cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11028
Views
0
Helpful
19
Replies

Anyconnect to ASA to ISE to Azure MFA - Radius retry issue

Ralphy006
Level 1
Level 1

 

Hi all,
I currently use Anyconnect SSL VPN (4.5) connecting to an ASA running 9.X code.

I am transitioning to Azure MFA, and use ISE as well for authentication.

So the thought is, when logging into the VPN, the ASA would send a radius request to ISE (username and password).

ISE would then send a radius request the Azure MFA server which does the authentication of the username/password and 2-factor. I have this working assuming the user responds to the 2-factor.

I stumbled upon this scenario. If the user does NOT respond to the 2-factor and just let's it hang, the auth times out. And I can cancel out of the login prompt.

However, the ASA continues to send access-requests. Even after ISE sends a access-reject. This results in continuous 2-factor requests.

Any ideas?

ASA to ISE is set to 65 second timeout.

ISE to Azure MFA is set to 60 second timeout.


aaa-server TEST protocol radius
interim-accounting-update periodic 3
max-failed-attempts 1
merge-dacl before-avpair
dynamic-authorization
aaa-server TEST (inside) host 10.X.X.1
timeout 65
key *****
aaa-server TEST (inside) host 10.x.x.2
timeout 65
key *****

Any ideas would help!

19 Replies 19

AMoore1776
Level 1
Level 1

My ISE/ ASA is doing the same thing. But we only get the constant radius request when a user times out with out putting in the MFA pin. Also had it when users would use their work phone and then forward the work phone to home phone. even though they connected still got constant phone calls. I feel like it is something with ASA but since he deny request isnt going through ISE back to the ASA. ive been at a loss. 

But my anyconnect is 4.6.0362, ISE 2.3 Patch5 and ASA is running a similar code. I have either 60sec or 90 secfor time out. 

When this happens a user will get non-stop text messages. 

Ive had some first fail to get the PIN in time but then restart the process, enter the correct PIN, be Authenticated, and postured through ISE have complete network availability. But, since the first try didn't go through her phone range every 5 sec for an hour.

Ive got a TAC case in still no answers on how or why this is happening.

 

Wow it sounds like we have the same exact problem. I'm encouraged and discouraged at the same time =)

 

I also do posturing through ISE, that's why I wanted the radius requests to go through ISE first. I might try doing the radius requests straight to the Azure MFA and see if that helps (I think it will be the same issue).

 

How many Azure MFA servers do you have? I'm assuming they are on-prem?

 

How many ISE servers do you have?

 

Have you ever tried the LDAP Azure MFA option?

 

I have a TAC case open too... I can keep you updated. I'm not terribly optimistic about it though.

We weren't sure if this was ever going to work MFA, couldn't find documents of successful MFA. We had on-prem at first, worked, but with this same problem. Then we got it to work with microsoft azure cloud. Since this doesn't happen to more than 1% of users our management chalks it up as gremlins. Not good enough for me I want it to work flawlessly. We have 4 ise... 1 admin 1 policy at each HQa and HQb for fail over. NO LDAP with VPN. 

i am currently testing LDAP with our wireless network. but i get that working with an additional 6 radius requests on my live logs. 

If you get a fix for this please let me know. ill do the same. good luck

Just got off the phone with TAC. Looks like there is nothing we can do until ASA codes fulfills this enhancement request to increase the radius retry timer.

 

Below is a PCAP of my ASA with radius requests to ISE. Note the id=142, id=143, etc etc.

 

The ASA automatically starts creating NEW radius id's every ~15 seconds.

 

The access-rejects to the ASA only apply to a particular id. So the first access-reject at the 57 second mark is for id=142. At that point access-requests with the id of 142 stop. The other ones keep going (143, 144, 145).

 

Not 100% sure what causes the radius ID changes. It might have to do with the radius RFC.

 

Anyways, long story short, not much we can do. I have a couple of other ideas to try and will let you know how it goes.

 

What authentication timer do you have set for your anyconnect profile?

 

Screen Shot 2019-04-04 at 10.11.30 AM.png

Just got off the phone with TAC. Looks like there is nothing we can do until ASA codes fulfills this enhancement request to increase the radius retry timer.

 

Below is a PCAP of my ASA with radius requests to ISE. Note the id=142, id=143, etc etc.

 

The ASA automatically starts creating NEW radius id's every ~15 seconds.

 

The access-rejects to the ASA only apply to a particular id. So the first access-reject at the 57 second mark is for id=142. At that point access-requests with the id of 142 stop. The other ones keep going (143, 144, 145).

 

Not 100% sure what causes the radius ID changes. It might have to do with the radius RFC.

 

Anyways, long story short, not much we can do. I have a couple of other ideas to try and will let you know how it goes.

 

What authentication timer do you have set for your anyconnect profile?

 

Screen Shot 2019-04-04 at 10.11.30 AM.png

The problem looks to be a mistmatch between the timeout you can set on the AnyConnect profile vs the retry interval on for the Radius request on the ASA. There is no fix for it until the ASA allows more than 10 seconds as this timer.

 

How long does the user keep getting the texts/phone calls? I am wondering if by getting an optimum value between 10-120 seconds (max for Anyconnect profile auth timeout) might help here. This may reduce the number of repeats the ASA does. 

 

Also, what is the role of ISE in this setup? 

The problem looks to be a mistmatch between the timeout you can set on the AnyConnect profile vs the retry interval on for the Radius request on the ASA. There is no fix for it until the ASA allows more than 10 seconds as this timer.

