Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6014
Views
0
Helpful
2
Replies

802.1x with dACL - invalid attribute prefix: "ACS"

Go to solution
sergio.paganoni
Level 1
Level 1

‎11-08-2011 05:45 AM - edited ‎03-10-2019 06:32 PM

Dear All,

I've spent half a day traying to solve this without success, I hope you could help me.

I've configured a simple 802.1x solution on a pilot PC that have to authenticate via PEAP-MSCHAPv2 users against my ACS Internal User database.

Switch version:

Model number                    : WS-C3750V2-48PS-S

Software:     c3750-ipbasek9-mz.122-52.SE.bin

ACS:

C1121 with version 5.3.0.40

The problem occurs when the ACS sends within the Authentication-Accept radius packet the following attribute:

cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-AUTH-4eb90704

At the switch side I see the following debug log:

002558: Nov  8 14:31:35.586: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

002559: Nov  8 14:31:35.703: AAA/ATTR: invalid attribute prefix: "ACS"

002560: Nov  8 14:31:35.703: %DOT1X-5-FAIL: Authentication failed for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

002561: Nov  8 14:31:35.703: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

802.1x switch related config:

GLOBAL:

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius-server host 172.31.254.140 auth-port 1645 acct-port 1646

radius-server host 172.31.254.141 auth-port 1645 acct-port 1646

radius-server key 7 123415ASFASFAS55512

radius-server vsa send accounting

radius-server vsa send authentication

ip device tracking

ip access-list extended DEFAULT-ANY

permit ip any any

PORT SPECIFIC

interface FastEthernet1/0/1

description 802.1x Template Port

switchport access vlan 244

switchport mode access

ip access-group DEFAULT-ANY in

authentication event fail action next-method

authentication open

authentication priority dot1x mab

authentication port-control auto

authentication periodic

mab

dot1x pae authenticator

dot1x timeout tx-period 10

end

The authentication at ACS side is successfully completed but for some reason the switch cannot understand the attribute sent to him by the ACS:

Why the authentication results in 'server-dead' ?

I've hereby attached the authorization profile, the downlodable ACL and the RADIUS authentication detail for the request...

Any idea?

Thanks a lot!

Labels:
Preview file
65 KB
Preview file
15 KB
Preview file
149 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎11-08-2011 02:29 PM

Yes, I came across the same issue and ended up as a bug with the 3750

CSCtj28883 dACL attribute parsing failed when 'aaa author' debug turned ON

 

description is

DACL processing fails when the following debugging parameters are turned on.

1. debug aaa attr

2. debug aaa authorization

The same works fine when they are turned down. Attaching the switch log.

I believe was resolved in version 3750-Build 12.2(55) as from the following note attached to the bug since was found to be unreproducable on later builds

Submitter has confirmed that the bug is not seen on 55SE image.

The issue is only seen in 53SE

can also try and switch debugs off

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jrabinow
Level 7
Level 7

‎11-08-2011 02:29 PM

Yes, I came across the same issue and ended up as a bug with the 3750

CSCtj28883 dACL attribute parsing failed when 'aaa author' debug turned ON

 

description is

DACL processing fails when the following debugging parameters are turned on.

1. debug aaa attr

2. debug aaa authorization

The same works fine when they are turned down. Attaching the switch log.

I believe was resolved in version 3750-Build 12.2(55) as from the following note attached to the bug since was found to be unreproducable on later builds

Submitter has confirmed that the bug is not seen on 55SE image.

The issue is only seen in 53SE

can also try and switch debugs off

0 Helpful

Go to solution
sergio.paganoni
Level 1
Level 1
In response to jrabinow

‎11-11-2011 06:08 AM

Hi jrabinow,

Thanks a lot for the reply, I've upgraded to 12.2(58)SE2 and it worked...

I still receive the invalid attribute error but now at least the ACL is applied to the interface and the authentication result is successfully!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents