topic Re: ACS authentication with 3750 switch in Network Access Control

ACS authentication with 3750 switch

bws — Sun, 10 Mar 2019 21:24:14 GMT

Hi all,

i am configured my acs server to act as Tacacs+ AAA Server and configured 3750 SWICTH as AAA client but with dot1x implementation. But when i connect a laptop to this switch dot1x port, it prompts me for username and password and after providing the credentials it keeps on failing to authenticate. This is what i get on switch when user sends credential information.

23:09:21: %TAC+: illegal type=6 for login

23:09:21: TAC+: send AUTHEN/START packet ver=192 id=2079844561

23:09:21: TAC+: Using default tacacs server-group "tacacs+" list.

23:09:21: TAC+: Opening TCP/IP to 10.200.2.2/49 timeout=5

23:09:21: TAC+: Opened TCP/IP handle 0x304E230 to 10.200.2.2/49

23:09:21: TAC+: periodic timer started

23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=5 AUTHEN/START/LOGIN/UNKNOWN queued

23:09:21: TAC+: 10.200.2.2 (2079844561) AUTHEN/START/LOGIN/UNKNOWN queued

23:09:21: TAC+: 10.200.2.2 id=2079844561 wrote 121 of 121 bytes

23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN sent

23:09:21: TAC+: 10.200.2.2 read=12 wanted=12 alloc=12 got=12

23:09:21: TAC+: 10.200.2.2 read=28 wanted=28 alloc=28 got=16

23:09:21: TAC+: 10.200.2.2 received 28 byte reply for 2A32320

23:09:21: TAC+: req=2A32320 Tx id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN processed

23:09:21: TAC+: (2079844561) AUTHEN/START/LOGIN/UNKNOWN processed

23:09:21: TAC+: periodic timer stopped (queue empty)

23:09:21: TAC+: ver=192 id=2079844561 received AUTHEN status = GETPASS

Re: ACS authentication with 3750 switch

will.shaw — Tue, 13 Dec 2005 16:45:37 GMT

use radius.

Re: ACS authentication with 3750 switch

bws — Wed, 14 Dec 2005 05:17:25 GMT

Dear Shaw,

thanks for your answer but i have to stick with ACS as it supports external databse (i.e. like AD and LDAP) which i will be integrating with dot1x

Re: ACS authentication with 3750 switch

will.shaw — Wed, 14 Dec 2005 08:15:35 GMT

Cisco ACS supports Radius. You can't use TACACS+ for dot1x because you can't use EAP over TACACS+

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html

Re: ACS authentication with 3750 switch

bws — Wed, 14 Dec 2005 09:02:58 GMT

Thank Shaw for ur reply.

is it possible to integrate radius with LDAP or active directory for authentication?

Re: ACS authentication with 3750 switch

will.shaw — Wed, 14 Dec 2005 09:18:55 GMT

yes, the ACS server will still handle the integration with the Active Directory or LDAP, in the same way it does for any autherntication method. Radius is the method of authentication between the ACS server and the client, and the reason it is used instead of TACACS+, is because TACACS+ does 'present' the necessary information needed to authenticate with the windows domain.

Re: ACS authentication with 3750 switch

bws — Wed, 14 Dec 2005 13:46:38 GMT

i have just swicthed my configuration to radius but as soon as i connect a laptop to my AAA client i.e 3750 switch it gives me the below error:

My AAA Radius server ip is 10.200.2.2 and

AAA client switch 3750 ip is 10.200.2.1.

1d21h: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down

1d21h: RADIUS: Pick NAS IP for u=0x2355BC0 tableid=0 cfg_addr=0.0.0.0

1d21h: RADIUS: ustruct sharecount=2

1d21h: Radius: radius_port_info() success=1 radius_nas_port=1

1d21h: RADIUS: EAP-login: length of radius packet = 149 code = 1

1d21h: RADIUS(00000000): Send Access-Request to 10.200.2.2:1812 id 1645/7, len 149

1d21h: RADIUS: authenticator 89 AD D5 29 4F 57 CF 6A - 64 15 29 ED ED B6 02 D7

1d21h: RADIUS: NAS-IP-Address [4] 6 10.200.2.1

1d21h: RADIUS: NAS-Port [5] 6 50101

1d21h: RADIUS: NAS-Port-Type [61] 6 Eth [15]

