ACS 5.3 Stripping Radius User Prefix
Hi,
I have configure my ACS 5.3 to strip the prefix of the radius username (Domain\weekwang) it received and I also configured my ACS as the External Radius Server. However, this does not seem to work. The authentication protocol that I am using is PEAP Mschap v2.
I have read inside this forum that due to the fact that the radius username and password is transited inside the TLS tunnel of the PEAP MsChap v2 thus ACS is not able to do the stripping as it is not allow to touch anything inside the TLS tunnel. Please advice if I have get the concept correctly.
Rgds
Hi Steven,
this is unfortunately correct. Using yourself as radius proxy is a great workaround to strip things.
However, by design if you use an external database (LDAP or proxy radius server), the mschapv2 encryption of the password makes it impossible to authenticate the user since the tunnel is ended on the first ACS. It will work with PEAP-GTC but all mschapv2 methods will fail.
Nicolas
Similar Messages
-
ISE: test-radius user check fails
The ISE user guides suggest to use a username called 'test-radius' as option to the 'radius-server host' commands. This will cause the respective NAD (a Cat3560 in my case) to make an authentication check on each configured ISE every 60 minutes.
The problem is that every hour I see an authentication failure for this user, but ONLY on my second ISE (I'm running a Standalone HA deployment). Since both hosts should replicate the same user DB, why would it only fail on the second ISE? When I direct end-user login authentications to the second ISE exclusively, they will be passed normally.
See the attached screenshot of the failed authentication attempt for the test-radius user. I've been seeing this with ISE 1.1 as well as 1.1.1.
The relevant config on the switch is:
username test-radius secret 5 <snipped>
radius-server host 172.26.10.35 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
radius-server host 172.26.10.36 auth-port 1812 acct-port 1813 test username test-radius key 7 <snipped>
Questions:
- How can I get rid of that error?
- Is that test-radius option of much use at all in an ISE setup? As far as I could find out, it would be a measure to figure out if the second ISE policy server is running at all as long as the first one hasn't failed.
Thanks for any help.
ToniHi Toni,
I believe you do not see any Access-Requests with the 'test-radius' on your primary ISE PDP server at all. The reason is simply that this server is already known as alive due to the regular Access-Requests for user authentication, so there is really no reason for checking its availability.
Obviously this does not explain the behavior why the test request is failing. Anyhow,sniffing the RADIUS request packets from your switch towards the ISE should bring light into the darkness.
If you are having a switch with software version 12.2X (Test switch: WS-C3560G-48PS, C3560-IPBASEK9-M, 12.2(53)SE2) the encrypted password contained does not match the one that you have locally configured on the switch (You may want to use Wireshark as proof).
On the other hand, if you are having a switch with software version 15.0X (Test switch: WS-C3560X-48P, C3560E-UNIVERSALK9-M, 15.0(1)SE3) the encrypted password contained does match the one that you have locally configured. Side node: It will not work with an MD5 encrypted password, so you have to use 'username test-radius password '.
However, this whole behavior does not affect user authentication at all and is hence only cosmetic. For the switches itself it only matters if it gets a response from the ISE (RADIUS) to know if it is alive or not.
Hi Tarik,
Testing with the 'test aaa...' command does not result in the 'Authentication Failure', that Toni had mentioned.
Kind regards and hth,
Stephan
*Please rate helpful posts* -
WCS setup RADIUS users Lobby Ambassador Defaults
Hi
I'm using RADIUS so my users can use their active directory credentials to login WCS and generate guest users accounts...
But I would like to setup some Lobby Ambassador Defaults, I can easily do ths for local users on the WCS system, but how to setup defaults for RADIUS users?
Best Regards,
Steffen.Hi Scott
Tanks for your reply.
I've allready read the article, but I can't see that it says anything about setting up Defaults for the users, only which task the should be able to do...
I would like to setup defaults for the radius users, so when they are authenticated as lobby abassadors the do not need to select which SSID the a generating a guest user account for and so on...
This is possible for local WCS users, but i need to setup these defaults for my RADIUS authenticated users.
Best Reards
Steffen
And btw.. this dicussion was started by me.. https://supportforums.cisco.com/thread/2115616 -
Can i use my ACS 5.2 as Guest user athentication server
Hi,
Is this possible?
MarlonThere is no a specific feature in the ACS to automatically generate random users/password, but you can definitely create them manually yourself under Users and Identity Stores/Users.
You can create the guest account there and assign those users to a guest group as well.
Here is the documentation just in case:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1287418 -
Can ACS run TACACS+ adn RADIUS concurrently?
I know that ACS supports both TACACS+ and RADIUS protocols. My question is can ACS run TACACS+ and RADIUS concurrently?
Once you go into Network Configuration, you enter the Network Device Group you want to add the device to. Select the option to add a client device and input the information, but enter a different client hostname, with the same IP Address in each seperate Network Device Configuration. You can specify which Network Device Group for the client to use, and in the specific group is where you will specify which resources the client members will be able to access. I specified a few different groups with different access restricitions, because I didn't want the Dial -In or Wireless people to have Admin Access to my TACACS+ configured devices...
Let me know if this helps... -
User authentication in Cisco ACS by adding external RADIUS database
Hi,
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
Any help on this would be really grateful to me.
Thanks and Regards,
Rahul.Thanks Ajay,
As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
-> In external user databases, i have added a external RADIUS token server.
-> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
-> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
Here is what i found in "Failed attempts" logs under Reports and activities.
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
Filtering is not applied.
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
02/28/2012
00:42:18
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:41:33
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:31:52
Unknown NAS
Am i missing any thing in configuration side with respect to ACS?
Thanks -
Import Steel Belted Radius users to ACS
Is there a method to import SBR (local) users into ACS? Perhaps via some intermediate tool? The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?
