FlexVPN AnyConnect-EAP

Daniel Lucas
Level 1

Been banging my head against the wall with this, and thought I would see if anyone has gotten this working - I am trying to get this working in my lab before potentially moving it into production. Below is my setup:


Router - CSR1000v running IOSXE 16.06.04

Client - Windows 7 machine with AnyConnect version 4.6.01103

RADIUS Server - ISE 2.3.0.298


I have followed this Cisco doc:

FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP


From the debugs I am getting to the last part of the Client/Server exchanges, but right after "Send AUTH, to verify peer after EAP exchange" I get a "Verification of peer's authentication data FAILED"


Below is the relevant FlexVPN server config:

aaa new-model
aaa group server radius ISE-RADIUS
 server-private x.x.x.x key ******
 ip vrf forwarding MGMT
 ip radius source-interface GigabitEthernet1
!
aaa authentication login ISE-AUTH group ISE-RADIUS
aaa authorization network ISE-AUTHOR group ISE-RADIUS 
!
crypto pki trustpoint SELF
 enrollment url http://10.1.1.1:80
 subject-name CN=LAB-IOS-VPN01.ccie.lab
 revocation-check crl
 rsakeypair FLEX-KEY
!
crypto ikev2 proposal ANYCONNECT-PROPOSAL 
 encryption aes-gcm-256 aes-gcm-128
 prf sha1
 group 1
!
crypto ikev2 policy AC-IKE-POLICY 
 match address local 192.168.10.1
 proposal ANYCONNECT-PROPOSAL
!
crypto ikev2 profile ANYCONNECT-GETCERT
 match identity remote key-id NEEDCERTIFICATE
 identity local fqdn LAB-IOS-VPN01.ccie.lab
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint SELF
 aaa authentication anyconnect-eap ISE-AUTH
 aaa authorization group anyconnect-eap list ISE-AUTHOR flex-user
 aaa authorization user anyconnect-eap list ISE-AUTH flex-user
 virtual-template 100
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile ANYCONNECT-IPSEC-PROFILE
 set transform-set ESP-AES256-SHA 
!
interface GigabitEthernet3
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
interface Virtual-Template100 type tunnel
 ip unnumbered GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ANYCONNECT-IPSEC-PROFILE
!
ip local pool default 172.31.255.10 172.31.255.20


I am using username 'flex-user' when attempting to authenticate - this user is in ISE, and ISE does return an Access-Accept along with the RADIUS attributes.

I have attached the IKE and RADIUS debugs.

Any help would be appreciated.


-Thanks


Accepted Solution

Daniel Lucas
Level 1

Well, after some more time throwing things against the wall trying to get this working, I finally got AnyConnect to authenticate/connect successfully. Turns out there were 2 issues:

1. I didn't have the password specified for the username I was specifying for authorization (the guide I referenced didn't either, but maybe ACS would allow you to enter a username without a password, but ISE requires a password for a local user).

2. This one I don't fully understand, but the IKEv2 proposal needed to be changed to:

crypto ikev2 proposal ANYCONNECT-PROPOSAL 
 encryption aes-cbc-256
 integrity sha1
 group 2
!
LAB-IOS-VPN01#sh crypto ikev2 prop ANYCONNECT-PROPOSAL
 IKEv2 proposal: ANYCONNECT-PROPOSAL 
     Encryption : AES-CBC-256
     Integrity  : SHA96
     PRF        : SHA1
     DH Group   : DH_GROUP_1024_MODP/Group 2

I read somewhere that for certificate-based authentication the PRF needs to match the algorithm used to sign the certificate, but I am not sure why any of the rest matters. I'm sure there is a list of supported algorithms that can be used in this situation buried out there somewhere... if someone has that list or any thoughts on this I would be curious to know.


Final working router configuration:

aaa authentication login ISE-AUTH group ISE-RADIUS
aaa authorization network ISE-AUTHOR group ISE-RADIUS 
!
crypto pki server LAB-IOS-CA
 database level names
 no database archive
 issuer-name CN=LAB-IOS-VPN01.ccie.lab
 grant auto
 auto-rollover
 eku server-auth client-auth 
 database url bootflash:
!
crypto pki trustpoint SELF
 enrollment url http://10.1.1.1:80
 subject-name CN=LAB-IOS-VPN01.ccie.lab
 subject-alt-name LAB-IOS-VPN01.ccie.lab
 revocation-check none
 rsakeypair FLEX-KEY
!         
crypto pki trustpoint LAB-IOS-CA
 revocation-check crl
 rsakeypair LAB-IOS-CA
!
!
crypto ikev2 proposal ANYCONNECT-PROPOSAL 
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 profile ANYCONNECT-GETCERT
 match identity remote key-id NEEDCERTIFICATE
 identity local fqdn LAB-IOS-VPN01.ccie.lab
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint SELF
 aaa authentication anyconnect-eap ISE-AUTH
 aaa authorization group anyconnect-eap list ISE-AUTHOR flex-user password <password>
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
no crypto ikev2 http-url cert
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile ANYCONNECT-IPSEC-PROFILE
 set transform-set ESP-AES256-SHA 
!
interface GigabitEthernet3
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
interface Virtual-Template100 type tunnel
 ip unnumbered GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ANYCONNECT-IPSEC-PROFILE
!
ip local pool default 172.31.255.10 172.31.255.20
!

Client XML File:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
		<AuthenticationTimeout>12</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="true">true</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<AutoUpdate UserControllable="false">false</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Automatic
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="true">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>Lab Get Cert</HostName>
			<HostAddress>LAB-IOS-VPN01.ccie.lab</HostAddress>
			<PrimaryProtocol>IPsec
				<StandardAuthenticationOnly>true
					<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
					<IKEIdentity>NEEDCERTIFICATE</IKEIdentity>
				</StandardAuthenticationOnly>
			</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

ISE Config: ISE-config.png (attached screenshot)



Hope this helps someone from banging their head against the wall like I did :)


6 Replies

Hi,
Shot in the dark - do you have the CRL working? Your TP is checking for CRL.

Thanks for the reply,

Yea it should be - although I didn't include it in the config, the router acting as the FlexVPN server is also the CA server. Also, no certificates are currently revoked. Also, the FlexVPN server isn't doing certificate-based client authentication.

-Thanks


Well done in getting it working.

If you don't specify a password for authorization the default is "cisco", which ISE by default wouldn't accept without modifying the password policy or specifying a password, as you've done.

Regarding the IKEv2 proposal, you should definitely use stronger algorithms, especially the DH group. This Cisco blog post is useful.

HTH
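The two points in this reply, the default authorization password and the weak IKEv2 algorithms (especially the DH group, which the accepted solution's proposal also left at Group 2), can be checked before a config reaches production. This is an added example, not code from the thread or from Cisco: a small Python audit over a constructed IOS config snippet modelled on the poster's proposal and profile; the weak-algorithm sets and the HARDENED-PROPOSAL block are my own assumptions.

```python
# Constructed sample, not the poster's full config: the thread's original proposal,
# a hardened variant using Group 19 (as the reply suggests), and the profile's
# group-authorization line without the "password" keyword.
SAMPLE_CONFIG = """\
crypto ikev2 proposal ANYCONNECT-PROPOSAL
 encryption aes-gcm-256 aes-gcm-128
 prf sha1
 group 1
!
crypto ikev2 proposal HARDENED-PROPOSAL
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 profile ANYCONNECT-GETCERT
 authentication remote anyconnect-eap aggregate
 aaa authorization group anyconnect-eap list ISE-AUTHOR flex-user
"""
WEAK_DH = {"1", "2", "5"}      # 768/1024/1536-bit MODP groups (assumed threshold)
WEAK_HASH = {"md5", "sha1"}    # weak PRF / integrity choices (assumed threshold)

def parse_blocks(config):
    """Split IOS-style config text into (header, [indented sub-lines]) blocks."""
    blocks, body = [], None
    for line in config.splitlines():
        if body is not None and line.startswith(" ") and line.strip():
            body.append(line.strip())              # indented: current block
        elif line.strip() and not line.startswith("!"):
            body = []                              # new top-level block
            blocks.append((line.strip(), body))
    return blocks

def audit(config):
    """Return {block name: [findings]} for IKEv2 proposals and profiles."""
    findings = {}
    for header, body in parse_blocks(config):
        kind, _, name = header.rpartition(" ")
        issues = []
        for sub in body:
            key, *vals = sub.split()
            if kind == "crypto ikev2 proposal":
                if key == "group" and WEAK_DH & set(vals):
                    issues.append("weak DH group: " + " ".join(sorted(WEAK_DH & set(vals))))
                if key in ("prf", "integrity") and WEAK_HASH & set(vals):
                    issues.append(f"weak {key}: " + " ".join(sorted(WEAK_HASH & set(vals))))
            elif kind == "crypto ikev2 profile":
                # Per the reply above, a missing password means IOS uses the default "cisco".
                if key == "aaa" and vals[:2] == ["authorization", "group"] and "password" not in vals:
                    issues.append("group authorization user has no password; IOS default is 'cisco'")
        if issues:
            findings[name] = issues
    return findings
```

Run it against `show running-config` output saved to a file; a proposal that only lists AEAD ciphers still needs its `prf` and `group` lines checked, which is why the audit looks at those keywords rather than at `encryption` alone.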

Thanks for the information,
I had forgotten about the default password used for authorization; thanks for mentioning that.
The blog post was helpful as well; I will be sure to use Group 19 in the production environment.

-Thanks

MersCisco
Level 1

Hi Daniel,

This was really helpful.

Just a quick query. Were you able to try it with multiple AnyConnect profiles?

My requirement is that the user should be able to download a profile from the router based on his privilege. As I see from the 16.9.1 release notes, there can only be one profile and its name should be acvpn.