cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
271
Views
15
Helpful
13
Replies
Highlighted
Beginner

IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

I set up FlexVPN with help of https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html. But instead of using a RADIUS server I want to use local users. Below is an excerpt from my AAA and FlexVPN setup followed by the error message I am getting when testing through iPhone AnyConnect client. The TEST user verifies on the command line just fine.

 

Any help much appreciated.

 

router1#show run aaa
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization exec default local
aaa authorization network GROUP local
username TEST privilege 15 password 0 test
!
aaa attribute list FlexVPN_ATTRIBUTE_LIST
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
!
aaa new-model
aaa session-id common

 

crypto ikev2 authorization policy FlexVPN_LOCAL_POLICY
pool FlexVPN_POOL
dns 4.2.2.2
netmask 255.255.255.0
def-domain beamtechnology.com
aaa attribute list FlexVPN_ATTRIBUTE_LIST
route set interface
!
crypto ikev2 proposal FlexVPN_PROPOSAL
encryption 3des
integrity sha1
group 2
!
crypto ikev2 policy FlexVPN_IKEv2_POLICY
match address local 38.88.174.100
proposal FlexVPN_PROPOSAL
!
!
crypto ikev2 profile FlexVPN_IKEv2_PROFILE
match identity remote address 0.0.0.0
match identity remote key-id SECRET
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FlexVPN_TP
aaa authentication eap USER
aaa authorization group eap list GROUP FlexVPN_LOCAL_POLICY
virtual-template 1
!
no crypto ikev2 http-url cert
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
!
crypto ipsec transform-set FlexVPN_TRANSFORM esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile FlexVPN_IPsec_PROFILE
set transform-set FlexVPN_TRANSFORM
set ikev2-profile FlexVPN_IKEv2_PROFILE

 

---

*Dec 5 02:54:55.304: AAA/BIND(0000511A): Bind i/f
*Dec 5 02:54:55.304: IKEv2:Use authen method list USER

*Dec 5 02:54:55.304: AAA/AUTHEN/LOGIN (0000511A): Pick method list 'USER'
*Dec 5 02:54:55.304: IKEv2:pre-AAA: client sent TEST as EAP-Id response
*Dec 5 02:54:55.304: IKEv2:sending TEST [EAP-Id] as username to AAA
*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Dec 5 02:54:55.304: IKEv2:%Unsuccessful AAA response FAIL

*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[AAA -> IKEv2] Unsuccessful response received
*Dec 5 02:54:55.308: IKEv2:Received response from authenticator
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):: Extensible Authentication Protocol failed
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_PROC_EAP_RESP Event: EV_DELETE
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Action: Action_Null
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Verification of peer's authentication data FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Sending authentication failure notify
*Dec 5 02:54:55.308: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

---

13 REPLIES
RJI Collaborator
Collaborator

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Hi,

What IOS version is your router running? On older IOS versions authentication using the local database was unsupported, however it works on newer IOS versions.

 

Does the iPhone have the certificate in use by the router?

 

This FlexVPN example might be more appropriate than the on you provided.

 

HTH

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

IOS version 15.3 on a 891F router. The phone does have the cert in place after which I was able to see the sign in dialog for username/password. Funny, the config you are pointing to is the one I started out with but due to cert issues ended up with the one I pasted. I will revisit and see if I can make it work. Please note that the cert I am using is not verified as it's been generated solely on the router. Once I can confirm a functional solution my plan is to purchase client AnyConnect licenses and get a real cert.

 

Shall I upgrade the IOS version?

 

Thanks!

RJI Collaborator
Collaborator

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

The document suggests - IOS release 15.5(2)T or later
Setup the router as CA, use that to sign the routers' certificate. Export the CA Root Certificate and import that into the iphone.

