Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:
the authentication is failing with the following messages on ISE:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11003 Returned RADIUS Access-Reject
while EAP-MSCHAP is clearly allowed in the Authentication Policy.
The authentication policy matching sequence is
Authentication Policy: RAVPN1 >> Default
Allowed protocols list named TEST:
Is there anything else that needs to be enabled/permitted?
It worked perfectly with local users authentication and EAP-MD5.
Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols list, while the protocol IS being permitted.
Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.
ISE says PEAP:
12300 Prepared EAP-Request proposing PEAP with challenge
AnyConnect responds, "no, I want EAP-MSCHAP":
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.
If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.
Is there any way to overcome this?
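As an added illustration, not code from the thread, the negotiation described in the two updates above decoded with a small RFC 3748 EAP parser. The allowed-protocols model is a hypothetical simplification of an ISE list (MSCHAPv2 permitted only inside PEAP/EAP-FAST), and the EAP type numbers are the IANA EAP method type values.

```python
# Added example: decode the EAP exchange the ISE log describes.
# RFC 3748 EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data.
# Code 1 = Request, 2 = Response; Type 3 = Nak, whose Type-Data lists the
# method types the peer wants instead, one byte per type.
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPES = {3: "Nak", 4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

# Hypothetical model of an ISE "Allowed Protocols" list: outer EAP methods
# the server will negotiate, and the inner methods allowed inside each tunnel.
ALLOWED = {
    "outer": {4, 6, 25, 43},              # EAP-MD5, EAP-GTC, PEAP, EAP-FAST
    "inner": {25: {26, 6}, 43: {26, 6}},  # MSCHAPv2 / GTC inside PEAP, EAP-FAST
}

def build_eap(code, ident, eap_type, data=b""):
    """Serialise an EAP packet (RFC 3748 section 4)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    """Return (code, identifier, type, type_data); validate the length field."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than the 5-byte header")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    return code, ident, eap_type, pkt[5:length]

def server_decision(proposal, response):
    """Server side of the exchange in the thread: a Nak asking for a method
    that is only allowed *inside* a tunnel is rejected, as ISE message 11803 did."""
    _, _, proposed, _ = parse_eap(proposal)
    code, _, rtype, data = parse_eap(response)
    if code != EAP_RESPONSE:
        raise ValueError("expected an EAP-Response")
    if rtype == proposed:
        return "continue", EAP_TYPES[proposed]   # peer accepted the proposal
    if rtype != 3:
        return "reject", f"unexpected type {rtype}"
    wanted = list(data)                          # Nak Type-Data: desired types
    for t in wanted:
        if t in ALLOWED["outer"]:
            return "continue", EAP_TYPES[t]      # fall back to an allowed outer method
    inner_only = [EAP_TYPES.get(t, str(t)) for t in wanted
                  if any(t in s for s in ALLOWED["inner"].values())]
    if inner_only:
        return "reject", f"{inner_only[0]} only allowed as inner method"
    return "reject", "no mutually allowed method"

# Constructed exchange matching ISE messages 12300 and 11801 (not a real capture).
ise_proposes_peap = build_eap(EAP_REQUEST, 1, 25)
client_nak_mschap = build_eap(EAP_RESPONSE, 1, 3, bytes([26]))
client_nak_md5 = build_eap(EAP_RESPONSE, 1, 3, bytes([4]))
```

Running `server_decision(ise_proposes_peap, client_nak_mschap)` reproduces the reject, while the same Nak asking for EAP-MD5 is accepted, which is the asymmetry the updates describe.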
009801: *Nov 9 12:09:37.254 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
009802: *Nov 9 12:09:37.254 EET: IKEv2-ERROR:% IKEv2 profile not found
009803: *Nov 9 12:09:37.258 EET: IKEv2-ERROR:(SESSION ID = 110,SA ID = 1):: Failed to locate an item in the database
009804: *Nov 9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Verification of peer's authentication data FAILED
009805: *Nov 9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Sending authentication failure notify
EAP is an authentication framework, not a specific authentication mechanism. ISE is a fully IETF-compliant RADIUS server. MSCHAP is not an IETF-supported inner method for EAP; however, MD5 is analogous to the PPP CHAP protocol, so EAP-MD5 could be used. The EAP methods defined in IETF RFCs are EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA'. The commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. PEAP (Protected EAP) has two IETF-defined inner methods: EAP-GTC (PEAPv1) and MSCHAPv2 (PEAPv0). There are also many vendor-specific EAP types outside of these.
I agree with you that ALL vendors should follow and be compliant with an RFC/draft/etc., but as we all know that is not always the case in this world.
I would gladly use EAP-MD5, even if it is collision and MITM prone, if I had one of the following tools:
a) A sharp tool to determine Microsoft to accept MD5 challenge in user auth.
b) A tool to export/import AD users (including updates of password or account status) through ERS in ISE
As I don't have either one, I'm trying to make AD happy, ISE happy and me happy :-)
Now, leaving the joke aside, the problem, I think, resides in ISE, since both asigachev and I checked the EAP-FAST/PEAP with MSCHAPv2 method, but when authentication occurs, ISE says it is not checked.
It is also true that in every configuration guide involving FlexVPN, IOS/IOS XE and the AnyConnect client, when MSCHAPv2 was mentioned there was always a Microsoft RADIUS server configured, and I never saw ISE. Now I wonder why...