Hi Tarik
That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools. So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?
The passwords are stored directly in the SBR server. I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course. However, the issue is that the passwords are not exported in plain text. If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file. If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form. -
Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password
Dear all,
Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
Best regards,
PiotrIf this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
I am sorry if I am not able to help but I am not using the anyconnect for production.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Adding AAA servers to ACS to use Proxy RADIUS distribution Table
Hello,
I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard, and port to which the others servers are listening to. How can I change this behaviour?
Thanks
GustavoACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 reuests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
"authPort"=dword:0000066e <<---- 1645
"acctPort"=dword:0000066d <<---- 1646
"timeout"=dword:00000001
"single connection"=dword:00000000
"strip users"=dword:00000000
You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above. -
ACS 4.2 Windows Radius Attributes for VPN-dial-in
Hello,
this Situation:
Remote-User establish a VPN-Connection (AnyConnect) to a ASA 8.4, ASA forwards Authentication to ACS 4.2. , ACS should assign IP-Adress from a Adress-Pool dependent on GroupMembership (LDAP)
the Problem:
the User gets an IP-Config with a Default-Gateway which is always the 3.Address of the IP-Pool (IP-Pools are /28 Ranges), the Mask is ok (/32).
On the ASA-Log I can see a Message:
%ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
I've assigned following Attibutes:
IP Assignement: Assigned from AAA server pool (the accordant pool is selected)
IETF Radius Attributes:
006 Service Type: Framed
007 Framed Protocol: ppp
009 Framed-IP-Netmask: 255.255.255.255
(not sure about) 022 Framed-Route: 0.0.0.0
025 Class: <Group-Policy of ASA>
does anyone of you know, what I'm making wrong?
on The ASA I can't find any settings.
Thanks for any adviceO'Brien Simon
Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ? As this is what I was about to ask but noticed your post.
Many thanks
florrieford -
ACS and APC UPS - radius authentication
Has anyone configured their APC UPS network managment cards to authenticate to ACS. The cards support radius, and I have that working, but the user only works as read only. How can I get them to work at at admin level ? I am not sure how to pass the attibutes back to the UPS.
Thanks for any tips.
RandySave the following into an ini file and use the CS Utils feature to import the UDF / VSA
Don't include the lines "====" bits!
You can rename the Admin/Device/ReadOnly to what ever you like as the interger value is what is important, the name is only used byt the ACS interface for displaying the options in the HTML.
=====================================
[User Defined Vendor]
Name=APC Devices
IETF Code=318
VSA 1=APC-Service-Type
[APC-Service-Type]
Type=INTEGER
Profile=OUT
Enums=APC-Auth-Type
[APC-Auth-Type]
1=Admin
2=Device
3=ReadOnly
===================================== -
Cisco ACS 4.2 and Radius authentication?
Hi,
I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful post~ -
ACS 3.3 Send Radius Attribute 135 & 136
Hi
I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
Would anyone know how I can enable these ?
Thanks
LeonHi Leon,
That is quite strange. You should have those attributes.
As you mentioned you have ACS SE, if you could console into it. Issue command,
stop csadmin
start csadmin
Or rebooting ACS SE will re-start the CSAdmin server.
If you are restarting services from, System Configuration > Service Control, then that wont restart the CSAdmin service.
Give that a try.
Regards,
Prem -
ACS 4.0.2 Radius Authentication Setup
Dear Experts,
I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.
As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844
I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1:
Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2:
In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.
After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
Kindly help as it is not mentioned in the documentation available with me.
Regards,
KarthikHello,
As per the ASCII and HEXA settings concern you might want to ignore those fields and leave them as they are by default.
As per the "Bad request from NAS" and "Invalid message authenticator in EAP request" it is 99% of the times a Shared Secret Mismatch.
Under the ACS Interface Configuration > Advanced Options > Is the Network Device Groups option enabled? If yes, please check the Shared Secret Key at the NDG level where the device was created. Remember the NDG Shared Secret takes precedence over the one configured on the AAA Client entry itself.
Attaching an Example:
AAA client with Shared Secret as "Cisco123":
NDG Entry (which allocates AAA clients) with Shared Secret as "cisco"
In order to check the NDG Shared Secret go to Network Configuration > Click the appropriate NDG > Scroll to the bottom and click on Edit Properties.: -
Assign ip pool per nas on ACS 3.2 with radius
Hello
is it possible to assign different ip pools defined on the ACS to different NAS? For eg. I like to assign the IP pool x to the NAS X and the IP pool y to the nas Y. So if a user logins in to X he gets the pool x and on Y the pool y.
thanks for any answers.
AndreIts not possible to assign end users an ip address based on the NAS equipment that they currently are connected too.
Maybe you are looking for
-
How can i use a second router to replace verizon fios router?
Okay so just as the title says how do i use a second router? I got a cisco valet router... I don't know how to use it because the verizon router/modem is wierd i know how to use a router if i only had a modem but fios gives router/modem so how can i
-
Hi all In case there's a problem with the wiki, I thought I should say that I couldn't get the static IP instructions in the Beginner's Guide to work for me. As a new user the problem was likely to be with me, although I did notice the same complaint
-
New field in field catalog in MC21
hi masters i have to create a charecteristic in infostructure and the reference data element should be there in field catalogs in the 2nd screen (pop up) of tr. MC21. But im not able to find one suitable data element. Is there any way to create our o
-
Photoshop cs5 update has deleted 64bit version
Running this mornings 12/14/10 updates has lead to the deletion of Photoshop cs5 64bit.I have the 32bit version but cannot point any of my files to this through the file association default settings. I am running on Windows 7. I also cannot change th
-
If I do this will other user on this Mac be able to submit (and share) more in that same folder? Building up one continuous shared media folder.