Cisco Bug: CSCvu90727 - Native VPN client with EAP-TLS authentication fails to connect to ASA

Last Modified

Sep 11, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3.12)

Description (partial)

Symptom:
Using the native VPN client on Windows 10 or macOS, the connection to the ASA fails when EAP-TLS is used for authentication.

What we see is that AAA on the firewall fails to build the RADIUS packet during the TLS exchange between the RADIUS server and the client:

Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PLAT-4: (42): EAP message forwarded to AAA shim successfully
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber started
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, build request attributes
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-7[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, authenticating user
Jul 06 2020 11:40:54: %ASA-7-711001: radius mkreq: 0x485
Jul 06 2020 11:40:54: %ASA-7-711001:     old request 0x485 --> 69 (0x00007fce454762b0), state 3
Jul 06 2020 11:40:54: %ASA-7-711001: wait pass - pass '***'. make request
Jul 06 2020 11:40:54: %ASA-7-711001: RADIUS_REQUEST
Jul 06 2020 11:40:54: %ASA-7-711001: radius.c: rad_mkpkt
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt: ip:source-ip=10.10.110.10
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt_authen() fail
Jul 06 2020 11:40:54: %ASA-7-711001: Resetting 10.10.110.1's numtries
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA response=REJECT
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA call returned failure -1, error code 1
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber exit
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, async callback
Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PLAT-2: (42): EAP: Failure reported in AAA status response in AAA EAP passthrough callback, Authentication failed., status 1.
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Request complete
Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PROTO-2: (42): Authenticator sent NULL EAP message

Conditions:
Native VPN client using EAP-TLS to authenticate the client.
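The debug excerpt above has a distinctive signature: a rad_mkpkt_authen() failure on the ASA itself, followed by an AAA REJECT for the same request, without any RADIUS exchange with the server. The following is an added example (not Cisco's code and not part of this bug record) that scans ASA debug output for that pattern and separates it from an ordinary Access-Reject returned by the RADIUS server. The first sample is taken from the log lines on this page; the second sample is constructed to show a server-side reject, and the "packet-build-failure" / "server-reject" labels and the regexes are this example's own assumptions about the log format, not Cisco syslog definitions.

```python
import re
from dataclasses import dataclass

# Generic ASA syslog prefix: "Jul 06 2020 11:40:54: %ASA-7-711001: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-\d+: (?P<msg>.*)$"
)
# AAA shim lines carry the fiber id and the request context (IP, tunnel group, user).
SHIM_RE = re.compile(
    r"AAA/SHIM-\d+\[(?P<fiber>[^\]]+)\]: IP=(?P<ip>[^,]+), TG=(?P<tg>[^,]+), "
    r"User=(?P<user>[^,]+), (?P<event>.*)"
)

# Lines copied from the debug excerpt on this page (subset).
PAGE_LOG = """\
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber started
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-7[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, authenticating user
Jul 06 2020 11:40:54: %ASA-7-711001: radius mkreq: 0x485
Jul 06 2020 11:40:54: %ASA-7-711001: radius.c: rad_mkpkt
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt_authen() fail
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA response=REJECT
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber exit
"""

# Constructed sample (not from the page): the ASA built the request and the
# RADIUS server answered with a reject, so there is no rad_mkpkt_authen() failure.
SERVER_REJECT_LOG = """\
Jul 06 2020 12:01:03: %ASA-7-711001: AAA/SHIM-8[984:15]: IP=10.10.110.11, TG=DefaultRAGroup, User=OtherUser, Fiber started
Jul 06 2020 12:01:03: %ASA-7-711001: AAA/SHIM-7[984:15]: IP=10.10.110.11, TG=DefaultRAGroup, User=OtherUser, authenticating user
Jul 06 2020 12:01:03: %ASA-7-711001: radius.c: rad_mkpkt
Jul 06 2020 12:01:03: %ASA-7-711001: AAA/SHIM-4[984:15]: IP=10.10.110.11, TG=DefaultRAGroup, User=OtherUser, AAA response=REJECT
Jul 06 2020 12:01:03: %ASA-7-711001: AAA/SHIM-8[984:15]: IP=10.10.110.11, TG=DefaultRAGroup, User=OtherUser, Fiber exit
"""


@dataclass
class Finding:
    timestamp: str
    fiber: str
    user: str
    ip: str
    tunnel_group: str
    reason: str  # "packet-build-failure" (local, matches this page) or "server-reject"


def classify_rejects(log_text: str) -> list[Finding]:
    """Walk ASA debug output and label every AAA REJECT by its likely cause."""
    findings: list[Finding] = []
    mkpkt_failed = False  # seen rad_mkpkt_authen() fail in the current request
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        shim = SHIM_RE.search(msg)
        if shim is None:
            # Non-shim line: only the local packet-build failure is of interest here.
            if "rad_mkpkt_authen() fail" in msg:
                mkpkt_failed = True
            continue
        event = shim.group("event")
        if event.startswith("Fiber started"):
            mkpkt_failed = False  # new AAA request, reset per-request state
        elif "AAA response=REJECT" in event:
            reason = "packet-build-failure" if mkpkt_failed else "server-reject"
            findings.append(Finding(ts, shim.group("fiber"), shim.group("user"),
                                    shim.group("ip"), shim.group("tg"), reason))
            mkpkt_failed = False
    return findings


if __name__ == "__main__":
    for sample in (PAGE_LOG, SERVER_REJECT_LOG):
        for f in classify_rejects(sample):
            print(f"{f.timestamp} fiber={f.fiber} user={f.user} ip={f.ip} "
                  f"tg={f.tunnel_group} reason={f.reason}")
```

Run against `debug radius all` / `debug aaa shim` style output captured from the ASA; a "packet-build-failure" label means the request never left the firewall, so checking the RADIUS server's own logs for the reject will find nothing, whereas a "server-reject" points at the server-side policy or client certificate instead.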