Windows Azure (Phone Factor) Multi-Factor Authentication Issues with Cisco ASA

0

I have a Cisco ASA security appliance and I am trying to use the Azure MFA Server on a domain member (virtual) server (Windows Server 2012 R2). The MFA server is installed, and configured correctly to the best of my knowledge.

When I run an AAA test from the Cisco CLI, it works fine:

test aaa-server authentication RADIUS

It asks me for the server IP address, and my domain credentials. The MFA system calls my phone, I enter my PIN and I get as successful test, as follows (debug output)

Attempting Authentication test to IP address <192.168.100.3> (timeout: 62 seconds)
alloc_rip 0xac1a30a4
    new request 0x80000005 --> 29 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x80000005 id 29
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 08 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x8
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
radius.c: rad_mkpkt

RADIUS packet decode (authentication request (retransmission))

--------------------------------------
Raw packet data (length = 80).....
01 1d 00 50 2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4    |  ...P,.r.>.....E.
4c 33 b9 1d 01 08 4d 6f 72 67 61 6e 02 22 80 0c    |  L3....Morgan."..
4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a 47 e1    |  L...fh..&.2E*.G.
5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71 04 06    |  Z.z5....I.\.uq..
c0 a8 64 fd 05 06 00 00 00 09 3d 06 00 00 00 05    |  ..d.......=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 29 (0x1D)
Radius: Length = 80 (0x0050)
Radius: Vector: 2C0D72E73ED90AD2A81945D44C33B91D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) = 
80 0c 4c b3 ba fc 66 68 e7 f2 26 db 32 45 2a 0a    |  ..L...fh..&.2E*.
47 e1 5a 19 7a 35 e3 07 e1 00 49 1a 5c c9 75 71    |  G.Z.z5....I.\.uq
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x9
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 29
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     2c 0d 72 e7 3e d9 0a d2 a8 19 45 d4 4c 33 b9 1d 
 : info 0xac1a31dc
     session_id 0x80000005
     request_id 0x1d
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 20).....
02 1d 00 14 4f b4 3f 0d 47 3e 85 48 c0 f2 eb 6f    |  ....O.?.G>.H...o
7d 92 19 14                                        |  }...

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 29 (0x1D)
Radius: Length = 20 (0x0014)
Radius: Vector: 4FB43F0D473E8548C0F2EB6F7D921914
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x80000005 id 29
free_rip 0xac1a30a4
radius: send queue empty
INFO: Authentication Successful

Hooray! It works! But, not so fast.

When I dial in from my remote client (which is just Windows 7 x64 DUN), the MFA RADIUS server rejects me (same exact credentials). To wit:

radius mkreq: 0x8d9
alloc_rip 0xac1a30a4
    new request 0x8d9 --> 22 (0xac1a30a4)
got user 'Morgan'
got password
add_req 0xac1a30a4 session 0x8d9 id 22
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 191).....
01 16 00 bf 38 24 5e c4 67 f8 67 f6 df a4 45 ad    |  ....8$^.g.g...E.
d9 bb 37 ca 01 08 4d 6f 72 67 61 6e 05 06 00 34    |  ..7...Morgan...4
d0 00 06 06 00 00 00 02 07 06 00 00 00 01 3d 06    |  ..............=.
00 00 00 05 42 11 31 39 32 2e 31 36 38 2e 31 30    |  ....B.192.168.10
30 2e 32 35 33 1a 18 00 00 01 37 0b 12 93 4e 09    |  0.253.....7...N.
d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68 1a 3a 00    |  ..c{.'.`...h.:.
00 01 37 19 34 01 00 64 74 e0 85 42 cc b2 0a 93    |  ..7.4..dt..B....
34 89 9e 8e 9e 3c aa 00 00 00 00 00 00 00 00 00    |  4....<..........
28 e9 58 f7 0e bf b1 15 43 c5 f8 79 a8 c8 4f 3f    |  (.X.....C..y..O?
08 e5 4f 13 a3 c9 c5 04 06 c0 a8 64 fd 1a 16 00    |  ..O........d....
00 0c 04 92 10 44 65 66 61 75 6c 74 52 41 47 72    |  .....DefaultRAGr
6f 75 70 1a 0c 00 00 0c 04 96 06 00 00 00 05       |  oup............

