Unsuccessful ACS to RADIUS token server exchange

Hello team:
We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.
When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes in the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS treats this answer as an error, so the transaction fails.
In order to compare with another platform working as RADIUS server, we replaced our FreeRadius token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS-to-ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
(1) Framed-IP = 255.255.255.255
(2) Class = 0x434143533a302f356662622f37663030303030312f31383133
We went back to our FreeRadius as the external RADIUS server of our ACS and configured it to generate and return exactly the previous kind of message to the ACS working as RADIUS client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
So we are missing something.
Did anyone manage to make ACS query an external RADIUS server successfully? We would appreciate any hints!
Thank you very much in advance.
Rogelio Alvez
Argentina

Thanks for the interest Tarik!
Here you have the debug from both sides, ACS 4.2 and FreeRadius, for the same authentication event:
ACS Debug from a terminal monitor
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
2w1d: AAA/AUTHEN (4096347873): status = GETUSER
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: RADIUS: ustruct sharecount=1
2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
2w1d:         Attribute 4 6 C0A800CB
2w1d:         Attribute 5 6 00000007
2w1d:         Attribute 61 6 00000005
2w1d:         Attribute 1 15 63616D61
2w1d:         Attribute 31 15 3139322E
2w1d:         Attribute 2 18 893A4B64
2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
2w1d:         Attribute 18 12 52656A65
2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
2w1d: AAA/AUTHEN (4096347873): status = FAIL
2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
2w1d: AAA/AUTHEN/START (2072451976): found list pepe
2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
2w1d: AAA/AUTHEN (2072451976): status = GETUSER
Freeradius Debug
rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
    User-Name = "camara/829113"
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 6372
    NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
    User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
# Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
++[auth_log] returns ok
[IPASS] Looking up realm "camara" for User-Name = "camara/829113"
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "829113"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
++[files] returns noop
++[control] returns noop
rlm_perl: Response: 201: Succeeded
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/vuserver
+- entering group Perl {...}
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
Sending Access-Accept of id 23 to 192.168.0.3 port 3912
    Framed-IP-Address = 255.255.255.255
    Class = 0x434143533a302f3265662f37663030303030312f31383133
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 23 with timestamp +575
Ready to process requests.
Inside the file archive.zip you'll find:
cap_freeradius.cap (communication sniffed between the ACS and the FreeRadius)
captura2acsOK.pcapng (communication sniffed between ACS 1 and ACS 2, where everything is OK)
If you need more information or output please let me know.
Rogelio
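The FreeRADIUS debug above shows an Access-Accept for id 23 leaving with only Framed-IP-Address and Class, while the ACS side never shows it being used. One check worth running on cap_freeradius.cap is whether that reply's Response Authenticator validates against the Request Authenticator of the matching Access-Request and the shared secret configured on both sides: RFC 2865 requires a RADIUS client to silently discard a reply whose Response Authenticator does not match, and from the client's side that is indistinguishable from "no valid answer". The Python below is an added example, not code from the poster, from ACS or from FreeRADIUS. It builds an Access-Accept carrying the two attributes from the debug, parses it back, decodes the Class value, and verifies the authenticator; the shared secret and the 16-byte Request Authenticator are constructed values and must be replaced with the real ones from the capture and the ACS/FreeRADIUS configuration.

```python
import hashlib
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_FRAMED_IP_ADDRESS, ATTR_REPLY_MESSAGE, ATTR_CLASS = 8, 18, 25
ATTR_NAMES = {8: "Framed-IP-Address", 18: "Reply-Message", 25: "Class"}

# Constructed inputs: the secret and the Request Authenticator are made up for
# this example (take the real ones from the capture and the server config).
# The Class value is the one the FreeRADIUS debug above shows being sent.
SHARED_SECRET = b"example-secret"           # assumption, not the poster's secret
REQUEST_AUTHENTICATOR = bytes(range(16))    # constructed 16-byte Request Authenticator
CLASS_VALUE = bytes.fromhex("434143533a302f3265662f37663030303030312f31383133")


def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply. RFC 2865 s.3 defines the Response Authenticator as
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(packet):
    """Return [(type, raw_value), ...]; raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match packet size %d" % (length, len(packet)))
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True if this reply was produced with `secret` for the request whose
    authenticator is `request_auth`. A client must silently discard a reply
    that fails this check, so a secret mismatch looks like no reply at all."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected


def describe(attrs):
    """Render attributes the way the debugs above print them."""
    out = []
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attribute-%d" % atype)
        if atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            out.append((name, socket.inet_ntoa(value)))
        elif atype in (ATTR_CLASS, ATTR_REPLY_MESSAGE):
            out.append((name, value.decode("ascii", "replace")))
        else:
            out.append((name, value.hex()))
    return out


if __name__ == "__main__":
    # Reply id 23 with the two attributes FreeRADIUS reported sending.
    reply = build_response(ACCESS_ACCEPT, 23, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                           [(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("255.255.255.255")),
                            (ATTR_CLASS, CLASS_VALUE)])
    print("valid with the right secret:",
          verify_response_authenticator(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print("valid with a wrong secret:  ",
          verify_response_authenticator(reply, REQUEST_AUTHENTICATOR, b"wrong"))
    for name, value in describe(parse_attributes(reply)):
        print("    %s = %s" % (name, value))
```

To test a real reply, feed `verify_response_authenticator` the raw UDP payload of the Access-Accept from the capture, the 16 bytes at offset 4 of the Access-Request it answers, and the secret configured for that client on the FreeRADIUS side; a False result means the two sides disagree on the secret (or something rewrote the packet in transit) and the ACS would drop the reply before ever looking at its attributes. An empty Access-Accept is just the 20-byte header and parses to no attributes, which is the case the poster says ACS should accept.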

Similar Messages

  • ACS 4.2 RDBMS Action 105/108 - How to set to something other than default "RADIUS Token Server"

    I'm trying to create an import script for RDBMS to import users, but cannot figure out how to set the "PASS_TYPE_RADIUS_TOKEN" to something other than the default of "RADIUS Token Server".  We have multiple RADIUS Token Server definitions.
    I can create a user with what I need, except external db password is set to "RADIUS Token Server".  How do I set it to (for example) something like "RADIUS Token Server - xxxx"
    We have more than 1 RADIUS Token Server definition called "RADIUS Token Server - xxxx", "RADIUS Token Server - yyyy". 
    Thanks!

    As per my knowledge you have to update the 4.2 ACS to 5.1, because when you go for RDBMS synchronization it won't allow you. I faced this problem in the past while the primary ACS was 4.1 and the secondary was 4.2; I updated the primary ACS to 4.2 and everything is working fine.

  • ISE Admin Access Authentication to RADIUS Token Server

    Hi all!
    I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
    Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
    Thanks in advance,
    Michael Langerreiter

    ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.
    Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
    Last Modified: Nov 25, 2014
    Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances
    Known Affected Releases: 1.3(0.876)
    Description (partial)
    Symptom: ISE 1.3 RBAC fails with shadow user & Radius token. Operations > Reports > Deployment Status > Administrator Logins report shows "Authentication failed due to zero RBAC Groups".
    Conditions: RBAC with shadow user & Radius token

  • 802.1x ACS RSA Secure ID/Safeword Token server

    Hello, We are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and log in to our wireless network. They would then be prompted for their login and password, which would be their Badge ID and their token credentials.
    We are using an Airespace wireless security device; we specify ACS as the 802.1x RADIUS server. Airespace is sending the requests to ACS just fine, but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the Airespace wireless security device. The log below reflects this.
    We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA server as our Radius Token Server, set the unknown user DB to that server and test auth, we are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XP SP1, as we would hate to have to install software on every client's laptop.
    A wireless client of ours DID work when we specified EAP-GTC on the client side, but it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our RADIUS strings are correct etc. Safeword is listening on 1812, but also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?)
    The failed attempts log shows "External DB Auth Failed".
    Here is a snip of the CSRadius/RDS.log when we try to auth: when we sniff traffic we see the EAP request and the RADIUS reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further, test, or make forward progress in any way, please do. Thank you all in advance.
    Cisco RDS log attached.

    The problem could be with your Secure ID RSA server.

  • How to configure AD and Token server (over radius) authentication

    Dear forum,
    I have a scenario where users should be allowed network access after they have given their AD credentials and a token (Blackshield Token server).
    The token server speaks RADIUS to the Cisco ACS appliance. I have managed to get users authenticated by means of their AD credentials. I am, however, not able to use both means in order to have a successful authentication.
    Does anyone have a configuration example for this scenario? Any help would be greatly appreciated.
    Thanks!!!

    Hi,
    I have had two deployments using this form of authentication.
    Just so we are on the same page, the token servers that I have integrated connect to an Active Directory server running NPS (MS RADIUS); the user then has to send their password+token, and the token software checks the account password, and then the token, to see if the user succeeds.
    Let me know if that is the design of your software. If it is, then all you need to do is configure the token software to run on radius and then set the policies up from there. From the network device standpoint it just needs to point to the radius server.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool, which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works); however, it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    The following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "Radius Identity Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS, but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up. I would start troubleshooting by looking at them and seeing what identity store or identity store sequence they are using.

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone could share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any success message once ACS gets the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct.
    In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • Edge Transport Server - Exchange 2013 coexistence Exchange 2007

    Hi Exchange-Gurus,
    We have one Exchange Org.
    sub AD Domain1: A.domain.com (with Exchange 2007 SP3 R10)
    sub AD Domain2: B.domain.com (with Exchange 2013 CU6); DMZ contains Exchange Transport Server - Exchange 2013
    Is it possible to install an Edge Transport Server - Exchange 2013 within the DMZ of AD Domain1?
    Thanks.
    Guitarman

    Hi Guitar,
    Thank you for your question.
    Is it possible to install within the DMZ of AD Domain1 an Edge Transport Server - Exchange 2013?
    A: Yes, we could create an Exchange 2013 Edge server on the DMZ of AD domain1.
    Notice: Before we create an EdgeSync Subscription between an Exchange 2007 Hub Transport server and an Exchange 2013 SP1 Edge Transport server, we need to install Exchange 2007 SP3 Update Rollup 13 or later on the Exchange 2007 Hub Transport server.
    We could refer to the following link:
    https://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx
    If there are any questions regarding this issue, please be free to let me know.
    Best Regards,
    Jim

  • How can we set Admin rights to access all user mailboxes in IMAP server exchange 2010?

    Hi,
    IMAP is in exchange 2010..
    as per guide:
    http://technet.microsoft.com/en-us/library/jj200730%28v=exchg.150%29.aspx
    CSV Files for IMAP Migration Batches
    Use super-user or administrator credentials.   This requires that you use an account in your IMAP messaging system that has the necessary rights to access all user mailboxes.
    In the CSV file, you use the credentials for this account for each row. To learn whether your IMAP server supports this approach and how to enable it, see the documentation for your IMAP server.
    How can we set Admin rights to access all user mailboxes in IMAP server exchange 2010?
    Thanks.

    Hi,
    Do you mean assigning a user full access permission to all other mailboxes? If so, we can try the following command:
    Get-Mailbox -Server "Exchange 2010" | Add-MailboxPermission -User AdminUserName -AccessRights FullAccess
    Thanks,
    Winnie Liang
    TechNet Community Support

  • WAP321 ignore global radius active server ip address

    Hello everyone,
    I have few WAP321 with a radius server listening on 2 different IPs (one for each SSID).
    I configured the global radius server with these two IPs.
    Then I created 2 wireless networks with WPA enterprise, global radius settings.
    I selected global radius "active server ip address 1" for the first network and global radius "active server ip address 2" for the second, but it does not work. After saving, the 2 networks only connect to the first IP of the radius server, and the select field only displays "active server ip address 1" for both networks.
    Is it a bug, or something I haven't understood?
    Using firmware 1.0.5.3.
    Thank you.

    Hi flallart1
    Personally I can't confirm this behavior as I have no WAP321 unit at hand. But I wanted to say something about your setup.
    You've configured RADIUS server with two different IP's.
    Each RADIUS IP provides different authentication rules - like different user database or different set of authorization rules.
    You have added both RADIUS IPs inside Global RADIUS setting configuration.
    And inside each SSID (Virtual Access Point) setting you kept "Use global RADIUS server settings" checked, but you have explicitly selected "Active Server" for that particular SSID for which is suited.
    What "Active Server" means: Enables the administrative selection of the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.
    In reality this means that from the existing pool of available RADIUS servers you can choose the preferred server on your own. But in case that preferred RADIUS server is not reachable, another one will be used for that SSID. This is not good behavior in your case, because once that situation happens and your WAP selects a different IP for a particular SSID, your authentication scheme will be completely different, as the second RADIUS IP provides a different authentication/authorization rulebase. If that RADIUS IP change happens, all clients already connected to that SSID according to the rulebase of the first RADIUS IP will be denied in the next few minutes, because re-authentication will fail as it will now be done according to the rulebase of the second RADIUS IP. Also new clients will not be able to connect, which normally works for them.
    In your case you should ignore global RADIUS settings and explicitly configure the RADIUS IP inside each SSID (Virtual Access Point), i.e. the IP of the RADIUS server which is only related to that SSID. In your scenario, there is no backup RADIUS IP as both of them provide different authentication.

  • Debug radius local-server

    Hi all!
    Please help me.
    I'm using c181x-adventerprisek9-mz.151-4.M9.bin.
    I set up an AP with local radius server. The official documentation has "debug radius local-server", and in the IOS command reference this command also exists.
    But my router does not have this command.
    Is this a bug?

    Are you running this command in Privileged EXEC mode, or global config mode? This is a Privileged EXEC command, so when you enter it, your prompt should look like this:
    RouterName# debug radius local-server
    And not like this:
    RouterName(config)# debug radius local-server
    Please also note that since this is a debug command, it will not appear in your device's running-config, and it may not continue running if you reload or power-cycle your device. It will just show debug messages at the console line and/or log them to the logging buffer and/or to a Syslog server, if configured.

  • RADIUS auth-server unavailable messages

    Hello,
    during troubleshooting of some other WLC (WiSM2, 7.4.121.0) issues I have noticed that there are some messages like this:
    hu Feb 27 15:01:11 2014    RADIUS auth-server 192.168.4.66:1812 available
    1    Thu Feb 27 15:01:06 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    2    Thu Feb 27 15:01:06 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
    3    Thu Feb 27 14:58:24 2014    RADIUS auth-server 192.168.4.66:1812 available
    4    Thu Feb 27 14:58:22 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    5    Thu Feb 27 14:58:22 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
    6    Thu Feb 27 14:57:56 2014    RADIUS auth-server 192.168.4.66:1812 available
    7    Thu Feb 27 14:57:43 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    8    Thu Feb 27 14:57:43 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
    9    Thu Feb 27 14:57:18 2014    RADIUS auth-server 192.168.4.66:1812 available
    10    Thu Feb 27 14:57:12 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    During that time I pinged the radius server from the console, and it looks OK:
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >
    (WiSM-slot25-1) >show time
    Time............................................. Thu Feb 27 15:00:10 2014
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    There is only one radius configured in WLC.
    (WiSM-slot25-1) >show radius auth statistics
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 192.168.4.66
    Msg Round Trip Time.............................. 11 (msec)
    First Requests................................... 31952
    Retry Requests................................... 285
    Accept Responses................................. 4002
    Reject Responses................................. 274
    Challenge Responses.............................. 27620
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Pending Requests................................. 0
    Timeout Requests................................. 341
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    What can I do to troubleshoot this: some debug commands, timer tuning...?
    Regards,
    Mladen

    That could also be load on the AAA server. The WLC calls a radius server dead/unavailable if it doesn't respond to 3 requests for a client authentication.
    You may want to also try disabling aggressive failover.
    config radius aggressive-failover disable
    This changes the behavior of the WLC so that the AAA has to not respond to three consecutive clients before it's called dead. But if you only have the one server it may not help too much.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
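The message log in the question is the kind of thing worth reducing to numbers before tuning timers: how long each "unavailable" episode actually lasted, and how many "failed to respond" timeouts preceded it. The Python below is an added example, not code from the post or from Cisco. It parses WLC message-log lines in the format shown above (the sample lines are constructed to match the post, newest first as the WLC prints them), pairs each unavailable event with the next available event for the same server, and reports outage durations and timeout counts; the 30-second "flapping" threshold is an assumption chosen for this example. Short, repeated outages while ICMP stays clean point at slow responses (load, as Steve says) rather than a dead path, and the durations are what you compare against the retransmit and timeout settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the WLC message-log format from the post (newest first).
SAMPLE_LOG = """\
0    Thu Feb 27 15:01:11 2014    RADIUS auth-server 192.168.4.66:1812 available
1    Thu Feb 27 15:01:06 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
2    Thu Feb 27 15:01:06 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
3    Thu Feb 27 14:58:24 2014    RADIUS auth-server 192.168.4.66:1812 available
4    Thu Feb 27 14:58:22 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
5    Thu Feb 27 14:58:22 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
6    Thu Feb 27 14:57:56 2014    RADIUS auth-server 192.168.4.66:1812 available
7    Thu Feb 27 14:57:43 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
8    Thu Feb 27 14:57:43 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
9    Thu Feb 27 14:57:18 2014    RADIUS auth-server 192.168.4.66:1812 available
10    Thu Feb 27 14:57:12 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
"""

# Optional leading row number, a ctime-style timestamp, then the RADIUS message.
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"RADIUS (?:auth-server|server) (?P<server>\S+) (?P<msg>.+)$"
)


def parse_line(line):
    """Return (timestamp, 'ip:port', message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("server"), m.group("msg").strip()


def summarize(lines, flap_threshold_s=30):
    """Per server: timeout count, list of (down_at, up_at, seconds) outages,
    total downtime, whether it is still marked down, and a flapping flag
    (assumption: three or more outages all shorter than flap_threshold_s)."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])  # WLC prints newest first; stable sort keeps same-second order
    state = defaultdict(lambda: {"timeouts": 0, "outages": [], "down_since": None})
    for ts, server, msg in events:
        s = state[server]
        if msg.startswith("failed to respond"):
            s["timeouts"] += 1
        elif msg == "unavailable" and s["down_since"] is None:
            s["down_since"] = ts
        elif msg == "available" and s["down_since"] is not None:
            s["outages"].append((s["down_since"], ts, (ts - s["down_since"]).total_seconds()))
            s["down_since"] = None
    report = {}
    for server, s in state.items():
        secs = [o[2] for o in s["outages"]]
        report[server] = {
            "timeouts": s["timeouts"],
            "outages": s["outages"],
            "total_down_seconds": sum(secs),
            "still_down": s["down_since"] is not None,
            "flapping": len(secs) >= 3 and max(secs) < flap_threshold_s,
        }
    return report


if __name__ == "__main__":
    for server, r in summarize(SAMPLE_LOG.splitlines()).items():
        print("%s: %d timeouts, %d outages, %.0f s down, flapping=%s" % (
            server, r["timeouts"], len(r["outages"]), r["total_down_seconds"], r["flapping"]))
        for down_at, up_at, secs in r["outages"]:
            print("    %s -> %s (%.0f s)" % (down_at.time(), up_at.time(), secs))
```

Pipe the output of the WLC message log (or a syslog export of it) into `summarize`; a server that shows many short outages but never stays down is the pattern where raising the server timeout or disabling aggressive failover, as suggested above, is worth trying before looking at the network path.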

  • ACE - Radius Auth - Server Deadtime strange behavior... bug?

    Following issue...
    Two ACE Contexts -> Admin and Test
    Both are configured to authenticate via AAA and Radius. Everything works as intended, roles get submitted by Radius etc.
    If you configure a deadtime >0 and, for example, you stop the RADIUS service, the current ACE context detects the unavailable RADIUS server and marks it as dead after the retransmit and timeout values have expired. If you activate the RADIUS service again, the ACE context never clears the "Radius Server=Dead" flag.
    If you don't log in while doing maintenance on your RADIUS service everything is fine, but once the deadtimer kicks in it's over.
    I verified this behavior using context Admin and context Test at the same time. I ended up with one context working perfectly with the same server and one still having it marked as dead.
    I got some debug output and the config for both contexts.
    Ahmed or Gilles can you reproduce this behavior?
    EDIT: Reloading the module and setting the "deadtime 0" fixes the behavior.
    --- CONTEXT -> ADMIN ---
    2006 Aug 24 16:08:06.875245 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:06.875830 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
    2006 Aug 24 16:08:06.875888 radius: (ctx:0)radius_request_process_next_server:
    All RADIUS servers failed to respond after retries.
    --- CONTEXT -> TEST ---
    2006 Aug 24 16:08:20.676439 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:20.677049 radius: (ctx:0)radius_request_process_next_server:
    found a server server index in group 0
    2006 Aug 24 16:08:23.085763 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:23.086024 radius: (ctx:0)radius_request_process_next_server:
    found a server server index in group 0
    2006 Aug 24 16:08:23.090753 radius: (ctx:0)Got context name Test
    --- Configuration -> CONTEXT ADMIN ---
    ace-module-01/Admin# sh run
    Generating configuration....
    radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
    aaa group server radius RADIUS_VTY
    server 10.10.10.1
    deadtime 1
    aaa authentication login default group RADIUS_VTY local
    --- Configuration -> CONTEXT TEST ---
    ace-module-01/Test#
    Generating configuration....
    radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
    aaa group server radius RADIUS_VTY
    server 10.10.10.1
    deadtime 1
    aaa authentication login default group RADIUS_VTY local
    Software
    loader: Version 12.2[118]
    system: Version 3.0(0)A1(2) [build 3.0(0)A1(2)
    jwilley_23:41:53-2006/06/11_/auto/adbu-rel/ws/REL_3_0_0_A1_2]
    system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_2.bin

    I see the same issue even with A1(3).
    I have submitted a new ddts for this - CSCsf19177.
    If you activate the 'debug radius server-monitor' command, you should see the ACE module trying to authenticate user test with password test.
    However, this request never makes it to the radius server.
    The bug has been logged and we will investigate.
    Thanks for reporting this problem to us.
    Gilles.

  • ACS Express radius authentication AD authorization

    I work at a University and for some reason we have multiple systems for authentication and authorization. That being said, I am trying to use RADIUS for authentication and AD for authorization for VPNs. I have the RADIUS authentication working against our RADIUS server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a RADIUS object in AAA server groups on my ASA. Then I add the server below in the "servers in selected groups" window. I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with "authorization failed with invalid password". When I look at the logs on the ACS I see
    01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
    01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
    01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
    Username and domain are correct I just edited them for posting.  It seems like it is trying to authenticate rather than authorize.  All I want it to do is say yes the user is in this group or no the user is not in this group?  You can't even fill in the password when testing authorization?  Maybe I have something setup wrong on the ACS side but when I look at AD under users and identity stores, it says it is joined to the domain.  When I do AD domain diagnostics under troubleshooting everything looks good.  I have the ASA I am testing from defined as a device and in the ASA device group.  Under access services in Radius access services I have one service that I setup that connects to the AD and it found the group so I know it is connecting.  Any idea what I am doing wrong or where to look?
    Any help would be GREATLY appreciated!
    Thanks
    Joe

    Hi Joe,
    We could take a deeper look at what is happening through some logs and debugs:
    1. On ACS Express, under
    Reports & Troubleshooting > Troubleshooting > Server Logs
    please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
    Also, for the Log Level under OS Logging, please set its value to "Debug".
    If previous old logs are not essential to you, you may also want to delete all the log files first, so that we capture logs for the last day only.
    2. On the ASA, please enable the following debugs
    debug aaa authentication
    debug aaa authorization
    debug radius
    3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
    4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
    acsxp_adagent.log
    acsxp_agent_server.log
    acsxp_mcd.log
    acsxp_server.log
    acsxp_server_trace.log
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
