AnyConnect connection failed

angelito_mas
Level 1

Hi guys,

I have configured a FlexVPN with a CSR1000v as hub and some clients that connect to it through AnyConnect.

The tunnels are established with local credentials, but I have to deploy authorization and authentication against a RADIUS server. The server is a Windows Server 2019 with the NPS role installed.

This is a part of the config on the CSR:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTHC local
aaa authentication login AnyConnect group radius
aaa authorization exec default local none
aaa authorization network default local
aaa authorization network AUTHZ local
aaa authorization network AnyConnect group radius
aaa accounting network AnyConnect start-stop group radius group AnyConnect
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
ip domain name *****vpn.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
crypto pki server CA
no database archive
issuer-name cn=ca.*****.com
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
crypto pki trustpoint IOSCA
enrollment url http://172.16.0.4:80
subject-name cn=iotodvpn.*****.com
subject-alt-name iotodvpn.*****.com
revocation-check none
!
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
!
!
!
!
!
!
license udi pid C8000V sn 95E3P9I41SJ
license boot level network-essentials addon dna-essentials
diagnostic bootup level minimal
memory free low-watermark processor 68460
!
!
spanning-tree extend system-id
!
redundancy
!
!
crypto ikev2 name-mangler *****
email username
!
!
crypto ikev2 name-mangler AC_mangler
fqdn all
!
!
crypto ikev2 authorization policy *****
pool *****TestPool
route set interface
route set remote ipv4 172.28.0.0 255.255.252.0
route set remote ipv4 172.26.255.0 255.255.255.0
route set remote ipv4 172.28.5.0 255.255.255.0
route accept any distance 70
!
crypto ikev2 authorization policy AC_VPN
pool AnyConnect
dns 172.16.0.6
route set interface
route set remote ipv4 172.28.0.0 255.255.252.0
route set remote ipv4 172.26.255.0 255.255.255.0
route accept any distance 70
!
!
!
crypto ikev2 keyring *****_Flex_key
peer ****
identity email domain alleantiaVPN.io
pre-shared-key *****
!
!
!
crypto ikev2 profile *****_VPN_I2PF
match fvrf any
match identity remote email domain *****VPN.io
identity local key-id *****
authentication remote pre-share
authentication local pre-share
keyring local *****_Flex_key
dpd 29 2 periodic
aaa authorization group psk list *****VPN *****VPN
virtual-template 2
!
crypto ikev2 profile *****_VPN_Any
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint IOSCA
aaa authentication eap AnyConnect
aaa authorization group eap list AnyConnect
aaa authorization user eap list AnyConnect
virtual-template 3
reconnect timeout 600
anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
!
!
!
crypto logging ikev2
!
!
!
!
!
crypto vpn anyconnect profile acvpn flash:/acvpn.xml
!
!
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile *****_VPN_AC
set transform-set TS
set ikev2-profile *****_VPN_Any
!
crypto ipsec profile *****_VPN_IPS_PF
set ikev2-profile *****_VPN_I2PF
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description FlexTunnel interface
ip address 172.28.0.1 255.255.252.0
ip mtu 1400
!
interface Loopback1
ip address 172.26.255.1 255.255.255.0
ip mtu 1400
!
interface Loopback2
description Flex_AnyConnect
ip address 172.28.5.1 255.255.255.0
ip mtu 1400
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile *****_VPN_IPS_PF
!
interface Virtual-Template3 type tunnel
ip unnumbered Loopback2
ip mtu 1358
ip nat inside
ip tcp adjust-mss 1318
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile *****_VPN_AC
!
iox
ip local pool *****TestPool 172.28.0.2 172.28.3.254
ip local pool AnyConnect 172.28.5.2 172.28.5.254
ip forward-protocol nd
ip tcp window-size 8192
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip ftp username iotodvpn
ip ftp password 7 02070A5C0E0A00
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.0.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
ip access-list extended ACL-VPN-IN
10 permit ip 10.8.85.240 0.0.0.7 any
20 permit ip 10.172.28.0 0.0.3.255 any
ip access-list extended ACL-VPN-OUT
10 permit ip 172.26.255.0 0.0.0.255 any
20 permit ip 10.172.28.0 0.0.3.255 any
!
ip radius source-interface GigabitEthernet1
ip access-list extended 101
10 permit ip 172.28.0.0 0.0.3.255 any
15 permit ip 172.28.5.0 0.0.0.255 any
!
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
!
radius server *****VPN
address ipv4 172.16.0.6 auth-port 1812 acct-port 1813
key 7 022608570E0701351D1A484B554540
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
transport input ssh
line vty 5 20
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp authenticate
ntp source GigabitEthernet1
ntp server 193.204.114.232
ntp server 193.204.114.105
!
!
!
!
!
!
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end
When I attempt to connect, I enter the credentials but it fails with this error:
Authentication Details:
Connection Request Policy Name: AnyConnect
Network Policy Name: AnyConnect
Authentication Provider: Windows
Authentication Server: radius.*****vpn.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 3030303037384542
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Any suggestions? Can someone help me?

3 Replies

aaa new-model
!

radius server RADIUS
address ipv4 X.X.X.X auth-port 1812 acct-port 1813
key Cisco
!

aaa group server radius RADIUS
server RADIUS
!

aaa authentication login Anyconnet group RADIUS
aaa authorization network Anyconnet group RADIUS
aaa accounting network Anyconnet start-stop group RADIUS
Please do not forget to rate.
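As an added example (not code from the thread or from Cisco), a small Python check for the class of mistake the reply above addresses: AAA method lists that reference a server group which was never defined, and IKEv2 profile EAP lines that reference a method list which does not exist. The sample configs are constructed from the AAA lines in the post and in the reply, with the masked profile name replaced by a placeholder.

```python
import re

# Constructed sample: the AAA-relevant lines from the poster's config, with the
# masked IKEv2 profile name replaced by a placeholder (not the full running-config).
SAMPLE_CONFIG = """
aaa authentication login AnyConnect group radius
aaa authorization network AnyConnect group radius
aaa accounting network AnyConnect start-stop group radius group AnyConnect
crypto ikev2 profile EXAMPLE_VPN_Any
 aaa authentication eap AnyConnect
 aaa authorization group eap list AnyConnect
"""

# Constructed sample in the shape of the reply: one named server group that every
# method list points at, with list names matching the IKEv2 profile references.
FIXED_CONFIG = """
aaa group server radius RADIUS
aaa authentication login AnyConnect group RADIUS
aaa authorization network AnyConnect group RADIUS
aaa accounting network AnyConnect start-stop group RADIUS
crypto ikev2 profile EXAMPLE_VPN_Any
 aaa authentication eap AnyConnect
 aaa authorization group eap list AnyConnect
"""

# Server groups IOS provides without an explicit 'aaa group server' definition.
BUILTIN_GROUPS = {"radius", "tacacs+"}

def lint_aaa(config: str) -> list:
    # Collect defined groups and method lists, then report dangling references.
    groups = set(BUILTIN_GROUPS)
    login_lists, network_lists = {"default"}, {"default"}
    group_refs, eap_refs = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.*)", line):
            login_lists.add(m.group(1))
            group_refs += [(line, g) for g in re.findall(r"group (\S+)", m.group(2))]
        elif m := re.match(r"aaa (?:authorization|accounting) network (\S+) (.*)", line):
            network_lists.add(m.group(1))
            group_refs += [(line, g) for g in re.findall(r"group (\S+)", m.group(2))]
        elif m := re.match(r"aaa authentication eap (\S+)", line):
            eap_refs.append((line, "login", m.group(1)))      # needs a login list
        elif m := re.match(r"aaa authorization (?:group|user) eap list (\S+)", line):
            eap_refs.append((line, "network", m.group(1)))    # needs a network list
    findings = [f"undefined server group '{g}' in: {line}"
                for line, g in group_refs if g not in groups]
    for line, kind, name in eap_refs:
        if name not in (login_lists if kind == "login" else network_lists):
            findings.append(f"undefined {kind} method list '{name}' in: {line}")
    return findings
```

Run against the posted lines it flags the accounting command's reference to a group named AnyConnect that is never defined; the reply's group-based form produces no findings.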

Hi, thanks for the help.

The error was caused by the incorrect aaa authorization group command.

Now it is working.

These virtual templates do not need a tunnel source, for both the FlexVPN S2S and the AnyConnect virtual template.
Remove it.

Please note that when you use the same tunnel source in any VPN, the IPsec profile must be shared.
