FTD Firepower 2120 AnyConnect VPN with NPS doesn't work

Hi!

My company has two Firepower 2120s, managed by an FMCv; one of the intended uses for these is an AnyConnect VPN setup.

A network consultant and I have set up everything inside the FTD, using SSL (not IPsec); all group policies and network profiles should be correct, and everything is built following several different guides.

For authentication, we have an NPS server in our domain; said RADIUS server is authenticating several different units and has no reported issues.

 

We have added the main Firepower as a RADIUS client

We have added a "Connection Request Policy" Type: Undefined, Condition: Client IPv4 (Firepower internal IP)

We have added a "Network Policy" Type: Undefined, Condition: Client IPv4 (Firepower internal IP), Condition: domain user group, Constraints: PAP enabled

Nothing in said setup should have a configuration error, not according to all the different guides I've followed.

However, if I run an aaa-server authentication test with a user account that is a member of the user group in AD, I get:
"ERROR: Authentication Rejected: AAA failure."

If I try from an AnyConnect client, I connect to the external IP of the Firepower, followed by the connection profile:

(62.xx.xx.xx/VPN-PROFILE)

And I get "Login failed"

 

 

If I check the RADIUS log, I get an audit failure, with the reason code 65.
(The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.)

If I check the test account's Dial-in properties and enable "Always grant access", I instead get an audit failure with the reason code 66:

(The user attempted to use an authentication method that is not enabled on the matching network policy)

Authentication method is PAP, which is enabled in the Network Policy.

I'm sure it is something incredibly simple, but I can't for the life of me figure it out. I'm currently on the verge of rebuilding the RADIUS server, and I'd like to avoid that, so all the help I can get would be much appreciated!

 

BR

 

Marcus
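
A standalone RADIUS PAP test client, added here as an example and not part of the original thread, for checking the NPS side independently of the FTD. It builds the same kind of Access-Request (User-Name, User-Password, NAS-IP-Address, NAS-Port) that the FTD `test aaa-server authentication` command sends, hides the password with the shared secret as RFC 2865 section 5.2 requires, and verifies the Response Authenticator on the reply so a forged or mis-keyed answer is not mistaken for a real Accept or Reject. The server address, shared secret, account and NAS IP are command-line assumptions; the user name, password and secret in the comments are the RFC 2865 worked-example values, and `build_response` exists only so the client logic can be exercised offline without an NPS.

```python
"""Minimal RADIUS PAP test client (RFC 2865) for isolating NAS-vs-policy faults.

Example code added for this thread; not Cisco's or Microsoft's tooling.
"""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation, not encryption: the secret is the
    only thing protecting a PAP password on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side); here only for round-trip checks.
    Trailing NUL padding is stripped, so passwords ending in NUL are ambiguous."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, nas_port=0,
                         ident=None, authenticator=None):
    """Return (packet, request_authenticator). Attribute set mirrors what an
    ASA/FTD sends for a PAP test: User-Name, User-Password, NAS-IP, NAS-Port."""
    authenticator = os.urandom(16) if authenticator is None else authenticator
    ident = os.urandom(1)[0] if ident is None else ident
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes):
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Returns (authenticator_ok, code)."""
    if len(packet) < 20:
        return False, None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, code
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20], code


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side reply construction, included only so the client can be
    exercised offline (it is what NPS would compute for an Accept/Reject)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def send_request(server, secret: bytes, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one PAP Access-Request; return 'accept', 'reject', 'challenge',
    'bad-authenticator', 'timeout' or 'code-N'. No reply usually means the
    source IP is not a registered RADIUS client (NPS drops such requests
    silently); a reject means NPS processed it and logged a reason code."""
    pkt, req_auth = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    ok, code = verify_response(data, req_auth, secret)
    if not ok or data[1] != pkt[1]:
        return "bad-authenticator"
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return names.get(code, f"code-{code}")


if __name__ == "__main__":
    # usage: radius_pap_test.py <nps-ip> <shared-secret> <user> <password> <nas-ip-to-claim>
    srv, sec, usr, pwd, nas = sys.argv[1:6]
    print(send_request(srv, sec.encode(), usr, pwd, nas))
```

Run it from a host whose address is registered as a RADIUS client on the NPS (or claim the FTD's inside IP in NAS-IP-Address while sending from the FTD's management host, since NPS matches Client IPv4 on the UDP source, not on the attribute). A "reject" here with a matching 6273 audit event pins the fault on the network policy or the account's dial-in setting; a "timeout" points at the RADIUS client entry or the path; "bad-authenticator" points at a shared-secret mismatch. Because PAP relies entirely on the MD5 hiding above, keep the shared secret long and random and keep FTD-to-NPS traffic on a management segment.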

2 Replies

Marvin Rhoads
Hall of Fame

One of my customers has NPS-based RADIUS authentication for his FTD remote access VPNs. Here are the settings for a typical group. (The redacted bit is the group-policy name as configured in FMC.)

[Attachment: NPS settings.PNG]

Hi and thanks for your response!

I have tried with the settings you provided, same issue. I've also tinkered around with a few different settings, but I've been around the block regarding the "Class" attribute; as far as I can determine, it only applies while using dynamic group distribution in FMC. None of it, unfortunately, made any difference; the issue persists.

I've also set up a separate RADIUS server; I must, however, have made a mistake with that one, since when I perform an aaa-auth test from the Firepower, I get a "no response from server".