ACS 3.2 NAS changes IP yet it still works

c-davies (Level 1)

Hi,

I have ACS 3.2 with switches authenticating via 802.1x to it. By accident a switch IP got changed; however, users can still authenticate to it.

I want to confirm this is normal, as I understand the pre-shared key is the bit that secures mutual authentication and the IP of the switch is just a label.

Now, in this state of having the wrong IP, nothing is logged to tell me this; just "unknown NAS" appears, no passed or failed authentications. It all used to work.

It begs the question: if someone got hold of my pre-shared key and popped a new switch on the network, how would I know?

2 Replies

andrewclymer (Level 1)

Authentication should never work between an unknown NAS and the AAA server.

Further Authentication should never work if the shared key is also different.

If authentication is working after the IP of the switch has changed, then it would suggest one of two things:

1) You have a wildcard address range defined that has the same shared key as your switch has

2) A bug in ACS

However, judging by your description of the logs, it is neither of these, since ACS is correctly reporting that the NAS is unknown.

If users are still gaining access, then it suggests to me that the switch has some kind of fallback mode that, if AAA functionality is not working, allows users some kind of locally provisioned access.

darpotter (Level 5)

Try just stopping all the ACS services. I suspect your users will still get access.

... and yes, in all EAP-based forms of authentication the RADIUS packets are signed in the Message-Authenticator attribute using the shared key.
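To illustrate the mechanism darpotter describes, and why andrewclymer expects an unknown NAS to be rejected, here is an added example that is not part of the original thread and is not ACS code: a minimal RADIUS client/server pair in Python. The client builds an EAP Access-Request carrying the RFC 3579 Message-Authenticator (HMAC-MD5 over the whole packet with the attribute's value zeroed, keyed with the shared secret); the server first looks the NAS up by source IP to find which secret applies, then verifies the attribute. The NAS table, IP addresses, secrets, identifiers and EAP payload are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed NAS table (example values, not from the original post): the AAA
# server identifies each client by its source IP and keeps one shared secret per client.
NAS_TABLE = {
    "10.0.0.10": b"switch-secret-1",
}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, user, eap_payload, request_auth=None):
    """NAS side: build an Access-Request with EAP-Message and a valid Message-Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)  # Request Authenticator is random for Access-Request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_EAP_MESSAGE, eap_payload)
    # The HMAC is computed over the packet with the Message-Authenticator value set to 16 zero bytes.
    placeholder = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    attrs = []
    pos = 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, pos, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Server side: recompute HMAC-MD5 with the attribute value zeroed and compare in constant time."""
    for attr_type, pos, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP request without Message-Authenticator must be dropped (RFC 3579 section 3.1)


def server_handle(src_ip, packet, nas_table=NAS_TABLE):
    """Return the log outcome the AAA server would record for this request."""
    secret = nas_table.get(src_ip)
    if secret is None:
        # The secret is selected by source IP, so an unknown IP is rejected before any HMAC check.
        return "unknown NAS"
    if not verify_message_authenticator(packet, secret):
        return "bad Message-Authenticator (shared secret mismatch)"
    return "authenticator verified; proceed with EAP"


def demo():
    """Run the three cases the thread discusses and return their outcomes."""
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # constructed EAP Response/Identity
    good = build_access_request(b"switch-secret-1", 7, b"alice", eap_identity)
    wrong_secret = build_access_request(b"wrong-secret", 7, b"alice", eap_identity)
    return {
        "known NAS, right secret": server_handle("10.0.0.10", good),
        "changed IP, right secret": server_handle("10.0.0.99", good),
        "known NAS, wrong secret": server_handle("10.0.0.10", wrong_secret),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The server has to know which secret to use before it can check anything, and in RADIUS that selection is keyed on the client's source address; a packet from an address not in the table is logged as an unknown NAS without its Message-Authenticator ever being checked, while a packet from a known address signed with the wrong secret fails the HMAC comparison. Neither path produces a passed or failed user authentication, which matches the log behaviour described in the thread.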