ISE providing both Access-Accept and Access-Reject to ASA for VPN Client

Josh Morris
Level 3

I am currently testing ASA VPN connectivity using ISE as AAA. I'm getting mixed results. If you see in the image below, I am getting a successful authentication/authorization. But then it sends an authentication failure back to the ASA, and the ASA sees an authorization reject. But I still get access to the VPN.

(image: 1.PNG)

(image: 2.PNG)

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15004 Matched rule - VPN_Authentication
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - VPN_Users
15013 Selected Identity Source - stjude.sjcrh.local
24430 Authenticating user against Active Directory - stjude.sjcrh.local
24325 Resolving identity - username
24313 Search for matching accounts at join point - stjude.sjcrh.local
24319 Single matching account found in forest - adroot.sjcrh.local
24367 Skipping unusable domain - ALARIS.LOCAL, Domain trust is one-way
24367 Skipping unusable domain - STJU_TN.cernerasp.com, Domain trust is one-way
24367 Skipping unusable domain - pacs.stjude, Domain trust is one-way
24367 Skipping unusable domain - cernoly.com, Domain trust is one-way
24367 Skipping unusable domain - campusnet.local, Domain trust is one-way
24367 Skipping unusable domain - sjtn.hosted, Domain trust is one-way
24367 Skipping unusable domain - sjtn.healthcatalyst.net, Domain trust is one-way
24367 Skipping unusable domain - BIOS.sjcrh.local, Domain trust is one-way
24323 Identity resolution detected single matching account
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD, ERROR_INVALID_PASSWORD, username@stjude.sjcrh.local
24408 User authentication against Active Directory failed since user has entered the wrong password - stjude.sjcrh.local
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
1 Accepted Solution (Andy's reply below)

5 Replies

Peter Koltl
Level 7

Please share the Tunnel-Group (or Connection Profile) configuration.

tunnel-group ISE_AAA type remote-access
tunnel-group ISE_AAA general-attributes
authentication-server-group ISE_RADIUS
authorization-server-group ISE_RADIUS
accounting-server-group ISE_RADIUS
default-group-policy ISE_TEST
dhcp-server subnet-selection 10.200.x.x
dhcp-server subnet-selection 10.244.x.x
tunnel-group ISE_AAA webvpn-attributes
group-url https://testingurl enable
tunnel-group webvpn type remote-access

It's just weird. I feel like I am successfully being authorized because I added a DACL for testing and it gets applied successfully. But I see in the ASA logs that authorization was rejected and I see the two log entries in the ISE live logs.

(image: 3.PNG)

Hi

 

You have both authentication-server-group and authorization-server-group under your tunnel-group configuration.

 

From cisco documentation below:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html

 


The default method for authentication and authorization uses the user login credentials.

• Authentication
  – Enabled by authentication server group setting
  – Uses the username and password as credentials

• Authorization
  – Enabled by authorization server group setting
  – Uses the username as a credential

 

Maybe the authorization-server-group is sending your username (minus password) to ISE for authorization.

 

My current setup for Anyconnect using ASA/ISE just has authentication-server-group configured under the tunnel-group and both authentication/authorization works for vpn clients.


hth
Andy
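An added example (not code from the thread, from Cisco or from ISE) that turns Andy's diagnosis into two checks a practitioner can run offline: an audit of an ASA running-config for remote-access profiles that pair a RADIUS authentication-server-group with an authorization-server-group (the combination that produced the second, rejected request in the live log), and a parser for the fused "codeDescription" Steps text that ISE produces on copy/paste, so the reject reason can be pulled out mechanically. The config and step lines are constructed samples modelled on what was posted; the profile name AUTH_ONLY, the host 10.0.0.10 and the domain example.local are hypothetical, and step code 11002 (Access-Accept) is taken from ISE's message catalogue rather than from the post.

```python
"""Added example (not from the thread, Cisco or ISE): audit an ASA config for
authentication + RADIUS authorization server groups on one tunnel-group, and
parse ISE 'Steps' output to say why a request ended in Access-Reject.
Config text and step lines are constructed samples; AUTH_ONLY, 10.0.0.10 and
example.local are hypothetical."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted tunnel-group (authentication and authorization
# both pointed at the RADIUS group) beside a hypothetical authentication-only one.
SAMPLE_ASA_CONFIG = """\
aaa-server ISE_RADIUS protocol radius
aaa-server ISE_RADIUS (inside) host 10.0.0.10
tunnel-group ISE_AAA type remote-access
tunnel-group ISE_AAA general-attributes
authentication-server-group ISE_RADIUS
authorization-server-group ISE_RADIUS
accounting-server-group ISE_RADIUS
default-group-policy ISE_TEST
tunnel-group ISE_AAA webvpn-attributes
group-url https://testingurl enable
tunnel-group AUTH_ONLY type remote-access
tunnel-group AUTH_ONLY general-attributes
authentication-server-group ISE_RADIUS
accounting-server-group ISE_RADIUS
"""


def aaa_server_protocols(config: str) -> Dict[str, str]:
    """Map aaa-server group name -> protocol (radius, ldap, tacacs+, ...)."""
    return dict(re.findall(r"^aaa-server (\S+) protocol (\S+)\s*$", config, re.M))


def parse_tunnel_groups(config: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel_group: {'<kind>-server-group': aaa_group}} from each
    general-attributes block. Tolerates pasted configs with or without the
    leading space the ASA prints on sub-mode lines."""
    groups: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) (\S+)", line)
        if m:
            # 'general-attributes' opens a block; 'type', 'webvpn-attributes'
            # and 'ipsec-attributes' lines close whatever block was open.
            if m.group(2) == "general-attributes":
                current = groups.setdefault(m.group(1), {})
            else:
                current = None
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0].endswith("-server-group"):
            current[parts[0]] = parts[1]
    return groups


def find_radius_authz_profiles(config: str) -> List[str]:
    """Tunnel-groups that set an authorization-server-group backed by RADIUS
    as well as an authentication-server-group. With that pairing the ASA
    sends the separate authorization request Andy describes, which is the
    request ISE rejected in the live log."""
    protocols = aaa_server_protocols(config)
    flagged = []
    for name, attrs in parse_tunnel_groups(config).items():
        authz = attrs.get("authorization-server-group")
        if attrs.get("authentication-server-group") and authz and protocols.get(authz) == "radius":
            flagged.append(name)
    return flagged


# ISE step codes: 11003 appears in the post; 11002 is the matching accept code
# from ISE's message catalogue (assumption, not shown in the thread).
STEP_ACCEPT, STEP_REJECT = "11002", "11003"
STEP_AD_WRONG_PASSWORD, STEP_RPC_LOGON_FAILED = "24408", "24344"
STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*?)\s*$")

# Constructed sample in the same fused form as the paste, with a placeholder domain.
SAMPLE_ISE_STEPS = """\
11001Received RADIUS Access-Request
11017RADIUS created a new session
15004Matched rule - VPN_Authentication
24430Authenticating user against Active Directory - example.local
24344RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,username@example.local
24408User authentication against Active Directory failed since user has entered the wrong password - example.local
22061The 'Reject' advanced option is configured in case of a failed authentication request
11003Returned RADIUS Access-Reject
"""


def parse_ise_steps(text: str) -> List[Tuple[str, str]]:
    """Split Steps output into (code, description) pairs, whether or not a
    space survived between the five-digit code and its text."""
    return [(m.group(1), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]


def summarise_ise_steps(steps: List[Tuple[str, str]]) -> Dict[str, object]:
    """Outcome of one ISE request plus the first AD failure line as the reason."""
    codes = [c for c, _ in steps]
    result = "reject" if STEP_REJECT in codes else "accept" if STEP_ACCEPT in codes else "unknown"
    reason = next((d for c, d in steps if c in (STEP_AD_WRONG_PASSWORD, STEP_RPC_LOGON_FAILED)), None)
    return {"result": result, "wrong_password": STEP_AD_WRONG_PASSWORD in codes, "reason": reason}


if __name__ == "__main__":
    print("profiles with a RADIUS authorization-server-group:", find_radius_authz_profiles(SAMPLE_ASA_CONFIG))
    print(summarise_ise_steps(parse_ise_steps(SAMPLE_ISE_STEPS)))
```

Run against a real `show running-config tunnel-group` paste, any profile the audit flags is a candidate for the fix Andy applied (drop the authorization-server-group line and let the single authentication request carry the authorization result and DACL), and a step summary reading reject with wrong_password set on a user who typed the right password is the signature of that second request rather than a genuine bad credential.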

Thanks, that is interesting, although counter-intuitive. I did remove the authorization command and tried again, and I no longer get the additional ISE failure. I now get three successful logs in ISE with the following steps...

 

Session Events

2019-12-12 07:36:59.61 Dynamic Authorization succeeded
2019-12-12 07:36:51.07 RADIUS Accounting watchdog update
2019-12-12 07:36:49.583 RADIUS Accounting start request
2019-12-12 07:36:49.575 DACL Download Succeeded
2019-12-12 07:36:49.574 Authentication succeeded

 

 

 

The ASA does not report a failed (or successful) authorization, but it does use the DACL I have applied in my ISE authorization policy, so I guess authorization is working.

 

Thanks, I will continue to test.