ASA IPsec connection config via ASDM on 5510

tony.kiser
Level 1

Hello, I'm having a problem completing an IPSec(IKEv1) connection to be used with Chromebooks. I have gone through the config and believe it's correct, but with an attempted connection I get: AAA user authentication Rejected : reason = Invalid password : local database : user = xxxxx

I am trying to use a local user account for current testing, and have confirmed and reconfirmed that the password is correct. Any idea why the authentication isn't being passed?

1 Accepted Solution

Tony,

In case you are using MS-CHAPv2, then the user account should be like:

username cisco password cisco123 mschap

Let me know.

Thanks.

Please rate any helpful posts.

21 Replies

Hi,

So you are connecting with the Cisco IPsec client?

Have you tried with another account?

Please attach "debug aaa common 255"

Thanks.

Portu.

Please rate any helpful posts

Sent from Cisco Technical Support Android App

I'm trying to use both the VPN config on a Mac and the VPN config on a Chromebook. The instructions to set up for Chromebook I found here

(http://support.google.com/chromeos/bin/answer.py?hl=en&answer=2382577)

Log attached.

Please attach the AAA output.

Thanks.

Sent from Cisco Technical Support Android App

I'm sorry, I'm pretty new at this device, is there a specific command you are asking me to run to get the aaa output?

I figured it out... Here is the output and it's attached.

debug aaa common enabled at level 255

lcociscoasa# AAA API: In aaa_open

AAA session opened: handle = 120

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(a7b57c78) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

aaai_policy_name_to_server_id(DefaultRAGroup)

Got server ID 0 for group policy DB

Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server:

AAA FSM: In AAA_SendMsg

User: DefaultRAGroup

Resp:

grp_policy_ioctl(9ef75e0, 114698, a7b57200)

grp_policy_ioctl: Looking up DefaultRAGroup

callback_aaa_task: status = 1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 120, pAcb = ab912150

AAA task: aaa_process_msg(a7b57c78) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Tunnel Group Policy Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

  1     User-Name(1)     14    "DefaultRAGroup"

  2     User-Password(2)      0    0xAB7DF77B   ** Unresolved Attribute **

user policy attributes:

None

tunnel policy attributes:

  1     Primary-DNS(4101)      4    IP: 10.30.16.120

  2     Secondary-DNS(4102)      4    IP: 10.30.16.121

  3     Tunnelling-Protocol(4107)      4    12

  4     Group-Policy(4121)     14    "DefaultRAGroup"

  5     Split-Tunnel-Inclusion-List(4123)      8    "DefaultRAGroup_splitTunnelAcl"

  6     Default-Domain-Name(4124)     14    "ad.seagate.com"

  7     Split-Tunneling-Policy(4151)      4    1

AAA API: In aaa_close

AAA task: aaa_process_msg(a7b57c78) received message type 3

In aaai_close_session (120)

AAA API: In aaa_open

AAA session opened: handle = 121

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(a7b57c78) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LOCAL)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server:

AAA FSM: In AAA_SendMsg

User: vpnuser

Resp:

In localauth_ioctl

Local authentication of user vpnuser

callback_aaa_task: status = -1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 121, pAcb = ab912150

aaa_backend_callback: Error:

AAA task: aaa_process_msg(a7b57c78) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = , tunn pol = DefaultRAGroup

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

  1     MS-CHAP-Error(8194)     14    "[01]E=691 R=0 V=3"

user policy attributes:

None

tunnel policy attributes:

None

Auth Status = REJECT

AAA API: In aaa_close

AAA task: aaa_process_msg(a7b57c78) received message type 3

In aaai_close_session (121)
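
Added example, not part of any post in this thread: a small Python parser for `debug aaa common` output like the log above. It groups lines by AAA session handle and decodes the `MS-CHAP-Error` attribute using the failure-packet fields defined in RFC 2759 (E = error code, R = retry allowed, V = version). The names `parse_aaa_debug` and `MSCHAP_ERRORS` are hypothetical, and the sample lines are copied from the second session in the posted log.

```python
import re

# Error codes from RFC 2759 section 6 (MS-CHAPv2 Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed sample: lines taken from AAA session 121 in the post above.
SAMPLE = """\
AAA session opened: handle = 121
Initiating authentication to primary server (Svr Grp: LOCAL)
User: vpnuser
Authentication Status: -1 (REJECT)
  1     MS-CHAP-Error(8194)     14    "[01]E=691 R=0 V=3"
Auth Status = REJECT
"""

def parse_aaa_debug(text):
    """Return one dict per AAA session found in 'debug aaa common' output."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"AAA session opened: handle = (\d+)", line):
            cur = {"handle": int(m.group(1)), "group": None, "user": None,
                   "status": None, "mschap": None}
            sessions.append(cur)
        elif cur is None:
            continue  # ignore anything before the first session opens
        elif m := re.search(r"\(Svr Grp: ([^)]+)\)", line):
            cur["group"] = m.group(1)
        elif m := re.match(r"User: (\S+)", line):
            cur["user"] = m.group(1)
        elif m := re.search(r"Status: -?\d+ \((\w+)\)", line):
            cur["status"] = m.group(1)
        elif m := re.search(r"MS-CHAP-Error\(8194\).*E=(\d+) R=(\d) V=(\d+)", line):
            code = int(m.group(1))
            cur["mschap"] = {"error": MSCHAP_ERRORS.get(code, f"unknown ({code})"),
                             "retry_allowed": m.group(2) == "1",
                             "version": int(m.group(3))}
    return sessions
```

For the posted log this reports handle 121 as a REJECT from server group LOCAL with `ERROR_AUTHENTICATION_FAILURE`, retry not allowed, version 3 (MS-CHAPv2), which places the failure in the MS-CHAP exchange against the local user database rather than in the tunnel group policy lookup (handle 120, ACCEPT).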

Hi Tony,

So are you connecting as an L2TP/IPsec client?

Thanks.

Yes.  Or at least that's what I'm trying to do.

I am just curious, have you tried with a Windows machine running the L2TP/IPsec client?

Thanks.

Yes, and it doesn't connect.

Tony,

In case you are using MS-CHAPv2, then the user account should be like:

username cisco password cisco123 mschap

Let me know.

Thanks.

Please rate any helpful posts.

You mean the word mschap should actually be typed in after the password with a space?

(another example) password123 mschap

Correct.

same error.

Tony,

Please attach the configuration.

Thanks.
