05-19-2015 10:45 AM - edited 03-10-2019 10:44 PM
Hello everyone
Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:
the authentication is failing with the following messages on ISE:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - Network Access.Device IP Address
15006 | Matched Default Rule
11507 | Extracted EAP-Response/Identity
12300 | Prepared EAP-Request proposing PEAP with challenge
11006 | Returned RADIUS Access-Challenge
11001 | Received RADIUS Access-Request
11018 | RADIUS is re-using an existing session
11801 | Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 | Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 | Prepared EAP-Failure
11003 | Returned RADIUS Access-Reject
while EAP-MSCHAP is clearly allowed in the Authentication Policy.
The authentication policy matching sequence is
Authentication Policy: RAVPN1 >> Default
Allowed protocols list named TEST:
Is there anything else that needs to be enabled/permitted?
It worked perfectly with local users authentication and EAP-MD5.
Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List, while the protocol IS being permitted.
Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.
ISE says PEAP:
12300 Prepared EAP-Request proposing PEAP with challenge
AnyConnect responds, "no, I want EAP-MSCHAP":
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.
If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.
Is there any way to overcome this?
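The negotiation described in the post above, as an added illustration (not Cisco's code and not a real ISE or AnyConnect implementation): a small model of RFC 3748 EAP type negotiation in which the server proposes its first allowed outer method, the peer answers with a NAK naming the type it wants, and the server fails the exchange when that type is not in its allowed outer list. The type numbers are the IANA EAP method types; the allowed lists and the username are constructed for the example.

```python
# Added model of the EAP negotiation seen in the ISE log (illustrative, not Cisco code).
# RFC 3748 framing: Code(1) Id(1) Length(2) Type(1) Type-Data. A NAK is Type 3 whose
# Type-Data lists the method types the peer is willing to use instead.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_PEAP, TYPE_MSCHAPV2 = 1, 3, 4, 25, 26
NAMES = {TYPE_MD5: "EAP-MD5", TYPE_PEAP: "PEAP", TYPE_MSCHAPV2: "EAP-MSCHAPv2"}

def build(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    eap_type = pkt[4] if length > 4 else None   # Success/Failure carry no Type
    return code, ident, eap_type, pkt[5:]

def server_next(response, allowed_outer):
    """Decide the server's next packet after a peer response.
    allowed_outer: EAP types the server may run directly over RADIUS (the outer
    'Allowed Protocols' list). Returns (packet, description)."""
    code, ident, eap_type, data = parse(response)
    if code != EAP_RESPONSE:
        raise ValueError("expected EAP-Response")
    if eap_type == TYPE_IDENTITY:            # propose the first allowed outer method
        first = allowed_outer[0]
        return build(EAP_REQUEST, ident + 1, first), f"proposing {NAMES[first]}"
    if eap_type == TYPE_NAK:                 # peer wants something else
        wanted = [t for t in data if t in allowed_outer]
        if not wanted:                       # mirrors the 11801/11803 -> EAP-Failure path
            asked = ", ".join(NAMES.get(t, str(t)) for t in data)
            return build(EAP_FAILURE, ident), f"{asked} not allowed as outer method"
        return build(EAP_REQUEST, ident + 1, wanted[0]), f"proposing {NAMES[wanted[0]]}"
    return build(EAP_SUCCESS, ident), f"continuing {NAMES.get(eap_type)}"

def negotiate(client_wants, allowed_outer):
    """Run Identity -> proposal -> NAK (if needed) and return the outcome as text."""
    req, _ = server_next(build(EAP_RESPONSE, 1, TYPE_IDENTITY, b"user"), allowed_outer)
    _, ident, proposed, _ = parse(req)
    if proposed == client_wants:
        return f"agreed on {NAMES[proposed]}"
    nak = build(EAP_RESPONSE, ident, TYPE_NAK, bytes([client_wants]))
    nxt, desc = server_next(nak, allowed_outer)
    code, _, t, _ = parse(nxt)
    return f"EAP-Failure: {desc}" if code == EAP_FAILURE else f"agreed on {NAMES[t]}"
```

Running `negotiate(TYPE_MSCHAPV2, [TYPE_PEAP])` reproduces the failure pattern from the log: the server offers PEAP, the peer NAKs asking for EAP-MSCHAPv2 as an outer method, and the server answers EAP-Failure because that type is only on its inner (PEAP) list.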
11-09-2015 02:21 AM
009801: *Nov 9 12:09:37.254 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
009802: *Nov 9 12:09:37.254 EET: IKEv2-ERROR:% IKEv2 profile not found
009803: *Nov 9 12:09:37.258 EET: IKEv2-ERROR:(SESSION ID = 110,SA ID = 1):: Failed to locate an item in the database
009804: *Nov 9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Verification of peer's authentication data FAILED
009805: *Nov 9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Sending authentication failure notify
11-05-2015 03:22 PM
10-09-2015 08:02 AM
EAP is an authentication framework, not a specific authentication mechanism. ISE is a fully IETF-compliant RADIUS server. MSCHAP is not an IETF-supported inner method for EAP; however, MD5 is analogous to the PPP CHAP protocol, so EAP-MD5 could be used. The EAP methods defined in IETF RFCs are EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA'. The commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. PEAP (Protected EAP) has two IETF-defined inner methods: EAP-GTC (PEAPv1) and MSCHAPv2 (PEAPv0). There are also many vendor-specific EAP types outside of these.
10-09-2015 08:43 AM
I agree with you that ALL vendors should follow and be compliant with an RFC/draft/etc., but as we all know, that is not always the case in this world.
I would gladly use EAP-MD5, even if it is collision and MITM prone, if I had one of the following tools:
a) A sharp tool to determine Microsoft to accept an MD5 challenge in user auth.
b) A tool to export/import AD users (including updates of password or account status) through ERS in ISE.
As I don't have either one, I'm trying to make AD happy, ISE happy and me happy :-)
Now, leaving the joke aside, the problem, I think, resides in ISE, as asigachev and I checked the EAP-FAST/PEAP with MSCHAPv2 method, but when authentication occurs, ISE says it is not checked.
It is also true that in every configuration guide involving FlexVPN, IOS/IOS XE and the Anyconnect client, when MSCHAPv2 was mentioned there was always a Microsoft RADIUS configured, and I never saw ISE. Now I wonder why...