1d21h: RADIUS: User-Name [1] 19 "DIFC\adil.ibrahim"

1d21h: RADIUS: Called-Station-Id [30] 19 "00-12-7F-72-2F-03"

1d21h: RADIUS: Calling-Station-Id [31] 19 "00-0D-60-FB-89-C0"

1d21h: RADIUS: Service-Type [6] 6 Framed [2]

1d21h: RADIUS: Framed-MTU [12] 6 1500

1d21h: RADIUS: EAP-Message [79] 24

1d21h: RADIUS: 02 00 00 16 01 44 49 46 43 5C 61 64 69 6C 2E 69 [?????DIFC\adil.i]

1d21h: RADIUS: 62 72 61 68 69 6D [brahim]

1d21h: RADIUS: Message-Authenticato[80] 18

1d21h: RADIUS: 89 B1 E7 61 43 EF 6A 7B E5 7D 95 AF 94 12 26 B6 [???aC?j{?}????&?]

1d21h: RADIUS: Received from id 1645/7 10.200.2.2:1812, Access-Reject, len 56

1d21h: RADIUS: authenticator 96 7E 41 5A 20 48 28 F1 - B7 F7 26 21 F5 B0 82 92

1d21h: RADIUS: EAP-Message [79] 6

1d21h: RADIUS: 04 00 00 04 [????]

1d21h: RADIUS: Reply-Message [18] 12

1d21h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]

1d21h: RADIUS: Message-Authenticato[80] 18

1d21h: RADIUS: 00 D6 71 93 0F 2F 61 FB 01 1A 69 53 B3 3B E5 3A [??q??/a???iS?;?:]

1d21h: RADIUS: EAP-login: length of eap packet = 4

1d21h: RADIUS: EAP-login: got reject from radius

it keeps on giving me below error whenover i connect a laptop to this AAA client.

1d21h: RADIUS: EAP-login: length of eap packet = 4

1d21h: RADIUS: EAP-login: got reject from radius

Re: ACS authentication with 3750 switch

will.shaw — Wed, 14 Dec 2005 14:36:32 GMT

have you read through the guide above? or any guide?

I'm a little confused as to how you have your setup configured.

The reason your authentication is failing now, is because either:

a) The user doesn't exist on the radius server

b) Unsupported authentication method (PEAP, PAP, CHAP etc.. not enabled on your acs)_

c) Other user restrictions in place.

If your using the Cisco ACS, you should be able to check the 'failed attempts' log to find out why the authentication wasn't sucessful.

Please can you post the log, along with the dot1x config for your switch up.

Re: ACS authentication with 3750 switch

bws — Sun, 18 Dec 2005 14:02:04 GMT

Shaw,

i am able to authenticate users via radius know but only those users which i have created in my ACS manaully. Also i've specified external database of my Active Directory in my ACS BUT the users from AD are not being authenticated. Please advise.

Re: ACS authentication with 3750 switch

will.shaw — Mon, 19 Dec 2005 11:38:38 GMT

You need to configure the following:

EXTERNAL USER DATABASES:

- Unknown user policy: make sure the option to check the databse instead of fail attempt is selected.

- Database Group Mapping: ensure that the unknown users are being placed in the correct ACS group when they are automatically added.

You need to check in the failed attempts log to see why the users are not being authenticated.. please post the log so I can better advise you.

Re: ACS authentication with 3750 switch

bws — Tue, 20 Dec 2005 14:29:25 GMT

Hi Shaw,

i've gone through the Logs and have found the following errors:

When i firts tried to login using the MD5 Authentication from XP Machine, ACS generated the following error:

"12/19/2005 19:20:59 Authen failed DIFC\adil.ibrahim .. 00-00-39-28-94-B8 Auth type not supported by External DB"

Later when i tried to login with PEAP authentication ACS generated this error:

Date Time Message-Type User-Name Group-Name Caller-ID Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address

12/19/2005 19:27:10 Authen failed DIFC\adil.ibrahim .. 00-0D-60-5F-B8-40 EAP type not configured check Global Authentication Setup page .. .. 50102 10.200.2.1

After all this when i went to System Configuration> Global Authentication Setup and checked marked the

Allow EAP-MSCHAPv2

Allow EAP-GTC under PEAP settings and said submit and restart, it gave me the following error:

Authentication configuration errors

Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed.