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 22 (0x16)
Radius: Length = 191 (0x00BF)
Radius: Vector: 38245EC467F867F6DFA445ADD9BB37CA
Radius: Type = 1 (0x01) User-Name
Radius: Length = 8 (0x08)
Radius: Value (String) = 
4d 6f 72 67 61 6e                                  |  Morgan
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x34D000
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 17 (0x11)
Radius: Value (String) = 
31 39 32 2e 31 36 38 2e 31 30 30 2e 32 35 33       |  192.168.100.253
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 11 (0x0B) MS-CHAP-Challenge
Radius: Length = 18 (0x12)
Radius: Value (String) = 
93 4e 09 d3 05 63 7b d1 7f 27 08 60 2e 8b a4 68    |  .N...c{.'.`...h
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 58 (0x3A)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 25 (0x19) MS-CHAP2-Response
Radius: Length = 52 (0x34)
Radius: Value (String) = 
01 00 64 74 e0 85 42 cc b2 0a 93 34 89 9e 8e 9e    |  ..dt..B....4....
3c aa 00 00 00 00 00 00 00 00 00 28 e9 58 f7 0e    |  <..........(.X..
bf b1 15 43 c5 f8 79 a8 c8 4f 3f 08 e5 4f 13 a3    |  ...C..y..O?..O..
c9 c5                                              |  ..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.100.253 (0xC0A864FD)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 22 (0x16)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 16 (0x10)
Radius: Value (String) = 
44 65 66 61 75 6c 74 52 41 47 72 6f 75 70          |  DefaultRAGroup
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 5 (0x0005)
send pkt 192.168.100.3/1645
rip 0xac1a30a4 state 7 id 22
rad_vrfy() : response message verified
rip 0xac1a30a4
 : chall_state ''
 : state 0x7
 : reqauth:
     38 24 5e c4 67 f8 67 f6 df a4 45 ad d9 bb 37 ca 
 : info 0xac1a31dc
     session_id 0x8d9
     request_id 0x16
     user 'Morgan'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.100.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 38).....
03 16 00 26 5e fd c0 10 be 94 4b 72 5f 0e 51 a8    |  ...&^.....Kr_.Q.
d3 5b 3a 65 1a 12 00 00 01 37 02 0c 01 45 3d 36    |  .[:e.....7...E=6
39 31 00 52 3d 31                                  |  91.R=1

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 22 (0x16)
Radius: Length = 38 (0x0026)
Radius: Vector: 5EFDC010BE944B725F0E51A8D35B3A65
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 18 (0x12)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 2 (0x02) MS-CHAP-Error
Radius: Length = 12 (0x0C)
Radius: Value (String) = 
01 45 3d 36 39 31 00 52 3d 31                      |  .E=691.R=1
rad_procpkt: REJECT
RADIUS_DELETE
remove_req 0xac1a30a4 session 0x8d9 id 22
free_rip 0xac1a30a4
radius: send queue empty

The DUN client is set up to use MS-CHAP-V2 exlcusively, and to require encryption. I can see from my syslog entries that the ASA is establishing the tunnel correctly, so it's not an IKE or L2TP issue.

I would note that the format of the RADIUS request itself is markedly different, as you can see. I don't see any Type 2 (User-Password) elements in the request coming (I assume) from the DUN client. I really don't understand RADIUS in detail, and I'm stumped.

I really need to get our employees back into this VPN. Ideas?

authentication
azure
vpn
cisco
radius
asked on Stack Overflow Aug 12, 2015 by Morgan Leppink • edited Sep 17, 2015 by halfer

1 Answer

0

OK, so after further research, I found my own answer to the question I asked.

Turns out that to have the domain authenticate an MS-CHAP-v2 request, NTLMv1 is required. To enhance security, our group policy has the "Network security: LAN Manager authentication level" set to 5 - Send NTLMv2 response only\refuse LM & NTLM (with NTLM here meaning NTLMv1). I changed this group policy setting to 4 - Send NTLMv2 response only\refuse LM (meaning allow NTLMv1 requests but respond only with NTLMv2) and now the Azure MFA (PhoneFactor) Radius Server works perfectly!

I would really like to switch this back to 5 (for security) so I'm still looking for a way to force the Azure MFA (PhoneFactor) Radius Server to authenticate against the domain using NTLMv2 instead. I will post here if I find a way to make that work. But for now, at least I'm back into our 2-factor VPN.

answered on Stack Overflow Aug 13, 2015 by Morgan Leppink

User contributions licensed under CC BY-SA 3.0