cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3053
Views
1
Helpful
12
Replies

AnyConnect syslog AAA user authentication rejected

davparker
Level 1
Level 1

I have some locally managed FTDs. I'm parsing syslog data for VPN auth failures. The FDM FlexConfig won't allow some of the simplest changes like "no logging hide username" (bug). Anyway, most the AAA user authentication errors indicate reason = Unspecified and the username is "*****".  But there are some log entries that report the actual username and reason = Invalid password. I checked AD, it appears that the usernames displayed are actual accts in AD. I can't tell about the others as I am unable to display the actual username that was attempted. I'm wondering why the difference in the syslog messages. I'm unable to find what "Unspecified error" means. Was that caused by AnyConnect or someone failing auth through the web client? Or maybe those accts don't actually exist in AD so it lists "*****' and generates the Unspecified error?

Thanks,
David

 

1 Accepted Solution

Accepted Solutions

tvotna
Spotlight
Spotlight

This is by design. From the feature description:

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

So, if you see ****, the user doesn't exist, and if you see the username and the reason is "Invalid password", the user exists, but password is incorrect. The reason is shown as "Unspecified error" just to hide further details.

Also described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_8293726

113005

Error Message %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr

Explanation The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.

 

View solution in original post

12 Replies 12

tvotna
Spotlight
Spotlight

This is by design. From the feature description:

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

So, if you see ****, the user doesn't exist, and if you see the username and the reason is "Invalid password", the user exists, but password is incorrect. The reason is shown as "Unspecified error" just to hide further details.

Also described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_8293726

113005

Error Message %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr

Explanation The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.

 

You can't configure "no logging hide username" using flexconfig on a locally managed FTD device. It incorrectly throws a syntax error upon validation. At most it should throw a warning and let you proceed. I also am standing up FMC managed firewalls at another location and this was not an issue. Flexconfig seems mostly broken in FDM. This makes handling security incidents much more problematic. We are working on bringing all of our firewalls into FMC but that will take time. Meanwhile I'm left partially blinded on these FDM managed devices.

I remember somebody reported that he managed to get FlexConfig working by configuring "no loggin hide username" (logging without the last G). Don't believe this is true, although there is bug which tells the same:

CSCvj02826 Need a way to negate "logging hide username" in FTD

 

@tvotnaThis actually worked. I ran this up in CDO with our test FTD VPN and flex config took the command "no loggin hide username"

Ahh, I just realized you confirmed my suspicions.If the username is invalid, it is all *.

Thanks
David

Check above 

Thanks 

MHM

Believe you or not, this is how it works.

 

For this point  did you check it?

MHM

davparker
Level 1
Level 1

I started seeing entries in our syslog like the following:

AAA user authentication Rejected : reason = User was not found : local database

What sort of VPN auth attempt tries against the local database? We don't have fallback to local database enabled.

There are two possibilities.

1. You have not patched FTD and it is vulnerable to https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

CSCwh23100 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability
CSCwh45108 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

In this case you need to update it.

2. You're running fixed version, but didn't implement hardening measures. In this case connection attempts may hit DefaultWEBVPNGroup connection profile, that is why you see such messages. Refer to the following doc:
https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Read the following discussion too:
https://community.cisco.com/t5/network-security/cisco-asa-anyconnect-ddos-protection/m-p/5050819/highlight/true#M1110394

 

Some User that is try to access using any password username direct to use defualt Group policy' since realm is not match. 

You need no-access policy for these user

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

MHM

Review Cisco Networking for a $25 gift card