09-18-2019 03:55 PM - edited 02-21-2020 09:45 PM
I am working to configure a Cisco IOS based AnyConnect IPsec VPN. This requires us to use MSCHAPv2 and forward to an additional RADIUS system, which is Windows NPS in our environment.
I have the Duo 2FA working correctly, however when the Access-Accept is received, I also see the below:
Sep 18 16:07:15.092: RADIUS: MPPE-Send-Key length is bogus, [00] sendkeylen=140, Send-Key=<omitted>
This results in the VPN tunnel not being established. I'm not sure what to ask the VPN MSP to check in the Cisco config, as I'm not familiar with any MPPE configuration beyond setting the encryption strength on NPS.
Below is the full debugging output from the Cisco router.
Sep 18 16:07:05.694: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:05.695: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:05.695: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:05.695: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:05.695: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:05.695: RADIUS(0000120A): sending
Sep 18 16:07:05.696: RADIUS: Message Authenticator encoded
Sep 18 16:07:05.696: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/6, len 235
RADIUS: authenticator 6A 42 6A A7 DB 49 90 BB - 0F 72 CE 1C D3 4C 2E 77
Sep 18 16:07:05.696: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:05.696: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:05.696: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:05.696: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:05.696: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:05.697: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:05.697: RADIUS: EAP-Message [79] 16
RADIUS: 02 3B 00 0E 01 62 6B 69 6E 67 73 74 6F 6E [ ;name]
Sep 18 16:07:05.697: RADIUS: Message-Authenticato[80] 18
RADIUS: 0B FF 34 C9 87 68 1D C5 3E A0 CE 28 9D 5D 8A 12 [ 4h>(]]
Sep 18 16:07:05.698: RADIUS: NAS-IP-Address [4] 6 xx.xx.xx.xx
Sep 18 16:07:05.698: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:05.698: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:08.637: RADIUS: Received from id 1645/6 xx.xx.xx.xx:1812, Access-Challenge, len 119
RADIUS: authenticator 6A C6 AC D8 16 79 4D 5F - 39 3D A0 55 48 17 F1 81
Sep 18 16:07:08.637: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.637: RADIUS: Message-Authenticato[80] 18
RADIUS: 41 B3 91 BB B2 33 06 1A 8C 81 07 AF EC 4A A2 63 [ A3Jc]
Sep 18 16:07:08.638: RADIUS: Session-Timeout [27] 6 60
Sep 18 16:07:08.638: RADIUS: EAP-Message [79] 37
RADIUS: 01 3C 00 23 1A 01 3C 00 1E 10 EB C2 AA 8A 16 BA 86 0B 82 C2 2C 9A F8 15 20 91 50 48 58 56 57 50 43 31 31 [ <#<, PHXVWPC11]
Sep 18 16:07:08.638: RADIUS(0000120A): Received from id 1645/6
RADIUS/DECODE: EAP-Message fragments, 35, total 35 bytes
Sep 18 16:07:08.677: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:08.677: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:08.677: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:08.677: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:08.678: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:08.678: RADIUS(0000120A): sending
Sep 18 16:07:08.678: RADIUS: Message Authenticator encoded
Sep 18 16:07:08.678: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/7, len 327
RADIUS: authenticator 88 4F 8A 94 8A 96 95 3B - 12 18 84 BE 21 E5 37 77
Sep 18 16:07:08.679: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:08.679: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:08.679: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:08.679: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:08.679: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:08.680: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:08.681: RADIUS: EAP-Message [79] 70
RADIUS: 02 3C 00 44 1A 02 3C 00 3F 31 A2 61 77 93 E8 0B 94 11 87 84 67 42 CB 63 4E 73 00 00 00 00 00 00 00 00 08 56 09 8B 10 2E 5F E3 5B [<D<?1awgBcNs V._[]
RADIUS: 58 3F 20 75 04 AB FB C6 B0 7D CE 7C 8E 8D 3B 00 62 6B 69 6E 67 73 74 6F 6E [ X? u}|;name]
Sep 18 16:07:08.681: RADIUS: Message-Authenticato[80] 18
RADIUS: 61 E4 72 A3 00 41 8F E3 40 02 B6 A1 63 9A 3A 22 [ arA@c:"]
Sep 18 16:07:08.681: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.682: RADIUS: NAS-IP-Address [4] 6 166.60.177.13
Sep 18 16:07:08.682: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:08.682: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:08.832: RADIUS: Received from id 1645/7 xx.xx.xx.xx:1812, Access-Challenge, len 135
RADIUS: authenticator 1C B5 FE D4 20 D4 A9 E8 - 24 9E 4A A2 DA 1B 95 4E
Sep 18 16:07:08.833: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.833: RADIUS: Message-Authenticato[80] 18
RADIUS: 1D 10 D9 C2 A3 EB 7A CF FB 7F 1F 20 DA 75 F9 98 [ z u]
Sep 18 16:07:08.833: RADIUS: Session-Timeout [27] 6 60
Sep 18 16:07:08.833: RADIUS: EAP-Message [79] 53
RADIUS: 01 3D 00 33 1A 03 3C 00 2E 53 3D 34 34 45 37 43 33 45 32 38 42 [=3<.S=44E7C3E28B]
RADIUS: 35 33 32 39 39 30 38 41 39 38 35 35 36 36 34 33 [5329908A98556643]
RADIUS: 31 35 35 33 35 45 39 46 43 39 30 35 44 35 [ 15535E9FC905D5]
Sep 18 16:07:08.834: RADIUS(0000120A): Received from id 1645/7
RADIUS/DECODE: EAP-Message fragments, 51, total 51 bytes
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:08.871: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:08.871: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:08.871: RADIUS(0000120A): sending
Sep 18 16:07:08.871: RADIUS: Message Authenticator encoded
Sep 18 16:07:08.871: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/8, len 265
RADIUS: authenticator CF 93 53 97 46 1F 7E 12 - EF 83 37 67 9B 8F ED 0E
Sep 18 16:07:08.871: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:08.872: RADIUS: EAP-Message [79] 8
RADIUS: 02 3D 00 06 1A 03 [ =]
Sep 18 16:07:08.872: RADIUS: Message-Authenticato[80] 18
RADIUS: 28 97 D9 C5 72 FE CB EE 01 50 84 ED 95 4D B4 D8 [ (rPM]
Sep 18 16:07:08.872: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.873: RADIUS: NAS-IP-Address [4] 6 xx.xx.xx.xx
Sep 18 16:07:08.873: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:08.873: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:15.090: RADIUS: Received from id 1645/8 xx.xx.xx.xx:1812, Access-Accept, len 283
RADIUS: authenticator 66 08 03 3A B3 6F 71 CD - 19 08 35 5D C4 D2 4C CD
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 42
Sep 18 16:07:15.090: RADIUS: MS-MPPE-Send-Key [16] 36 *
Sep 18 16:07:15.090: RADIUS: Service-Type [6] 6 Framed [2]
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 18
Sep 18 16:07:15.090: RADIUS: MS-CHAP-DOMAIN [10] 12 "xx.xx.xx.xx"
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 42
Sep 18 16:07:15.090: RADIUS: MS-MPPE-Recv-Key [17] 36 *
Sep 18 16:07:15.090: RADIUS: Framed-Protocol [7] 6 PPP [1]
Sep 18 16:07:15.091: RADIUS: EAP-Message [79] 6
RADIUS: 03 3D 00 04 [ =]
Sep 18 16:07:15.091: RADIUS: Message-Authenticato[80] 18
RADIUS: D8 08 D2 F5 D1 DB 61 2E 16 22 25 D5 0D DB 07 AA [ a."?]
Sep 18 16:07:15.091: RADIUS: Reply-Message [18] 28
RADIUS: 53 75 63 63 65 73 73 2E 20 4C 6F 67 67 69 6E 67 [Success. Logging]
RADIUS: 20 79 6F 75 20 69 6E 2E 2E 2E [ you in...]
Sep 18 16:07:15.091: RADIUS: Vendor, Microsoft [26] 51
Sep 18 16:07:15.091: RADIUS: MS-CHAP-V2-Success [26] 45 "S=xx.xx.xx.xx"
Sep 18 16:07:15.091: RADIUS: Class [25] 46
RADIUS: 54 10 05 0D 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 01 D5 6D D7 79 7A 0B C1 00 00 00 00 00 00 00 04 [ T7myz]
Sep 18 16:07:15.092: RADIUS(0000120A): Received from id 1645/8
Sep 18 16:07:15.092: RADIUS: MPPE-Send-Key length is bogus, [00] sendkeylen=140, Send-Key=xx.xx.xx.xx {)o
Sep 18 16:07:15.092: RADIUS/DECODE: decoder; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: attribute MS-MPPE-Send-Key; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: error in Microsoft VSA 16; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: VSA; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: decoder; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: parse response op decode; FAIL
Sep 18 16:07:15.094: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Extensible Authentication Protocol failed
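Added example, not from the poster or from Cisco, Duo or Microsoft: the RFC 2548 encoding and decoding of the MS-MPPE-Send-Key VSA seen in the log above (attribute 26, Vendor-Id 311, vendor-type 16, vendor-length 36), with the same sanity check IOS applies when it reports "MPPE-Send-Key length is bogus". The key is encrypted under the shared secret and the Request-Authenticator of the Access-Request it answers, so a NAS holding a different secret, or receiving an attribute that a proxy forwarded untouched from the server behind it, decrypts to garbage and reads a nonsensical length byte such as sendkeylen=140. The secret, authenticator, key and salt values here are constructed for the demonstration.

```python
import hashlib
import os
import struct

MS_VENDOR_ID = 311        # Microsoft vendor id (RFC 2548)
MS_MPPE_SEND_KEY = 16     # vendor-type 16, the "Microsoft VSA 16" in the IOS debug

def _mppe_xor(secret, req_auth, salt, data, encrypting):
    """RFC 2548 2.4.2 chained-MD5 stream: b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1))."""
    out = bytearray()
    prev = req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = result if encrypting else block   # always chain on the ciphertext block
    return bytes(out)

def encode_mppe_key(secret, req_auth, key, salt=None):
    """Salt (high bit set) + encrypt(Key-Length || Key || zero pad to 16 bytes)."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _mppe_xor(secret, req_auth, salt, plain, True)

def build_ms_vsa(vendor_type, value):
    """Wrap value as RADIUS attr 26 -> Vendor-Id 311 -> vendor-type, vendor-length, value."""
    vsa = bytes([vendor_type, len(value) + 2]) + value
    return bytes([26, len(vsa) + 6]) + struct.pack(">I", MS_VENDOR_ID) + vsa

def decode_mppe_vsa(secret, req_auth, attr):
    """Decode one MS-MPPE-*-Key VSA as a NAS must, mirroring the IOS sanity checks."""
    if attr[0] != 26 or struct.unpack(">I", attr[2:6])[0] != MS_VENDOR_ID:
        return {"ok": False, "reason": "not a Microsoft VSA"}
    vtype, vlen = attr[6], attr[7]
    salt, ct = attr[8:10], attr[10:6 + vlen]
    if not salt[0] & 0x80 or len(ct) % 16:
        return {"ok": False, "reason": "malformed salt or ciphertext length"}
    plain = _mppe_xor(secret, req_auth, salt, ct, False)
    keylen = plain[0]
    if keylen == 0 or keylen > len(plain) - 1:   # garbage first byte, e.g. sendkeylen=140
        return {"ok": False, "reason": f"MPPE key length is bogus, keylen={keylen} (VSA {vtype})"}
    return {"ok": True, "key": plain[1:1 + keylen]}
```

Decoding the same attribute with the secret it was encrypted under returns the key; decoding it with any other secret, or against a different Request-Authenticator, yields either a bogus-length rejection or an unrelated key, which is the failure mode the router logged.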
04-08-2020 09:05 PM