HTH
Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

The router is already setup as a CA and this seems to function properly. Unfortunately, I have to setup a service contract first with a Cisco partner before upgrading IOS, which won't happen right away. In the meantime I setup FreeRadius to verify the initial 'version 15.3 may not support VPN aaa local' theory.  Now I am getting other errors that I am working through, and from what it looks like the MD5 challenge fails: "Failed to receive the AUTH msg before the timer expired".

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Actually, there was a misconfiguration on my part. The issue I am seeing now is below in router and FreeRadius output:

 

--- ROUTER ---

*Dec 6 02:46:44.394: IKEv2:Use authen method list USER

*Dec 6 02:46:44.394: AAA/AUTHEN/LOGIN (000063AE): Pick method list 'USER'
*Dec 6 02:46:44.394: IKEv2:sending TEST [EAP-Id] as username to AAA
*Dec 6 02:46:44.394: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Dec 6 02:46:45.182: AAA/AUTHEN/LOGIN (000063AD): Pick method list 'default'
*Dec 6 02:46:45.418: IKEv2:%Unsuccessful AAA response FAIL

*Dec 6 02:46:45.422: IKEv2:(SA ID = 1):[AAA -> IKEv2] Unsuccessful response received
*Dec 6 02:46:45.422: IKEv2:Received response from authenticator
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):: Extensible Authentication Protocol failed
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):SM Trace-> SA: I_SPI=6A9E97D254CBB37E R_SPI=460821D2E3F332D3 (R) MsgID = 3 CurState: R_PROC_EAP_RESP Event: EV_RECV_EAP_FAIL
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):Sending EAP status message

 

--- FreeRadius ---

(22) Received Access-Request Id 50 from 38.88.174.100:1645 to 10.10.191.184:1812 length 135
(22) Service-Type = Login-User
(22) Cisco-AVPair = "service-type=Login"
(22) Calling-Station-Id = "10.1.10.65"
(22) User-Name = "TEST"
(22) EAP-Message = 0x023c0016041082640374eb55332f88e6f89c6b692b2c
(22) Message-Authenticator = 0xc18cb20962b312c7184603cb2401815d
(22) State = 0xe44cdc41e470d83d802dbe7aaae367d0
(22) NAS-IP-Address = 38.88.174.100
(22) session-state: No cached attributes
(22) # Executing section authorize from file /etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "TEST", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 60 length 22
(22) eap: No EAP Start, assuming it's an on-going EAP conversation
(22) [eap] = updated
(22) files: users: Matched entry bob at line 87
(22) [files] = ok
(22) [expiration] = noop
(22) [logintime] = noop
(22) pap: WARNING: Auth-Type already set. Not setting to PAP
(22) [pap] = noop
(22) } # authorize = updated
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0xe44cdc41e470d83d
(22) eap: Finished EAP session with state 0xe44cdc41e470d83d
(22) eap: Previous EAP request found for state 0xe44cdc41e470d83d, released from the list
(22) eap: Peer sent packet with method EAP MD5 (4)
(22) eap: Calling submodule eap_md5 to process data
(22) eap: Sending EAP Failure (code 4) ID 60 length 4
(22) eap: Freeing handler
(22) [eap] = reject
(22) } # authenticate = reject
(22) Failed to authenticate the user
(22) Using Post-Auth-Type Reject
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Post-Auth-Type REJECT {
(22) attr_filter.access_reject: EXPAND %{User-Name}
(22) attr_filter.access_reject: --> TEST
(22) attr_filter.access_reject: Matched entry DEFAULT at line 11
(22) [attr_filter.access_reject] = updated
(22) [eap] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # Post-Auth-Type REJECT = updated
(22) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(22) Sending delayed response
(22) Sent Access-Reject Id 50 from 10.10.191.184:1812 to 38.88.174.100:1645 length 44
(22) EAP-Message = 0x043c0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Ok, I successfully setup a FreeRadius server and followed yet another setup @ https://community.cisco.com/t5/security-documents/flexvpn-ikev2-eap-secure-connection-between-iphone-ipad-and-a/ta-p/3136285. With additional modifications I finally was able to log in to VPN without even upgrading IOS. The last thing I am stuck on now is to be able to access internal resources. Basically, the AnyConnect stats show that I can send packets but not receive any. Could this be a route issue on the headend?

