My Cisco ASA AnyConnect SSL VPN users receive multiple 2FA requests.

ermionline
Level 1
Level 1

Hi

I have AnyConnect SSL VPN deployed on an ASA 5525-X and an on-premises Windows RADIUS server, which forwards authentication traffic to a remote server deployed on PingFederate.

The issue is that users are getting multiple 2FA requests on their phones while trying to connect to the corporate VPN. Does anyone have any idea why this is happening?


Regards,

Ermias W

2 Replies

@ermionline 

Has this ever worked?

Does this happen all of the time?

It could be that the timeout value between the ASA and NPS, or between NPS and the Ping servers, is too short. Have a look and increase the timeout; usually 60 seconds is a good value.

Hi Rob,

I've actually faced this behavior a couple of times. The issue was indeed with the authentication timeout. However, I believe increasing it won't help.

The issue I faced was quite hard to understand at that point. If the user fails to acknowledge and approve/deny the first MFA push notification for whatever reason, he ends up in an endless loop in which a push hits him every 120 s, without an easy option to stop it. The configuration was quite simple: the MFA server was used as secondary authentication, with a timeout of 120 s and max-failed-attempts of 3. Once the user misses reacting to the first push, the ASA attempts retransmission every 10 s (by default) until the timeout period of 120 s steps in. Retransmission happens with the same RADIUS ID, so MFA treats it as the same message and doesn't resend the push to the client. However, at some point, after the timeout happens, the ASA changes the RADIUS ID (which is expected behavior), which MFA interprets as a new request and in turn triggers another push.

This is where max-failed-attempts was meant to step in, and, in theory, after 3 unsuccessful attempts it should stop the loop. However, as this was quite a busy GW, during these retransmissions a successful login happens, which in turn resets the counter for max-failed-attempts back to 0 (as this is configured per aaa-server group, we can have numerous failed attempts, but one successful attempt within a period of timeout*max-failed-attempts resets the counter back to 0), so max-failed-attempts actually never steps in and we ended up in an infinite loop.

The solution in our case was to reduce max-failed-attempts to 1 and the timeout to 60 s:

aaa-server MFA protocol radius
 max-failed-attempts 1
aaa-server MFA (inside) host 10.1.100.100
 timeout 60
aaa-server MFA (inside) host 10.20.100.100
 timeout 60

This effectively solved our issue, and the worst case we have seen since then is that someone can get one or two push requests, but never infinite loops. This also means that our MFA servers are flapping much more often, but I don't find that to be an obstacle.

Also, in terms of timers, I found that the most suitable option for me is:

  • 120s in AnyConnect profile (max value, which would guarantee me at least 2 login attempts, no matter what)
  • 60s for ASA-ISE (again, which would guarantee me at least 2 login attempts, if one ISE server fails)
  • 45s for ISE-MFA, in case where I don't use secondary authentication on ASA (which would guarantee me at least 2 attempts, even if one MFA server failed)

Regards

Milos
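To make the interaction Milos describes concrete, here is an added toy simulation of the retransmission loop; it is not the poster's code or Cisco's implementation, and the 10 s retransmit interval, the two-host group, the per-host failure counter and the "another user logs in every 100 s" schedule are constructed assumptions. It compares the original settings (timeout 120 s, max-failed-attempts 3) with the fix (60 s, 1) on a quiet and on a busy gateway.

```python
from dataclasses import dataclass


@dataclass
class LoopResult:
    pushes: int     # push notifications the unresponsive user receives
    packets: int    # RADIUS packets the ASA sent, same-ID retransmits included
    rejected: bool  # True once every host in the group is marked failed


def simulate_push_loop(timeout, max_failed_attempts, servers=2,
                       other_login_times=(), retransmit=10, horizon=1200):
    """Model one user who never answers the push (assumption: toy model of the
    behaviour described in the thread, not Cisco's implementation).

    - Each attempt uses a fresh RADIUS ID, so the MFA server sends one push; the
      same-ID retransmits every `retransmit` s are deduplicated and send none.
    - After `timeout` s without a reply the attempt fails and the host's failure
      counter increments; a successful login by anyone on the group resets it.
    - At `max_failed_attempts` the host is marked failed and the next one is tried;
      when all `servers` hosts are failed the login is rejected and the loop ends.
    """
    logins = sorted(other_login_times)                # constructed "other users"
    packets_per_attempt = -(-timeout // retransmit)   # ceil(timeout / retransmit)
    res = LoopResult(pushes=0, packets=0, rejected=False)
    failures, failed_hosts, t = 0, 0, 0
    while t < horizon:
        res.pushes += 1                               # fresh RADIUS ID -> new push
        res.packets += packets_per_attempt
        end = t + timeout
        if any(t <= login < end for login in logins):
            failures = 0                              # the busy-gateway reset
        failures += 1                                 # this attempt timed out
        if failures >= max_failed_attempts:
            failed_hosts, failures = failed_hosts + 1, 0
            if failed_hosts == servers:
                res.rejected = True
                break
        t = end
    return res


if __name__ == "__main__":
    busy = range(100, 1200, 100)   # constructed: another user succeeds every 100 s
    for label, cfg in (("original: timeout 120, max-failed 3", (120, 3)),
                       ("fixed:    timeout 60,  max-failed 1", (60, 1))):
        quiet = simulate_push_loop(*cfg)
        loaded = simulate_push_loop(*cfg, other_login_times=busy)
        print(f"{label}: quiet GW -> {quiet}, busy GW -> {loaded}")
```

With the original settings the busy gateway never reaches max-failed-attempts within the simulated 20 minutes, so the pushes only stop at the horizon; with the fix the user gets at most one push per host before the ASA rejects the login.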