IPS 7.0 and AAA with ACS 4.x

mik.gustafsson
Level 1

Hi,

I'm trying to get my lab IPS to work with our ACS server, but can't get it to work.

I get a RADIUS reject when I try to access my IPS: wrong password.

I have tried several combinations of configuration and password, on the IPS and on the ACS.

Any tip on configuration?

Is the NAS-ID important? I can't find where to put that on the ACS.

And I can't get the "no nas-id" command to work.

IPS-4240 with 7.0(5a)E4

ACS 4.1

ACS log

AUTH 08/26/2011 14:45:11 I 5803 9612 0x3a     Worker 3 processing message 1711.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3a Start UDB_POLICY_CREATE_CONTEXT, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 0400 9612 0x0 [PDE]: PolicyMgr::CreateContext: new context id=43
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Name=idstest
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Password=(binary value)
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=172.16.30.200
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Identifier=cisco-ips
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=413
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=5
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: Service-Type=8
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=172.16.30.7
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=5
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
AUTH 08/26/2011 14:45:11 I 1664 9612 0x0 [PDE]: PolicyMgr::SelectService: context id=43; no profile was matched - using default (0)
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3a Done UDB_POLICY_CREATE_CONTEXT, client 2, status UDB_OK
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3a     Worker 3 processing message 1712.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3a Start UDB_AUTHENTICATE_USER, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 1742 9612 0x3b pvAuthenticateUser: authenticate 'idstest' against CSDB
AUTH 08/26/2011 14:45:11 E 3205 9612 0x3b Plain DB pass check for idstest failed
AUTH 08/26/2011 14:45:11 I 0207 9612 0x0 [PDE]: PolicyMgr::TerminateContext: context id=43 is deleted
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3b Done UDB_AUTHENTICATE_USER, client 2, status UDB_INVALID_PASSWORD
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3b     Worker 3 processing message 1713.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3b Start UDB_LOG, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3b Done UDB_LOG, client 2, status UDB_OK

1 Accepted Solution

Rodrigo Gurriti
Level 3

Use the following link to make sure you are setting the AV-Pairs, if necessary, to set up administrators, operators or a service account:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_setup.html#wp1236274

Here is the place you need to set up on the IPS; if you don't use AV-Pairs, set the Network Access ID to the default account.

Here is one of the places you need to set up on the ACS. Here you add the devices that are allowed to talk with the ACS.

Here is how you set the AV-Pairs for the user.


After some late testing we were able to get it to work. :-)

In addition to your explanation, we had to change the Network Access ID so it was the same as our ACS Network Device Group name.

Another thing we noticed when testing was that if the IPS is behind NAT you need to add both the NAT and the real IP address to the ACS AAA Client IP address field.
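As an added example (not code from the thread, from Cisco, or from ACS), the following Python script parses ACS 4.x AUTH log lines of the shape posted above into per-request records (RADIUS attributes, backend database, error lines and final UDB status) and then applies the two configuration checks the thread ends with: whether the NAS-IP-Address the request arrived from is a configured AAA client (which matters when the IPS sits behind NAT), and whether the NAS-Identifier the sensor sends matches the value the ACS side expects. The regexes assume the line layout shown in the thread; the sample log is a constructed, trimmed copy of the poster's lines, and the AAA client set and expected NAS-Identifier passed to `review_attempt` are hypothetical values chosen for the demonstration.

```python
import re

# Constructed sample input: a trimmed copy of the ACS 4.1 AUTH log layout shown
# in the thread (one rejected attempt for user idstest), not a live capture.
SAMPLE_LOG = """\
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3a     Worker 3 processing message 1711.
AUTH 08/26/2011 14:45:11 I 0400 9612 0x0 [PDE]: PolicyMgr::CreateContext: new context id=43
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Name=idstest
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Password=(binary value)
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=172.16.30.200
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Identifier=cisco-ips
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=172.16.30.7
AUTH 08/26/2011 14:45:11 I 1664 9612 0x0 [PDE]: PolicyMgr::SelectService: context id=43; no profile was matched - using default (0)
AUTH 08/26/2011 14:45:11 I 1742 9612 0x3b pvAuthenticateUser: authenticate 'idstest' against CSDB
AUTH 08/26/2011 14:45:11 E 3205 9612 0x3b Plain DB pass check for idstest failed
AUTH 08/26/2011 14:45:11 I 0207 9612 0x0 [PDE]: PolicyMgr::TerminateContext: context id=43 is deleted
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3b Done UDB_AUTHENTICATE_USER, client 2, status UDB_INVALID_PASSWORD
"""

# Line layout assumed from the thread: AUTH <date> <time> <level> <msgid> <pid> <thread> <message>
LINE_RE = re.compile(r"^AUTH (\S+) (\S+) (?P<level>[A-Z]) \S+ \S+ \S+\s+(?P<msg>.*)$")
CTX_RE = re.compile(r"CreateContext: new context id=(?P<id>\d+)")
ATTR_RE = re.compile(r"PdeAttributeSet::addAttribute: (?P<name>[^=]+)=(?P<value>.*)$")
BACKEND_RE = re.compile(r"authenticate '(?P<user>[^']+)' against (?P<db>\S+)")
STATUS_RE = re.compile(r"Done UDB_AUTHENTICATE_USER, client \d+, status (?P<status>\S+)")


def parse_acs_auth_log(text):
    """Group ACS AUTH log lines into one record per policy context (one access request)."""
    attempts = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not an AUTH record
        level, msg = m.group("level"), m.group("msg")
        ctx = CTX_RE.search(msg)
        if ctx:
            # A new context starts a new request; attribute lines that follow belong to it.
            current = {"context": int(ctx.group("id")), "attributes": {},
                       "backend": None, "errors": [], "status": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # worker/start lines before the first context carry no request data
        attr = ATTR_RE.search(msg)
        if attr:
            current["attributes"][attr.group("name")] = attr.group("value")
            continue
        backend = BACKEND_RE.search(msg)
        if backend:
            current["backend"] = backend.group("db")
            continue
        if level == "E":
            current["errors"].append(msg)
            continue
        status = STATUS_RE.search(msg)
        if status:
            current["status"] = status.group("status")
    return attempts


def review_attempt(attempt, aaa_client_ips, expected_nas_identifier):
    """Return a list of findings for one request, applying the checks the thread arrived at.

    aaa_client_ips: set of addresses configured as AAA clients on the ACS (hypothetical input).
    expected_nas_identifier: the NAS-Identifier the ACS side expects (hypothetical input).
    """
    findings = []
    attrs = attempt["attributes"]
    nas_ip = attrs.get("NAS-IP-Address")
    if nas_ip not in aaa_client_ips:
        findings.append(f"NAS-IP-Address {nas_ip} is not a configured AAA client "
                        f"(behind NAT, both the NAT and the real address must be listed)")
    nas_id = attrs.get("NAS-Identifier")
    if nas_id != expected_nas_identifier:
        findings.append(f"NAS-Identifier {nas_id!r} does not match the expected "
                        f"{expected_nas_identifier!r}")
    if attempt["status"] != "UDB_OK":
        findings.append(f"authentication of {attrs.get('User-Name')!r} against "
                        f"{attempt['backend']} ended with {attempt['status']}")
    findings.extend(attempt["errors"])
    return findings


if __name__ == "__main__":
    for attempt in parse_acs_auth_log(SAMPLE_LOG):
        print(f"context {attempt['context']}: {attempt['attributes'].get('User-Name')} "
              f"from {attempt['attributes'].get('NAS-IP-Address')} -> {attempt['status']}")
        for finding in review_attempt(attempt, {"172.16.30.200"}, "IPS-Lab"):
            print("  -", finding)
```

One caveat worth keeping in mind when reading a `UDB_INVALID_PASSWORD` result: RADIUS hides the User-Password attribute with a digest keyed on the shared secret, so a secret mismatch between the sensor and the ACS entry also surfaces as a bad-password rejection rather than as a distinct error, which is why checking the AAA client entry (address and key) belongs next to checking the user's credentials.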
