
ISE Anyconnect Active Directory EAP-MSCHAP not allowed

asigachev
Level 1

Hello everyone


Trying to configure Anyconnect Remote-Access VPN with ASR1000, ISE and Active Directory and facing the following problem:

the authentication is failing with the following messages on ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
11801 Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead
11803 Failed to negotiate EAP because EAP-MSCHAP not allowed in the Allowed Protocols
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject


while EAP-MSCHAP is clearly allowed in the Authentication Policy.

The authentication policy matching sequence is

Authentication Policy: RAVPN1 >> Default


Allowed protocols list named TEST:

Is there anything else that needs to be enabled/permitted?

It worked perfectly with local users authentication and EAP-MD5.

Update: looks like the only mode working is EAP-MD5 (with local users; AD doesn't support it). Trying to use EAP-GTC with both local and AD identity sources fails with the same message saying EAP-GTC is not permitted by the Allowed Protocols List, while the protocol IS being permitted.


Update: It looks like ISE is declaring PEAP expecting to perform MS-CHAPv2 as inner method and AnyConnect Client says MS-CHAPv2 directly, so the systems fail to negotiate.

ISE says PEAP:

12300   Prepared EAP-Request proposing PEAP with challenge

AnyConnect responds, "no, I want EAP-MSCHAP":

11801   Extracted EAP-Response/NAK requesting to use EAP-MSCHAP instead

Which is weird, because EAP-MSCHAP IS actually MSCHAP inside PEAP or EAP-FAST. I suppose there is no such thing as using EAP-MSCHAP instead of PEAP, but inside of it.

If I choose EAP-MD5 it works, because EAP-MD5 is declared as EAP-MD5 by both sides. The problem is you can't use EAP-MD5 with Active Directory, only with local users.


Is there any way to overcome this?
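To make the negotiation in the ISE log concrete, here is an added example (not from the original post or from Cisco) that encodes and parses EAP packets per RFC 3748 and replays the outer-method negotiation: the server proposes PEAP (type 25), the client answers with a legacy Nak (type 3) asking for EAP-MSCHAPv2 (type 26), and the server rejects because 26 is not in its outer allowed list even though MSCHAPv2 is available as an inner method of PEAP/EAP-FAST. The type numbers are the IANA EAP method registry values; the packet bytes, the `negotiate()` policy model and the transcript wording are constructed for illustration and do not reproduce ISE's internal logic.

```python
"""Decode EAP packets and simulate the outer-method negotiation from the ISE log.

Added example: the packets below are constructed, and negotiate() is a toy model
of an allowed-protocols check, not ISE's implementation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP codes (RFC 3748, section 4).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# EAP method types from the IANA registry; only the ones relevant to the thread.
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_GTC = 1, 3, 4, 6
TYPE_PEAP, TYPE_MSCHAPV2, TYPE_FAST = 25, 26, 43
TYPE_NAMES = {
    TYPE_IDENTITY: "Identity", TYPE_NAK: "Nak", TYPE_MD5: "EAP-MD5",
    TYPE_GTC: "EAP-GTC", TYPE_PEAP: "PEAP", TYPE_MSCHAPV2: "EAP-MSCHAPv2",
    TYPE_FAST: "EAP-FAST",
}
# Tunnelled methods that carry MSCHAPv2 as an *inner* method. A peer that
# NAKs to type 26 is asking for MSCHAPv2 as an *outer* method instead.
TUNNELED = {TYPE_PEAP, TYPE_FAST}


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]      # None for Success/Failure (no Type field)
    type_data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.eap_type is None else bytes([self.eap_type]) + self.type_data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting truncated or inconsistent Length fields."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field inconsistent with received data")
    if code in (EAP_SUCCESS, EAP_FAILURE) or length == 4:
        return EapPacket(code, ident, None)
    # Type-Data runs to the declared Length; trailing bytes are padding and ignored.
    return EapPacket(code, ident, raw[4], raw[5:length])


def nak_desired_types(pkt: EapPacket) -> List[int]:
    """A legacy Nak carries the peer's acceptable types, one octet each (0 = none)."""
    if pkt.code != EAP_RESPONSE or pkt.eap_type != TYPE_NAK:
        return []
    return [t for t in pkt.type_data if t != 0]


def negotiate(server_allowed: List[int], client_methods: List[int]) -> List[str]:
    """Replay the outer-method negotiation and return an ISE-style transcript."""
    log: List[str] = []
    proposal = EapPacket(EAP_REQUEST, 1, server_allowed[0])
    log.append(f"Prepared EAP-Request proposing {TYPE_NAMES[proposal.eap_type]}")
    # The peer accepts only a method it implements as an outer method.
    if proposal.eap_type in client_methods:
        log.append(f"Client accepted {TYPE_NAMES[proposal.eap_type]}")
        return log
    nak = EapPacket(EAP_RESPONSE, 1, TYPE_NAK, bytes(client_methods))
    wanted = nak_desired_types(parse_eap(nak.encode()))   # round-trip on the wire
    names = ", ".join(TYPE_NAMES.get(t, str(t)) for t in wanted)
    log.append(f"Extracted EAP-Response/NAK requesting to use {names} instead")
    for t in wanted:
        if t in server_allowed:
            log.append(f"Prepared EAP-Request proposing {TYPE_NAMES[t]}")
            return log
    reason = names
    if TYPE_MSCHAPV2 in wanted and TUNNELED & set(server_allowed):
        reason += " (allowed only as an inner method of PEAP/EAP-FAST, not as an outer type)"
    log.append(f"Failed to negotiate EAP because {reason} not allowed in the Allowed Protocols")
    log.append("Prepared EAP-Failure")
    return log


if __name__ == "__main__":
    for line in negotiate([TYPE_PEAP], [TYPE_MSCHAPV2]):   # the failing case from the log
        print(line)
    print("--")
    for line in negotiate([TYPE_MD5], [TYPE_MD5]):         # the working EAP-MD5 case
        print(line)
```

Running it prints the PEAP proposal, the Nak for EAP-MSCHAPv2 and an EAP-Failure for the first case, and a clean acceptance for the EAP-MD5 case, which is the asymmetry the two updates above describe: the server's allowed list is checked against the outer type the peer names, so a Nak to type 26 cannot be satisfied by a PEAP or EAP-FAST entry whose inner method happens to be MSCHAPv2.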

18 Replies

I did, but anything you do to that string results in no profile matching:
009801: *Nov  9 12:09:37.254 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
009802: *Nov  9 12:09:37.254 EET: IKEv2-ERROR:% IKEv2 profile not found
009803: *Nov  9 12:09:37.258 EET: IKEv2-ERROR:(SESSION ID = 110,SA ID = 1):: Failed to locate an item in the database
009804: *Nov  9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Verification of peer's authentication data FAILED
009805: *Nov  9 12:09:37.258 EET: IKEv2:(SESSION ID = 110,SA ID = 1):Sending authentication failure notify

Found out that those error messages are also in the debug output of a working profile (EAP-MD5). So, those are not necessarily a problem.
I found out though:
007761: *Nov 6 01:11:12.962 EET: IKEv2:(SESSION ID = 96,SA ID = 1):Error in settig received config mode data
007762: *Nov 6 01:11:12.962 EET: IKEv2:(SESSION ID = 96,SA ID = 1):Auth exchange failed
007763: *Nov 6 01:11:12.962 EET: IKEv2-ERROR:(SESSION ID = 96,SA ID = 1):: Auth exchange failed

waynesymes
Level 1

EAP is an authentication framework, not a specific authentication mechanism. ISE is a fully IETF-compliant RADIUS server. MSCHAP is not an IETF-supported inner method for EAP; however, MD5 is analogous to the PPP CHAP protocol, so EAP-MD5 could be used. The EAP methods defined in IETF RFCs are EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA'. The commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. PEAP (Protected EAP) has two IETF-defined inner methods: EAP-GTC (PEAPv1) and MSCHAPv2 (PEAPv0). There are also many vendor-specific EAP types outside of these.


Hi waynesymes,


I agree with you that ALL vendors should follow and be compliant with an RFC/draft/etc., but as we all know, that is not always the case in this world.

I would gladly use EAP-MD5, even if it is collision and MITM prone, if I had one of the following tools:

a) A sharp tool to get Microsoft to accept an MD5 challenge in user auth.

b) A tool to export/import AD users (including updates of password or account status) through ERS in ISE

As I don't have either one, I'm trying to make AD happy, ISE happy and me happy :-)

Now, leaving the joke aside, the problem, I think, resides in ISE, since both asigachev and I checked the EAP-FAST/PEAP with MSCHAPv2 method, but when authentication occurs, ISE says it is not checked.

It is also true that in every configuration guide involving FlexVPN, IOS/IOS XE and the AnyConnect client, when MSCHAPv2 was mentioned there was always a Microsoft RADIUS server configured, and I never saw ISE. Now I wonder why...