ASA SSL VPN radius authentication problem


Sergey Sivertsev

Apr 19, 2016, 5:11:57 PM
to RCDevs Security Solutions - Technical
Hello!

I have a problem with ASA SSL VPN authentication. Please help me find a solution.

I checked this document:

I use default shared secret "testing123".

When I use test aaa command on ASA I receive a successful authentication:

ASAx/pri/act# test aaa-server authentication RCDEVS host 172.16.10.196 usernam$
Password: **********
INFO: Attempting Authentication test to IP address <172.16.10.196> (timeout: 10 seconds)
INFO: Authentication Successful

And successful result in the radius bridge log file:

Tue Apr 19 23:06:24 2016 : Auth: rlm_openotp: OpenOTP Authentication succeeded

But when I try to use this radius group with Cisco ASA SSL VPN configuration I receive an error with authentication.

In the radius bridge log file:
Tue Apr 19 23:10:05 2016 : Auth: rlm_openotp: Invalid context attribute "Calling-Station-Id" (bad length)

What could be wrong with my configuration?


Spyridon Gouliarmis (RCDevs)

Apr 20, 2016, 3:37:13 AM
to RCDevs Security Solutions - Technical
Hello Sergey,

sounds like our FreeRADIUS fork and your Cisco ASA disagree on what's proper RADIUS. Can you run radiusd in debug mode and try again? (service radiusd stop && service radiusd debug) Then copy the whole authentication here. I'm curious about what Calling-Station-Id contains.

Sergey Sivertsev

Apr 20, 2016, 10:26:39 AM
to RCDevs Security Solutions - Technical
Hello Spyridon!

Thank you for help!

Here is the debug from radiusd:

Ready to process requests.



rad_recv: Access-Request packet from host 192.168.191.1 port 11202, id=6, length=241
        User-Name = "anyconnect"
        User-Password = "anyconnect"
        NAS-Port = 57344
        Called-Station-Id = "192.168.192.3"
        Calling-Station-Id = "83.220.236.70"
        NAS-Port-Type = Virtual
        Tunnel-Client-Endpoint:0 = "83.220.236.70"
        NAS-IP-Address = 192.168.191.1
        Cisco-AVPair = "audit-session-id=c0a8bf010000e00057172de7"
        Cisco-AVPair = "ip:source-ip=83.220.236.70"
        Vendor-3076-Attr-146 = 0x74657374
        Vendor-3076-Attr-150 = 0x00000003
        Cisco-AVPair = "coa-push=true"
# Executing section authorize from file /opt/radiusd/conf/radiusd.conf
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[openotp] = ok
+} # group authorize = ok
Found Auth-Type = openotp
# Executing group from file /opt/radiusd/conf/radiusd.conf
+group authenticate {
rlm_openotp: Found source attribute "Tunnel-Client-Endpoint" with value "83.220.236.70"
rlm_openotp: Invalid context attribute "Calling-Station-Id" (bad length)
++[openotp] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anyconnect] (from client any port 57344 cli 83.220.236.70)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 6 to 192.168.191.1 port 11202
Finished request 0.
Going to the next request
Waking up in 9.9 seconds.
Cleaning up request 0 ID 6 with timestamp +35
Ready to process requests.


And debug radius from ASA:

ASAx/pri/act# radius mkreq: 0x21
alloc_rip 0x00007fff32dc2848
    new request 0x21 --> 6 (0x00007fff32dc2848)
got user 'anyconnect'
got password
add_req 0x00007fff32dc2848 session 0x21 id 6
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=83.220.236.70

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 241).....
01 06 00 f1 f1 25 28 e2 67 56 6b 2e 17 c6 be 20    |  .....%(.gVk....
4a 87 67 30 01 0c 61 6e 79 63 6f 6e 6e 65 63 74    |  J.g0..anyconnect
02 12 a9 8b 86 1b ce d5 02 3e 0a b9 6e 3b 08 b3    |  .........>..n;..
89 05 05 06 00 00 e0 00 1e 0f 31 39 32 2e 31 36    |  ..........192.16
38 2e 31 39 32 2e 33 1f 0f 38 33 2e 32 32 30 2e    |  8.192.3..83.220.
32 33 36 2e 37 30 3d 06 00 00 00 05 42 0f 38 33    |  236.70=.....B.83
2e 32 32 30 2e 32 33 36 2e 37 30 04 06 c0 a8 bf    |  .220.236.70.....
01 1a 31 00 00 00 09 01 2b 61 75 64 69 74 2d 73    |  ..1.....+audit-s
65 73 73 69 6f 6e 2d 69 64 3d 63 30 61 38 62 66    |  ession-id=c0a8bf
30 31 30 30 30 30 65 30 30 30 35 37 31 37 32 64    |  010000e00057172d
65 37 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75    |  e7."......ip:sou
72 63 65 2d 69 70 3d 38 33 2e 32 32 30 2e 32 33    |  rce-ip=83.220.23
36 2e 37 30 1a 0c 00 00 0c 04 92 06 74 65 73 74    |  6.70........test
1a 0c 00 00 0c 04 96 06 00 00 00 03 1a 15 00 00    |  ................
00 09 01 0f 63 6f 61 2d 70 75 73 68 3d 74 72 75    |  ....coa-push=tru
65                                                 |  e

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 6 (0x06)
Radius: Length = 241 (0x00F1)
Radius: Vector: F12528E267566B2E17C6BE204A876730
Radius: Type = 1 (0x01) User-Name
Radius: Length = 12 (0x0C)
Radius: Value (String) =
61 6e 79 63 6f 6e 6e 65 63 74                      |  anyconnect
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
a9 8b 86 1b ce d5 02 3e 0a b9 6e 3b 08 b3 89 05    |  .......>..n;....
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
31 39 32 2e 31 36 38 2e 31 39 32 2e 33             |  192.168.192.3
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
38 33 2e 32 32 30 2e 32 33 36 2e 37 30             |  83.220.236.70
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) =
38 33 2e 32 32 30 2e 32 33 36 2e 37 30             |  83.220.236.70
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.191.1 (0xC0A8BF01)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 49 (0x31)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 43 (0x2B)
Radius: Value (String) =
61 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64    |  audit-session-id
3d 63 30 61 38 62 66 30 31 30 30 30 30 65 30 30    |  =c0a8bf010000e00
30 35 37 31 37 32 64 65 37                         |  057172de7
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 38 33 2e    |  ip:source-ip=83.
32 32 30 2e 32 33 36 2e 37 30                      |  220.236.70
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
74 65 73 74                                        |  test
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 3 (0x0003)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65             |  coa-push=true
rip 0x00007fff32dc2848 state 7 id 6
rad_vrfy() : response message verified
rip 0x00007fff32dc2848
 : chall_state ''
 : state 0x7
 : reqauth:
     f1 25 28 e2 67 56 6b 2e 17 c6 be 20 4a 87 67 30
 : info 0x00007fff32dc2988
     session_id 0x21
     request_id 0x6
     user 'anyconnect'
     response '***'
     app 0
     reason 0
     skey 'testing123'
     sip 172.16.10.196
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 20).....
03 06 00 14 59 53 35 b8 6c b0 ff 22 eb 3a 92 46    |  ....YS5.l..".:.F
6e 1e a9 0f                                        |  n...

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 6 (0x06)
Radius: Length = 20 (0x0014)
Radius: Vector: 595335B86CB0FF22EB3A92466E1EA90F
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0x00007fff32dc2848 session 0x21 id 6
free_rip 0x00007fff32dc2848
radius: send queue empty



On Wednesday, April 20, 2016 at 10:37:13 UTC+3, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Apr 20, 2016, 11:25:32 AM
to RCDevs Security Solutions - Technical
I just asked the devs, it might be because of the following line in /opt/radiusd/conf/openotp.conf:

context_attribute = "Calling-Station-Id"

If it's uncommented like this in your file, comment it. Our module expects the contents of whatever the context attribute is to contain a long enough string (> 16 octets), which is not the case here.

You can set your source_attribute to Calling-Station-Id instead. This will make the calling station id the source of the authentication request in the WebADM logs.

We're still figuring out how to get the remote user's IP address from different RADIUS implementations, by trial and error, so things might change a little on that front in the near future.
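The rule Spyridon describes can be checked directly against the packet Sergey posted. The following is an added example (not RCDevs' rlm_openotp code, and not from the thread): a small RFC 2865 parser that decodes the raw Access-Request hex from the ASA debug output above, expands the Vendor-Specific attributes the way the radiusd debug names them, and applies the "longer than 16 octets" acceptance rule to a chosen context attribute. The threshold, the strict comparison, and the attribute names are assumptions taken from the support reply; whether any other attribute in the packet would be accepted as a context attribute by rlm_openotp is not something the thread says.

```python
"""Parse the Access-Request from the ASA debug above and test the context-attribute rule."""
import struct

# Constructed from the "Raw packet data" hex dump in the ASA debug posted in the thread (241 octets).
ACCESS_REQUEST = bytes.fromhex("""
01 06 00 f1 f1 25 28 e2 67 56 6b 2e 17 c6 be 20
4a 87 67 30 01 0c 61 6e 79 63 6f 6e 6e 65 63 74
02 12 a9 8b 86 1b ce d5 02 3e 0a b9 6e 3b 08 b3
89 05 05 06 00 00 e0 00 1e 0f 31 39 32 2e 31 36
38 2e 31 39 32 2e 33 1f 0f 38 33 2e 32 32 30 2e
32 33 36 2e 37 30 3d 06 00 00 00 05 42 0f 38 33
2e 32 32 30 2e 32 33 36 2e 37 30 04 06 c0 a8 bf
01 1a 31 00 00 00 09 01 2b 61 75 64 69 74 2d 73
65 73 73 69 6f 6e 2d 69 64 3d 63 30 61 38 62 66
30 31 30 30 30 30 65 30 30 30 35 37 31 37 32 64
65 37 1a 22 00 00 00 09 01 1c 69 70 3a 73 6f 75
72 63 65 2d 69 70 3d 38 33 2e 32 32 30 2e 32 33
36 2e 37 30 1a 0c 00 00 0c 04 92 06 74 65 73 74
1a 0c 00 00 0c 04 96 06 00 00 00 03 1a 15 00 00
00 09 01 0f 63 6f 61 2d 70 75 73 68 3d 74 72 75
65
""")

ATTR_NAMES = {  # RFC 2865/2868 names for the attribute types that occur in this request
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
    66: "Tunnel-Client-Endpoint",
}
VENDOR_SPECIFIC = 26
CONTEXT_MIN_OCTETS = 16  # assumption: the "> 16 octets" rule as stated by RCDevs support above


def parse_vsa(value, offset):
    """Split one Vendor-Specific value into (name, data) sub-attributes (RFC 2865 s5.26).
    A single VSA may carry several sub-attributes, so loop instead of assuming one."""
    if len(value) < 6:
        raise ValueError(f"VSA too short at offset {offset}")
    vendor = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError(f"bad vendor sub-attribute at offset {offset + 2 + pos}")
        vtype, vlen = value[pos], value[pos + 1]
        # Cisco-AVPair is vendor 9 type 1; anything else is named the way the radiusd debug named it
        name = "Cisco-AVPair" if (vendor, vtype) == (9, 1) else f"Vendor-{vendor}-Attr-{vtype}"
        out.append((name, value[pos + 2:pos + vlen]))
        pos += vlen
    return out


def parse_packet(packet):
    """Parse the header and attribute TLVs; reject length fields that disagree with the data."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field says {length} but {len(packet)} octets received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"bad attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            attrs.extend(parse_vsa(value, pos))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attributes": attrs}


def check_context_attribute(attrs, name="Calling-Station-Id"):
    """Apply the acceptance rule quoted in the thread; returns (accepted, message)."""
    values = [v for n, v in attrs if n == name]
    if not values:
        return False, f'context attribute "{name}" not present in request'
    n = len(values[0])
    if n <= CONTEXT_MIN_OCTETS:
        return False, f'Invalid context attribute "{name}" (bad length: {n} octets, need > {CONTEXT_MIN_OCTETS})'
    return True, f'context attribute "{name}" accepted ({n} octets)'


def long_enough(attrs):
    """Names of attributes in this request whose value would pass the length rule (analysis only)."""
    return sorted({n for n, v in attrs if len(v) > CONTEXT_MIN_OCTETS and n != "User-Password"})


if __name__ == "__main__":
    pkt = parse_packet(ACCESS_REQUEST)
    print(f"Code={pkt['code']} Identifier={pkt['id']} attributes={len(pkt['attributes'])}")
    for n, v in pkt["attributes"]:
        print(f"  {n} = {v!r}")
    for name in ("Calling-Station-Id", "Tunnel-Client-Endpoint"):
        print(check_context_attribute(pkt["attributes"], name)[1])
    print("values longer than 16 octets:", long_enough(pkt["attributes"]))
```

Both Calling-Station-Id and Tunnel-Client-Endpoint carry the 13-octet string "83.220.236.70" in this request, so under the stated rule either choice fails, which is consistent with the later report that switching context_attribute to Tunnel-Client-Endpoint produced the same error. Comparing the full attribute list like this matters because the `test aaa-server` path on the ASA succeeded while the tunnel-group path failed: the two send different attribute sets. One caveat the decoded packet also makes visible: User-Password is hidden only with MD5(shared secret || Request-Authenticator) as specified in RFC 2865, so leaving the default secret "testing123" in place means anyone who captures this packet can recover the PAP password; replace the default before the server authenticates real users.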

Sergey Sivertsev

Apr 20, 2016, 12:37:15 PM
to RCDevs Security Solutions - Technical
/opt/radiusd/conf/openotp.conf was at default settings and the context attribute was commented out, so by default it was set to Calling-Station-Id.

I uncommented it for testing and tried different values:
context_attribute = "Calling-Station-Id" 
context_attribute = "Tunnel-Client-Endpoint"

and still received the error about bad length of the context attribute.


I am going to change my Cisco ASA version to check.
 

Sergey Sivertsev

Apr 20, 2016, 1:36:35 PM
to RCDevs Security Solutions - Technical
Hello again!

I have just checked Cisco Router VPN + RCDevs RADIUS and received the same error.

Maybe I am doing something wrong.
I downloaded the new VMware OVF: Virtual Appliance (OpenLDAP - OVF) 1.5.0-2 and deployed it on VMware ESXi.
After that I created the user cn=anyconnect in WebADM and activated it.
I did not change any configuration files and used the default RADIUS shared secret value "testing123".
I checked with the Cisco command "test aaa" that the user authenticates successfully.

After that I used the RADIUS group for VPN user authentication and received the error about the bad length of the context attribute.

I deployed RCDevs for Cisco VPN two years ago and did not have such a problem.
Maybe I am doing something wrong now.
Should I deploy an old version of RCDevs? (Unfortunately I do not know how to download a VMware appliance of a previous version.)

I really enjoy RCDevs tools and would like to use them. Please help me find a solution.


On Wednesday, April 20, 2016 at 19:37:15 UTC+3, Sergey Sivertsev wrote:

Spyridon Gouliarmis (RCDevs)

Apr 21, 2016, 4:14:58 AM
to RCDevs Security Solutions - Technical
Just checking: I assume you've restarted radiusd after commenting context_attribute (all of the instances in the file, just to be sure)?

Sergey Sivertsev

Apr 21, 2016, 5:15:47 AM
to RCDevs Security Solutions - Technical
Yes, of course. I restarted radiusd after every change. When I checked with the Cisco router I used the new virtual appliance with the context attribute commented out by default.

On Thursday, April 21, 2016 at 11:14:58 UTC+3, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Apr 21, 2016, 5:59:00 AM
to RCDevs Security Solutions - Technical
Probably a bug in that version, then. Can you try the latest one from today? https://www.rcdevs.com/downloads/download/1/Enterprise/radiusd-1.2.5-2-x64.sh.gz/

If it works and no one else complains about your current version, we'll just call it a day.

Sergey Sivertsev

Apr 21, 2016, 3:57:58 PM
to RCDevs Security Solutions - Technical
I upgraded radiusd with this version. But I have the same error.

On Thursday, April 21, 2016 at 12:59:00 UTC+3, Spyridon Gouliarmis (RCDevs) wrote:

Sergey Sivertsev

Apr 21, 2016, 5:21:31 PM
to RCDevs Security Solutions - Technical
Hi Spyridon!

I have just installed radiusd-1.2.4-x64.sh.gz (previous version) and it works without errors.
Thank you for help!


On Thursday, April 21, 2016 at 22:57:58 UTC+3, Sergey Sivertsev wrote: