cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1940
Views
5
Helpful
27
Replies

IKEv2-ERROR:AnyConnect EAP - failed to get author list

Hello community,

I am trying to implement IPSEC remote access VPN between Anyconnect on Windows and Cisco IOS router.

For some reason, i get the following error during the IKE_AUTH phase:

IKEv2-ERROR:AnyConnect EAP - failed to get author list

On the client side, the error is the following:

The VPN client failed to establish the connection.

The ikev2 configuration and the aaa are listed below :

crypto ikev2 authorization policy VPNPOL
pool SAKAS
netmask 255.255.255.0
route set interface
route set access-list split-tunnel


crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2


crypto ikev2 policy POLICY
proposal PROPOSAL


crypto ikev2 profile acvpn
match identity remote key-id *$AnyConnectClient$*
identity local address 209.165.202.130
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint VPN
aaa authentication anyconnect-eap AUTH
aaa authorization group anyconnect-eap list AUTHZ VPNPOL
virtual-template 1

 

aaa new-model
aaa authentication login AUTH local
aaa authorization network AUTHZ local

I also named the profile that the client uses with the name of acvpn.xml

I do not know what I am missing to make it work.

Any help would be appreciated.

Thanks in advance.

27 Replies 27

Hello MHM,

I have read this post and i have named my profile as acvpn.xml

You download profile to client?

Also some note from cisco doc.

Disable ip http and https server 

And no crypto ikev2 http-url cert

MHM

I imported the profile manually to the corresponding folder.

I will try the last command you recommended and i will try it again.

The http and https services i think they are already disabled.

Hope this work

MHM

Unfortunately it did not work .

Debug aaa authentication 

Debug aaa authorization 

Debug crypto ikev2 packet 

Debug crypto ikev2 error 

Share this as text file.

Here it is. Somewhere in the middle the client receives the error while trying to connect to the router. But the debugging messages keep showing for an extra period of time.

crypto ikev2 authorization policy VPNPOL
pool SAKAS <- check pool config 
netmask 255.255.255.0 <- remove this 
route set interface <- remove this 
route set access-list split-tunnel <- for test remove this 

Check again the attribute is unknown from client 

I removed the commands in the authz policy you mentioned, but still it does not work.

Sorry for ask again I need to see debug one by one' i.e. debug aaa auth then try connect then disable it and enable debug aaa authz 

Second do you config trustpoint VPN correctly?

Third 

Can I see the xml profile

MHM

Hello MHM,

I upload the .txt files and also the .xml profile in two images.

Hi friend 

I make double check all config is correct

But 

Can you share 

Show crypto pki certificate 

Also

I read about

aaa authz user cached

it add for EAP anyconnect but to honest I dont why. Try add ot and check.

MHM

Hello MHM,

 

Here is the output of the show crypto pki certificate:

PQR-Rtr#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=SP-CA
o=sp.public
Subject:
Name: PQR-Rtr.pqr.public
hostname=PQR-Rtr.pqr.public
cn=PQR-Rtr.pqt.public
Validity Date:
start date: 11:35:32 UTC Nov 27 2023
end date: 11:35:32 UTC Nov 24 2032
Associated Trustpoints: VPN

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=SP-CA
o=sp.public
Subject:
cn=SP-CA
o=sp.public
Validity Date:
start date: 22:07:03 UTC Jul 12 2016
end date: 22:07:03 UTC Jul 8 2034
Associated Trustpoints: VPN

 

I also added the  aaa authorization user anyconnect-eap cached command and it did not work.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: