ACS 3.0 strange failed attempts

simon-galloway
Level 1

I am currently using Cisco ACS 3.0 and have noticed very strange logs under Reports, Failed Attempts.

It is showing numerous failed attempts from username: azbycx to our 4 core 6500 CatOS switches.

The caller-id field does not display a source ip address and these hits are happening every minute.

I have noticed that any passed or failed attempts to any CatOS switches do not provide a caller-id IP address in the report. Any IOS attempts log the IP address fine.

Any help would be appreciated, even a way to log on the CatOS switch to determine what is attempting to log into these 6500 switches.

Thanks SG

5 Replies

darpotter
Level 5

Is your concern that

a) the switch is the problem, or

b) that ACS isn't logging correctly

You can easily check what ACS is receiving.

Run CSradius -z -p or CSTacacs -z -e at the command line to see a packet-by-packet debug.

Hi,

I ran csradius -z -p and got the following debug results for the unknown username "azbycx".

I'm not sure if this debug is telling me anything I don't already know!

Also, caller-id in the failed attempts report is not showing a source IP address from the switches in question, which are running CatOS?

Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024

[001] User-Name value: azbycx

[004] NAS-IP-Address value: 172.16.2.6

[079] EAP-Message value: .E...azbycx

[080] Message-Authenticator value: F2 F3 E3 1C 56 E9 73 10 14 DE C6 F7 24 31 5F 29

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]

ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]

ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]

ExtensionPoint: Start of Attribute Set

ExtensionPoint: End of Attribute Set

User:azbycx - Authentication type not supported by external database

Sending response code 3, id 69 to 172.16.2.6 on port 1024

Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024

[001] User-Name value: azbycx

[004] NAS-IP-Address value: 172.16.2.8

[079] EAP-Message value: .¤...azbycx

[080] Message-Authenticator value: FD B9 66 FE A4 50 57 FE 68 1F B3 2A CE 57 2C 63

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]

ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]

ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]

ExtensionPoint: Start of Attribute Set

ExtensionPoint: End of Attribute Set

User:azbycx - Authentication type not supported by external database

Thanks for your assistance

Hmm, your switch is trying to perform an EAP authentication - albeit not very well, since there are no Calling/Called-Station-Id attributes, which are normal with .1x.

I suspect the CatOS debug logs may give you more of an idea, because this doesn't look like an ACS issue.

Sorry I can't help more.
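As an added example (not from the thread or from Cisco), here is a small parser for the CSRadius -z -p debug format quoted above that groups the lines into Access-Requests and counts the pattern darpotter describes: EAP-Message requests carrying neither Calling-Station-Id (31) nor Called-Station-Id (30) that ACS rejected (response code 3), keyed by NAS and user name. The sample log is constructed and modelled on the posted output; the third request, from the netadmin user, is an invented normal .1x request for contrast.

```python
import re
from collections import Counter

# Constructed sample, modelled on the CSRadius -z -p output quoted in the thread.
SAMPLE_DEBUG = """\
Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024
[001] User-Name value: azbycx
[079] EAP-Message value: .E...azbycx
Sending response code 3, id 69 to 172.16.2.6 on port 1024
Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024
[001] User-Name value: azbycx
[079] EAP-Message value: .x...azbycx
Sending response code 3, id 164 to 172.16.2.8 on port 1024
Request from host 172.16.2.9:1645 code=1, id=7, length=88 on port 1024
[001] User-Name value: netadmin
[031] Calling-Station-Id value: 00-11-22-33-44-55
[079] EAP-Message value: ...netadmin
Sending response code 2, id 7 to 172.16.2.9 on port 1024
"""
REQUEST_RE = re.compile(r"^Request from host ([\d.]+):\d+ code=\d+, id=(\d+)")
ATTR_RE = re.compile(r"^\[(\d{3})\] \S+ value: (.*)$")
RESPONSE_RE = re.compile(r"^Sending response code (\d+), id (\d+)")
USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID, EAP_MESSAGE = 1, 30, 31, 79  # RFC 2865/3579

def parse_debug(text):
    """Group debug lines into one record per Access-Request: nas, id, attrs, response."""
    requests, cur = [], None
    for line in text.splitlines():
        if m := REQUEST_RE.match(line):
            cur = {"nas": m.group(1), "id": int(m.group(2)), "attrs": {}, "response": None}
            requests.append(cur)
        elif (m := ATTR_RE.match(line)) and cur:
            cur["attrs"][int(m.group(1))] = m.group(2)
        elif (m := RESPONSE_RE.match(line)) and cur and int(m.group(2)) == cur["id"]:
            cur["response"] = int(m.group(1))  # 2 = Access-Accept, 3 = Access-Reject

    return requests

def is_station_less_eap(req):
    """EAP request with neither Calling- nor Called-Station-Id, as noted in the reply above."""
    return EAP_MESSAGE in req["attrs"] and not {CALLING_STATION_ID, CALLED_STATION_ID} & req["attrs"].keys()

def rejected_station_less_eap(text):
    """Count rejected, station-id-less EAP requests per (NAS-IP, User-Name)."""
    hits = Counter()
    for req in parse_debug(text):
        if is_station_less_eap(req) and req["response"] == 3:
            hits[(req["nas"], req["attrs"].get(USER_NAME, "?"))] += 1
    return dict(hits)
```

Point the same functions at a longer capture to see which NAS addresses generate the every-minute rejects and whether any of them ever send a station id.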

Thanks for the reply.

Do you know exactly what debug logs I need to activate on the 6500 CatOS to determine where these source authentications are coming from?

E.g. RADIUS logging

twilcox
Level 1

I was testing 802.1x authentication and ran into this issue. Here's the TAC response I received, and this fixed the problem:

Just for future reference, we were getting this issue because the keep-alive packets are sometimes misinterpreted by the ACS server, so adding "Set dot1x radius-keeplive disable" stops those keep-alive packets.