AnyConnect syslog AAA user authentication rejected

davparker
Level 1

I have some locally managed FTDs. I'm parsing syslog data for VPN auth failures. The FDM FlexConfig won't allow some of the simplest changes like "no logging hide username" (bug). Anyway, most of the AAA user authentication errors indicate reason = Unspecified and the username is "*****". But there are some log entries that report the actual username and reason = Invalid password. I checked AD, and it appears that the usernames displayed are actual accounts in AD. I can't tell about the others, as I am unable to display the actual username that was attempted. I'm wondering why the difference in the syslog messages. I'm unable to find what "Unspecified error" means. Was that caused by AnyConnect or someone failing auth through the web client? Or maybe those accounts don't actually exist in AD, so it lists "*****" and generates the Unspecified error?

Thanks,
David

 

Accepted Solution

tvotna
Spotlight

This is by design. From the feature description:

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

So, if you see ****, the user doesn't exist, and if you see the username and the reason is "Invalid password", the user exists, but password is incorrect. The reason is shown as "Unspecified error" just to hide further details.

Also described here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_8293726

113005

Error Message %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = ip_addr : user = *****: user IP = ip_addr

Explanation The AAA authentication on a connection has failed. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.

 


12 Replies


You can't configure "no logging hide username" using FlexConfig on a locally managed FTD device. It incorrectly throws a syntax error upon validation. At most it should throw a warning and let you proceed. I am also standing up FMC-managed firewalls at another location, and this was not an issue there. FlexConfig seems mostly broken in FDM. This makes handling security incidents much more problematic. We are working on bringing all of our firewalls into FMC, but that will take time. Meanwhile I'm left partially blinded on these FDM-managed devices.

I remember somebody reported that he managed to get FlexConfig working by configuring "no loggin hide username" (logging without the last G). I don't believe this is true, although there is a bug which says the same:

CSCvj02826 Need a way to negate "logging hide username" in FTD

 

@tvotna This actually worked. I ran this up in CDO with our test FTD VPN, and FlexConfig took the command "no loggin hide username".

Ahh, I just realized you confirmed my suspicions. If the username is invalid, it is all *.

Thanks
David

Check above 

Thanks 

MHM

Believe it or not, this is how it works.

 

For this point, did you check it?

MHM

davparker
Level 1

I started seeing entries in our syslog like the following:

AAA user authentication Rejected : reason = User was not found : local database

What sort of VPN auth attempt tries against the local database? We don't have fallback to local database enabled.

There are two possibilities.

1. You have not patched FTD and it is vulnerable to https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

CSCwh23100 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability
CSCwh45108 Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

In this case you need to update it.

2. You're running a fixed version but didn't implement hardening measures. In this case connection attempts may hit the DefaultWEBVPNGroup connection profile; that is why you see such messages. Refer to the following doc:
https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Read the following discussion too:
https://community.cisco.com/t5/network-security/cisco-asa-anyconnect-ddos-protection/m-p/5050819/highlight/true#M1110394

 
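The accepted solution above explains how to read the 113005 messages (a masked "*****" user means the account does not exist or its validity is unknown; a visible username with "Invalid password" means the account exists), and this reply explains that "User was not found : local database" on a box with no local fallback points at attempts landing on an unhandled connection profile. The following parser and classifier turns both rules into a small detection routine for the syslog data the original poster is collecting. It is an added example, not code from Cisco or from anyone in this thread; the log lines, IP addresses and usernames in it are constructed to match the message formats quoted in the thread, and the "local_fallback_enabled" flag and the category names are this example's own assumptions.

```python
"""Classify Cisco ASA/FTD %ASA-6-113005 AAA rejection messages."""
import re
from collections import Counter

# Constructed sample lines modelled on the formats quoted in the thread.
# The fourth line copies the "local database" message from the question;
# the others follow the documented 113005 layout. All values are made up.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected: reason = Unspecified: server = 10.0.0.5: user = *****: user IP = 198.51.100.23
%ASA-6-113005: AAA user authentication Rejected: reason = Invalid password: server = 10.0.0.5: user = jsmith: user IP = 198.51.100.23
%ASA-6-113005: AAA user authentication Rejected: reason = Unspecified: server = 10.0.0.5: user = *****: user IP = 203.0.113.9
AAA user authentication Rejected : reason = User was not found : local database
%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 10.0.0.5: user = jsmith: user IP = 192.0.2.77
"""

# The message ID prefix is optional because some collectors strip it.
RE_113005 = re.compile(
    r"(?:%ASA-\d-113005:\s*)?AAA user authentication Rejected\s*:\s*(?P<fields>.*)$"
)


def parse_113005(line):
    """Return a dict of reason/server/user/user_ip, or None for other lines."""
    m = RE_113005.search(line)
    if not m:
        return None
    rec = {"reason": None, "server": None, "user": None, "user_ip": None}
    # Fields are "key = value" pairs separated by colons (IPv4 addresses only,
    # so splitting on ":" is safe for these samples).
    for part in m.group("fields").split(":"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, _, value = part.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "reason":
                rec["reason"] = value
            elif key == "server":
                rec["server"] = value
            elif key == "user ip":
                rec["user_ip"] = value
            elif key == "user":
                rec["user"] = value
        else:
            # Bare token such as "local database": the auth source appears
            # without a "server =" key in this message variant.
            rec["server"] = part
    return rec


def classify(rec, local_fallback_enabled=False):
    """Map one parsed record to a review category (names are this example's own)."""
    user = rec["user"]
    reason = (rec["reason"] or "").lower()
    server = (rec["server"] or "").lower()
    if server == "local database":
        # With no local fallback configured, a local-database lookup means the
        # attempt hit an unintended profile (e.g. DefaultWEBVPNGroup) or the
        # device is unpatched: review either way.
        return "local-db-fallback" if local_fallback_enabled else "unexpected-local-db"
    if user is not None and set(user) == {"*"}:
        # Masked by "logging hide username": the account does not exist or
        # its validity is unknown, and the reason is deliberately unspecific.
        return "unknown-user"
    if reason == "invalid password":
        # Username shown: the account exists, the credential was wrong.
        return "bad-password"
    return "other"


def summarize(log_text, local_fallback_enabled=False):
    """Count categories overall and per source IP."""
    counts = Counter()
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_113005(line)
        if rec is None:
            continue
        cat = classify(rec, local_fallback_enabled)
        counts[cat] += 1
        by_ip.setdefault(rec["user_ip"] or "unknown", Counter())[cat] += 1
    return counts, by_ip


def noisy_sources(by_ip, threshold=2):
    """Source IPs with at least `threshold` failures worth a closer look."""
    watched = ("unknown-user", "bad-password", "unexpected-local-db")
    return sorted(ip for ip, c in by_ip.items() if sum(c[k] for k in watched) >= threshold)


if __name__ == "__main__":
    totals, per_ip = summarize(SAMPLE_LOG)
    print(dict(totals))
    print("review:", noisy_sources(per_ip))
```

Feed it the raw syslog export instead of SAMPLE_LOG; the "unexpected-local-db" count is the one to watch on an FTD that has no local-database fallback, and a rising "unknown-user" count from one source is the masked-username pattern the original poster could not attribute by hand.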

Some users that try to access using any username/password are directed to the default group policy, since the realm does not match.

You need a no-access policy for these users.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/216313-configure-ra-vpn-using-ldap-authenticati.html

MHM
