05-19-2015 10:45 AM - edited 03-10-2019 10:44 PM
Hello everyone
Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:
the authentication is failing with the following messages on ISE:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - Network Access.Device IP Address
15006 | Matched Default Rule
11507 | Extracted EAP-Response/Identity
12300 | Prepared EAP-Request proposing PEAP with challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
11801 | Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 | Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 | Prepared EAP-Failure
11003 | Returned RADIUS Access-Reject
while EAP-MSCHAP is clearly allowed in the Authentication Policy.
The authentication policy matching sequence is
Authentication Policy | RAVPN1 >> Default
Allowed protocols list named TEST:
Is there anything else that needs to be enabled/permitted?
It worked perfectly with local users authentication and EAP-MD5.
Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List while the protocol IS being permitted.
Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.
ISE says PEAP:
12300 Prepared EAP-Request proposing PEAP with challenge
AnyConnect responds, "no, I want EAP-MSCHAP":
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.
If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.
Is there any way to overcome this?
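As an added illustration (not part of the original post), the following Python script reads an ISE "Steps" export like the one quoted above and summarises the EAP negotiation: which outer method ISE proposed, which method the client NAKed it for, and how the exchange ended. The step text is constructed from the post; the step codes and messages are those shown in the thread.

```python
import re

# Constructed sample input: the ISE "Steps" list quoted in the post above,
# including the empty trailing cells left behind by the portal's table export.
ISE_STEPS = """\
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Network Access.Device IP Address | |
15006 | Matched Default Rule | |
11507 | Extracted EAP-Response/Identity | |
12300 | Prepared EAP-Request proposing PEAP with challenge | |
11006 | Returned RADIUS Access-Challenge | |
11001 | Received RADIUS Access-Request | |
11018 | RADIUS is re-using an existing session | |
11801 | Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead | |
11803 | Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols | |
11504 | Prepared EAP-Failure | |
11003 | Returned RADIUS Access-Reject |
"""

PROPOSE_RE = re.compile(r"proposing (\S+) with challenge")
NAK_RE = re.compile(r"EAP-Response/NAK requesting to use (\S+) instead")
NOT_ALLOWED_RE = re.compile(r"because (\S+) not allowed in the Allowed Protocols")
RETURNED_RE = re.compile(r"Returned RADIUS (Access-\w+)")


def parse_steps(text):
    """Turn the pipe-separated step export into (code, message) tuples."""
    steps = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and cells[0].isdigit():
            steps.append((int(cells[0]), cells[1]))
    return steps


def analyse_eap_negotiation(text):
    """Summarise the outer EAP method ISE proposed, what the client NAKed
    it for, which method ISE refused, and the final RADIUS decision."""
    result = {"proposed": [], "nak_requested": [], "rejected_method": None,
              "outcome": None, "mismatch": False}
    for _code, msg in parse_steps(text):
        if m := PROPOSE_RE.search(msg):
            result["proposed"].append(m.group(1))
        elif m := NAK_RE.search(msg):
            result["nak_requested"].append(m.group(1))
        elif m := NOT_ALLOWED_RE.search(msg):
            result["rejected_method"] = m.group(1)
        elif m := RETURNED_RE.search(msg):
            result["outcome"] = m.group(1)  # the last Access-* decision wins
    # The failure signature from the thread: the client answers the server's
    # tunnelled-method proposal with a NAK naming a different method.
    result["mismatch"] = bool(
        result["proposed"] and result["nak_requested"]
        and result["proposed"][-1] != result["nak_requested"][-1]
    )
    return result


def explain(result):
    """One-line triage verdict for the parsed exchange."""
    if not result["mismatch"]:
        return "no outer-method mismatch seen"
    return (f"server proposed {result['proposed'][-1]}, client NAKed it asking for "
            f"{result['nak_requested'][-1]}; final decision {result['outcome']}")


if __name__ == "__main__":
    print(explain(analyse_eap_negotiation(ISE_STEPS)))
```

The script only keys on the message text of steps 12300, 11801, 11803 and the "Returned RADIUS" lines, so it works on any ISE live-log step export pasted in the same shape; a mismatch verdict tells you to compare the method names the two sides actually speak before touching the Allowed Protocols list.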
05-19-2015 11:31 AM
Are you using the AD connector in ISE or LDAP to connect to AD ?
05-19-2015 12:22 PM
AD connector. (AD Join feature)
05-21-2015 02:28 PM
Sounds strange, is your AnyConnect VPN setup using SSL or IKEv2 ?
Maybe try to remove all those unneeded protocols, so mschap_v2 is the only one left in your authentication allowed protocols list.
05-22-2015 05:22 AM
I use IKEv2-IPSEC.
I tried to remove all the unneeded protocols. There is an option to leave EAP-MSCHAP under PEAP or under EAP-FAST; I tried both. In the first case ISE proposes PEAP and Anyconnect responds with EAP-MSCHAP and negotiation fails; in the second case the same thing happens with EAP-FAST.
Have you ever seen the solution working?
The thing is as far as I remember when you set up EAP authentication on Wireless LAN controller for example, you have setting options very similar to the ones you have on ISE, i.e. PEAP with MS-CHAP inside or EAP-FAST with MS-CHAP. So during the negotiation ISE proposes PEAP, WLC responds PEAP, they agree and then all the MS-CHAP exchange goes inside. In the case of Anyconnect VPN client you have no option to choose between PEAP and EAP-FAST, it is just EAP-MSCHAPv2 option.
07-26-2016 03:01 AM
Hello,
we are facing the same problem. IKEv2, Anyconnect and the EAP-MSCHAPv2 authC method.
It's sad that Cisco is not able to authenticate the IKEv2 clients (MSCHAPv2) on the routers with the ISE/ACS combination at all. The only possible way is the TLS method. I don't think that MD5 authentication is a secure algorithm nowadays.
Another way is to use the Cisco ASA. The FW is capable of authenticating the EAP-MSCHAPv2 clients with the ISE/ACS in the background.
Based on my research, Cisco released the official bug ID :
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw99531/?referring_site=bugquickviewclick
Enhancement = miracle :-)
Usually our customers migrate their remote access solution from IKEv1 to IKEv2 and they already have ACS/ISE. They are wondering that they need to change the authentication process of the clients or they need to deploy another RADIUS AuthC server...
10-08-2015 11:12 PM
Hello,
I'm facing the same problem.
Did you manage to solve this?
Thank you
11-02-2015 09:10 AM
Hi, Cristi
Looks like I am on my way. Will update soon.
11-03-2015 04:45 AM
So, basically, we had to upgrade the router IOS so we got anyconnect-eap method support. For our platform, which is ASR1000, we went to 15.5(3)S (03.16.00.S).
crypto ikev2 profile AC
 match identity remote key-id cisco.com
 identity local dn
 authentication remote anyconnect-eap aggregate
 authentication local rsa-sig
 pki trustpoint my.verisign.trustpoint
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap AC
 aaa authorization user anyconnect-eap cached
 virtual-template 40
And here is the profile used:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">false</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Automatic
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="true">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>YOURHOSTNAME</HostName>
      <HostAddress>x.x.x.x</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <IKEIdentity>cisco.com</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
11-04-2015 03:02 AM
Hi,
We will test it tonight and update here.
Authentication method in Anyconnect, I guess it must be: EAP-Anyconnect.
Authentication protocol in ISE, must be? I'll check them all anyway to see which one it picks up.
Thanks,
C
11-04-2015 06:01 AM
Authentication protocol on ISE is PAP in our case.
I have just tested and it works. I will try to reproduce all the configuration one more time later.
One more important thing I have just noticed in the solution proposed is that you have to change the Anyconnect Client local policy to bypass the client update download, otherwise the client fails to establish the connection saying "The VPN client failed to establish a connection".
Open the file C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml
and change the <BypassDownloader> option to True.
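As an added example (not code from the thread or from Cisco), the following Python script cross-checks the three pieces the posts above say must line up for the anyconnect-eap solution: the router's IKEv2 profile (remote authentication method and key-id), the AnyConnect client profile (IPsec with standard authentication, and an IKEIdentity equal to the router's key-id), and the local policy's BypassDownloader setting. The router and client profile samples are copied from the earlier post; the AnyConnectLocalPolicy.xml sample is a constructed stand-in containing only the element the post mentions, and the `check_deployment` function and its helpers are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Sample inputs taken from the thread: the ASR IKEv2 profile and the client profile,
# trimmed to what the checks need.
IOS_IKEV2_PROFILE = """\
crypto ikev2 profile AC
 match identity remote key-id cisco.com
 identity local dn
 authentication remote anyconnect-eap aggregate
 authentication local rsa-sig
 pki trustpoint my.verisign.trustpoint
 aaa authentication anyconnect-eap AC
 aaa authorization user anyconnect-eap cached
 virtual-template 40
"""

CLIENT_PROFILE = """\
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>YOURHOSTNAME</HostName>
      <HostAddress>x.x.x.x</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <IKEIdentity>cisco.com</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed stand-in for AnyConnectLocalPolicy.xml; the real file has more settings.
LOCAL_POLICY_TEMPLATE = """\
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <BypassDownloader>{value}</BypassDownloader>
</AnyConnectLocalPolicy>
"""


def _local(tag):
    """Tag name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def _find(root, *path):
    """Walk child elements by local name, ignoring namespaces; None if absent."""
    node = root
    for name in path:
        if node is None:
            return None
        node = next((c for c in node if _local(c.tag) == name), None)
    return node


def _text(node):
    """Stripped element text (mixed-content elements keep their leading value)."""
    return (node.text or "").strip() if node is not None else None


def parse_ikev2_profile(cfg):
    """Pull the remote authentication method and key-id out of the IOS profile."""
    info = {"key_id": None, "remote_auth": None}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"match identity remote key-id (\S+)$", line):
            info["key_id"] = m.group(1)
        elif m := re.match(r"authentication remote (\S+)", line):
            info["remote_auth"] = m.group(1)
    return info


def check_deployment(ios_cfg, profile_xml, local_policy_xml):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    router = parse_ikev2_profile(ios_cfg)
    profile = ET.fromstring(profile_xml)
    policy = ET.fromstring(local_policy_xml)
    primary = _find(profile, "ServerList", "HostEntry", "PrimaryProtocol")
    std_auth = _find(primary, "StandardAuthenticationOnly")
    ike_identity = _text(_find(std_auth, "IKEIdentity"))

    if router["remote_auth"] != "anyconnect-eap":
        findings.append(f"router remote authentication is {router['remote_auth']!r}, not anyconnect-eap")
    if _text(primary) != "IPsec":
        findings.append("client profile PrimaryProtocol is not IPsec")
    if _text(std_auth) != "true":
        findings.append("client profile StandardAuthenticationOnly is not true")
    if ike_identity != router["key_id"]:
        findings.append(f"IKEIdentity {ike_identity!r} does not match router key-id {router['key_id']!r}")
    if _text(_find(policy, "BypassDownloader")) != "true":
        # Per the post, the connection fails without this; note that bypassing the
        # downloader also means headend-pushed client updates are no longer applied.
        findings.append("BypassDownloader is not true in AnyConnectLocalPolicy.xml")
    return findings


if __name__ == "__main__":
    for f in check_deployment(IOS_IKEV2_PROFILE, CLIENT_PROFILE,
                              LOCAL_POLICY_TEMPLATE.format(value="false")):
        print("finding:", f)
```

The IKEIdentity check is the one most worth keeping around: the client's IKE ID must equal the value in `match identity remote key-id` or the IKEv2 profile is never selected, which produces a failure that looks nothing like the EAP mismatch discussed earlier in the thread.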
11-05-2015 03:07 AM
11-05-2015 04:41 AM
Have you edited the AnyconnectLocalPolicy? Because the problem looks similar to what we had before doing that.
I have sent you part of the ASR config by mail.
11-05-2015 02:48 PM
11-07-2015 04:29 PM
Have you tried removing special characters from key-id?
just to check if this could be a problem...