08-26-2011 07:00 AM - edited 03-10-2019 05:27 AM
Hi,
I'm trying to get my lab IPS to work with our ACS server, but can't get it to work.
I get a RADIUS reject when I try to access my IPS: wrong password.
I have tried several combinations of configuration and password, on the IPS and on the ACS.
Any tips on configuration?
Is the NAS-ID important? I can't find where to put that on the ACS.
And I can't get the no nas-id command to work.
IPS-4240 with 7.0(5a)E4
ACS 4.1
ACS log
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3a Worker 3 processing message 1711.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3a Start UDB_POLICY_CREATE_CONTEXT, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 0400 9612 0x0 [PDE]: PolicyMgr::CreateContext: new context id=43
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Name=idstest
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: User-Password=(binary value)
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=172.16.30.200
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Identifier=cisco-ips
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=413
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=5
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: Service-Type=8
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=172.16.30.7
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=5
AUTH 08/26/2011 14:45:11 I 0556 9612 0x0 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
AUTH 08/26/2011 14:45:11 I 1664 9612 0x0 [PDE]: PolicyMgr::SelectService: context id=43; no profile was matched - using default (0)
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3a Done UDB_POLICY_CREATE_CONTEXT, client 2, status UDB_OK
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3a Worker 3 processing message 1712.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3a Start UDB_AUTHENTICATE_USER, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 1742 9612 0x3b pvAuthenticateUser: authenticate 'idstest' against CSDB
AUTH 08/26/2011 14:45:11 E 3205 9612 0x3b Plain DB pass check for idstest failed
AUTH 08/26/2011 14:45:11 I 0207 9612 0x0 [PDE]: PolicyMgr::TerminateContext: context id=43 is deleted
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3b Done UDB_AUTHENTICATE_USER, client 2, status UDB_INVALID_PASSWORD
AUTH 08/26/2011 14:45:11 I 5803 9612 0x3b Worker 3 processing message 1713.
AUTH 08/26/2011 14:45:11 I 2780 9612 0x3b Start UDB_LOG, client 2 (127.0.0.1)
AUTH 08/26/2011 14:45:11 I 5448 9612 0x3b Done UDB_LOG, client 2, status UDB_OK
08-28-2011 04:23 PM
Use the following link to make sure you are setting the AV-Pairs, if necessary, to set up administrators, operators or service accounts:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_setup.html#wp1236274
Here is the place you need to set up on the IPS; if you don't use AV-Pairs, set the Network Access ID to the default account.
Here is one of the places you need to set up on the ACS; here you add the devices as allowed to talk with the ACS.
Here is how you set the AV-Pairs for the user.
09-17-2011 11:04 AM
After some late testing we were able to get it to work. :-)
In addition to your explanation, we had to change the Network Access ID so it was the same as our ACS Network Device Group name.
Another thing that we noticed when testing was that if the IPS is behind NAT you need to add both the NAT and the real IP address to the ACS AAA Client IP address field.
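Editor's added example (not code from the thread, from Cisco, or from ACS) tying together the "Plain DB pass check failed" / UDB_INVALID_PASSWORD line in the log and the NAT observation in the last post. RADIUS PAP does not send the password in the clear: the NAS hides User-Password with MD5(shared secret + Request-Authenticator) per RFC 2865 section 5.2, and the server undoes that with whatever secret it has stored for the packet's source IP. A secret mismatch therefore does not produce a "bad secret" error; the server recovers garbage and logs the same invalid-password event as a mistyped password. And because the secret is looked up by the packet's source address rather than by the NAS-IP-Address attribute, an IPS behind NAT is a different "client" from the server's point of view. The script below implements the RFC algorithm and a toy server that mirrors the decision order visible in the ACS log. The user name idstest and the address 172.16.30.200 come from the log; the secrets, the user's password and the NAT address 203.0.113.5 are assumptions.

```python
import hashlib
import os

# Added example, not code from the thread or from Cisco. It models the part of
# RFC 2865 that makes a shared-secret mismatch look like a wrong password:
# the NAS hides User-Password with MD5(secret + Request-Authenticator) and the
# server undoes it with whatever secret *it* has for the packet's source IP.


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a 16-octet boundary, then XOR each block
    with b1 = MD5(S + RA), b(i) = MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden, prev = hidden + c, c
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password. With the wrong secret this returns garbage,
    not an error, which is why the server can only report 'invalid password'."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain, prev = plain + bytes(x ^ y for x, y in zip(c, b)), c
    return plain.rstrip(b"\x00")


# Toy server state (constructed). The user name and the IPS address
# 172.16.30.200 are taken from the ACS log in the thread; the secrets, the
# user's password and the NAT address 203.0.113.5 are assumptions.
AAA_CLIENTS = {"172.16.30.200": b"ips-secret"}   # keyed on packet source IP
USER_DB = {"idstest": b"Tr0ub4dor"}              # the "CSDB" in the log


def authenticate(src_ip: str, user: str, hidden_pw: bytes, authenticator: bytes,
                 clients=AAA_CLIENTS, users=USER_DB) -> str:
    """Mirror the decision order seen in the log: find the AAA client by the
    packet's source address, then check the recovered password against the DB.
    Return values reuse the status strings from the log where they apply."""
    secret = clients.get(src_ip)
    if secret is None:
        return "UNKNOWN_NAS"                       # toy label: never reaches the DB check
    expected = users.get(user)
    if expected is None:
        return "UNKNOWN_USER"                      # toy label
    if reveal_user_password(hidden_pw, secret, authenticator) != expected:
        return "UDB_INVALID_PASSWORD"              # "Plain DB pass check ... failed"
    return "UDB_OK"


def run_scenarios() -> tuple:
    ra = os.urandom(16)                            # Request-Authenticator chosen by the NAS
    pw = USER_DB["idstest"]
    # 1. IPS and ACS agree on the secret and the packet comes from the known IP.
    ok = authenticate("172.16.30.200", "idstest",
                      hide_user_password(pw, b"ips-secret", ra), ra)
    # 2. Correct password, but the IPS was given a different secret: the server
    #    recovers garbage and logs exactly what a mistyped password would log.
    mismatch = authenticate("172.16.30.200", "idstest",
                            hide_user_password(pw, b"ips-secrte", ra), ra)
    # 3. IPS behind NAT: NAS-IP-Address still says 172.16.30.200, but the
    #    packet's source is the NAT address, so the AAA-client lookup fails
    #    until that address is added too (the fix reported in the last post).
    nat = authenticate("203.0.113.5", "idstest",
                       hide_user_password(pw, b"ips-secret", ra), ra)
    return ok, mismatch, nat


if __name__ == "__main__":
    for name, result in zip(("secret ok", "secret mismatch", "behind NAT"), run_scenarios()):
        print(f"{name:16s} -> {result}")
```

The practical takeaway for a "wrong password" reject in the ACS log is to check in this order: the shared secret on both sides, the AAA client entry for the address the packets actually arrive from (the post-NAT address, not only what the IPS puts in NAS-IP-Address), and only then the user's credentials and role attributes. The MD5-based hiding above is obfuscation keyed on the secret, not real encryption, so RADIUS traffic between the IPS and ACS should stay on a trusted management network or inside an IPsec tunnel, as RFC 2865 itself recommends.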