05-19-2015 10:45 AM - edited 03-10-2019 10:44 PM
Hello everyone
Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:
the authentication is failing with the following messages on ISE:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
while EAP-MSCHAP is clearly allowed in the Authentication Policy.
The authentication policy matching sequence is:
Authentication Policy: RAVPN1 >> Default
Allowed protocols list named TEST:
Is there anything else that needs to be enabled/permitted?
It worked perfectly with local users authentication and EAP-MD5.
Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List while the protocol IS being permitted.
Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.
ISE says PEAP:
12300 Prepared EAP-Request proposing PEAP with challenge
AnyConnect responds, "no, I want EAP-MSCHAP":
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.
If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.
Is there any way to overcome this?
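As an added illustration (not part of the original post, and not Cisco's or ISE's code), the following Python models the EAP exchange behind steps 12300 and 11801: the server proposes PEAP, the client answers with a Legacy Nak asking for EAP-MSCHAPv2 as the outer method, and the server can only honour a Nak whose requested type is allowed as an outer method. The packet layout and type numbers follow RFC 3748 and the IANA EAP registry; the allowed-outer-type set and the accept/Nak decision are assumptions that simplify what ISE actually does.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_NAK = 3                      # RFC 3748 Legacy Nak, a Response-only type
# IANA EAP method type numbers
EAP_TYPES = {4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

def build_eap(code, ident, eap_type, data=b""):
    """Encode one EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    """Decode an EAP packet and validate its Length field."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": ident, "type": eap_type, "data": pkt[5:]}

def negotiation_outcome(request, response, allowed_outer):
    """Decide what the server does with the peer's reply to its proposal.

    A Legacy Nak lists the types the peer wants instead; the server can only
    switch to one that is allowed as an OUTER method. EAP-MSCHAPv2 (26)
    configured only as a PEAP inner method does not count, which is the
    situation in the ISE log above (assumed model, not ISE's real logic).
    """
    req, resp = parse_eap(request), parse_eap(response)
    if resp["code"] != EAP_RESPONSE:
        raise ValueError("expected an EAP Response")
    if resp["type"] == req["type"]:
        return ("accepted", req["type"])
    if resp["type"] != EAP_NAK:
        return ("reject", [resp["type"]])
    wanted = list(resp["data"])          # one byte per desired type
    for t in wanted:
        if t in allowed_outer:
            return ("renegotiate", t)
    return ("reject", wanted)

# Constructed exchange mirroring the post: ISE proposes PEAP (step 12300),
# AnyConnect Naks and asks for EAP-MSCHAPv2 as outer method (step 11801).
ALLOWED_OUTER = {4, 6, 25}       # EAP-MD5, EAP-GTC, PEAP (assumed from the post)
peap_offer = build_eap(EAP_REQUEST, 1, 25, b"\x20")   # PEAP flags: Start bit
client_nak = build_eap(EAP_RESPONSE, 1, EAP_NAK, bytes([26]))

if __name__ == "__main__":
    verdict, detail = negotiation_outcome(peap_offer, client_nak, ALLOWED_OUTER)
    print(verdict, [EAP_TYPES.get(t, t) for t in detail])   # reject ['EAP-MSCHAPv2']
```

Adding 26 to ALLOWED_OUTER in the model is what would make the Nak succeed, which matches the observation that the inner-method permission alone never satisfies step 11803.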