cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3121
Views
0
Helpful
18
Replies
Highlighted
Beginner

ISE Anyconnect Active Directory EAP-MSCHAP not allowed

Hello everyone

 

Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:

the authentication is failing with the following messages on ISE:

11001Received RADIUS Access-Request
 11017RADIUS created a new session
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP - Network Access.Device IP Address
 15006Matched Default Rule
 11507Extracted EAP-Response/Identity
 12300Prepared EAP-Request proposing PEAP with challenge
 11006Returned RADIUS Access-Challenge
 11001Received RADIUS Access-Request
 11018RADIUS is re-using an existing session
 11801Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
 11803Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
 11504Prepared EAP-Failure
 11003Returned RADIUS Access-Reject

 

while EAP-MSCHAP is clearly allowed int the Authentication Policy

The authentication policy matching sequence is

Authentication PolicyRAVPN1 >> Default

 

Allowed protocols list named TEST:

Is there anything else that needs to be enabled/permitted?

It worked perfectly with local users authentication and EAP-MD5.

Update: looks like the only mode working is EAP-MD5 (with local users, AD doesn´t support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by Allowed Protocols List while the protocol IS being permitted.

 

Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.

ISE says PEAP:

12300   Prepared EAP-Request proposing PEAP with challenge

AnyConnect responds, "no, I want EAP-MSCHAP":

11801   Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead

Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.

If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't youse EAP-MD5 with Active Directory, only with local users.

 

Is there any way to overcome this?

18 REPLIES 18
Highlighted

I did, but anything you do to that string, results in no profile matching:
009801: *Nov  9 12:09:37.254 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
009802: *Nov  9 12:09:37.254 EET: IKEv2-ERROR:% IKEv2 profile not found
009803: *Nov  9 12:09:37.258 EET: IKEv2-ERROR:(SESSION ID = 110,SA ID = 1):: Failed to locate an item in the database
009804: *Nov  9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Verification of peer's authentication data FAILED
009805: *Nov  9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Sending authentication failure notify
Highlighted

Found out that those error messages are also in the debug output of a working profile (EAP-MD5). So, those are not necesarly a problem.
I found out though:
007761: *Nov 6 01:11:12.962 EET: IKEv2:(SESSION ID = 96,SA ID = 1):Error in settig received config mode data
007762: *Nov 6 01:11:12.962 EET: IKEv2:(SESSION ID = 96,SA ID = 1):Auth exchange failed
007763: *Nov 6 01:11:12.962 EET: IKEv2-ERROR:(SESSION ID = 96,SA ID = 1):: Auth exchange failed
Highlighted
Beginner

EAP is an authentication framework, not a specific authentication mechanism. ISE is fully IETF compliant RADIUS server. MSCHAP is not a IETF supported inner method for EAP, however MD5 is analogous to the PPP CHAP protocol, so EAP-MD5 could be used.  The EAP method's defined IETF RFC's are EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA'. The commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. PEAP (Protected EAP) has two IETF defined inner methods (PEAPv1) EAP-GTC, MSCHAPv2 (PEAPv0). There are also many vendor specific EAP types outside of these.

 

Highlighted

Hi waynesymes,

 

I agree with you that ALL vendors should follow and be compliant with a RFC/draft/etc, but as we all know is not always the case in this world.

I would gladly use EAP-MD5 even if is collision and MITM prone, if I would have one of the following tools:

a) A sharp tool to determine Microsoft to accept MD5 challenge in user auth.

b) A tool to export/import AD users (including updates of password or account status) through ERS in ISE

As I don't have either one, I'm trying to make AD happy, ISE happy and me happy :-)

Now, leaving the joke aside, the problem, I think, resides in ISE as long as me and asigachev checked the EAP-FAST/PEAP with MSCHAPv2 method, but when authentication occurs, ISE says is not checked.

It is also true that in every configuration guide involving FlexVPN, IOS/IOS XE and Anyconnect client, when MSCHAPv2 was mentioned there was always a Microsoft Radius configured and never saw ISE. Now I wonder why...

 

 

Content for Community-Ad