ISE Anyconnect Active Directory EAP-MSCHAP not allowed

asigachev
Level 1

Hello everyone

Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:

the authentication is failing with the following messages on ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

while EAP-MSCHAP is clearly allowed in the Authentication Policy.

The authentication policy matching sequence is

Authentication Policy: RAVPN1 >> Default

Allowed protocols list named TEST:

Is there anything else that needs to be enabled/permitted?

It worked perfectly with local user authentication and EAP-MD5.

Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List, while the protocol IS being permitted.

Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.

ISE says PEAP:

12300 Prepared EAP-Request proposing PEAP with challenge

AnyConnect responds, "no, I want EAP-MSCHAP":

11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead

Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.

If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.

Is there any way to overcome this?
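The following is an added example, not part of the original post and not Cisco code. It parses an ISE step log like the one quoted above (the step codes and message wording are the ones shown in the post; the sample text is constructed from them) and classifies the Access-Reject as an EAP outer/inner method mismatch rather than a credential failure, which is the reading the post's last update arrives at. The EAP type numbers come from the IANA EAP registry (RFC 3748 and later); the split into tunnel methods and inner-only methods is the assumption the classification rests on, and the GTC variant is a constructed substitution, not a second captured log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the ISE step log quoted in the post, one step per line.
SAMPLE_ISE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

# Constructed variant for the EAP-GTC attempt the post's update describes
# (same step codes, method name substituted; not a captured log).
SAMPLE_ISE_STEPS_GTC = SAMPLE_ISE_STEPS.replace("EAP-MSCHAP", "EAP-GTC")

# EAP method type numbers from the IANA EAP registry (RFC 3748 and follow-ups).
EAP_TYPE = {
    "EAP-MD5": 4, "EAP-GTC": 6, "EAP-TTLS": 21, "PEAP": 25,
    "EAP-MSCHAP": 26, "EAP-MSCHAPV2": 26, "EAP-FAST": 43, "TEAP": 55,
}
# Assumption: tunnel ("outer") methods, and methods ISE only runs inside a tunnel.
TUNNEL_METHODS = {"PEAP", "EAP-FAST", "EAP-TTLS", "TEAP"}
INNER_ONLY_METHODS = {"EAP-MSCHAP", "EAP-MSCHAPV2", "EAP-GTC"}

STEP_RE = re.compile(r"^\s*(\d{5})\s*(.*?)\s*$")   # code may run straight into the message
PROPOSE_RE = re.compile(r"proposing (\S+)")
NAK_RE = re.compile(r"NAK requesting to use (\S+) instead")
NOT_ALLOWED_RE = re.compile(r"because (\S+) not allowed")
RESULT_RE = re.compile(r"Returned RADIUS Access-(\w+)")


@dataclass
class EapNegotiation:
    proposed: List[str] = field(default_factory=list)       # methods ISE offered (12300)
    nak_requested: List[str] = field(default_factory=list)  # methods the client NAKed for (11801)
    not_allowed: List[str] = field(default_factory=list)    # methods ISE refused (11803)
    result: Optional[str] = None                            # last Access-Challenge/Reject seen


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Split ISE step text into (step code, message) pairs, tolerating the pasted
    form where the five-digit code abuts the message with no space."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def analyze(text: str) -> EapNegotiation:
    """Pull the EAP method negotiation out of the step sequence."""
    neg = EapNegotiation()
    for code, msg in parse_steps(text):
        if code == "12300" and (m := PROPOSE_RE.search(msg)):
            neg.proposed.append(m.group(1))
        elif code == "11801" and (m := NAK_RE.search(msg)):
            neg.nak_requested.append(m.group(1))
        elif code == "11803" and (m := NOT_ALLOWED_RE.search(msg)):
            neg.not_allowed.append(m.group(1))
        elif m := RESULT_RE.search(msg):
            neg.result = m.group(1)
    return neg


def diagnose(text: str) -> Tuple[str, str]:
    """Classify a failed EAP exchange. Returns (category, explanation)."""
    neg = analyze(text)
    if neg.result != "Reject":
        return ("no-reject", f"final RADIUS result was Access-{neg.result}")
    outer_offered = [p for p in neg.proposed if p.upper() in TUNNEL_METHODS]
    for wanted in neg.nak_requested:
        if wanted.upper() in INNER_ONLY_METHODS and outer_offered and wanted in neg.not_allowed:
            outer = outer_offered[-1]
            return ("outer-inner-mismatch",
                    f"ISE proposed {outer} (EAP type {EAP_TYPE[outer.upper()]}); the client NAKed "
                    f"it asking for {wanted} (EAP type {EAP_TYPE[wanted.upper()]}) as a stand-alone "
                    f"method, which ISE only allows inside a tunnel, so this is a method-negotiation "
                    f"failure, not a bad credential")
    if neg.not_allowed:
        return ("method-not-allowed", f"ISE refused {', '.join(neg.not_allowed)}")
    return ("other", "reject without an EAP method-negotiation step")


if __name__ == "__main__":
    for label, sample in (("MSCHAP", SAMPLE_ISE_STEPS), ("GTC", SAMPLE_ISE_STEPS_GTC)):
        category, why = diagnose(sample)
        print(f"{label}: {category}: {why}")
```

Running it on the quoted log reports `outer-inner-mismatch` for both the EAP-MSCHAP and the EAP-GTC variants, which separates this kind of reject from an AD password or group-membership failure when triaging ISE live logs in bulk.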