RJI Collaborator
Collaborator

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Upgrading the IOS was only if you are doing local EAP on the router, as it was only available in newer versions of IOS. It doesn't apply if you are using FreeRadius.

Does the backend have a route to the VPN Pool IP address range? ...as in a route pointing to the FlexVPN Hub
Are you pushing down the routes to tunnel through the VPN from the RADIUS server?


Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

I am extremely new to IOS routing. Below is the config I do have. Hope that helps to identify what I am missing. I left out the working FlexVPN configs.

 

---

interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0
switchport access vlan 2
no ip address
!
interface GigabitEthernet8
ip address 38.88.174.10 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type sfp
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FlexVPN_IPsec_PROFILE
!
interface Vlan2
ip address 10.1.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
encapsulation slip
!
ip local pool FlexVPN_POOL 10.1.10.200 10.1.10.249
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 38.88.174.9
!
ip access-list standard NAT
permit 10.1.10.0 0.0.0.255

RJI Collaborator
Collaborator

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Is the internal resources in the same network as the vlan 2 interface (10.1.10.0/24)?
How are you testing? Are you pinging a dns name or an ip address?

Please provide the output of the following:-

- "show crypto ikev2 sa detailed"
- a screenshot of the anyconnect VPN Route Details tab
Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

All resources are in the same 10.1.10.0/24 network, LAN and VPN. I tested by 1) trying to ping from phone by ip and 2) from router to ping phone ip. See attached images and below output. I changed our real domain to domain.com. Pinging the assigned phone IP from the router succeeds but fails from any other connected device, e.g., my desktop. Same is true for phone not reaching anything in the 10.1.10.0/24 network. Also not sure if this may help, I attached the test user as configured in FreeRadius.

 

--- FreeRadius users entry for TEST user ---

Service-Type = Framed-User,
Service-Type = Login,
Cisco-AVPair +="ipsec:addr-pool=FlexVPN_POOL",
Cisco-AVPair +="ipsec:route-set-interface=1"

 

---

router1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 38.88.174.10/4500 10.1.10.110/52074 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/66 sec
CE id: 2082, Session-id: 16
Status Description: Negotiation done
Local spi: 5EC9C186087014E4 Remote spi: D62A76DB900E940D
Local id: ipaddress=38.88.174.10+hostname=vpn.domain.com,cn=vpn.domain.com,ou=TAC
Remote id: TESTID
Remote EAP id: TEST
Local req msg id: 0 Remote req msg id: 7
Local next msg id: 0 Remote next msg id: 7
Local req queued: 0 Remote req queued: 7
Local window: 5 Remote window: 1
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 10.1.10.214
Initiator of SA : No

IPv6 Crypto IKEv2 SA

---

 

 

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Just wondering if my additional information that was being asked for will help to sort out what am I missing?

 

Thanks

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Hi Vifilio,

 

Your inside hosts will never send their packets to the default gateway (router in this case) trying to reach a VPN client as they are in the same IP range 10.1.10.0/24. You should separate the IP ranges for the LAN on Vlan2 and the FlexVPNpool to make the hosts and the VPN client communicate. 

 

The reason why your router is able to reach the VPN client is the specific route in the routing table while the VPN client is connected.

 

Hope this helps. Let me know.

Beginner

Re: IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

That was very helpful and did do the trick. Now I am able to ping from within the lan and to the lan. The last piece I need to sort out is to know how to route traffic to my WLAN when connected via VPN. I tried a few routes but wasn't successful.

 

Thanks so much for all your help to this point.

CreatePlease to create content
Ask the Expert- DMVPN on Cisco routers