Cisco FTD1120 configured from FMC, email OTP and AnyConnect

I’m very new to privacyIDEA; we are testing it as an email/SMS OTP addition to our Windows AD RADIUS deployment of Cisco AnyConnect clients. As privacyIDEA will be used as the secondary AAA server, user PINs will not be set and we will rely on the emailed OTP exclusively.

I’ve enrolled privacyIDEA tokens for a few test users’ email addresses and have had success testing the RADIUS functionality. We send the RADIUS authentication request first with the username only, then get an email with the OTP. The response in testing seems to show that the FreeRADIUS plugin is working correctly:

sending authentication request to server ..**.18:1812
Transmitting packet, code=1 id=32 length=49
received response from the server in 78miliseconds
reply packet code=2 id=32 length=48
response: Access-Accept
------------------------attribute dump-------------------------
Relply-Message=privacyIDEA access granted

When connecting to the FTD1120 as the secondary AAA server we get the following in the logs:

2021-11-06 13:12:39 Info AAA unable to complete the request Error : reason = Invalid response received from server : user = r***
2021-11-06 13:12:21 Info AAA challenge received for user r*** from server ...18 <–privacyidea server
2021-11-06 13:12:20 Info AAA user authentication successful : server = ...3 : user = r*** ← primary AD with NPS

I can tell you that the FreeRADIUS server seems to be granting access correctly (although there seem to be some errors):

(19) perl-privacyidea: &request:Cisco-AVPair += $RAD_REQUEST{‘Cisco-AVPair’} → ‘coa-push=true’
(19) perl-privacyidea: &request:ASA-ClientType = $RAD_REQUEST{‘ASA-ClientType’} → ‘AnyConnect-Client-SSL-VPN’
(19) perl-privacyidea: ERROR: Failed to create pair - Unknown name “privacyIDEA-Serial”
(19) perl-privacyidea: ERROR: &reply:privacyIDEA-Serial += $RAD_REPLY{‘privacyIDEA-Serial’} → ‘PIEM00003C93’
(19) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{‘Reply-Message’} → ‘privacyIDEA access granted’
(19) perl-privacyidea: ERROR: Internal failure creating pair &reply:Class += $RAD_REPLY{‘Class’} → ‘undef’
(19) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{‘Auth-Type’} → ‘Perl’
(19) [perl-privacyidea] = ok
(19) } # Auth-Type Perl = ok
(19) Sent Access-Accept Id 30 from ...18:1812 to ...253:10575 length 0
(19) Reply-Message = “privacyIDEA access granted”
(19) Finished request
Waking up in 4.9 seconds.
(19) Cleaning up request packet ID 30 with timestamp +4885
Ready to process requests

Is my problem related to a bug with the Cisco FTD? Maybe the privacyIDEA RADIUS plugin needs a config option that I missed? Any help is appreciated.

Hi all, I wanted to let you know that I was able to fix my problem by reading past posts in the forum: deselecting the “password-management” option was the key. Thanks for all your help!

Dave_Baddorf

Jul '16

Cornelius,
Thanks for your help! After troubleshooting this further I found out that on the Cisco ASA, when the command “password-management” is used, the RADIUS requests to FreeRADIUS must use MS-CHAP instead of PAP. Once I removed that “password-management” command I was able to use two-factor authentication for the ASA VPNs, through FreeRADIUS to privacyIDEA.
I appreciate your great product!
Dave

On Thursday, July 21, 2016 at 4:29:07 PM UTC-4, Cornelius Kölbel wrote:

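As an added illustration of the diagnosis in Dave’s reply (this is example code, not from the thread or from privacyIDEA): a small Python check that reads FreeRADIUS debug output (`radiusd -X`) and reports, per Access-Request, whether the NAS sent a PAP User-Password that the privacyIDEA plugin can validate or an MS-CHAP exchange, which is what the ASA/FTD sends once password-management is on. The log lines, addresses and user names below are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed radiusd -X excerpt: request (0) is PAP (cleartext User-Password),
# request (1) carries MS-CHAPv2 attributes. Not taken from the thread's own logs.
SAMPLE_LOG = """\
(0) Received Access-Request Id 12 from 10.0.0.253:10575 to 10.0.0.18:1812 length 88
(0)   User-Name = "alice"
(0)   User-Password = "123456"
(0)   NAS-IP-Address = 10.0.0.253
(1) Received Access-Request Id 13 from 10.0.0.253:10575 to 10.0.0.18:1812 length 160
(1)   User-Name = "bob"
(1)   MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
(1)   MS-CHAP2-Response = 0x00000102030405060708090a0b0c0d0e0f10
(1)   NAS-IP-Address = 10.0.0.253
"""

# Standard RADIUS attribute names as FreeRADIUS prints them in debug output.
PAP_ATTRS = {"User-Password"}
MSCHAP_ATTRS = {"MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response"}
CHAP_ATTRS = {"CHAP-Password"}

# "(id)   Attribute-Name = value"; lines such as "(0) Received ..." do not match.
ATTR_LINE = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")


def auth_methods(log: str) -> Dict[str, str]:
    """Map each request id to 'PAP', 'MS-CHAP', 'CHAP' or 'unknown'."""
    seen: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
    methods: Dict[str, str] = {}
    for rid, names in seen.items():
        if names & PAP_ATTRS:
            methods[rid] = "PAP"
        elif names & MSCHAP_ATTRS:
            methods[rid] = "MS-CHAP"
        elif names & CHAP_ATTRS:
            methods[rid] = "CHAP"
        else:
            methods[rid] = "unknown"
    return methods


def otp_compatibility_report(log: str) -> List[str]:
    """One finding per request whose password is not sent in a form an OTP check can use."""
    return [f"({rid}) {method} request: the OTP cannot be validated by the privacyIDEA "
            f"plugin; make the NAS send PAP (on ASA/FTD, remove password-management)"
            for rid, method in sorted(auth_methods(log).items()) if method != "PAP"]
```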