  • After additional testing... the retry seems to be dictated by the Anyconnect profile. So when I set the Auth timeout to 25 seconds, I only see the ASA try every 25 seconds. The problem with increasing it, is that after the first 25 seconds expires, the login prompt gets stuck in the "connection attempt failed". It doesn't allow for new login attempts. And this lasts for 4 x the anyconnect profile auth timer. In the logs I seem "connection attempt failed" 4 times.
  • If I could somehow reduce the "connection attempt failed" attempts to 1 or 2... it would be a lot better.

 

How long does the user keep getting the texts/phone calls? I am wondering if by getting an optimum value between 10-120 seconds (max for Anyconnect profile auth timeout) might help here. This may reduce the number of repeats the ASA does. 

  • They seem to get it for 3 extra times regardless of what I set the Anyconnect profile auth timer to it seems. And if they respond to the 3 extra times, it doesn't allow for the login to work. They are residual.

Also, what is the role of ISE in this setup? 

  • ASA does radius to ISE, ISE sends the radius to an Azure MFA NPS server. The need for ISE being the middle-man is 2 fold: 1) visibility 2) posturing
Any ideas are appreciated!

There are a lot of timers in play among the 3 components in play:

 

ASA Radius:

 

max-failed-attempts : This is the number of times the ASA will use a given RADIUS server before marking it as failed if no response is received (max value of 5.)
retry-interval : The number of seconds until the ASA will retry a given authentication (max 10 seconds.)
timeout : The number of seconds until the ASA will fail over to a backup server. (no max listed)

 

Anyconnect:

Anyconnect authentication timeout: Time AnyConnect waits up for an authentication from the secure gateway before terminating the connection attempt. AnyConnect then displays a message indicating the authentication timed out. Number of seconds in the range of 10 to 120.

 

ISE Radius:

Server Timeout: the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
Connection Attempts: the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.

 

Try to set the Following:

 

asa radius max-fail-attempts=1
radius retry-interval=10 seconds
radius timeout=30 seconds

anyconnect auth timeout = 30 seconds

ise radius server timeout = 30 seconds
ise radius connection attempts = 1

 

I think I got the logic correct here. The above settings should theoretically should give the user 30 seconds to type in his token/push etc. The ASA will send one attempt every 10 seconds to ISE which then proxies it to MFA. ISE then sends 1 attempt per ASA radius request to the MFA server and waits for 30 seconds. If this fails, then it sends a Radius Reject back to the ASA per ASA attempt. Put together, this should result in a maximum possible 4 texts/phone calls the user receives. 

 

If you change all the values to 20, this can be reduced to 3, but that is cutting into the time the user has to get the text and do the MFA bit. 

 

If only the radius retry-interval on the ASA could be set to 30 seconds, this re-attempt could also be avoided. Sigh!!

 

 

Has anyone successfully implemented Azure cloud MFA with ASA AnyConnect? I'm seeing an issue where the SMS method for MFA works fine, because Azure responds with the challenge/response requirement to the ASA and an addiitonal dialogue box pops up for the user and waits for my timeout value (90 seconds). The problem is using App or Phone call method with Azure MFA. Azure does not respond to ASA until the user confirms the MFA prompt. ASA retries after a max setting of 10 seconds. At that point, Azure still does not respond to the duplicate RADIUS request and the AnyConnect client receives a failure. The user must approve the App or phone call from Azure within the 10 seconds before retry, which is a very short time. I currently have a TAC case open, but I'm seeing there is no enhancement to extend the retry-interval setting for RADIUS.

Hi- were you able to find a solution? - We had it working fine but it the call back started failing 4 days ago because of the retry interval we believe. If not responded to within 10 seconds it would send the duplicate request.

Yes I got mine working.

ASA sends the radius request to ISE> ISE sends radius token to azure

ISE > administration > identity managent > external identity source > radius token >> connections are set to 60 seconds for 2 attempts

 

on the ASA:

 

aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
reactivation-mode depletion deadtime 5
dynamic-authorization
aaa-server ISE (Inside) host <ISE IPaddress>
timeout 90
key *****
authentication-port 1812
accounting-port 1813
aaa-server ISE (Inside) host  <ISE IPaddress>
timeout 90
key *****
authentication-port 1812
accounting-port 1813

group-policy gpISE attributes
wins-server value <IPaddress>
dns-server value < IPaddress>
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-session-timeout 720
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy excludespecified
split-tunnel-network-list value vpnSplitTunnel
default-domain value z1.tdi.state.tx.us
client-bypass-protocol enable
address-pools value vpnPool
webvpn
anyconnect mtu 1300
anyconnect ssl keepalive 90
anyconnect dpd-interval client 90
anyconnect dpd-interval gateway 90
anyconnect modules value iseposture
anyconnect profiles value acpVPN type user
anyconnect ssl df-bit-ignore enable

How are you using the radius token?  Are you connecting to NPS or directly to Azure?

Im not familiar what NPS is but I have point it directly to the Azure cloud we have. From there we have to tell the Azure server to accept requests from our ISE nodes.

Thanks for the response.  NPS is Network Policy Server it's a role that sits on a Windows server.  For that configuration you can't use Radius Token, you can only setup ISE as a external radius server. 

 

So you have ISE configured to connect directly to Azure?  How did you do that?  We're having issues and I can't seem to find any documentation on it.