...
Using the native VPN client on Windows 10 or Mac OS X fails to connect to the ASA when EAP-TLS is used for authentication. What we see is that AAA on the firewall fails to make the RADIUS packet during the TLS exchange between the RADIUS server and the client:

Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PLAT-4: (42): EAP message forwarded to AAA shim successfully
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber started
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, build request attributes
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-7[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, authenticating user
Jul 06 2020 11:40:54: %ASA-7-711001: radius mkreq: 0x485
Jul 06 2020 11:40:54: %ASA-7-711001: old request 0x485 --> 69 (0x00007fce454762b0), state 3
Jul 06 2020 11:40:54: %ASA-7-711001: wait pass - pass '***'. make request
Jul 06 2020 11:40:54: %ASA-7-711001: RADIUS_REQUEST
Jul 06 2020 11:40:54: %ASA-7-711001: radius.c: rad_mkpkt
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt: ip:source-ip=10.10.110.10
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt_authen() fail
Jul 06 2020 11:40:54: %ASA-7-711001: Resetting 10.10.110.1's numtries
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA response=REJECT
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA call returned failure -1, error code 1
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Fiber exit
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, async callback
Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PLAT-2: (42): EAP: Failure reported in AAA status response in AAA EAP passthrough callback, Authentication failed., status 1.
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-8[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, Request complete
Jul 06 2020 11:40:54: %ASA-7-711001: IKEv2-PROTO-2: (42): Authenticator sent NULL EAP message
Native VPN client using EAP-TLS to authenticate the client.
N/A. Move to 9.10.1.32 code, as the issue does not occur on this version.
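
A triage sketch for the debug output above, added here as an example and not Cisco's own tooling: it labels each `AAA response=REJECT` by whether `rad_mkpkt_authen() fail` was logged for that attempt, which separates the packet-build failure described on this page from other rejects. The function name, the cause labels, and the last two sample lines (user `OtherUser`, IP `192.0.2.20`) are constructed for illustration.

```python
import re

# Lines 1-4 are copied from the debug output on this page. Lines 5-6 are
# constructed (hypothetical user and IP) to show a REJECT that has no
# preceding packet-build failure.
SAMPLE = """\
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-7[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, authenticating user
Jul 06 2020 11:40:54: %ASA-7-711001: radius.c: rad_mkpkt
Jul 06 2020 11:40:54: %ASA-7-711001: rad_mkpkt_authen() fail
Jul 06 2020 11:40:54: %ASA-7-711001: AAA/SHIM-4[983:14]: IP=10.10.110.10, TG=DefaultRAGroup, User=TestUser, AAA response=REJECT
Jul 06 2020 11:41:10: %ASA-7-711001: AAA/SHIM-7[984:2]: IP=192.0.2.20, TG=DefaultRAGroup, User=OtherUser, authenticating user
Jul 06 2020 11:41:10: %ASA-7-711001: AAA/SHIM-4[984:2]: IP=192.0.2.20, TG=DefaultRAGroup, User=OtherUser, AAA response=REJECT
"""

LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-\d+: (?P<body>.*)$")
SHIM = re.compile(r"^AAA/SHIM-\d+\[[\d:]+\]: IP=(?P<ip>[^,]+), TG=(?P<tg>[^,]+), "
                  r"User=(?P<user>[^,]+), (?P<msg>.*)$")

def classify_rejects(text):
    """Label each AAA REJECT by whether rad_mkpkt_authen() failed just before it.

    The radius debug lines carry no session id, so the failure is tied to the
    attempt by ordering only (assumption: debugs for attempts are not interleaved).
    """
    results, mkpkt_failed = [], False
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        body = line["body"]
        shim = SHIM.match(body)
        if shim and shim["msg"] == "authenticating user":
            mkpkt_failed = False                      # a new attempt starts
        elif "rad_mkpkt_authen() fail" in body:
            mkpkt_failed = True                       # ASA could not build the packet
        elif shim and shim["msg"] == "AAA response=REJECT":
            cause = "asa-packet-build-failure" if mkpkt_failed else "reject-without-build-failure"
            results.append({"time": line["ts"], "user": shim["user"], "ip": shim["ip"],
                            "tunnel_group": shim["tg"], "cause": cause})
            mkpkt_failed = False
    return results

if __name__ == "__main__":
    for r in classify_rejects(SAMPLE):
        print(r)
```
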