Hope this will bring us to final solution of this ACS to be operation. Your comments are really appreciated and helpfull.

Re: ACS authentication with 3750 switch

will.shaw — Wed, 21 Dec 2005 10:52:01 GMT

Just select the "allow EAP-MSCHAPv2" option in Global Authentication Setup, and leave EAP-GTC un-checked. This should enable MS-Chap v2 without any problems, and this should now work.

If you want to use any of the certificate based authentication methods (PEAP, EAP-TLS) then you will need obtain a certificate for your server.

Try enabling the EAP-MSCHAPv2 and let me know if it works.

Re: ACS authentication with 3750 switch

bws — Wed, 21 Dec 2005 13:25:51 GMT

Shaw,

by just selecting "allow EAP-MSCHAPv2" under PEAP it still keeps on giving me the same error

"Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."

Re: ACS authentication with 3750 switch

will.shaw — Wed, 21 Dec 2005 13:41:05 GMT

If you want to use PEAP then you will need to install a certificate on your server, and all your clients.

You can use Just MD5 for Dot1x..

Ensure the EAP-MD5 box is checked on the Global authentication page, and that the MS-CHAP version 1 version 2 authentication boxes are checkd.

In you client, select the authentication EAP type to be "MD5-Challenge".

Re: ACS authentication with 3750 switch

bws — Wed, 21 Dec 2005 15:39:05 GMT

Shaw,

i doubt that under ACS active directory with dot1x authentication, it wont support MD5. Well anyway i'll try that.

further more if i need to install a certificate on server, how can i obtain it both for the client and acs server.

Re: ACS authentication with 3750 switch

will.shaw — Wed, 21 Dec 2005 16:41:53 GMT

MD5 will work as an authentication method.

If you want to use a certificate then you will need a certificate server to obtain the certificates from. Do you have one of these, or can you set them up? Have you worked with certificates before?

Installing a certificate on the ACS is documented in the ACS help section. For clients, just install the certificate in the usual way.

Re: ACS authentication with 3750 switch

bws — Sun, 25 Dec 2005 12:37:52 GMT

Hi Shaw,

back again,

using md5 login method it gives error "Auth type not supported by External DB"

AND AFTER configuring PEAP support and using PEAP login method from end users machine it gives the following error "EAP-TLS or PEAP authentication failed during SSL handshake"

by the way i haven't install the certificate on client. Do i need to install it on client machine also , if yes, pls let me know how to install it a client machine which is not part of domain. I just need to test it before i implement it.

now where is the probelm. what needs to be sorted out. Pls help!

Re: ACS authentication with 3750 switch

bws — Sun, 25 Dec 2005 14:25:38 GMT

Hi Shaw,

just to let u know, that i was missing the certificate installation on client side. i have done the certificate installation on client side and know when i try to put the login credentials it generates following error in log:

"12/25/2005 18:20:42 Authen failed DIFC\adil.ibrahim .. 00-10-C6-CD-5F-67 External DB account Restriction .. .. 50102 10.200.2.1 "

i've checked thier is no any kind of time restirction for the mapped group. Pls help.

Thanks in advance

Re: ACS authentication with 3750 switch

will.shaw — Wed, 28 Dec 2005 12:27:06 GMT

Check if you have the "Dialin Permission" option checked within

External User Databases -> Database Configuration -> Windows Databse -> Configure

If this is checked, then the user needs to have Dialin Permission within the Active Directory Account.

Also check if you have any logs within AD to see why the user authentication failed.

Re: ACS authentication with 3750 switch

bws — Tue, 17 Jan 2006 17:00:25 GMT

Hi,

Back again....

first of all i would like to thank you for all the help you provided to me ....yeh my acs seems to be working with Active directory

i am able to login my machine after i conf a cert server and install the cert on client machine...it works fine...but know when my login with my domain ID and try to change my domain password it gives me error that MYDOMAIN not available.....where can be the problem?

thanks,