ISE Anyconnect Active Directory EAP-MSCHAP not allowed

asigachev
Level 1

Hello everyone

 

Trying to configure AnyConnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:

the authentication is failing with the following messages on ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

 

while EAP-MSCHAP is clearly allowed in the Authentication Policy.

The authentication policy matching sequence is

Authentication Policy: RAVPN1 >> Default

 

Allowed protocols list named TEST:

Is there anything else that needs to be enabled/permitted?

It worked perfectly with local users authentication and EAP-MD5.

Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List, while the protocol IS being permitted.

 

Update: It looks like ISE is declaring PEAP, expecting to perform MS-CHAPv2 as the inner method, while the AnyConnect client says MS-CHAPv2 directly, so the systems fail to negotiate.

ISE says PEAP:

12300   Prepared EAP-Request proposing PEAP with challenge

AnyConnect responds, "no, I want EAP-MSCHAP":

11801   Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead

Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.

If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.

 

Is there any way to overcome this?

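A model of the negotiation described in the post above, added here as an example and not part of the original post. The EAP type codes are the IANA-registered values; the ALLOWED table is an assumed rendering of the TEST allowed-protocols list (the thread never shows it), and the log strings mimic the ISE messages quoted above. It shows why a method that is "allowed" only as an inner method of PEAP or EAP-FAST is rejected when the client NAKs asking for it as the outer method, while EAP-MD5, which is an outer method in its own right, goes through.

```python
# Added example (not from the original post): EAP outer-method negotiation
# with RFC 3748 NAK semantics. Type codes are IANA values; ALLOWED is an
# assumed model of the ISE "TEST" allowed-protocols list.
EAP_MD5, EAP_GTC, EAP_TLS, PEAP, EAP_MSCHAPV2, EAP_FAST = 4, 6, 13, 25, 26, 43
EAP_NAK = 3  # EAP-Response type the peer uses to refuse a proposed method

NAMES = {
    EAP_MD5: "EAP-MD5", EAP_GTC: "EAP-GTC", EAP_TLS: "EAP-TLS", PEAP: "PEAP",
    EAP_MSCHAPV2: "EAP-MSCHAP", EAP_FAST: "EAP-FAST",
}

# Outer methods the server may propose, in proposal order, each mapped to the
# inner methods it tunnels. EAP-MSCHAPv2 and EAP-GTC appear only as inner
# methods: ticked in the policy page, yet not allowed as an outer method.
ALLOWED = {
    PEAP: {EAP_MSCHAPV2, EAP_GTC},
    EAP_FAST: {EAP_MSCHAPV2, EAP_GTC},
    EAP_MD5: set(),
}


def name(method):
    return NAMES.get(method, f"EAP type {method}")


def build_nak(desired_types):
    """Type-Data of an EAP-Response/NAK: type byte 3, then the types the peer wants."""
    return bytes([EAP_NAK]) + bytes(desired_types)


def parse_nak(type_data):
    if not type_data or type_data[0] != EAP_NAK:
        raise ValueError("not an EAP NAK")
    return list(type_data[1:])


def inner_only(allowed, method):
    """True when the method is permitted, but only inside a tunnel method."""
    return method not in allowed and any(method in inner for inner in allowed.values())


def negotiate(allowed, client_outer_types):
    """Server proposes its first outer method; the client accepts it or NAKs with
    the outer methods it supports. Returns (agreed_type_or_None, log_lines)."""
    log = []
    proposed = next(iter(allowed))
    log.append(f"12300 Prepared EAP-Request proposing {name(proposed)} with challenge")
    if proposed in client_outer_types:
        inner = ", ".join(name(t) for t in sorted(allowed[proposed])) or "none"
        log.append(f"client accepted {name(proposed)}; inner methods available: {inner}")
        return proposed, log
    wanted = parse_nak(build_nak(sorted(client_outer_types)))
    log.append(f"11801 Extracted EAP-Response/NAK requesting to use {name(wanted[0])} instead")
    for method in wanted:  # switch only to a NAKed type permitted as an OUTER method
        if method in allowed:
            log.append(f"12300 Prepared EAP-Request proposing {name(method)} with challenge")
            return method, log
    reason = "only permitted as an inner method" if inner_only(allowed, wanted[0]) else "not in the list"
    log.append(f"11803 Failed to negotiate EAP because {name(wanted[0])} not allowed "
               f"in the Allowed Protocols ({reason})")
    log.append("11504 Prepared EAP-Failure")
    return None, log


if __name__ == "__main__":
    for label, outer in (("AnyConnect IKEv2, EAP-MSCHAPv2", {EAP_MSCHAPV2}),
                         ("AnyConnect IKEv2, EAP-MD5", {EAP_MD5}),
                         ("802.1X supplicant, PEAP", {PEAP})):
        agreed, log = negotiate(ALLOWED, outer)
        print(f"== {label}: {'agreed ' + name(agreed) if agreed else 'FAILED'}")
        print("\n".join("   " + line for line in log))
```

Running it reproduces the three cases from the thread: the IKEv2 client asking for EAP-MSCHAP as its outer method fails with the 11803 line, the same client with EAP-MD5 succeeds after its NAK, and a PEAP-capable supplicant accepts the first proposal and never NAKs at all.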
18 Replies

jan.nielsen
Level 7

Are you using the AD connector in ISE or LDAP to connect to AD ?

AD connector. (AD Join feature)

Sounds strange, is your AnyConnect VPN setup using SSL or IKEv2 ?

 

Maybe try to remove all those unneeded protocols, so that mschap_v2 is the only one left in your authentication allowed protocols list.

I use IKEv2-IPSEC.

I tried to remove all the unneeded protocols. There is an option to leave EAP-MSCHAP under PEAP or under EAP-FAST, I tried both. In the first case ISE proposes PEAP and AnyConnect responds with EAP-MSCHAP and negotiation fails; in the second case the same thing happens with EAP-FAST.


Have you ever seen the solution working?

 

The thing is, as far as I remember, when you set up EAP authentication on a Wireless LAN controller, for example, you have setting options very similar to the ones you have on ISE, i.e. PEAP with MS-CHAP inside or EAP-FAST with MS-CHAP. So during the negotiation ISE proposes PEAP, the WLC responds PEAP, they agree and then all the MS-CHAP exchange goes inside. In the case of the AnyConnect VPN client you have no option to choose between PEAP and EAP-FAST; it is just the EAP-MSCHAPv2 option.

Hello,

we are facing the same problem. IKEv2, AnyConnect and the EAP-MSCHAPv2 authC method.

It's sad that Cisco is not able to authenticate the IKEv2 clients (MSCHAPv2) on the routers with the ISE/ACS combination at all. The only possible way is the TLS method. I don't think that MD5 authentication is a secure algorithm nowadays.

Another way is to use the Cisco ASA. The FW is capable of authenticating the EAP-MSCHAPv2 clients with the ISE/ACS in the background.

Based on my research, Cisco released the official bug ID :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw99531/?referring_site=bugquickviewclick

Enhancement = miracle :-) 

Usually our customers migrate their remote access solution from IKEv1 to IKEv2 and they already have ACS/ISE. They wonder why they need to change the authentication process of the clients or deploy another RADIUS AuthC server.....

decode.chr13
Level 1

Hello,

 

I'm facing the same problem.

Did you manage to solve this?

 

Thank you

Hi, Cristi

Looks like I am on my way. Will update soon.

So, basically, we had to upgrade the router IOS so we got anyconnect-eap method support. For our platform, which is ASR1000, we went to 15.5(3)S (03.16.00.S).

The TAC engineer says it works; I didn't have time to test it yet, so if you try it, please post the result here.
crypto ikev2 profile AC
 match identity remote key-id cisco.com
 identity local dn
 authentication remote anyconnect-eap aggregate
 authentication local rsa-sig
 pki trustpoint my.verisign.trustpoint
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap AC
 aaa authorization user anyconnect-eap cached
 virtual-template 40

And here is the profile used

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">false</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Automatic
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="true">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>YOURHOSTNAME</HostName>
      <HostAddress>x.x.x.x</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <IKEIdentity>cisco.com</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

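A check that the router profile and the client profile posted above agree on the points the thread later shows going wrong (the identity the client sends versus the key-id the router matches, the anyconnect-eap authentication lines, and IPsec as the primary protocol). This is an added example, not part of the poster's configuration. ROUTER_CONFIG and CLIENT_PROFILE are trimmed copies of what was posted; DEFAULT_IKE_ID is assumed to be the identity AnyConnect sends when the profile sets no <IKEIdentity> (the value the follow-up post had to match on), the fallback to SSL for a missing <PrimaryProtocol> is assumed, and the function names and output format are mine.

```python
# Added example (not from the original posts): consistency check between an
# IOS IKEv2 profile and an AnyConnect client profile. Inputs below are
# trimmed copies of the thread's config; DEFAULT_IKE_ID is an assumption.
import re
import xml.etree.ElementTree as ET

ROUTER_CONFIG = """\
crypto ikev2 profile AC
 match identity remote key-id cisco.com
 identity local dn
 authentication remote anyconnect-eap aggregate
 authentication local rsa-sig
 pki trustpoint my.verisign.trustpoint
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap AC
 aaa authorization user anyconnect-eap cached
 virtual-template 40
"""

CLIENT_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>YOURHOSTNAME</HostName>
      <HostAddress>x.x.x.x</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <IKEIdentity>cisco.com</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
DEFAULT_IKE_ID = "*$AnyConnectClient$*"  # assumed client identity when no IKEIdentity is set


def parse_ikev2_profile(text):
    """Pull the fields that matter for AnyConnect-EAP out of one 'crypto ikev2 profile' block."""
    prof = {"name": None, "key_ids": [], "remote_auth": None, "aaa_auth": None, "aaa_authz": None}
    patterns = [
        (r"crypto ikev2 profile (\S+)", lambda m: prof.update(name=m.group(1))),
        (r"match identity remote key-id (\S+)", lambda m: prof["key_ids"].append(m.group(1))),
        (r"authentication remote (\S+(?: \S+)?)", lambda m: prof.update(remote_auth=m.group(1))),
        (r"aaa authentication anyconnect-eap (\S+)", lambda m: prof.update(aaa_auth=m.group(1))),
        (r"aaa authorization user anyconnect-eap (\S+)", lambda m: prof.update(aaa_authz=m.group(1))),
    ]
    for line in text.splitlines():
        for pattern, action in patterns:
            m = re.fullmatch(pattern, line.strip())
            if m:
                action(m)
    return prof


def parse_anyconnect_profile(xml_text):
    """One dict per HostEntry: name, primary protocol and the IKE identity the client will send."""
    root = ET.fromstring(xml_text)
    hosts = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        proto = entry.find("ac:PrimaryProtocol", NS)
        ident = entry.find("ac:PrimaryProtocol/ac:StandardAuthenticationOnly/ac:IKEIdentity", NS)
        hosts.append({
            "name": entry.findtext("ac:HostName", namespaces=NS),
            "protocol": (proto.text or "").strip() if proto is not None else "SSL",  # assumed default
            "ike_identity": ident.text.strip() if ident is not None and ident.text else None,
        })
    return hosts


def check(router, hosts):
    """Report mismatches that would stop AnyConnect-EAP from working end to end."""
    problems = []
    if router["remote_auth"] != "anyconnect-eap aggregate":
        problems.append(f"profile {router['name']}: 'authentication remote anyconnect-eap aggregate' missing")
    if not router["aaa_auth"]:
        problems.append(f"profile {router['name']}: 'aaa authentication anyconnect-eap <list>' missing")
    for h in hosts:
        if h["protocol"] != "IPsec":
            problems.append(f"{h['name']}: PrimaryProtocol is {h['protocol']}, must be IPsec for IKEv2")
        ident = h["ike_identity"] or DEFAULT_IKE_ID
        if ident not in router["key_ids"]:
            problems.append(f"{h['name']}: client will send IKE identity {ident!r}, "
                            f"but the router only matches key-id {router['key_ids']}")
    return problems


if __name__ == "__main__":
    router = parse_ikev2_profile(ROUTER_CONFIG)
    no_identity = CLIENT_PROFILE.replace("<IKEIdentity>cisco.com</IKEIdentity>", "")
    for label, xml_text in (("profile with IKEIdentity", CLIENT_PROFILE),
                            ("profile without IKEIdentity", no_identity)):
        found = check(router, parse_anyconnect_profile(xml_text))
        print(f"== {label}: {'OK' if not found else 'PROBLEMS'}")
        for p in found:
            print("   " + p)
```

With the posted profile the check is clean; strip the <IKEIdentity> element (which is what a client that never loaded the profile effectively does) and the only finding is that the router has no key-id matching the client's default identity, the symptom the next reply describes.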
Hi,

We will test it tonight and update here.

Authentication method in Anyconnect, I guess it must be: EAP-Anyconnect.

Authentication protocol in ISE, must be? I'll check them all anyway to see which one it picks up.

Thanks,

C

Authentication protocol on ISE is PAP in our case.

I have just tested and it works, I will try to reproduce all the configuration one more time later.

One more important thing I have just noticed in the proposed solution is that you have to change the AnyConnect client local policy to bypass the client update download, otherwise the client fails to establish the connection, saying "The VPN client failed to establish a connection".

Open the file C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

and change the <BypassDownloader> option to True.

Hi,
I also noticed the auth proto is PAP. Wonder if it can be changed.
We've done the following steps:
1) Upgraded to 3.16.
2) Used your config, but noticed that we need to add to your suggested config:
crypto ikev2 profile AC
 match identity remote key-id *$AnyConnectClient$*
otherwise the router would not pick any profile and would throw an error that no matching profile was found. Is this also your situation?
3) Anyconnect now:
- connects to router
- asks for user/pass
- router sends info to ISE
- ISE successfully authenticates and sends back to router: Authorization: Permit
- router then needs some info that it does not get or understand:
<some of the data>
004419: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Config-type: Config-request
004420: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-addr, length: 0
004421: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-netmask, length: 0
004422: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-dns, length: 0
004423: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-nbns, length: 0
004424: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: unknown, length: 0
004425: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: app-version, length: 32, data: AnyConnect Darwin_i386 4.0.00048
004426: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-subnet, length: 0
<...>
004467: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004468: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004469: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004470: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004471: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
004472: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004473: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004474: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
004475: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004476: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
<...>
Would it be possible to share here your full config (including: aaa, virtual-template, crypto ikev2, crypto ipsec)?
"sh run | sec aaa|crypto ikev2|crypto ipsec|^interface Virtual-Template"
Did you set anything else on ISE for Authorization, except Permit?
Thanks,
CR
PS: I don't know how to move this conversation to private (email/private message) and come back here with final result. 

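A triage helper for the IKEv2 debug excerpt in the post above, added here as an example and not something from the thread. It pairs the attributes the client put in its Config-request with the "unsupported attrib" errors the responder logged, and pulls out the client version. LOG is a constructed subset of the lines posted; STANDARD is an assumed list of the IOS names for the RFC 7296 configuration attributes, so the split into standard and non-standard rejects rests on that assumption.

```python
# Added example (not from the original post): summarise an IOS IKEv2 debug
# excerpt around a Config-request. LOG is a constructed subset of the posted
# lines; STANDARD is an assumed mapping of IOS attribute names to RFC 7296.
import re
from collections import Counter

LOG = """\
004419: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Config-type: Config-request
004420: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-addr, length: 0
004421: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-netmask, length: 0
004422: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-dns, length: 0
004424: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: unknown, length: 0
004425: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: app-version, length: 32, data: AnyConnect Darwin_i386 4.0.00048
004426: *Nov 5 08:12:34.093 EET: IKEv2:(SESSION ID = 58,SA ID = 1):Attrib type: ipv4-subnet, length: 0
004467: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004468: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
004471: *Nov 5 08:12:34.094 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-cleanup-interval in cfg-req
004474: *Nov 5 08:12:34.095 EET: IKEv2-ERROR:IKEv2 responder - unsupported attrib reconnect-dpd-interval in cfg-req
"""

# Assumed IOS names for the configuration attributes defined in RFC 7296 3.15.1.
STANDARD = {"ipv4-addr", "ipv4-netmask", "ipv4-dns", "ipv4-nbns", "ipv4-dhcp",
            "app-version", "ipv6-addr", "ipv6-dns", "ipv4-subnet", "ipv6-subnet"}

ATTRIB_RE = re.compile(r"IKEv2:\(SESSION ID = (\d+),SA ID = (\d+)\):Attrib type: ([\w-]+), "
                       r"length: (\d+)(?:, data: (.*))?$")
UNSUPPORTED_RE = re.compile(r"IKEv2-ERROR:IKEv2 responder - unsupported attrib ([\w-]+) in cfg-req$")


def summarize_cfg_request(log_text):
    """Count requested and rejected attributes and split the rejects by whether
    the responder should have recognised them as standard IKEv2 attributes."""
    requested, unsupported = Counter(), Counter()
    session = version = None
    for line in log_text.splitlines():
        m = ATTRIB_RE.search(line)
        if m:
            session = session or m.group(1)
            requested[m.group(3)] += 1
            if m.group(3) == "app-version":
                version = m.group(5)
            continue
        m = UNSUPPORTED_RE.search(line)
        if m:
            unsupported[m.group(1)] += 1
    return {
        "session": session,
        "client_version": version,
        "requested": requested,
        "unsupported": unsupported,
        "standard_rejected": sorted(a for a in unsupported if a in STANDARD),
        "nonstandard_rejected": sorted(a for a in unsupported if a not in STANDARD),
    }


if __name__ == "__main__":
    s = summarize_cfg_request(LOG)
    print(f"session {s['session']}, client {s['client_version']}")
    print(f"requested: {dict(s['requested'])}")
    print(f"rejected:  {dict(s['unsupported'])}")
    print(f"standard attributes rejected: {s['standard_rejected'] or 'none'}")
    print(f"non-standard attributes rejected: {s['nonstandard_rejected']}")
```

On the posted excerpt every rejected attribute is either "unknown" or one of the reconnect-* values, and none of the address, netmask, DNS or subnet requests is among the rejects; that separates a responder that simply does not know some client-specific attributes from one that is refusing the address assignment itself.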
Have you edited the AnyconnectLocalPolicy? Because the problem looks similar to what we had before doing that.

I have sent you part of the ASR config by mail.

I did edit the AnyconnectLocalPolicy.xml:
<BypassDownloader>true</BypassDownloader>
I compared my config with yours and they look similar.
The main difference is that i really need to have:
match identity remote key-id *$AnyConnectClient$* 
instead of: 
match identity remote key-id cisco.com
I'm still stuck at the latest output: 
IKEv2-ERROR:IKEv2 responder - unsupported attrib unknown in cfg-req
I found another guy with the same problem 6 months ago, not even a reply :-)
https://supportforums.cisco.com/discussion/12500956/flexvpn-ras-anyconnect-certificates
Still debugging. I'll update when I figure out what is wrong.

Have you tried removing special characters from key-id?

just to check if this could be a problem...
