IKEv2-ERROR:AnyConnect EAP - failed to get author list

Hello community,

I am trying to implement an IPsec remote access VPN between AnyConnect on Windows and a Cisco IOS router.

For some reason, I get the following error during the IKE_AUTH phase:

IKEv2-ERROR:AnyConnect EAP - failed to get author list

On the client side, the error is the following:

The VPN client failed to establish the connection.

The IKEv2 configuration and the AAA configuration are listed below:

crypto ikev2 authorization policy VPNPOL
 pool SAKAS
 route set interface
 route set access-list split-tunnel

crypto ikev2 proposal PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2

crypto ikev2 policy POLICY
 proposal PROPOSAL

crypto ikev2 profile acvpn
 match identity remote key-id *$AnyConnectClient$*
 identity local address
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint VPN
 aaa authentication anyconnect-eap AUTH
 aaa authorization group anyconnect-eap list AUTHZ VPNPOL
 virtual-template 1

aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local

I also named the profile that the client uses acvpn.xml.

I do not know what I am missing to make it work.

Any help would be appreciated.

Thanks in advance.


Hello MHM,

I have read this post and I have named my profile acvpn.xml.

Did you download the profile to the client?

Also, some notes from the Cisco doc:

Disable the ip http and https server.

And no crypto ikev2 http-url cert


I imported the profile manually to the corresponding folder.

I will try the last command you recommended and then try it again.

The HTTP and HTTPS services, I think, are already disabled.

Hope this works.


Unfortunately, it did not work.

debug aaa authentication

debug aaa authorization

debug crypto ikev2 packet

debug crypto ikev2 error

Share this as a text file.

Here it is. Somewhere in the middle, the client receives the error while trying to connect to the router, but the debugging messages keep showing for an extra period of time.

crypto ikev2 authorization policy VPNPOL
 pool SAKAS <- check the pool config
 netmask <- remove this
 route set interface <- remove this
 route set access-list split-tunnel <- for the test, remove this

Check again; the attribute is unknown from the client.
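Since the router error says it failed to get the authorization list, one quick defensive check is whether every name the IKEv2 profile references (the anyconnect-eap authentication and authorization lists, the authorization policy, the trustpoint, and the pool inside the policy) is actually defined elsewhere in the config. The script below is an added example, not part of this thread or any Cisco tool; it parses a constructed copy of the config as posted (with `crypto pki trustpoint VPN` assumed present because the later `show crypto pki certificates` output lists that trustpoint, and with no `ip local pool` line because none was posted) and reports dangling references.

```python
"""Cross-check an IOS IKEv2 AnyConnect-EAP profile against the AAA lists,
authorization policy, trustpoint and address pool it references."""
import re

# Constructed sample: the thread's config, with submode lines indented the
# way IOS prints them. The trustpoint is an assumption taken from the
# 'show crypto pki certificates' output; the pool is deliberately missing
# because no 'ip local pool' line was posted.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local
crypto pki trustpoint VPN
 enrollment terminal
crypto ikev2 authorization policy VPNPOL
 pool SAKAS
 route set interface
 route set access-list split-tunnel
crypto ikev2 profile acvpn
 match identity remote key-id *$AnyConnectClient$*
 identity local address
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint VPN
 aaa authentication anyconnect-eap AUTH
 aaa authorization group anyconnect-eap list AUTHZ VPNPOL
 virtual-template 1
"""

# Top-level objects that a profile or policy may point at.
TOP = {
    "login_lists": re.compile(r"^aaa authentication login (\S+)"),
    "network_lists": re.compile(r"^aaa authorization network (\S+)"),
    "trustpoints": re.compile(r"^crypto pki trustpoint (\S+)"),
    "pools": re.compile(r"^ip local pool (\S+)"),
}


def parse_config(text):
    """Collect defined objects plus the names each profile/policy references."""
    objs = {key: set() for key in TOP}
    objs["policies"] = {}   # policy name -> {"pool": name or None}
    objs["profiles"] = {}   # profile name -> referenced names
    ctx = None              # ("policy"|"profile", name) while inside a submode
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw.startswith(" ") and ctx is not None:
            kind, name = ctx
            if kind == "policy":
                m = re.match(r"pool (\S+)", line)
                if m:
                    objs["policies"][name]["pool"] = m.group(1)
            else:
                prof = objs["profiles"][name]
                m = re.match(r"aaa authentication anyconnect-eap (\S+)", line)
                if m:
                    prof["auth_list"] = m.group(1)
                m = re.match(r"aaa authorization group anyconnect-eap list (\S+)(?: (\S+))?", line)
                if m:
                    prof["authz_list"], prof["policy"] = m.group(1), m.group(2)
                m = re.match(r"pki trustpoint (\S+)", line)
                if m:
                    prof["trustpoint"] = m.group(1)
            continue
        ctx = None  # any non-indented line leaves the current submode
        m = re.match(r"crypto ikev2 authorization policy (\S+)", line)
        if m:
            objs["policies"][m.group(1)] = {"pool": None}
            ctx = ("policy", m.group(1))
            continue
        m = re.match(r"crypto ikev2 profile (\S+)", line)
        if m:
            objs["profiles"][m.group(1)] = {}
            ctx = ("profile", m.group(1))
            continue
        for key, rx in TOP.items():
            m = rx.match(line)
            if m:
                objs[key].add(m.group(1))
    return objs


def check_profiles(text):
    """Return one finding string per dangling reference; empty list if clean."""
    objs = parse_config(text)
    findings = []
    for name, prof in objs["profiles"].items():
        al = prof.get("auth_list")
        if al is None:
            findings.append(f"profile {name}: no 'aaa authentication anyconnect-eap' list")
        elif al not in objs["login_lists"]:
            findings.append(f"profile {name}: authentication list {al} has no 'aaa authentication login {al}'")
        zl = prof.get("authz_list")
        if zl is None:
            findings.append(f"profile {name}: no 'aaa authorization group anyconnect-eap list'")
        elif zl not in objs["network_lists"]:
            findings.append(f"profile {name}: authorization list {zl} has no 'aaa authorization network {zl}'")
        pol = prof.get("policy")
        if pol is not None:
            if pol not in objs["policies"]:
                findings.append(f"profile {name}: authorization policy {pol} is not defined")
            else:
                pool = objs["policies"][pol]["pool"]
                if pool and pool not in objs["pools"]:
                    findings.append(f"profile {name}: policy {pol} references pool {pool} but no 'ip local pool {pool}' is configured")
        tp = prof.get("trustpoint")
        if tp and tp not in objs["trustpoints"]:
            findings.append(f"profile {name}: trustpoint {tp} is not defined")
    return findings


if __name__ == "__main__":
    for finding in check_profiles(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```

Run against the posted snippet it reports only the missing pool definition, which is the same point raised above ("check the pool config"); on a full running config it would also catch a misspelled list or policy name, which is the kind of mismatch that leaves the router with no authorization list to look up.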

I removed the commands in the authz policy you mentioned, but still it does not work.

Sorry to ask again; I need to see the debugs one by one, i.e. debug aaa authentication, then try to connect, then disable it and enable debug aaa authorization.

Second, did you configure trustpoint VPN correctly?

Can I see the XML profile?


Hello MHM,

I uploaded the .txt files and also the .xml profile in two images.

Hi friend,

I double checked; all the config is correct.

Can you share

show crypto pki certificates


I read about

aaa authorization user anyconnect-eap cached

It is added for EAP AnyConnect, but to be honest I don't know why. Try adding it and check.


Hello MHM,


Here is the output of show crypto pki certificates:

PQR-Rtr#sh crypto pki certificates
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Name: PQR-Rtr.pqr.public
Validity Date:
start date: 11:35:32 UTC Nov 27 2023
end date: 11:35:32 UTC Nov 24 2032
Associated Trustpoints: VPN

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Validity Date:
start date: 22:07:03 UTC Jul 12 2016
end date: 22:07:03 UTC Jul 8 2034
Associated Trustpoints: VPN


I also added the aaa authorization user anyconnect-eap cached command, and it did not work.
