948A0-3CDD-4680-9FD7-B0C0A424D15D.jpeg


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-14-2019 04:30 PM

Something is wrong then. I am using a identity sequence for all ad joint points. because I have multiple domains. and ISE is seeing what looks like multiple authentication requests...Its strange...Nothing is talking radius to ISE except the ASA.
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-14-2019 04:33 PM

Then, create an ISQ with only 1 AD for testing and see if it works.

Maybe it’s an issue with your multi-domain ISQ.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-15-2019 06:52 AM

The issue has to be with the ASA and/or ISE. I made the secondary authentication DUO-LDAP which will send the request right out to DUO cloud and I still get one success login and one denied login:

 

Screen Shot 2019-02-15 at 8.51.14 AM.png

0 Helpful

Steven Williams
Level 4
Level 4
In response to Steven Williams

‎02-15-2019 06:57 AM

Here is the failed authentication output

Preview file
113 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-15-2019 08:09 AM

Just to make sure, Can you use an identity source sequence with only 1 AD (just for testing) and see if you get the same result?
If so, can you take a tcpdump on your ISE + a debug on your ASA to see what traffic is exchanged and which one is making trouble here.
The 2nd auth could be either LDAP or PROXY, there's no relationship with ISE because both are going straight to Duo cloud.

Can you also share your ASA config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-15-2019 11:05 AM

webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macos-4.6.02074-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.6.02074-webdeploy-k9.pkg 2
anyconnect profiles Anyconnect_Client_Profile_01 disk0:/anyconnect_client_profile_01.xml
anyconnect enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 10.20.1.55
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect profiles value Connection_Profile type user
group-policy VPNGroupPolicy internal
group-policy VPNGroupPolicy attributes
vpn-tunnel-protocol ssl-client
group-policy NA_SSLVPN internal
group-policy NA_SSLVPN attributes
dns-server value 10.20.0.55 10.21.0.56
vpn-idle-timeout 5
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
address-pools value Na_VPN_Subnet
webvpn
anyconnect keep-installer installed
anyconnect profiles value Anyconnect_Client_Profile_01 type user
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Na_VPN_Subnet
authentication-server-group NA_ISE
secondary-authentication-server-group Duo-LDAP use-primary-username
authorization-server-group NA_ISE
accounting-server-group NA_ISE
default-group-policy NA_SSLVPN
password-management password-expire-in-days 5

 

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-15-2019 08:07 PM

Can you remove "authorization-server-group" from your tunnel-group ?
Can you show the AAA configuration please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-18-2019 10:14 AM

aaa-server BNA_ISE protocol radius
aaa-server BNA_ISE (Management) host 10.20.0.85
aaa-server BNA_ISE (Management) host 10.81.3.25
aaa-server TACACS protocol tacacs+
aaa-server TACACS (Management) host 10.20.0.85
aaa-server TACACS (Management) host 10.81.3.25
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-******.duosecurity.com
aaa-server Duo-RADIUS protocol radius
aaa-server Duo-RADIUS (INSIDE) host 10.20.0.93
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-18-2019 10:31 AM

removing authorization server group worked.....but why? Where is the authorization coming from if you dont define it?
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-18-2019 05:30 PM

You would use authorization-server-group if for example you authenticate your users on a DUO server and then authorize them against ISE.

As you're using ise for authentication, this same radius server give authorization through the same flow and no need to resend an authorization to ISE for this same user.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents