09-26-2015 03:58 PM
I am using an ASA 5505 to VPN in to a private network. The AAA is handled by FreeRADIUS and I have written a custom module that handles 2FA.
I am capturing logs with debug aaa authentication, radius decode, crypto ipsec 255, and crypto ikev1 255.
Multiple Reply-Messages are allowed for in the Access-Challenge:
"The Attributes field MAY have one or more Reply-Message Attribute."
Also for Reply-Message:
"Multiple Reply-Message's MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet."
Looking at the logs above, at line 622 you can see the RADIUS Access-Challenge with TWO Reply-Messages. Then on line 659 you can see the IKEv1 raw dump containing only one of the Reply-Messages. Is this a limitation of IKE, a misconfiguration of how the Access-Challenge is set up, a misconfiguration of how the ASA is set up, or a bug in the ASA?
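As an added example (not code from the original post, FreeRADIUS or the ASA): a small Python parser that builds a constructed Access-Challenge carrying two Reply-Message attributes and a State attribute, then extracts every Reply-Message in packet order, which is what the RFC text quoted above requires of a client that displays them. The prompt text, identifier and State value are made up; the authenticator is a zero placeholder.

```python
import struct

ACCESS_CHALLENGE = 11  # RADIUS packet code (RFC 2865, section 4.4)
REPLY_MESSAGE = 18     # attribute type (RFC 2865, section 5.18)
STATE = 24             # attribute type (RFC 2865, section 5.24)

def build_challenge(identifier, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value) pairs; used only to construct the sample."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, identifier, 20 + len(body))
    return header + authenticator + body

def parse_attributes(packet):
    """Yield (type, value) pairs in packet order, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def reply_messages(packet):
    """Return every Reply-Message text in packet order; a client should show all of them."""
    return [v.decode("utf-8") for t, v in parse_attributes(packet) if t == REPLY_MESSAGE]

# Constructed sample: a two-line 2FA prompt plus the State the client must echo back.
SAMPLE = build_challenge(
    identifier=7,
    authenticator=bytes(16),  # placeholder; a real server sends a computed Response Authenticator
    attrs=[
        (REPLY_MESSAGE, b"Password accepted."),
        (REPLY_MESSAGE, b"Enter the one-time code from your token:"),
        (STATE, b"sess-0001"),
    ],
)

if __name__ == "__main__":
    for line in reply_messages(SAMPLE):
        print(line)
```

Running the same parser over a capture like the one at line 622 would show whether both Reply-Messages really arrive in the Access-Challenge before the ASA hands the prompt to the client.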
11-11-2015 01:56 PM
So after identifying possible interoperability issues using IKEv1, or at least improvements in interoperability purported by...
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
...for IKEv2, you tried this with IKEv2 with no better results, is that correct?
If CLI or ASDM exhibit the same behavior, you further believe the IKE difference is irrelevant because IKE isn't used in those access communications, yet the problem still occurs?
Thanks,
m.
11-12-2015 09:36 PM
Both CLI and ASDM login show the same behavior of not handling multiple Reply-Messages. Since CLI and ASDM presumably don't use IKE, my guess is this problem is closer to the translation of the RADIUS Access-Challenge by the ASA.