IKEv2-ERROR:AnyConnect EAP - failed to get author list

Hello community,

I am trying to implement an IPsec remote access VPN between AnyConnect on Windows and a Cisco IOS router.

For some reason, I get the following error during the IKE_AUTH phase:

IKEv2-ERROR:AnyConnect EAP - failed to get author list

On the client side, the error is the following:

The VPN client failed to establish the connection.

The IKEv2 configuration and the AAA configuration are listed below:

crypto ikev2 authorization policy VPNPOL
 pool SAKAS
 netmask 255.255.255.0
 route set interface
 route set access-list split-tunnel
!
crypto ikev2 proposal PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy POLICY
 proposal PROPOSAL
!
crypto ikev2 profile acvpn
 match identity remote key-id *$AnyConnectClient$*
 identity local address 209.165.202.130
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint VPN
 aaa authentication anyconnect-eap AUTH
 aaa authorization group anyconnect-eap list AUTHZ VPNPOL
 virtual-template 1
!
! Local AAA method lists referenced by the profile (AUTH for EAP authentication, AUTHZ for group authorization)
aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local

I also named the profile that the client uses acvpn.xml.

I do not know what I am missing to make it work.

Any help would be appreciated.

Thanks in advance.

27 Replies

Hello MHM,

I have read this post and I have named my profile acvpn.xml.

Did you download the profile to the client?

Also, some notes from the Cisco doc:

Disable ip http and https server

And no crypto ikev2 http-url cert

MHM

I imported the profile manually to the corresponding folder.

I will try the last command you recommended and try again.

The http and https services, I think, are already disabled.

Hope this works.

MHM

Unfortunately it did not work.

Debug aaa authentication

Debug aaa authorization

Debug crypto ikev2 packet

Debug crypto ikev2 error

Share this as a text file.

Here it is. Somewhere in the middle the client receives the error while trying to connect to the router. But the debugging messages keep showing for an extra period of time.

crypto ikev2 authorization policy VPNPOL
 pool SAKAS <- check pool config
 netmask 255.255.255.0 <- remove this
 route set interface <- remove this
 route set access-list split-tunnel <- for test remove this

Check again; the attribute is unknown from the client.

I removed the commands in the authz policy you mentioned, but it still does not work.

Sorry to ask again, but I need to see the debugs one by one, i.e. debug aaa auth, then try to connect, then disable it and enable debug aaa authz.

Second, did you configure trustpoint VPN correctly?

Third, can I see the xml profile?

MHM

Hello MHM,

I uploaded the .txt files and also the .xml profile in two images.

Hi friend,

I double checked; all config is correct.

But can you share

Show crypto pki certificate

Also, I read about

aaa authz user cached

It is added for EAP AnyConnect, but to be honest I don't know why. Try adding it and check.

MHM

Hello MHM,

Here is the output of show crypto pki certificates:

PQR-Rtr#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=SP-CA
    o=sp.public
  Subject:
    Name: PQR-Rtr.pqr.public
    hostname=PQR-Rtr.pqr.public
    cn=PQR-Rtr.pqt.public
  Validity Date:
    start date: 11:35:32 UTC Nov 27 2023
    end   date: 11:35:32 UTC Nov 24 2032
  Associated Trustpoints: VPN

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=SP-CA
    o=sp.public
  Subject:
    cn=SP-CA
    o=sp.public
  Validity Date:
    start date: 22:07:03 UTC Jul 12 2016
    end   date: 22:07:03 UTC Jul 8 2034
  Associated Trustpoints: VPN

I also added the aaa authorization user anyconnect-eap cached command and it did not work.
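The thread walks through the same cross-checks by hand: does the profile's authentication list exist, does the authorization list and its policy exist, is the pool the policy names actually configured ("check pool config"), and is a certificate really associated with trustpoint VPN. The script below, an added example that is not part of the thread and not Cisco tooling, automates those checks against a running config and a `show crypto pki certificates` dump. The two inputs are constructed: the configuration is the one posted in the question, re-indented the way IOS prints it, and the PKI output is trimmed from the reply above. On that input it reports that `ip local pool SAKAS` and `interface Virtual-Template1` are absent from the supplied text (they were never posted, so this says nothing about the router itself) and, as a separate caveat, that proposal PROPOSAL negotiates DH group 2 (1024-bit MODP). It does not claim to explain the "failed to get author list" error.

```python
"""Cross-check the references inside an IOS IKEv2 profile (AAA lists,
authorization policy, address pool, trustpoint, virtual-template) against
the rest of the configuration and a 'show crypto pki certificates' dump.

Added example, not part of the thread. Both inputs are constructed from the
posts above (config re-indented as IOS prints it, PKI output trimmed).
"""
import re

RUNNING_CONFIG = """\
crypto ikev2 authorization policy VPNPOL
 pool SAKAS
 netmask 255.255.255.0
 route set interface
 route set access-list split-tunnel
crypto ikev2 proposal PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 policy POLICY
 proposal PROPOSAL
crypto ikev2 profile acvpn
 match identity remote key-id *$AnyConnectClient$*
 identity local address 209.165.202.130
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint VPN
 aaa authentication anyconnect-eap AUTH
 aaa authorization group anyconnect-eap list AUTHZ VPNPOL
 virtual-template 1
aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local
"""

PKI_OUTPUT = """\
Certificate
  Status: Available
  Associated Trustpoints: VPN
CA Certificate
  Status: Available
  Associated Trustpoints: VPN
"""

# IKEv2 DH groups below 2048-bit MODP strength: 1 = 768-bit, 2 = 1024-bit, 5 = 1536-bit.
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_sections(config):
    """Split an IOS-style config into {top-level line: [indented sub-lines]}.
    One-line commands such as 'aaa new-model' become keys with an empty list."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def header_exists(sections, prefix):
    """True if a top-level line equals prefix (without trailing space) or extends it."""
    return any(h == prefix.rstrip() or h.startswith(prefix) for h in sections)


def first_child(lines, prefix):
    return next((l for l in lines if l.startswith(prefix)), None)


def check_ikev2_profile(config, pki_output, profile_name):
    """Return a list of findings; an empty list means every reference resolved."""
    sec = parse_sections(config)
    findings = []
    profile = sec.get(f"crypto ikev2 profile {profile_name}")
    if profile is None:
        return [f"profile {profile_name}: not found"]

    # 1. 'aaa authentication anyconnect-eap LIST' needs 'aaa authentication login LIST ...'.
    authn = first_child(profile, "aaa authentication anyconnect-eap ")
    if authn:
        lst = authn.split()[-1]
        if not header_exists(sec, f"aaa authentication login {lst} "):
            findings.append(f"authentication list {lst}: no 'aaa authentication login {lst}' defined")

    # 2. 'aaa authorization group anyconnect-eap list LIST POLICY' needs the network
    #    authorization list and the IKEv2 authorization policy; 3. the policy's pool must exist.
    authz = first_child(profile, "aaa authorization group anyconnect-eap list ")
    if authz:
        tokens = authz.split()
        lst, policy = tokens[5], (tokens[6] if len(tokens) > 6 else None)
        if not header_exists(sec, f"aaa authorization network {lst} "):
            findings.append(f"authorization list {lst}: no 'aaa authorization network {lst}' defined")
        pol = sec.get(f"crypto ikev2 authorization policy {policy}") if policy else None
        if policy and pol is None:
            findings.append(f"authorization policy {policy}: not defined")
        pool = first_child(pol or [], "pool ")
        if pool and not header_exists(sec, f"ip local pool {pool.split()[1]} "):
            findings.append(f"pool {pool.split()[1]}: no 'ip local pool {pool.split()[1]}' in the supplied config")

    # 4. The trustpoint must show up as associated with a certificate in the PKI output.
    tp = first_child(profile, "pki trustpoint ")
    if tp:
        name = tp.split()[2]
        if not re.search(rf"Associated Trustpoints:.*\b{re.escape(name)}\b", pki_output):
            findings.append(f"trustpoint {name}: no certificate associated with it in the PKI output")

    # 5. The virtual-template interface the profile clones from must exist.
    vt = first_child(profile, "virtual-template ")
    if vt and not header_exists(sec, f"interface Virtual-Template{vt.split()[1]} "):
        findings.append(f"interface Virtual-Template{vt.split()[1]}: not in the supplied config")

    # 6. Caveat: flag any proposal that negotiates a weak Diffie-Hellman group.
    for header, lines in sec.items():
        if header.startswith("crypto ikev2 proposal "):
            grp = first_child(lines, "group ")
            weak = sorted(set(grp.split()[1:]) & WEAK_DH_GROUPS) if grp else []
            if weak:
                findings.append(f"{header[len('crypto ikev2 '):]}: DH group {' '.join(weak)} is below "
                                "2048-bit strength; prefer group 14 or an ECP group such as 19")
    return findings


if __name__ == "__main__":
    for finding in check_ikev2_profile(RUNNING_CONFIG, PKI_OUTPUT, "acvpn"):
        print("FINDING:", finding)
```

Paste the full output of `show running-config` and `show crypto pki certificates` into the two strings to run it against a real box; a finding about the pool or the virtual-template then means the router really lacks them, not merely the posted snippet.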