FlexVPN - EAP-anyconnect with local authentication - aaa failure

sp2720401
Level 1

I am trying to get EAP AnyConnect working with local authentication based on the following article.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

I am using IOS-XE 16.9.7 FUJI and AnyConnect 4.7.04056.

I get the following authentication/authorization error on the AnyConnect client. Before this error happened, I wasn't even getting AnyConnect to prompt for a username and password until I upgraded the router from the latest version 3 IOS-XE.

Debugs and the relevant IKEv2 configurations are included.

*Aug 11 02:03:24.511: IKEv2:(SESSION ID = 6,SA ID = 1):Stopping timer to wait for auth message
*Aug 11 02:03:24.511: IKEv2:(SESSION ID = 6,SA ID = 1):Processing AnyConnect EAP response
*Aug 11 02:03:24.512: AAA/BIND(0000000F): Bind i/f
*Aug 11 02:03:24.512: IKEv2:Using authentication method list TESTING-AUTH

*Aug 11 02:03:24.512: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'TESTING-AUTH'
*Aug 11 02:03:24.513: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Aug 11 02:03:24.513: IKEv2-ERROR:AnyConnect EAP - failed to get author list
*Aug 11 02:03:24.514: IKEv2:Received response from aaa for AnyConnect EAP
*Aug 11 02:03:24.514: IKEv2:(SESSION ID = 6,SA ID = 1):Generating AnyConnect EAP VERIFY request
*Aug 11 02:03:24.514: IKEv2-ERROR:anyconnect profile not found
*Aug 11 02:03:24.515: IKEv2:(SESSION ID = 6,SA ID = 1):Verification of peer's authentication data FAILED
*Aug 11 02:03:24.515: IKEv2:(SESSION ID = 6,SA ID = 1):Sending authentication failure notify
*Aug 11 02:03:24.515: IKEv2:(SESSION ID = 6,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

Accepted Solution

sp2720401
Level 1

I got it going. The link below shows that the XML profile has to be named acvpn.xml and that the name in the IKE profile and the XML mapping statement has to literally be acvpn. All I did was rename the file and change the two lines in the config, and I was able to connect.

https://community.cisco.com/t5/vpn/failed-to-get-configuration-from-secure-gateway-contact-your/td-p/4176327

Milos_Jovanovic
VIP Alumni

Hi @sp2720401,

In the configuration, I see that you are invoking an authorization group called 'TESTING-AUTH-GROUP', but I don't see it in the configuration. Could you please share the aaa section as well? This line of your debug output:

*Aug 11 02:03:24.513: IKEv2-ERROR:AnyConnect EAP - failed to get author list

leads me to believe that your authorization is not configured properly.

Also, please share the content of the XML profile.

BR,

Milos

The AAA matches.

I already got it going based on another post where the user worked with TAC and found out that the xml profile is required to be acvpn.xml.

I didn't believe it at first so I kept digging, but then gave it a try. I renamed the file on the router's flash and changed the name of the profile on the client machine, then made the changes shown below. After that, everything came up.

crypto vpn anyconnect profile ANYCONNECT-PROFILE-TEST bootflash:ANYCONNECT-PROFILE-TEST.xml

crypto ikev2 profile TESTING-IKE-PROFILE
 anyconnect profile ANYCONNECT-PROFILE-TEST

------------------------------------------------------------------

crypto vpn anyconnect profile acvpn bootflash:acvpn.xml

crypto ikev2 profile TESTING-IKE-PROFILE
 anyconnect profile acvpn
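Added example, not part of this thread or of any Cisco tooling: a small Python check that applies the conditions the accepted answer identified (the AnyConnect profile named acvpn, its file named acvpn.xml, and every `anyconnect profile` reference inside an IKEv2 profile resolving to a defined profile) to an IOS-XE config fragment. The two embedded configs are constructed from the before/after lines shown above; the required name is taken from the thread's finding for this release.

```python
import re

# Constructed samples based on the poster's before/after config (not copied from a live router).
BROKEN_CFG = """\
crypto vpn anyconnect profile ANYCONNECT-PROFILE-TEST bootflash:ANYCONNECT-PROFILE-TEST.xml
crypto ikev2 profile TESTING-IKE-PROFILE
 anyconnect profile ANYCONNECT-PROFILE-TEST
"""

FIXED_CFG = """\
crypto vpn anyconnect profile acvpn bootflash:acvpn.xml
crypto ikev2 profile TESTING-IKE-PROFILE
 anyconnect profile acvpn
"""

# Name the thread found this IOS-XE release insists on (assumption carried over from the thread).
REQUIRED_NAME = "acvpn"

PROFILE_RE = re.compile(r"^crypto vpn anyconnect profile (\S+) (\S+)\s*$", re.M)
IKE_PROFILE_RE = re.compile(r"^crypto ikev2 profile (\S+)\s*$")
IKE_REF_RE = re.compile(r"^\s*anyconnect profile (\S+)\s*$")


def check_anyconnect_mapping(config: str) -> list:
    """Return a list of human-readable findings; an empty list means the mapping is consistent."""
    findings = []
    profiles = dict(PROFILE_RE.findall(config))  # name -> storage path
    if not profiles:
        return ["no 'crypto vpn anyconnect profile' statement found"]

    for name, path in profiles.items():
        # Strip the filesystem prefix (bootflash:, flash:/dir/...) to get the bare file name.
        filename = path.split(":", 1)[-1].rsplit("/", 1)[-1]
        if name != REQUIRED_NAME:
            findings.append(f"profile name '{name}' is not '{REQUIRED_NAME}'")
        if filename != f"{REQUIRED_NAME}.xml":
            findings.append(f"profile file '{filename}' is not '{REQUIRED_NAME}.xml'")

    # Walk the IKEv2 profiles and make sure each 'anyconnect profile' reference is defined.
    current = None
    for line in config.splitlines():
        m = IKE_PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        ref = IKE_REF_RE.match(line)
        if ref and ref.group(1) not in profiles:
            findings.append(f"ikev2 profile '{current}' references undefined profile '{ref.group(1)}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CFG), ("after", FIXED_CFG)):
        print(label, check_anyconnect_mapping(cfg) or "OK")
```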

grosinger1
Level 1

In my case the solution above did not work.

The problem in my case was the FlexVPN site-to-site IKEv2 proposal, which doesn't match AnyConnect.

The solution was to also add an IKEv2 proposal for AnyConnect; see the config below.

 

crypto ikev2 proposal GR_AnyConnect_IKE_prop 
encryption aes-cbc-256
integrity sha384
group 19
crypto ikev2 proposal GR_FlexVPN_IKE_prop 
encryption ***
prf ***
group ***
!
crypto ikev2 policy GR_AnyConnect_FlexVPN_IKE_pol 
proposal GR_AnyConnect_IKE_prop
proposal GR_FlexVPN_IKE_prop