01-13-2016 10:10 AM - edited 02-21-2020 08:37 PM
I am configuring a new connection profile for remote access using IKEv2 instead of ssl. I used the following link for guidelines:
https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example
It is pretty straightforward but it's not working for me. When I try to connect to the connection profile I get the following error:
"Login denied, unauthorized connection mechanism, contact your administrator"
I haven't configured any DAP records, so it's just using the default one that allows all connections. I am not really finding too much information on that error, anyone know what I can do to fix this? Thanks!
01-13-2016 11:52 AM
Could you post your existing AAA config (all the lines containing aaa).
01-13-2016 11:59 AM
Here it is:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (vlan60) host 10.25.20.6
aaa-server TACACS+ (vlan60) host 10.20.20.6
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 10
The ikev2 vpn is set up to use local authentication. Thanks!
01-13-2016 12:04 PM
Can you post the tunnel group configuration please (I especially want to see the authentication-server-group and authorization-server-group commands to confirm how authentication and authorization is being done).
01-13-2016 01:08 PM
Here are the configurations, I think I have everything in here:
tunnel-group anyconnect-ikev2 type remote-access
tunnel-group anyconnect-ikev2 general-attributes
 address-pool vpnpool
 default-group-policy GroupPolicy_anyconnect-ikev2
tunnel-group anyconnect-ikev2 webvpn-attributes
 group-alias anyconnect-ikev2 enable
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 3
 anyconnect profiles anyconnect-ikev2_client_profile disk0:/anyconnect-ikev2_client_profile.xml
 anyconnect profiles ikev2-anyconnect_client_profile disk0:/ikev2-anyconnect_client_profile.xml
 anyconnect profiles profile disk0:/profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_anyconnect-ikev2 internal
group-policy GroupPolicy_anyconnect-ikev2 attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2
 default-domain value redplaid.com
 webvpn
  anyconnect profiles value anyconnect-ikev2_client_profile type user
01-13-2016 01:31 PM
Try adding this to force the use of local usernames and passwords:
tunnel-group anyconnect-ikev2 type remote-access
tunnel-group anyconnect-ikev2 general-attributes
 authentication-server-group LOCAL
01-13-2016 02:41 PM
That didn't make any difference. The authentication appears to be working correctly either way according to the syslog messages:
Jan 13 16:38:52 x.x.x.x %ASA-6-113012: AAA user authentication Successful : local database : user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_anyconnect-ikev2) for user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-113008: AAA transaction status ACCEPT : user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-734001: DAP: User redplaid2, Addr x.x.x.x, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Any other ideas?
01-13-2016 03:35 PM
Reading this more closely we are getting an authorization failure. Can you show us a sanitised version of the local user account?
Can you also do a debug of the authorisation process? Something like:
debug aaa authorization
01-13-2016 03:37 PM
I see it is using the DAP default access policy.
The following DAP records were selected for this connection: DfltAccessPolicy
Do you promise me this is 100% normal and not customised in any way?
01-13-2016 03:56 PM
I assure you the DAP record was not altered in any way. I am able to log in to the ssl vpn connection profile just fine, it's just the ikev2 connection that I cannot log in to. I am also not seeing anything when I run the debugging, not sure if I am doing something wrong. Here is the username that I am using:
username redplaid2 password **************** encrypted privilege 15
Thanks!
01-13-2016 04:03 PM
Are you using the same trustpoint, ASDM_TrustPoint1, for the SSL VPN?
01-13-2016 04:26 PM
I just checked our ASA. Your config is very similar to mine. I don't have this line:
anyconnect profiles ikev2-anyconnect_client_profile disk0:/ikev2-anyconnect_client_profile.xml
I also have a newer version of AnyConnect deployed:
anyconnect image disk0:/anyconnect-win-4.1.06020-k9.pkg 1 regex "Windows NT"
I have found the client's *.XML profile can be a bit touchy. Below is a sample XML profile that I use:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>"customer name"</HostName>
      <HostAddress>"DNS name of device - must match certificate"</HostAddress>
      <UserGroup>"group name"</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
01-13-2016 04:28 PM
I notice in that link you supplied their XML profile doesn't have the UserGroup attribute.
We have multiple groups configured on our ASA. Perhaps it is only needed if you have more than one (or perhaps it only uses the default group). And from your post your ASA also sounds like it has multiple groups.
01-13-2016 05:34 PM
Thanks for the information Philip. I am not sure I know what you mean by user group. All we have is one database of users and it's the local database. The XML profile that is installed on the ASA was automatically created by the ASA when I set this up using the remote access wizard in the ASDM. I adjusted the XML file earlier today but it was incorrect, I thought the "hostname" was supposed to be the DNS name. I changed that and the "host address" but it's still giving me the same error.
01-13-2016 05:49 PM
From the above config, your group is anyconnect-ikev2.
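As an added check that is not part of the thread, the script below parses an AnyConnect client profile in the layout Philip posted and the tunnel-group / group-policy lines from the original config, and flags a HostEntry whose PrimaryProtocol is IPsec but has no UserGroup, or whose UserGroup leads to a group-policy that does not list the needed keyword in vpn-tunnel-protocol. The profile, host names and config excerpt are constructed samples modelled on the posts above, and the ssl-client keyword is assumed for the SSL case.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # namespace used by the posted profile

# Constructed sample profile: three HostEntry blocks in the thread's layout
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ServerList>
<HostEntry><HostName>vpn-ok</HostName><HostAddress>vpn.example.com</HostAddress><UserGroup>anyconnect-ikev2</UserGroup><PrimaryProtocol>IPsec</PrimaryProtocol></HostEntry>
<HostEntry><HostName>vpn-nogroup</HostName><HostAddress>vpn.example.com</HostAddress><PrimaryProtocol>IPsec</PrimaryProtocol></HostEntry>
<HostEntry><HostName>vpn-ssl</HostName><HostAddress>vpn.example.com</HostAddress><UserGroup>anyconnect-ikev2</UserGroup></HostEntry>
</ServerList></AnyConnectProfile>"""

# Constructed sample of the ASA side, modelled on the tunnel-group/group-policy posted above
CONFIG = """tunnel-group anyconnect-ikev2 type remote-access
tunnel-group anyconnect-ikev2 general-attributes
 default-group-policy GroupPolicy_anyconnect-ikev2
group-policy GroupPolicy_anyconnect-ikev2 attributes
 vpn-tunnel-protocol ikev2"""

def parse_asa(config):
    """Return {tunnel-group: default group-policy} and {group-policy: allowed protocols}."""
    tg_policy, gp_protocols, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            section = ("tg", m.group(1))
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            section = ("gp", m.group(1))
        elif (m := re.match(r"default-group-policy (\S+)", line)) and section and section[0] == "tg":
            tg_policy[section[1]] = m.group(1)
        elif (m := re.match(r"vpn-tunnel-protocol (.+)", line)) and section and section[0] == "gp":
            gp_protocols[section[1]] = set(m.group(1).split())
    return tg_policy, gp_protocols

def check_profile(profile_xml, config):
    """Flag HostEntry blocks whose UserGroup / PrimaryProtocol cannot be honoured by the ASA."""
    tg_policy, gp_protocols = parse_asa(config)
    findings = []
    for host in ET.fromstring(profile_xml).iterfind("ac:ServerList/ac:HostEntry", NS):
        name = host.findtext("ac:HostName", default="?", namespaces=NS)
        proto = host.findtext("ac:PrimaryProtocol", default="SSL", namespaces=NS)
        group = host.findtext("ac:UserGroup", default=None, namespaces=NS)
        needed = "ikev2" if proto == "IPsec" else "ssl-client"  # vpn-tunnel-protocol keyword
        if not group:
            findings.append(f"{name}: no UserGroup, client falls to the ASA default tunnel-group")
        elif group not in tg_policy:
            findings.append(f"{name}: UserGroup {group} matches no tunnel-group")
        elif needed not in gp_protocols.get(tg_policy[group], set()):
            findings.append(f"{name}: group-policy {tg_policy[group]} does not allow {needed}")
    return findings
```

Run `check_profile(PROFILE, CONFIG)` against a real exported profile and a `show running-config` excerpt to see which HostEntry would land outside the intended tunnel-group.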